Ethical Hacking and Penetration Testing Guide
We get an error saying that our XPath query could not be processed. A raw parser error like this shows that the input reaches the XPath expression unescaped, so there is a good chance the login form is vulnerable to XPath injection.
Step 2: As mentioned before, we need to make the predicate evaluate to true, so we enter the following true statements in the inputs:
Login: ' or '1' = '1
Password: ' or '1' = '1
Assuming the application builds its query by concatenating both fields into a predicate such as [username='...' and password='...'], the predicate becomes username='' or '1' = '1' and password='' or '1' = '1'. Because "and" binds tighter than "or" in XPath, the trailing or '1' = '1' makes the whole predicate true for every user node, so the query returns a match and we bypass the login form.
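The bypass described above, as an added example that is not part of the book: a small Ruby script that runs the concatenated query against a constructed users.xml with Ruby's REXML XPath engine, shows the payload matching every user, and then shows the practical fix (rejecting quote characters, since XPath 1.0 engines have no prepared statements). The document, the query shape and the credentials are assumptions for the demonstration.

```ruby
# Added example (not from the book): XPath injection login bypass demonstrated
# with REXML. The XML document, query shape and credentials are assumptions.
require 'rexml/document'

# Constructed sample credential store that the vulnerable application searches.
USERS_XML = <<~XML
  <users>
    <user><username>admin</username><password>S3cret!</password><role>admin</role></user>
    <user><username>bob</username><password>hunter2</password><role>user</role></user>
  </users>
XML

DOC = REXML::Document.new(USERS_XML)

# Vulnerable: user input is concatenated straight into the XPath predicate.
def vulnerable_query(login, password)
  "//users/user[username='#{login}' and password='#{password}']"
end

# Returns the usernames of all matched user nodes; an empty array means the
# login failed. With the payload, every user node matches.
def vulnerable_login(login, password)
  REXML::XPath.match(DOC, vulnerable_query(login, password))
              .map { |u| u.elements['username'].text }
end

# Hardened: a quote is the only character that can terminate the single-quoted
# string literal, so refusing quotes keeps the input inside the literal. Where
# the XPath engine supports variable binding ($login, $password), prefer that
# over building the expression from strings at all.
def safe_login(login, password)
  [login, password].each do |value|
    raise ArgumentError, 'quotes are not allowed in credentials' if value.match?(/['"]/)
  end
  REXML::XPath.match(DOC, vulnerable_query(login, password))
              .map { |u| u.elements['username'].text }
end

if __FILE__ == $0
  payload = "' or '1' = '1"
  puts vulnerable_query(payload, payload)
  p vulnerable_login('admin', 'wrong')   # no match
  p vulnerable_login(payload, payload)   # every user matches
  begin
    safe_login(payload, payload)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Run it with `ruby xpath_inject.rb`; the first line printed is the full query the server would evaluate, which is worth looking at once to see where the injected "or" lands relative to the original "and".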
Authentication Bypass Using Response Tampering
Sometimes it is possible to tamper with the application's responses to reach protected data that a normal user is not supposed to access. This only works where the server leaves the access decision to the client, for example a script that hides admin links or redirects away after checking a flag in the response; if the server itself checks authorization on every request, editing the response gains nothing. The underlying weakness is also known as "Failure to Restrict URL Access" and holds a spot (A8) in the OWASP Top 10 for 2010.
Crawling Restricted Links
The best way to find this vulnerability is to crawl all the pages of the target website while logged in as a privileged user and take note of every link that a normal user should not be able to reach; those URLs are then requested again as a normal or unauthenticated user to see whether the server actually restricts them. Acunetix Web Vulnerability Scanner has a good crawler for this; alternatively, Burp Suite's Spider feature is a good way to crawl a website for pages that are not publicly linked. (Spider belongs to Burp Suite 1.x; in Burp Suite 2.x the same job is done by the crawler in Burp Scanner.)
To use the Burp Spider effectively, we first need to set the scope so that it crawls only our defined target. To set the scope, copy the target URL and click "Paste URL" in the Scope section of the Target tab, and Burp adjusts the settings automatically. Restricting the scope matters: an unscoped spider follows off-site links and may submit forms on systems you have no authorization to test.
Next, right-click the place we want to spider from and click "Spider this branch" if it is a branch of the site map, or "Spider from here" if it is a single web page.
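The crawl-then-replay methodology of this section, reduced to a script that runs offline, as an added example that is not part of the book: a tiny in-memory application stands in for the target (its paths and pages are constructed for the demonstration), a minimal spider crawls it first with an admin session and then anonymously, and every URL that only the privileged crawl discovered is re-requested without the session. Any such URL that still returns 200 with the admin content is a "failure to restrict URL access" finding. Path names, the session handling and the HTML are all assumptions.

```ruby
# Added example (not from the book): find links that are hidden from normal
# users but not actually access-controlled. The application below is an
# in-memory stand-in for a real site; paths and pages are constructed.
require 'set'

# Constructed mini application: path => [page_for_admin, page_for_anonymous].
# '/admin/export' and '/admin/backup.zip' are "protected" only by not being
# linked from any page a normal user can see.
PAGES = {
  '/'                 => ['<a href="/login">Login</a><a href="/admin">Admin</a>', '<a href="/login">Login</a>'],
  '/login'            => ['<form></form>', '<form></form>'],
  '/admin'            => ['<a href="/admin/users">Users</a><a href="/admin/export">Export</a>', 'Forbidden'],
  '/admin/users'      => ['<table>users</table><a href="/admin/backup.zip">Backup</a>', 'Forbidden'],
  '/admin/export'     => ['id,name 1,admin', 'id,name 1,admin'],         # access control missing
  '/admin/backup.zip' => ['[zip bytes]', '[zip bytes]'],                 # access control missing
}.freeze

# Stand-in for an HTTP GET with a given session (:admin or :anonymous).
# Returns [status, body] like a real client would.
def http_get(path, session)
  pages = PAGES[path]
  return [404, 'Not Found'] unless pages
  body = session == :admin ? pages[0] : pages[1]
  body == 'Forbidden' ? [403, body] : [200, body]
end

# Minimal spider: breadth-first over same-site hrefs, restricted to `scope`
# (the equivalent of setting the target scope before spidering in Burp).
def spider(start, session, scope: '/')
  seen = Set.new
  queue = [start]
  until queue.empty?
    path = queue.shift
    next if seen.include?(path) || !path.start_with?(scope)
    status, body = http_get(path, session)
    seen << path
    next unless status == 200
    body.scan(/href="([^"]+)"/).flatten.each { |href| queue << href }
  end
  seen
end

# Forced-browsing check: URLs found only by the privileged crawl are the
# "restricted links"; each is re-requested anonymously, and a 200 with the
# same body as the admin view means the server does not restrict it.
def unrestricted_urls(start = '/')
  admin_urls = spider(start, :admin)
  anon_urls  = spider(start, :anonymous)
  (admin_urls - anon_urls).to_a.select do |path|
    _, admin_body = http_get(path, :admin)
    anon_status, anon_body = http_get(path, :anonymous)
    anon_status == 200 && anon_body == admin_body
  end.sort
end

if __FILE__ == $0
  puts "Restricted links reachable without a session:"
  unrestricted_urls.each { |path| puts "  #{path}" }
end
```

Against a real target the `http_get` stand-in is the only part that changes: replace it with a client that sends the admin cookie for the privileged crawl and no cookie for the replay, and keep the scope check, since the spider should never follow links off the authorized host.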