Testing for the Vulnerability
To test for this vulnerability, look at the response you get when you send an HTTP request to the restricted page without being authenticated. Imagine a website, target.com, with a restricted page admin.php. On submitting a GET request to admin.php, we get a “302 Moved Temporarily” response that sends us to the login page. You may instead get a “302 Found” or some other status, depending on the application. The status code is not the important point; what matters is whether the response body already contains the restricted resource. If it does, the server has decided to redirect us but has written the protected page out anyway, and only the browser's habit of following the Location header keeps us from seeing it.
In order to analyze the request and response, we will send the request to burp repeater:
We can see that, on accessing the admin.php page, we get a “302 Moved Temporarily” response.
Ethical Hacking and Penetration Testing Guide
We will now change the status line of the response from “302 Moved Temporarily” to “200 OK” before it reaches the browser. If the browser then renders the contents of admin.php, the web application is not protected against the HTTP response tampering attack: the restricted content was in the response all along, and the redirect was the only thing between us and it. The usual cause is server-side code that emits the redirect header but keeps executing and writing the page (in PHP, a header("Location: ...") call with no exit after it). Note that the tampering happens entirely in our own proxy; nothing different is sent to the server, so the fix belongs on the server, which must stop generating the protected content for an unauthenticated user rather than relying on the redirect.
Automating It with Burp Suite
To automate this, ask Burp Suite to rewrite every “302 Moved Temporarily” response to “200 OK.” Navigate to Proxy → Options and, in the Match and Replace section, click “Add” to create a new rule with the following details: type “Response header,” match “302 Moved Temporarily,” replace “200 OK.” From then on, whenever Burp sees a “302 Moved Temporarily” status line in a response, it replaces it with “200 OK” automatically and the browser renders whatever body came with it. If the application sends “302 Found” instead, add a second rule for that string, or use a regex match that covers both.
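The check described above, and the status-line rewrite that the Burp rule performs, as an added Python example (not code from the book or from Burp). The raw responses, the host target.com, the paths admin.php and login.php, and the regex of stock Apache/nginx redirect notices are constructed here; the leak test is a heuristic (a redirect whose body is more than a stock “moved” notice), so its result is a lead to inspect in Repeater, not a verdict.

```python
"""Check a protected page for the HTTP response-tampering flaw: a 302 to the
login page whose body already carries the restricted content.  Added example,
not the book's code; the host, paths and raw responses are constructed."""
import re
import urllib.error
import urllib.request

# Stock redirect notices emitted by Apache and nginx; these bodies are not leaks.
BOILERPLATE = re.compile(r"document has moved|<h1>30[12] (?:Found|Moved)", re.I)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def redirect_leak(status: int, headers: dict, body: bytes) -> dict:
    """Flag a redirect whose body is more than a stock 'moved' notice.
    That body is what the client sees once it stops following Location."""
    text = body.decode("utf-8", "replace").strip()
    leaks = 300 <= status < 400 and bool(text) and not BOILERPLATE.search(text)
    return {
        "status": status,
        "location": headers.get("location"),
        "body_bytes": len(body),
        "leaks_content": leaks,
    }


def check_raw(raw: bytes) -> dict:
    """Run redirect_leak on a raw response, e.g. one pasted from Burp Repeater."""
    return redirect_leak(*parse_response(raw))


def rewrite_status(raw: bytes, old=b"302 Moved Temporarily", new=b"200 OK") -> bytes:
    """What the Burp Match and Replace rule does: swap the status on the status
    line only, so the browser renders the body instead of redirecting."""
    first, sep, rest = raw.partition(b"\r\n")
    return first.replace(old, new) + sep + rest


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it


def probe(url: str) -> dict:
    """Live version of the check (network call; not used by the offline demo)."""
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(url, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # a 3xx/4xx/5xx lands here and is still readable
    headers = {k.lower(): v for k, v in resp.headers.items()}
    return redirect_leak(resp.code, headers, resp.read())


# Constructed responses: the vulnerable case, a correct redirect, and Apache's
# stock redirect page.  None were captured from a real host.
LEAKY_302 = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Location: http://target.com/login.php\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><h1>Admin panel</h1>\n"
    b"<a href='users.php'>Manage users</a></body></html>\n"
)
PROPER_302 = (
    b"HTTP/1.1 302 Found\r\nLocation: /login.php\r\nContent-Length: 0\r\n\r\n"
)
APACHE_302 = (
    b"HTTP/1.1 302 Found\r\nLocation: /login.php\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><title>302 Found</title></head><body>\n"
    b'<p>The document has moved <a href="/login.php">here</a>.</p>\n</body></html>\n'
)

if __name__ == "__main__":
    for name, raw in [("leaky", LEAKY_302), ("proper", PROPER_302), ("apache", APACHE_302)]:
        print(name, check_raw(raw))
    print(rewrite_status(LEAKY_302).split(b"\r\n", 1)[0])
```

Run it against a captured response with check_raw, or against a live URL with probe; only the leaky case reports leaks_content, and rewrite_status shows that nothing but the first line changes when Burp rewrites the status.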
Authentication Bypass with Insecure Cookie Handling
The vulnerability we will look at in this section is one I found on a live website that is still vulnerable at the time of writing, so I will not reveal any information about the site. The website was vulnerable to insecure cookie handling: it checked only whether a particular cookie was present and, if it was, granted access to the protected area. If the cookie was not present, it returned an error.
Web Hacking
The homepage of the website contained a log-in form. Obviously, before proceeding, I tested the form for SQL injection; however, the website had been patched against it.
Next, while crawling the website with Burp's spider feature, I found some of the restricted links:
Target.com/student/default.aspx
Target.com/student/portfolio.aspx
The protected resources returned a “500 Internal Server Error.” I tested them against the HTTP response tampering attack described above to bypass authentication; however, the response body did not reveal any content.
The following screenshot shows the “500 Internal Server Error” I received upon accessing the protected resource.
While poking around a bit, I figured out that the website uses bitstudent as its cookie name. I sent an empty bitstudent cookie (Cookie: bitstudent=) and was able to log in to the website as an administrator.
As described before, the vulnerability was due to insecure cookie handling: the application checked that the cookie existed, not that its value was a valid session. The runtime error we received earlier occurred because the application was expecting the bitstudent cookie and, when it was not provided, failed while trying to read it instead of redirecting to the login page. A 500 on an unauthenticated request to a protected page is itself a hint worth chasing: it means the access check is not the first thing the page does.
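The two behaviours above, the presence-only check that the site exhibited and a hardened check that verifies the cookie's value, as an added Python example. This is not the target site's code: the site was ASP.NET and its source was never seen, so vulnerable_portal is a reconstruction of the observed behaviour (500 without the cookie, admin access with an empty one), and the HMAC-signed session value used by hardened_portal, the SECRET, the user names and the /login.aspx path are assumptions made for the example.

```python
"""Presence-only cookie check (reconstructed from the observed behaviour)
beside a check that verifies the cookie's value.  Added example; the site's
real code was never seen and the HMAC session scheme is an assumption."""
import hashlib
import hmac

SECRET = b"constructed-server-secret"  # constructed; real one lives in config


def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie: header parser: 'a=1; b=' -> {'a': '1', 'b': ''}."""
    jar = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def vulnerable_portal(cookie_header: str) -> tuple:
    """Reconstruction of the flaw: access is granted if the cookie *exists*.
    Reading a missing cookie raises, and the unhandled error becomes a 500."""
    jar = parse_cookie_header(cookie_header)
    try:
        _ = jar["bitstudent"]  # KeyError when absent -> unhandled -> 500
    except KeyError:
        return (500, "Internal Server Error")
    return (200, "student portfolio (admin)")  # any value, even "", passes


def issue_session(user: str, role: str) -> str:
    """Server-side: cookie value is user|role|HMAC-SHA256(user|role)."""
    if "|" in user or "|" in role:
        raise ValueError("field separator not allowed in user or role")
    payload = f"{user}|{role}"
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def hardened_portal(cookie_header: str) -> tuple:
    """Presence is not proof: parse, verify the MAC, then check the role.
    Absent, empty, malformed and forged cookies all take the same redirect,
    so nothing about the check leaks through the status code."""
    token = parse_cookie_header(cookie_header).get("bitstudent", "")
    parts = token.split("|")
    if len(parts) != 3:
        return (302, "/login.aspx")
    user, role, tag = parts
    expected = hmac.new(SECRET, f"{user}|{role}".encode(), hashlib.sha256).hexdigest()
    # compare_digest on bytes: a non-ASCII tag from the client must not raise
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return (302, "/login.aspx")
    if role != "admin":
        return (403, "Forbidden")
    return (200, f"student portfolio (admin: {user})")


if __name__ == "__main__":
    for hdr in ["", "bitstudent=", f"bitstudent={issue_session('alice', 'admin')}"]:
        print(repr(hdr), vulnerable_portal(hdr), hardened_portal(hdr))
```

Running it reproduces the write-up: no cookie gives the vulnerable handler a 500 and an empty cookie gives it a 200, while the hardened handler only returns 200 for a value it signed itself and treats a student token with its role edited to admin exactly like no cookie at all.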