Ethical Hacking and Penetration Testing Guide


335
Testing for the Vulnerability
To test for this vulnerability, you need to look at the response you get when sending an 
HTTP request to the restricted page. Imagine a website, target.com, with a restricted page admin.
php. On submitting a GET request to admin.php, we get a "302 Moved Temporarily" response. You 
may also get a "302 Found" response, or some other redirect, depending on the application. The 
important point to note is whether the response body contains the restricted resource: a redirect is 
only an instruction to the browser, and a server that writes out the protected page before (or 
instead of) stopping has already leaked it.
In order to analyze the request and response, we will send the request to Burp Repeater:
We can see that, on accessing the admin.php page, we are getting a "302 Moved Temporarily" 
response.


We will now change the response status from "302 Moved Temporarily" to "200 OK." If, on doing 
so, the browser renders the contents of admin.php, the web application is vulnerable to the HTTP 
response tampering attack: the server sent the protected content along with the redirect, and only 
the client-side redirect was hiding it.
Automating It with Burp Suite
To automate this process, you can ask Burp Suite to change all responses from "302 Moved 
Temporarily" to "200 OK." To do this, navigate to Proxy → Options and, in the Match and Replace 
section, click on "Add a new rule" and enter the details as follows:
The next time Burp sees a "302 Moved Temporarily" status line, it will replace it with "200 
OK" automatically. Remember that the rewrite only changes what your browser does with the 
response; the finding is that the protected content was in the response body to begin with.
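To make the check concrete, here is an added Python example (not code from the book) that parses raw HTTP responses, flags a redirect whose body already carries the protected page, and performs the same status-line rewrite that the Burp Match and Replace rule does. The three sample responses and the content markers (admin, logout, form, delete) are constructed for this example; in live testing you would fetch the page with redirects disabled (for instance with http.client) and feed the raw bytes to these functions.

```python
"""Offline check for HTTP response tampering (redirect that leaks its body).

Added example, not from the book. Parses raw HTTP/1.1 responses, reports
3xx responses whose body already contains the protected page, and shows
the Burp-style rewrite of the status line to '200 OK'.
"""
import re

# Constructed sample responses (not captured from any real site).
# 1. Vulnerable pattern: header says "redirect", body is the admin page.
LEAKY_302 = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Location: /login.php\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Admin panel</h1>"
    b"<a href='deleteuser.php?id=7'>Delete user</a></body></html>"
)
# 2. Safe pattern: redirect with an empty body.
SAFE_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /login.php\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# 3. Safe pattern: the stock "document has moved" page many servers emit.
APACHE_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /login.php\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><p>The document has moved <a href=\"/login.php\">here</a>.</p></body></html>"
)

# Strings that indicate real page content rather than a redirect stub (assumed markers).
ADMIN_MARKERS = (b"<form", b"admin", b"logout", b"delete")


def parse_response(raw: bytes):
    """Split a raw response into (status_code, reason, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)          # e.g. "HTTP/1.1 302 Moved Temporarily"
    status = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, reason, headers, body


def leaks_protected_content(raw: bytes) -> bool:
    """True when a redirect response carries substantive page content in its body."""
    status, _reason, _headers, body = parse_response(raw)
    if not 300 <= status < 400:
        return False                         # not a redirect; nothing to tamper with
    stripped = body.strip()
    if not stripped:
        return False                         # empty body: the redirect is all there is
    # A minimal "moved" stub is normal; markup for the protected page is not.
    return any(marker in stripped.lower() for marker in ADMIN_MARKERS)


def force_200(raw: bytes) -> bytes:
    """Equivalent of the Burp Match and Replace rule: rewrite any 3xx status line
    to '200 OK' and drop Location so a browser renders the body instead of redirecting."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    lines[0] = re.sub(rb"^(HTTP/\d\.\d) 3\d\d.*$", rb"\1 200 OK", lines[0])
    lines = [l for l in lines if not l.lower().startswith(b"location:")]
    return b"\r\n".join(lines) + sep + body


if __name__ == "__main__":
    for name, sample in (("LEAKY_302", LEAKY_302), ("SAFE_302", SAFE_302), ("APACHE_302", APACHE_302)):
        print(f"{name}: leaks protected content = {leaks_protected_content(sample)}")
    print(force_200(LEAKY_302).split(b"\r\n")[0])
```

The decision is made on the body, not on the status code: forcing a 200 in the proxy is just the quickest way to see that body in a browser. A server that emits an empty redirect, or only the stock "document has moved" stub, passes; one that has already rendered the admin page fails regardless of what the status line said.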
Authentication Bypass with Insecure Cookie Handling
The vulnerability we will look at in this section is one I found on a live website; the 
website is still vulnerable at the time of writing, so I will not reveal any information about 
it. The website was vulnerable to insecure cookie handling: it checked whether a particular 
cookie was present and, if so, granted access to a protected area. If the cookie was not present, it 
returned an error.


The homepage of the website contained a log-in form. Obviously, before proceeding, I tested 
the form for SQL injection; however, the website was patched.
Next, while crawling the website using Burp's Spider feature, I managed to find some of 
the restricted links:
Target.com/student/default.aspx
Target.com/student/portfolio.aspx
The target resources returned a "500 Internal Server Error." I tested the protected resources 
against the HTTP response tampering attack described above to bypass authentication; however, 
the response did not reveal any content.


The following screenshot shows the "500 Internal Server Error" I received upon accessing 
the protected resource.
While looking around a bit, I found that the website uses bitstudent as its cookie name. 
I sent an empty bitstudent cookie, and I was able to log in to the website as an administrator.
As described before, the vulnerability occurred due to insecure cookie handling: the application 
only checked that the cookie was present, not that its value was a valid session. The runtime 
error we received earlier was caused by the application expecting the bitstudent cookie, 
which was not provided.
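The following Python example, added here and not code from the book or from the affected site, reproduces the behaviour described above (a handler that dereferences the cookie unconditionally and accepts any value, including an empty one) next to a hardened handler that only accepts an HMAC-signed session cookie and answers a missing cookie with a clean redirect instead of a 500. Only the cookie name bitstudent comes from the text; the session format, the server key, the user names and the URL are assumptions.

```python
"""Presence-only cookie check (the bug described) beside a signed-session check.

Added example, not from the book. Cookie name 'bitstudent' is from the text;
everything else (session format, key, user names, login URL) is assumed.
"""
import hashlib
import hmac
import secrets

# Assumed server-side secret; in real code load it from outside the source tree.
SERVER_KEY = b"replace-with-a-random-32-byte-secret"


def vulnerable_portal(cookies: dict) -> tuple:
    """Request handler as the text describes it: the cookie is dereferenced
    unconditionally, so a missing cookie raises and the framework turns that into
    a 500, while any present value, even "", is treated as a valid login."""
    try:
        cookies["bitstudent"]                   # KeyError when the cookie is absent
    except KeyError:
        return 500, "Internal Server Error"     # the error the author saw first
    return 200, "ADMIN PORTAL"                  # empty cookie -> administrator access


def issue_session_cookie(username: str, key: bytes = SERVER_KEY) -> str:
    """Create 'username:nonce:tag', where tag = HMAC-SHA256(key, 'username:nonce')."""
    nonce = secrets.token_hex(8)
    payload = f"{username}:{nonce}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def hardened_is_authorized(cookies: dict, key: bytes = SERVER_KEY):
    """Return the authenticated username, or None for a missing, empty,
    malformed or forged cookie. The tag comparison is constant-time."""
    value = cookies.get("bitstudent")
    if not value:                               # None or "" -> not logged in
        return None
    parts = value.split(":")
    if len(parts) != 3:
        return None
    username, nonce, tag = parts
    expected = hmac.new(key, f"{username}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return username


def hardened_portal(cookies: dict, key: bytes = SERVER_KEY) -> tuple:
    """Same endpoint with the check fixed: unauthenticated requests get a bare
    redirect to the (assumed) login page with no protected content in the body."""
    user = hardened_is_authorized(cookies, key)
    if user is None:
        return 302, "/login.aspx"
    return 200, f"ADMIN PORTAL for {user}"


if __name__ == "__main__":
    print("vulnerable, no cookie:   ", vulnerable_portal({}))
    print("vulnerable, empty cookie:", vulnerable_portal({"bitstudent": ""}))
    good = issue_session_cookie("alice")
    print("hardened, empty cookie:  ", hardened_portal({"bitstudent": ""}))
    print("hardened, valid cookie:  ", hardened_portal({"bitstudent": good}))
    print("hardened, forged cookie: ", hardened_portal({"bitstudent": good.replace("alice", "admin")}))
```

The signed cookie shown here is the stateless option; a server-side session store keyed by a random token gives the same property (the value, not the mere presence, is what is checked) and additionally lets you revoke sessions and enforce expiry. Either way the 500 disappears, because a missing cookie is a normal, expected input rather than an unhandled exception.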

