336 ◾ Ethical Hacking and Penetration Testing Guide
We will now change the response from “302 Moved Temporarily” to “200 OK.” If, on doing so, we gain access to the contents of admin.php, it means the web application is not protected against the HTTP response tampering attack.
Automating It with Burp Suite
To automate this process, you can ask Burp Suite to change all the responses from “302 Moved Temporarily” to “200 OK.” To do this, navigate to Proxy → Options and, in the Match and Replace section, click on “Add a new rule” and enter details as follows:
The next time Burp sees a “302 Moved Temporarily” header, it will replace it with “200 OK” automatically.
Authentication Bypass with Insecure Cookie Handling
The vulnerability we will look at in this section is one I found on a live website, and the website is still vulnerable to this day; therefore, I will not be revealing any information about the website. The website was vulnerable to insecure cookie handling: it checked whether a particular cookie was present and, if so, provided access to a protected storage area. If the cookie was not present, it returned an error.
The homepage of the website contained a log-in form. Obviously, before proceeding, I tested the form for SQL injection; however, the website was patched.
Next, while crawling the website using Burp’s Spider feature, I managed to figure out some of the restricted links.
Target.com/student/default.aspx
Target.com/student/portfolio.aspx
The target resources returned a “500 Internal Server Error.” I tested the protected resource against the HTTP response tampering attack to bypass authentication; however, the response did not reveal any content.
The following screenshot shows the “500 Internal Server Error” I received upon accessing the protected resource.
While peeking around a bit, I figured out that the website uses bitstudent as its cookie name. I sent an empty bitstudent cookie, and I was able to log in to the website as an administrator.
As described before, the vulnerability occurred due to insecure cookie handling. The runtime error we received was due to the fact that the application was expecting the bitstudent cookie, which was not provided.
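As an added example (not from the book), the following Python models the two server-side mistakes discussed in this section: a redirect that still carries the protected body, which is why a 302 rewritten to 200 OK can expose admin.php, and a presence-only cookie check like the bitstudent one, each beside a hardened version and a check that exercises it. The handler names, the session store and the page contents are constructed for illustration.

```python
import secrets
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], str]
Handler = Callable[[Dict[str, str]], Response]

# Constructed protected content and a hypothetical session store
# (cookie value -> role); nothing here is from the book.
ADMIN_BODY = "<h1>admin.php</h1>"
SESSIONS = {secrets.token_hex(16): "admin"}


def admin_page_vulnerable(cookies: Dict[str, str]) -> Response:
    """Presence-only cookie check; the 302 still carries the admin body."""
    if "bitstudent" not in cookies:
        # No early return: the protected page is rendered into the redirect.
        status, headers = 302, {"Location": "/login"}
    else:
        status, headers = 200, {}
    return status, headers, ADMIN_BODY


def admin_page_hardened(cookies: Dict[str, str]) -> Response:
    """Validate the cookie value server-side; redirect with an empty body."""
    role = SESSIONS.get(cookies.get("bitstudent", ""))
    if role != "admin":
        return 302, {"Location": "/login"}, ""  # stop here; nothing leaks
    return 200, {}, ADMIN_BODY


def tampered_client_view(resp: Response) -> str:
    """Body a browser renders if a proxy rewrites the 302 status to 200 OK,
    as the Match and Replace rule above does."""
    status, _headers, body = resp
    if status == 302:
        status = 200
    return body if status == 200 else ""


def leaks_on_tampering(handler: Handler) -> bool:
    """Check: does an unauthenticated request expose the protected body?"""
    return ADMIN_BODY in tampered_client_view(handler({}))


def accepts_empty_cookie(handler: Handler) -> bool:
    """Check: is an empty bitstudent cookie accepted as a valid login?"""
    return handler({"bitstudent": ""})[0] == 200
```

The hardened handler passes both checks because authorization depends on a server-side lookup of the cookie value, not on the cookie's presence, and because the redirect response carries no body for a rewritten status line to expose.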