Ethical Hacking and Penetration Testing Guide
Testing for the Vulnerability
Yüklə 22,44 Mb. Pdf görüntüsü
|
- Bu səhifədəki naviqasiya:
- Automating It with Burp Suite
- Authentication Bypass with Insecure Cookie Handling
|
335
Testing for the Vulnerability To test for this vulnerability, you need to take a look at the response that you get when sending an HTTP request to the restricted page. Imagine a website, target.com, with a restricted page admin. php. On submitting a GET request to admin.php, we get a “302 Moved Temporarily” error. You may also get a “302 found” response or any other response depending upon the content. The important point to note is if the response body contains the restricted resource. In order to analyze the request and response, we will send the request to burp repeater: We can see that, on accessing the admin.php page, we are getting a “302 Moved Temporarily” error. 336 ◾ Ethical Hacking and Penetration Testing Guide We will now change the response from “302 Moved Temporarily” to “200 found.” On doing so, if we get access to the admin page to the contents of admin.php, it means the web application is not protected against the http response tampering attack. Automating It with Burp Suite To automate this process, you can ask burp suite to change all the responses from “302 Moved Temporarily” to “200 OK.” To do this, navigate to Proxy → Options and in the Math and Replace section, click on “Add a new rule” and enter details as follows: The next time, burp looks at any “302 Moved Temporarily” header, it will replace it with “200 OK” automatically. Authentication Bypass with Insecure Cookie Handling The vulnerability we will look at in this section was one I found on a live website, and the website is vulnerable till date; therefore, I will not be revealing any information about the website. The website was vulnerable to an insecure cookie handling. It checked if a particular cookie was present and provided access to a protected storage. If the cookie was not present, it returned an error. Web Hacking ◾ 337 The homepage of the website contained a log-in form. Obviously, before proceeding, I tested the form for SQL injection; however, the website was patched. Next, while crawling the website using burp’s spider feature, I managed to figure out some of the restricted links. Target.com/student/default.aspx Target.com/student/portfolio.aspx The target resources returned a “500 Internal Server Error.” I tested the protected resource against HTTP response tampering attack to bypass authentication; however, the response did not reveal any content. 338 ◾ Ethical Hacking and Penetration Testing Guide The following screenshot shows us the “500 Internal Server Error” I received upon accessing the protected resource While peeking around a bit, I figured out that the website uses bitstudent as their cookie name. I sent an empty “bitstudent cookie,” and I was able to log in to the website as an administrator. As described before, the vulnerability occurred due to insecure cookie handling. The runtime error that we received was due to the fact that the application was expecting the bitstudent cookie, which was not provided. |