Chapter 4  ■ Mapping the Application

■

Review the names and values of all parameters being submitted to the

■

Try to think like a programmer, and imagine what server-side mecha-

Often, an application behaves in a consistent way across the range of its func-

tionality. This may be because different functions were written by the same

developer, or to the same design specification, or share some common code

components. In this situation, it may be possible to draw conclusions about

server-side functionality in one area and extrapolate these to another area.

For example, the application may enforce some global input validation

checks, such as sanitizing various kinds of potentially malicious input before

it is processed. Having identified a blind SQL injection vulnerability, you may

encounter problems exploiting it, because your crafted requests are being

modified in unseen ways by the input validation logic. However, there may be

other functions within the application that provide good feedback about the

kind of sanitization being performed — for example, a function that echoes

some user-supplied data back to the browser. You may be able to use this func-

tion to test different encodings and variations of your SQL injection payload,

to determine what raw input must be submitted to achieve the desired attack

string after the input validation logic has been applied. If you are lucky, the

validation works in the same way across the application, enabling you to

exploit the injection flaw.

Some applications use custom obfuscation schemes when storing sensitive

data on the client, to prevent casual inspection and modification of this data by

users (see Chapter 5). Some such schemes may be extremely difficult to deci-

pher given access to only a sample of obfuscated data. However, there may be

functions within the application where a user can supply an obfuscated string

and retrieve the original — for example, an error message may include the

deobfuscated data which led to the error. If the same obfuscation scheme is

used throughout the application, it may be possible to take an obfuscated

string from one location (for example a cookie), and feed it into the other func-

tion to decipher its meaning. It may also be possible to reverse engineer the

obfuscation scheme by submitting systematically varying values to the func-

tion and monitoring their deobfuscated equivalents.