The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws
Figure 5-1:  A typical HTML form

Chapter 5 



Bypassing Client-Side Controls
The code behind this form is as follows (only the visible text of the form survives on this page):

    Product: Sony VAIO A217S
    Quantity:

Notice the form field called price, which is flagged as hidden. This field will be sent to the server when the user submits the form:

    POST /order.asp HTTP/1.1
    Host: wahh-app.com
    Content-Length: 23

    quantity=1&price=1224.95

Now, although the price field is not displayed on-screen, and it is not editable by the user, this is solely because the application has instructed the browser to hide the field. Because everything that occurs on the client side is ultimately within the user's control, this restriction can be circumvented in order to edit the price.

One way to achieve this is to save the source code for the HTML page, edit the value of the field, reload the source into a browser, and click the Buy button. However, a more elegant and easier method is to use an intercepting proxy to modify the desired data on the fly.
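The server-side consequence of the hidden field described above, shown as an added example that is not the book's code. It parses the exact POST body from the chapter, contrasts a handler that trusts the client-supplied price (the flaw the chapter is describing) with one that ignores it and charges the catalogue price, and reports a mismatch so the application can log the tampering attempt. The catalogue, the product name passed to the hardened handler, and the quantity limit are assumptions made for the example.

```python
from decimal import Decimal, InvalidOperation
from typing import Tuple
from urllib.parse import parse_qs

# Constructed samples: the request body from the chapter, and the same body
# with the hidden price field altered on its way to the server.
ORIGINAL_BODY = "quantity=1&price=1224.95"
TAMPERED_BODY = "quantity=1&price=1.00"

# Hypothetical server-side catalogue: the only trustworthy source of prices.
CATALOGUE = {"Sony VAIO A217S": Decimal("1224.95")}


def parse_order(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single-valued fields."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def vulnerable_total(body: str) -> Decimal:
    """The flaw: multiply quantity by whatever price the client sent.
    'Hidden' is a rendering hint to the browser, not a restriction on the user,
    so this total is whatever the submitter wants it to be."""
    order = parse_order(body)
    return Decimal(order["price"]) * int(order["quantity"])


def hardened_total(body: str, product: str) -> Tuple[Decimal, bool]:
    """Charge the catalogue price and validate quantity on the server.
    The client-supplied price is never used for the calculation; it is only
    compared against the catalogue so the caller can log a tampering attempt.
    Returns (total, tampered). The product would normally come from server-side
    state such as the session or a server-chosen product id (assumed here)."""
    order = parse_order(body)
    try:
        quantity = int(order.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= quantity <= 99:  # assumed business limit for the example
        raise ValueError("quantity out of range")

    unit_price = CATALOGUE[product]
    tampered = False
    client_price = order.get("price")
    if client_price is not None:
        try:
            tampered = Decimal(client_price) != unit_price
        except InvalidOperation:
            tampered = True  # non-numeric price is tampering too
    return unit_price * quantity, tampered


if __name__ == "__main__":
    print("vulnerable, original body:", vulnerable_total(ORIGINAL_BODY))
    print("vulnerable, tampered body:", vulnerable_total(TAMPERED_BODY))
    print("hardened, tampered body:  ", hardened_total(TAMPERED_BODY, "Sony VAIO A217S"))
```

The design point is that the hardened handler does not try to detect "bad" prices and reject them; it simply never reads the price from the request for anything except logging. Any value that the application needs to be correct has to be recomputed or looked up on the server.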

An intercepting proxy is tremendously useful when attacking a web application and is the one truly indispensable tool that you need in your arsenal. There are numerous such tools available, but the most functional and popular are:

■ Burp Proxy (part of Burp Suite)
■ WebScarab
■ Paros

The proxy sits between your web browser and the target application. It intercepts every request issued to the application, and every response received back, for both HTTP and HTTPS. It can trap any intercepted message for inspection or modification by the user. The proxies listed also have numerous advanced functions to make your job easier, including:

■ Fine-grained rules to control which messages are trapped.
■ Regex-based replacement of message content.


