The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws
If you find an application that is vulnerable in this way, see whether you can submit a negative amount as the price. In some cases, applications have actually accepted transactions using negative prices. The attacker receives a refund to their credit card and also the goods which they ordered — a win-win situation if ever there was one.

Chapter 5: Bypassing Client-Side Controls

HTTP Cookies

Another common mechanism for transmitting data via the client is HTTP cookies. As with hidden form fields, these are not normally displayed on-screen or directly modifiable by the user. They can, of course, be modified using an intercepting proxy, either by changing the server response that sets them, or subsequent client requests that issue them.

Consider the following variation on the previous example. When a customer logs in to the application, she receives the following response:

HTTP/1.1 302 Found
Location: /home.asp
Set-Cookie: SessId=191041-1042
Set-Cookie: UID=1042
Set-Cookie: DiscountAgreed=25

This response sets three cookies, all of which are interesting. The first appears to be a session token, which may be vulnerable to sequencing or other attacks. The second appears to be a user identifier, which can potentially be leveraged to exploit access control weaknesses. The third appears to represent a discount rate that the customer will receive on purchases.

This third cookie points towards a classic case of relying on client-side controls (the fact that cookies are normally unmodifiable) to protect data transmitted via the client. If the application trusts the value of the DiscountAgreed cookie when it is submitted back to the server, then customers can obtain arbitrary discounts by modifying its value. For example:

POST /order.asp HTTP/1.1
Host: wahh-app.com
Cookie: SessId=191041-1042; UID=1042; DiscountAgreed=99
Content-Length: 23

quantity=1&price=1224.95
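To make the DiscountAgreed scenario (and the negative-price trick above) concrete, here is an added Python illustration that is not from the book: one order-total routine that trusts the client-supplied price and cookie, beside one that resolves price and discount from server-side state keyed by the session. The catalogue, session table and the product argument are assumptions made for the example.

```python
from decimal import Decimal, ROUND_HALF_UP
from urllib.parse import parse_qs

CENT = Decimal("0.01")
# Constructed server-side state (stand-in for the shop's database):
# catalogue price and the discount actually agreed for this session.
CATALOGUE = {"VAIOA217S": Decimal("1224.95")}
SESSIONS = {"191041-1042": {"uid": "1042", "discount_pct": 25}}

# Constructed request mirroring the one in the text, DiscountAgreed raised to 99.
TAMPERED_REQUEST = (
    "POST /order.asp HTTP/1.1\n"
    "Host: wahh-app.com\n"
    "Cookie: SessId=191041-1042; UID=1042; DiscountAgreed=99\n"
    "Content-Length: 23\n"
    "\n"
    "quantity=1&price=1224.95"
)

def parse_request(raw):
    """Return (cookies, form fields) from a raw HTTP request."""
    head, _, body = raw.partition("\n\n")
    cookies = {}
    for line in head.splitlines()[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                cookies[k] = v
    form = {k: v[0] for k, v in parse_qs(body.strip()).items()}
    return cookies, form

def total_trusting_client(raw):
    """Vulnerable: price and discount are taken straight from the client."""
    cookies, form = parse_request(raw)
    subtotal = Decimal(form["price"]) * int(form["quantity"])
    discount = Decimal(cookies.get("DiscountAgreed", "0"))
    return (subtotal * (100 - discount) / 100).quantize(CENT, rounding=ROUND_HALF_UP)

def total_server_side(raw, product):
    """Hardened: the session fixes the discount, the catalogue fixes the price;
    client price and DiscountAgreed are ignored. product is assumed (a real shop reads its cart)."""
    cookies, form = parse_request(raw)
    session = SESSIONS.get(cookies.get("SessId"))
    if session is None:
        raise PermissionError("unknown session")
    quantity = int(form["quantity"])
    if quantity <= 0:
        raise ValueError("quantity must be positive")
    subtotal = CATALOGUE[product] * quantity
    return (subtotal * (100 - session["discount_pct"]) / 100).quantize(CENT, rounding=ROUND_HALF_UP)
```

With the tampered request the trusting version charges 12.25 while the server-side version still charges 918.71; a negative client price likewise only affects the trusting version.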

URL Parameters

Applications frequently transmit data via the client using preset URL parameters. For example, when a user browses the product catalogue, the application may provide them with hyperlinks to URLs like the following:

https://wahh-app.com/browse.asp?product=VAIOA217S&price=1224.95

When a URL containing parameters is displayed in the browser's location bar, any parameters can be trivially modified by any user without the use of