Chapter 13  ■ Automating Bespoke Attacks

Harvesting Useful Data

The second main use of bespoke automation when attacking an application is

to extract useful or sensitive data by using specific crafted requests to retrieve

the information one item at a time. This situation most commonly arises when

you have identified an exploitable vulnerability, such as an access control flaw,

that enables you to access an unauthorized resource by specifying an identifier

for it. However, it may also arise when the application is functioning entirely

as intended by its designers. Here are some examples of cases where auto-

mated data harvesting may be useful:

■■

An online retailing application contains a facility for registered cus-

tomers to view their pending orders. However, if you can determine the

order numbers assigned to other customers, then you can view their

order information in just the same way as your own.

■■

A forgotten password function relies upon a user-configurable chal-

lenge. You can submit an arbitrary username and view the associated

challenge. By iterating through a list of enumerated or guessed user-

names, you can obtain a large list of users’ password challenges, to

identify those that are easily guessable.

■■

A workflow application contains a function to display some basic

account information about a given user, including her privilege level

within the application. By iterating through the range of user IDs in

use, you can obtain a listing of all administrative users, which can be

used as the basis for password guessing and other attacks.

The basic approach to using automation to harvest data is essentially simi-

lar to the enumeration of valid identifiers, except that you are now not only

interested in a binary result (i.e., a hit or a miss), but are seeking to extract

some of the content of each response in a usable form. 

Consider the following request in an application used by an online retailer,

which displays the details of a specific order, including the personal informa-

tion of the user who made the order:

POST /ShowOrder.jsp HTTP/1.0

Host: wahh-app.com

Cookie: SessionId=21298FE012EEA892981; 

Content-Type: application/x-www-form-urlencoded

Content-Length: 37

OrderRef=1003073781&OrderType=retail

Although this application function is accessible only by authenticated users,

there is an access control vulnerability, which means that any user can view the

Download 5,76 Mb.

Do'stlaringiz bilan baham: