The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Chapter 13  Automating Bespoke Attacks  493

Choosing Payloads

The next step in preparing an attack is to choose the set of payloads to be inserted at the defined positions. Intruder contains numerous built-in functions for generating attack payloads, including the following:

■ Lists of preset and configurable items.

■ Custom iteration of payloads based on any syntactic scheme. For example, if the application uses usernames of the form ABC45D, then the custom iterator can be used to cycle through the range of all possible usernames.

■ Character and case substitution. From a starting list of payloads, Intruder can modify individual characters and their case to generate variations. This can be useful when brute forcing passwords: for example, the string password can be modified to become p4ssword, passw0rd, Password, PASSWORD, and so on.

■ Numbers, which can be used to cycle through document IDs, session tokens, and so on. Numbers can be created in decimal or hexadecimal, as integers or fractions, sequentially, in stepped increments, or randomly. Producing random numbers within a defined range can be useful in searching for hits when you have an idea of how large some valid values are but have not identified any reliable pattern for extrapolating these.

■ Dates, which can be used in the same way as numbers in some situations. For example, if a login form requires entry of date of birth, this function can be used to brute force all of the valid dates within a specified range.

■ Illegal Unicode encodings, which can be used to bypass some input filters by submitting alternative encodings of malicious characters.

■ Character blocks, which can be used to probe for buffer overflow vulnerabilities (see Chapter 15).

■ A brute-forcer function, which can be used to generate all the permutations of a particular character set in a specific range of lengths. Using this function is a last resort in most situations because of the huge number of requests that it generates. For example, brute forcing all possible six-digit passwords containing only lowercase alphabetical characters produces more than three million permutations — more than can practically be tested with only remote access to the application.

Burp Intruder will by default URL-encode any characters that might invalidate your request if placed into the request in their literal form.
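As an added example (not code from the book or from Burp Suite), the following Python looks at the character/case substitution and brute-forcer functions described above from the defending side: a password-policy check that undoes the substitutions (p4ssword, passw0rd, PASSWORD) to recover the base word, so that disguised variants of a denylisted word are rejected, plus a keyspace calculator for what the brute-forcer function would have to send. The substitution table and denylist are constructed for illustration.

```python
"""Added example (not from the book or Burp Suite): the substitution and
brute-forcer payload functions, seen from the defending side as a
password-policy check.  Substitution table and denylist are constructed."""

# Character substitutions a payload generator would apply to a base word
# (constructed table; mirrors the book's p4ssword / passw0rd examples).
LETTER_TO_LEET = {"a": "4@", "e": "3", "o": "0", "i": "1!", "s": "$5", "t": "7"}

# Inverse table used to undo those substitutions when checking a candidate.
LEET_TO_LETTER = {leet: letter
                  for letter, leets in LETTER_TO_LEET.items() for leet in leets}

# Constructed denylist of base words the policy refuses in any disguise.
DENYLIST = {"password", "letmein", "welcome", "qwerty"}


def substitutions(word: str) -> set[str]:
    """Variants a character/case substitution function produces from one base
    word: the case variants plus every single-character leet swap."""
    out = {word, word.capitalize(), word.upper()}
    for i, ch in enumerate(word):
        for leet in LETTER_TO_LEET.get(ch, ""):
            out.add(word[:i] + leet + word[i + 1:])
    return out


def normalise(candidate: str) -> str:
    """Undo case and character substitution so that p4ssword, Passw0rd and
    PASSWORD all collapse to the base word 'password'."""
    return "".join(LEET_TO_LETTER.get(ch, ch) for ch in candidate.lower())


def is_weak(candidate: str) -> bool:
    """Reject a candidate whose normalised form is a denylisted base word."""
    return normalise(candidate) in DENYLIST


def keyspace_size(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of payloads a brute-forcer function generates for a character
    set of charset_size over lengths min_len..max_len inclusive."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    for v in sorted(substitutions("password")):
        print(f"{v:>10} -> {normalise(v)}  weak={is_weak(v)}")
    print("six lowercase letters:", keyspace_size(26, 6, 6))
```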