The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Chapter 13  ■ Automating Bespoke Attacks







TIP

The response length very frequently proves to be a strong indicator of anomalous responses that merit further investigation. As in the above case, a different length of response can point towards interesting differences that you may not have been anticipating when you devised the attack. Therefore, even if another attribute provides a reliable indicator of hits, such as the HTTP status code, you should always inspect the response length column to identify other responses that are interesting.

Attack 2: Harvesting Information

You use your intercepting proxy to set one of the more privileged session tokens in your browser and so begin using the application interactively as the compromised user. Among the various additional functionality to which you now have access is a logging function, which contains log entries for all kinds of actions performed by other users of the application. Logs of this kind often provide a gold mine of useful information that can assist you in furthering your attack. Reading through a few entries, you discover that the application is logging detailed debugging information whenever an error occurs. This includes the username of the relevant user, the user's session token, and the full parameters of the request. Such information is useful to application developers when investigating and resolving errors within the application, and it is equally useful to an attacker. You can quickly grab a list of valid usernames and session tokens, and you can also capture the data entered by many other application users. If an error occurred when a user supplied some sensitive information, such as a password or credit card details, then you will be able to harvest all of this information by trawling through the logs.

Log file entries are accessed using the following request, where the logid parameter is a sequential number:

POST /secure/logs.jsp HTTP/1.1
Host: wahh-app.com
Cookie: SessionID=000000-fb2200-16cb12-172ba72044
Content-Length: 83

action=view&resource=eventLogs&DB=wahh.audit&returnURL=/secure/logs.jsp&logid=29810


To configure Intruder to iterate through log file entries, you will need to use a numeric payload source to generate integers within the range of identifiers in use, and you will need to set a single payload position, targeting the logid parameter, as shown in Figure 13-5.
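Added here as an example that is not part of the book: detection logic a defender could run over the application's own request log to spot the sequential logid enumeration described above. It assumes a constructed log format in which each line records the session identifier and the logid parameter; the format, the sample lines and the threshold are assumptions, not anything the book specifies.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed format: the application's request log
# records the session id and the logid parameter of each log-viewing request).
SAMPLE_LOG = """\
session=000000-fb2200-16cb12-172ba72044 POST /secure/logs.jsp logid=29810 status=200 len=4120
session=000000-fb2200-16cb12-172ba72044 POST /secure/logs.jsp logid=29811 status=200 len=4131
session=000000-fb2200-16cb12-172ba72044 POST /secure/logs.jsp logid=29812 status=200 len=4098
session=000000-fb2200-16cb12-172ba72044 POST /secure/logs.jsp logid=29813 status=200 len=4120
session=000000-fb2200-16cb12-172ba72044 POST /secure/logs.jsp logid=29814 status=200 len=4140
session=aaaaaa-112233-445566-778899aabb POST /secure/logs.jsp logid=30552 status=200 len=4100
session=aaaaaa-112233-445566-778899aabb POST /secure/logs.jsp logid=29901 status=200 len=4103
"""

LINE_RE = re.compile(r"session=(\S+).*?logid=(\d+)")


def parse_log_requests(text):
    """Yield (session, logid) pairs, in log order, from the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2))


def longest_sequential_run(ids):
    """Length of the longest run in which each logid differs from the
    previous one by exactly 1 (ascending or descending)."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if abs(cur - prev) == 1 else 1
        best = max(best, run)
    return best


def find_enumerating_sessions(text, min_run=5):
    """Return {session: run_length} for every session whose longest run of
    consecutive logid values reaches min_run. A normal user clicking through
    the log viewer rarely produces long strictly sequential runs; a numeric
    payload iterating the parameter does, so this is a cheap indicator of
    identifier enumeration worth alerting on."""
    per_session = defaultdict(list)
    for session, logid in parse_log_requests(text):
        per_session[session].append(logid)
    flagged = {}
    for session, ids in per_session.items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged[session] = run
    return flagged
```

The root-cause fix remains the one the text implies: error handlers should never write session tokens, passwords or card data into logs readable by other users, regardless of whether enumeration is detected.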

