Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Controls
quantity=1&price=1224.95
How to edit the price
One way is to save the source code
for the HTML page, edit the value of
field, reload the source back into the
browser and click the Buy button.
Easier method is to use an
intercepting proxy to modify the data
Intercepting Proxy
Proxy sits between the web browser
and the target application
Intercepts every request sent to the
application and every response
It can trap any intercepted message
for inspection or modification
Intercepting Proxy Tools
Burp Proxy
WebScarab
Paros
Burp Proxy, WebScarab,
Paros
Fine-grained rules to control which messages
are trapped
Regex-based replacement of message content
Automatic updating of the Content-Length
header when messages are modified
Browsing history and message cache
Ability to replay and remodify individual
requests
Integration with other tools such as spiders
and fuzzers
Intercepting Proxy (cont)
HTTP cookies
Common method for transmitting
data via the client
Not normally displayed on-screen or
directly modifiable by the user
Can be modified with an intercepted
proxy
Changing the server response that sets
them
Subsequent client requests that issue
them
HTTP Cookie example
HTTP/1.1 302 Found
Location: /home.asp
Set-Cookie: SessId=191041-1042
Set-Cookie: UID=1042
Set-Cookie: DiscountAgreed=25
HTTP Cookie example (cont)
Changing discount rate:
POST /order.asp HTTP/1.1
Host: wahh-app.com
Cookie: SessId=191041-1042;
UID=1042; DiscountAgreed=99
Content-Length: 23
URL Parameters
Applications frequently transmit data
via the client using preset URL
parameters
Example: product catalogue
https://wahh-app.com/browse.asp?
product=VAIOA217S&price=1224.95
<script>
function ValidateForm(theForm)
{
var isInteger = /^\d+$/
if(!isInteger.test(theForm.quantity.value))
{
alert(Please enter a valid quantity);
return false;
}
return true;
}
</script>
<form action=order.asp method=post onsubmit=return
ValidateForm(this)>
<p>Product: Sony VAIO A217S</p>
<p>Quantity: <input size=2 name=quantity>
<input name=price type=hidden value=1224.95>
<input type=submit name=buy value=Buy!></p>
</form>
Hack Steps
Identify any cases where client-side JavaScript is used to perform
input validation prior to form submission.
Submit data to the server that the validation would ordinarily have
blocked, either by modifying the submission request to inject invalid
data or by modifying the form validation code to neutralize it.
As with length restrictions, determine whether the client-side
controls are replicated on the server, and if not, whether this can be
exploited for any malicious purpose.
Note that if multiple input fields are subjected to client-side
validation prior to form submission, you need to test each field
individually with invalid data, while leaving valid values in all of the
other fields. If you submit invalid data in multiple fields
simultaneously, it is possible that the server will stop processing the
form when it identifies the first invalid field, and so your testing is not
reaching all possible code paths within the application.
Disabled Elements
Element on an HTML form is flagged
as disabled, it appears on-screen but
is grayed out and is not editable or
usable
Consider the following form:
Disabled Elements
<form action=order.asp method=post>
<p>Product: <input disabled=true name=product
value=Sony VAIO
A217S></p>
<p>Quantity: <input size=2 name=quantity>
<input name=price type=hidden value=1224.95>
<input type=submit value=Buy!></p>
</form>
Capturing User Data: Thick-Client
Components
Capture data in various different ways, both via
input forms and in some cases by interacting
with the client operating systems file system or
registry
Perform complex validation and manipulation of
captured data prior to submission to the server
Because their internal workings are less
transparently visible than HTML forms and
JavaScript, developers are more likely to
assume that the validation they perform cant
be circumvented
Java Applets
Popular for implementing thick-client
components because they are cross-
platform and run in a sandboxed
environment, prevents against
various security problems
Cant access operating system
resources such as the file system
Main use: to capture user input or
other in-browser information
Java game example
<script>
function play()
{
alert(you scored + TheApplet.getScore());
document.location = submitScore.jsp?score= +
TheApplet.getObsScore() + &name= +
document.playForm.yourName.value;
}
</script>
<form name=playForm>
<p>Enter name: <input type=text name=yourName
value=></p>
<input type=button value=Play onclick=JavaScript:play()>
</form>
<applet code=https://wahh-game.com/JavaGame.class
id=TheApplet></applet>
Java example
URL entry that is returned after
playing game:
https://wahh-game.com/submitScore.jsp?score=
c1cc3139323c3e4544464d51515352585a61606a6b&name=d
af