
January 5, 2012

Web Proxy [Burp] - Second Session

Welcome back to the second session about the web proxy.

We ended the previous lesson after covering two labels (tabs): Proxy and Target.

Today we will learn about a label called Repeater.

The Repeater is a feature within Burp. Its job is to let you send the same request again and again, manually, editing it between sends.
The reasons one would want to use this feature are:
- to check a URL's parameters;
- to change the HTTP method (POST, GET, HEAD, TRACE, TRACK etc.);
- to check how the page reacts without using an automated tool (quieter!);
- to change a header parameter such as User-Agent (for a WAF, to avoid filtering): a WAF is a web application firewall, which can block injections in the page or its headers. By switching the User-Agent, the WAF may not recognize the browser's signature and let the request through (not always);
and more and more.

So... shall we jump in? 8-)
Open Burp, make sure that Intercept is ON and the browser is configured to use the proxy as I showed last session.
Go to: http://www.jumbo.co.il/Search.asp?Redir ... earchText= (hold Ctrl so it opens in a new window)
This is an Israeli site I recently visited.
After copying the link into your browser (do it with Mozilla Firefox only! If you don't have it, download it),
open Burp at the Proxy label and you will see this:
GET /Search.asp?RedirectBackTo=%2fSearch.asp&SearchText= HTTP/1.1
Host: www.jumbo.co.il
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: he-IL,he;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: windows-1255,utf-8;q=0.7,*;q=0.3
Cookie: UserProfile=0; UserID=T15253039; ASPSESSIONIDASBRACCC=IPCGEBJAGJHNLANAOBPHFPBA; __utma=102811035.586492454.1320934749.1320934749.1320934749.1; __utmb=102811035.5.10.1320934749; __utmc=102811035; __utmz=102811035.1320934749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PartnerID=%EC%EC%E0+%EE%F4%F0%E4

This is the request the browser sent. After the request we will get a response.
Right-click on the request text. A menu will open...
Pick: Send to Repeater (#4 from the top).
You will see that the Repeater label is now RED; that's because Burp registered the action.
Now, let's go to the Repeater.
<!-- BTW - you can switch Intercept OFF beforehand -->
We can see our page got a sub-label inside, a few buttons, a place for the Request and a place for the Response. The buttons are: Go, Cancel, <, >.
Go means send the request and Cancel means you want to cancel the request that was sent.
The arrows are for moving back and forward through your edits.
Try inputting 123 like this:

GET /Search.asp?RedirectBackTo=%2fSearch.asp&SearchText=123 HTTP/1.1

Now wait for the response... Here it is. Now press the back and forward buttons and you will see the steps you made (with 123, and without 123).
What we did now was EDITING the client-side request; this kind of editing is sometimes called an INJECTION.
A successful one can let an attacker carry out an attack called Cross-site Scripting, meaning the attacker will be able to
run malicious code inside the site, affecting its JavaScript (the site's code structure).
To prevent this kind of injection, the developers need to write a validation mechanism on the server side, which filters the dangerous script... But what is a dangerous script :?: Soon you'll find out.

In order to check that we changed something in the page, there are two equivalent ways:
through the browser
through the proxy - easier!!

So let's go to the browser and watch what happens when we change the value to '123'.
When inputting a value in the URL we can see that the Search field is being filled with our input... that means
we make the page change. It is not a unique thing, but! If we find a way to trick the browser.. maybe we can come up with an attack on this site.
Let's try inputting a string.. say abcde.
We can see that the page has changed, erasing all the results. That means that this field is expecting integers (numbers).
Let's try another trick.. input $%^&* (Shift + 4,5,6,7,8).
Still no results... but look at the URL... the string is still there, which means no filtering has been done! Go to the Repeater!!
If we look closely at the two panes (Request & Response) we can see a search bar... search for 123 (our input) in the Response pane!
How many did you find? 12?? Great!
Now, do you remember what I wrote about XSS at the start of this blog.. I think it was Steve asking me about it..
If not, go read it and come back! It's very important.

O.K., now after you've read it you know that we want to try and "step out" of the script in order to inject our own.
So let's add a quotation mark to our string of numbers.. 123"
Now press Go and wait for the response. O.k., now we have only 2 matches.. meaning 10 of them got filtered!
Luckily for us.. a few survived :ugeek:
Let's check the first one - <input type="text" name="SearchText" size="15" dir="rtl" value="123&#34;/><br />
Look at our value.. this is called encoding and we will learn about it in our next lesson. What happened is that the site's server changed the representation in order to prevent attackers from injecting dangerous characters.. quotation marks are dangerous!
Also these: (),'[]&$%@<> and more.. all those characters can help an attacker to build an injection..
For instance: () mark a function call - print(), run(), alert() etc.
<> are for HTML tags - image - <img></img>, link - <a href="link"></a> etc.
So all those are dangerous.. So now what?!?! :oops:

Oh wait... we have one more match.. click > next to the Response search bar.
<div dir="rtl" align="right">&nbsp;<b>מיקומך:</b>&nbsp;<a href="Index.asp">דף הבית</a>&nbsp;>&nbsp;תוצאות חיפוש עבור '<b>123&#34;</b>'</div>

Now here we can see something very interesting... there are no quotation marks! But still there is a filter.. so let's hope
it doesn't filter all the dangerous characters :D
Go back to your Request and change the input to 123</div>
What we want to do is close the first <div> tag, leaving the original closing tag without its opener..
It should look like this: <div bla bla bla ><b></b><a href></a><b>123</div></b></div>
You can see the last div tag (shown in green) has been left alone. So now we need to add another opening <div>. After that, everything we inject between them will "step" out of the page! It's like working with parentheses: one opens and the other closes.. but what happens when you take this () and inject one more in the middle... ()) and after it another one ()()? Now the two of them won't mind if we do this - ()injection(), but if we had tried it before it would have looked like this (injection) and we would not be out of the parentheses 8-) 8-) Got it?!
So after we add the </div><div>, all we need to do is inject malicious code!
See this - ha.ckers.org/xss.html
Let's inject the following: <script>alert(document.cookie)</script> like this -

GET /Search.asp?RedirectBackTo=%2fSearch.asp&SearchText=123</div><script>alert(document.cookie)</script><div> HTTP/1.1

What we did was inject the script tag and inside it the alert method, which pops up an alert in the browser window.
The value we passed is the user's cookie (in this case, our own cookie).
See this for cookies - en.wikipedia.org/wiki/HTTP_cookie

Let's press Enter and see what happens..
:oops: :oops: :oops: :oops: :oops: :oops: :oops:
What's this!? Only headers with no page... but it returns 200 OK, which means the page is good...
Do you have an idea?
Well, we saw that the server is not filtering <> or div or alert() or document.cookie, which count as dangerous..
What else is there?
GET /Search.asp?RedirectBackTo=%2fSearch.asp&SearchText=123</div><script>alert(document.cookie)</script><div> HTTP/1.1
It filters the word script... Now what!?
There are a few ways... the best one is encoding.
The first check will be changing the case of a few letters, because maybe the server holds a list with script and SCRIPT
but not ScRipt or scRipT.

Wooowww!! The page is back... let's look at the code..
<b>123</div><sCript>alert(document.cookie)</scripT><div></b>'</div>
Everything is in! It's supposed to work!
Now all we need to do is copy the value line and paste it in the browser:

GET /Search.asp?RedirectBackTo=%2fSearch.asp&SearchText=123</div><sCript>alert(document.cookie)</scripT><div>

In Mozilla Firefox only! Like this:
http://www.jumbo.co.il?/Search.asp?Redi ... earchText=123</div><sCript>alert(document.cookie)</scripT><div>

Baaammmm!!! XSS!
You've just injected a script into the page, causing it to run the alert() function, which pops up a window with the value you chose. We chose the user's cookie because it can be used to hijack his account using his session...
but this is a different story.
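Since the post ends on the point that a cookie read by injected script can be used to hijack the session, here is the check a defender would run on the server's responses: whether each Set-Cookie header carries the HttpOnly flag (which keeps the cookie out of document.cookie) and the Secure flag. This is an added example, not part of the original post; the Set-Cookie lines are constructed for illustration, using the cookie names seen in the captured request above, because the page never shows the server's real Set-Cookie headers.

```python
# Constructed Set-Cookie headers modelled on the cookie names in the request
# captured earlier in the post; the attribute values are invented.
RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "ASPSESSIONIDASBRACCC=IPCGEBJAGJHNLANAOBPHFPBA; path=/"),
    ("Set-Cookie", "UserID=T15253039; path=/; expires=Fri, 04-Jan-2013 00:00:00 GMT"),
    ("Set-Cookie", "UserProfile=0; path=/"),
]


def parse_set_cookie(value: str):
    """Split a Set-Cookie header value into the cookie name and a dict of its
    attributes (keys lower-cased; flag attributes such as Secure map to '')."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(value: str):
    """Return (name, findings) where findings lists the missing protections."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")   # readable via document.cookie
    if "secure" not in attrs:
        findings.append("missing Secure")     # sent over plain HTTP as well
    return name, findings


def audit_response(headers):
    """Audit every Set-Cookie header of a response; returns {name: findings}."""
    report = {}
    for header, value in headers:
        if header.lower() == "set-cookie":
            name, findings = audit_cookie(value)
            report[name] = findings
    return report


def harden_cookie(value: str) -> str:
    """Append the missing flags to a Set-Cookie value (idempotent)."""
    _, attrs = parse_set_cookie(value)
    out = value.strip().rstrip(";")
    if "secure" not in attrs:
        out += "; Secure"
    if "httponly" not in attrs:
        out += "; HttpOnly"
    return out


if __name__ == "__main__":
    for name, findings in audit_response(RESPONSE_HEADERS).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
    print(harden_cookie("ASPSESSIONIDASBRACCC=IPCGEBJAGJHNLANAOBPHFPBA; path=/"))
```

HttpOnly does not fix the injection itself; it only denies the injected script the session cookie, so it belongs alongside the output encoding, not instead of it. The Secure flag is only meaningful once the site is served over HTTPS (the URL in this post is plain http://), so a finding there is a reminder to move the site to TLS before setting it.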

Thank you for reading.
You're welcome to promote me by messaging the uTest team.

Cheers,

Ido_n
