SELECT is blocked, try
or 1=1-- is blocked, try
alert('xss') is blocked, try
- `%00<script>alert(1)</script>`
<script> expressions that appear.
Can you bypass this validation mechanism to smuggle the following data past it?
In a typical application, access is handled using a trio of mechanisms relating to authentication, session management, and access control. These components are highly interdependent, and a weakness in any one of them will undermine the effectiveness of the overall access handling mechanism. For example, a defective authentication mechanism may enable an attacker to log in as any user and so gain unauthorized access. If session tokens can be predicted, an attacker may be able to masquerade as any logged-in user and gain access to their data. If access controls are broken, then any user may be able to directly use functionality that is supposed to be protected.
A session is a set of data structures held on the server, which are used to track the state of the user’s interaction with the application. A session token is a unique string that the application maps to the session, and is submitted by the user to reidentify themselves across successive requests.
There are many situations where an application may be forced to accept data for processing that does not match a list or pattern of input that is known to be “good”. For example, many people’s names contain characters that can be used in various attacks. If an application wishes to allow people to register under their real names, it needs to accept input that may be malicious, and ensure that this is handled and processed in a safe manner nevertheless.
Defects in any of the core mechanisms for handling access may enable you to gain unauthorized access to the administrative functionality. Further, data that you submit as a low-privileged user may ultimately be displayed to administrative users, enabling you to attack them by submitting malicious data designed to compromise their session when it is viewed.
Yes. If it were not for Step 4, this mechanism would be robust in terms of filtering the specific items it is designed to block. However, because your input is decoded after the filtering steps have been performed, you can simply URL-encode selected characters in your payload to evade the filter:
If Step 4 were performed first (or even not at all) then this bypass would not be possible.
```http
GET /auth/488/YourDetails.ashx?uid=129 HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, */*
Referer: https://mdsec.net/auth/488/Home.ashx
Accept-Language: en-GB
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; InfoPath.3; .NET4.0E; FDM; .NET CLR 1.1.4322)
Accept-Encoding: gzip, deflate
Host: mdsec.net
Connection: Keep-Alive
Cookie: SessionId=5B70C71F3FD4968935CDB6682E545476
```
```http
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 09:23:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: tracking=tI8rk7joMx44S2Uu85nSWc
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1067

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" ><head><title>Your details</title>
...
```
HEAD: Same as GET, but server should not return a message body. Server should return same headers as GET. Can be used to check if a resource exists before GETing it.
TRACE: Server should return response body same as request received. Can be used to detect proxies between client and server that might manipulate a request.
OPTIONS: Asks server to report available HTTP methods on a particular resource. Response contains an Allow header that lists available methods.
PUT: Attempts to upload specified resource to server using content in the body of the request. If enabled, can be leveraged to attack an app, such as by uploading a script and executing it.
301 Moved Permanently
304 Not Modified
400 Bad Request
404 Not Found
405 Method Not Allowed
413 Request Entity Too Large
414 Request URI Too Long
500 Internal Server Error
503 Service Unavailable
select email from users where name = 'daf'
```http
POST /doTransfer.asp HTTP/1.0
Host: mdsec-mgr.int.mdsec.net
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 891

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope">
  <soap:Body>
    <pre:Add xmlns:pre="http://target/lists" soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
      <Account>
        <FromAccount>18281008</FromAccount>
        <Amount>1430</Amount>
        <ClearedFunds>False</ClearedFunds>
        <ToAccount>08447656</ToAccount>
      </Account>
    </pre:Add>
  </soap:Body>
</soap:Envelope>
```
```http
POST /secure/login.php?app=quotations HTTP/1.1
Host: wahh-app.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
Cookie: SESS=GTnrpx2ss2tSWSnhXJGyG0LJ47MXRsjcFM6Bd

username=daf&password=foo&redir=/secure/home.php&submit=log+in
```

```http
POST /secure/login.php?app=quotations HTTP/1.1
Host: wahh-app.com
Content-Type: multipart/form-data; boundary=------------7d71385d0a1a
Content-Length: 369
Cookie: SESS=GTnrpx2ss2tSWSnhXJGyG0LJ47MXRsjcFM6Bd

------------7d71385d0a1a
Content-Disposition: form-data; name="username"

daf
------------7d71385d0a1a
Content-Disposition: form-data; name="password"

foo
------------7d71385d0a1a
Content-Disposition: form-data; name="redir"

/secure/home.php
------------7d71385d0a1a
Content-Disposition: form-data; name="submit"

log in
------------7d71385d0a1a--
```
- `%3d` encodes `=`
- `%25` encodes `%`
- `%20` encodes a space
- `%0a` encodes a newline (`\n`)
- `%00` encodes a null byte (`\0`)
space % ? & = ; + #
- `"` is HTML-encoded as `&quot;`
- `'` is HTML-encoded as `&apos;`
- `&` is HTML-encoded as `&amp;`
- `<` is HTML-encoded as `&lt;`
- `>` is HTML-encoded as `&gt;`
- `"` in decimal numeric form is `&#34;`
- `'` in decimal numeric form is `&#39;`
- `"` in hexadecimal numeric form is `&#x22;`
- `'` in hexadecimal numeric form is `&#x27;`
In any attack, your first task is to map the target application’s content and functionality to establish how it functions, how it attempts to defend itself, and what technologies it uses. The next chapter examines this mapping process in detail and shows how you can use it to obtain a deep understanding of an application’s attack surface. This knowledge will prove vital when it comes to finding and exploiting security flaws within your target.
OPTIONS method used for?
If-None-Match headers used for?
secure flag when a server sets a cookie?
The OPTIONS method asks the server to report the HTTP methods that are available for a particular resource.
The If-Modified-Since header is used to specify the time at which the browser last received the requested resource. The If-None-Match header is used to specify the entity tag that the server issued with the requested resource when it was last received.
The 301 status code tells the browser that the requested resource has moved permanently to a different location. For the duration of the current browser session, if your browser needs to access the originally requested resource, it will use the location specified in the 301 response instead. The 302 status code tells the browser that the requested resource has moved temporarily to a different location. On the next occasion that the browser needs to access the originally requested resource, it will request this from the originally requested location.
The browser sends a CONNECT request to the proxy, specifying the destination hostname and port number as the URL within this request. If the proxy allows the request, it returns an HTTP response with a 200 status, keeps the TCP connection open, and from that point onwards acts as a pure TCP-level relay to the specified destination.
debug, test, hide, source, etc.
User-Agent, Referer, Accept, Accept-Language, Host