Tips for an Information Security Analyst/Pentester career - Ep 71- Web app pentesting practice

I've been working mainly as a web app pentester over the last six months.

I love what I do but I often feel lost, as I've never done this before, so I often look for training resources in order to achieve a better understanding of coding practices and get better at my job.


Real-world scenarios usually involve manual testing of web apps, and findings aren't as clear-cut as you might think.

It takes a lot of digging into the code and mapping the app to understand which component is doing what.

I recently ran, almost by chance, into a great resource that I warmly recommend as a tool to learn web app pentesting.


It's totally free and allows you to practice web app pentesting by studying the major vulnerabilities through interactive labs.

The site provides you with a clear explanation of what the specific vulnerability (for example, SQL injection) is and then challenges you to exploit it through a hands-on lab.

The lab leads you to a web page where you'll have to exploit the vulnerability explained previously.

I'll show here a couple of SQL injection examples, just to get my point across more clearly, and will leave the other labs to you as a fun exercise (watch the embedded video for more details).

PREMISE: These labs work best when using Burp Suite to intercept the traffic. I didn't do it here because they were pretty straightforward to me.




CHALLENGE

Quoting the page: 
Consider a shopping application that displays products in different categories. When the user clicks on the Gifts category, their browser requests the URL:
https://insecure-website.com/products?category=Gifts
This causes the application to make an SQL query to retrieve details of the relevant products from the database:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
This SQL query asks the database to return:
* all details (*)
* from the products table
* where the category is Gifts
* and released is 1.

The restriction released = 1 is being used to hide products that are not released. For unreleased products, presumably released = 0.
The application doesn't implement any defenses against SQL injection attacks, so an attacker can construct an attack like:
https://insecure-website.com/products?category=Gifts'--
This results in the SQL query:
SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
The key thing here is that the double-dash sequence -- is a comment indicator in SQL, and means that the rest of the query is interpreted as a comment. This effectively removes the remainder of the query, so it no longer includes AND released = 1. This means that all products are displayed, including unreleased products.
Going further, an attacker can cause the application to display all the products in any category, including categories that they don't know about:
https://insecure-website.com/products?category=Gifts'+OR+1=1--
This results in the SQL query:
SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1
The modified query will return all items where either the category is Gifts, or 1 is equal to 1. Since 1=1 is always true, the query will return all items.
The link to the lab I included above describes the vulnerability and contains the provided solution, but I recommend first trying to solve the lab manually on your own.

Have a look at the solution only if you're totally stuck and have no clue where to start from. I see cheating as a proactive way of learning and not as a shortcut.

I mean, if you're so stuck that you can't really go on and don't get a thing, well then have a look at it, but this type of challenge is about trying harder.

If you cheat once in order to understand how to face the same thing the next time you find it, I think it's OK.

However, if you don't even try and you want a ready-made solution, well, this industry's definitely not for you.

In order to solve this lab we need to neutralise the AND released = 1 part of the SQL statement.

The classic payload ' OR 1=1-- does that in two steps: the single quote closes the 'Gifts' string literal, OR 1=1 (a tautology, being always true) makes the WHERE clause match every row, and the trailing -- comments out the hidden AND released = 1 clause so it never takes effect.

SOLUTION


In the solution, you'll notice how the payload is URL-encoded: spaces are replaced by a + sign, which the server decodes back to spaces before building the query.

By appending '+OR+1=1-- to the category parameter, the application ends up running the SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1 statement described above, which returns every product in every category, released or not. Note the difference from the first payload, Gifts'--: that one only comments out the released filter and still returns just the Gifts category.



CHALLENGE

Quoting the page:
Consider an application that lets users log in with a username and password. If a user submits the username wiener and the password bluecheese, the application checks the credentials by performing the following SQL query:
SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese'
If the query returns the details of a user, then the login is successful. Otherwise, it is rejected.
Here, an attacker can log in as any user without a password simply by using the SQL comment sequence -- to remove the password check from the WHERE clause of the query. For example, submitting the username administrator'-- and a blank password results in the following query:
SELECT * FROM users WHERE username = 'administrator'--' AND password = ''
This query returns the user whose username is administrator and successfully logs the attacker in as that user.

Here we basically need to subvert the underlying logic of the login page so that an attacker can log in as any user without a password.

In fact, by simply using the SQL comment sequence "--" at the end of the username, the attacker removes the password check from the WHERE clause of the query, so the database only checks that a user with that name exists.

SOLUTION 

Applying the procedure described above, we have the following solution.

Logging in with administrator'-- as the username and an empty password, we get the page below.

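To make both injections above concrete, here is an added example of mine (not code from the labs or from PortSwigger): it builds an in-memory SQLite database with constructed products and users tables modelled on the two quoted scenarios, runs the vulnerable queries built by string concatenation with the Gifts'--, Gifts' OR 1=1-- and administrator'-- payloads, and then runs the same queries with bound parameters to show that the payloads stop working. The table contents, column names and the administrator password are made up for the example, and the URL decoding assumes the server treats + as a space the way urllib.parse does.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample data for this example (not from the labs): a products
# table with an unreleased item and a users table with the lab's wiener user.
PRODUCTS = [
    ("Gifts", "Mug", 1),
    ("Gifts", "Hat", 0),   # unreleased: hidden by the "released = 1" filter
    ("Toys", "Robot", 1),
    ("Toys", "Kite", 0),
]
USERS = [
    ("wiener", "bluecheese"),
    ("administrator", "made-up-password-the-attacker-never-needs"),
]


def fresh_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (category TEXT, name TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def category_from_url(url):
    """Decodes the category parameter like the server would: '+' becomes a space."""
    return parse_qs(urlsplit(url).query)["category"][0]


def products_vulnerable(conn, category):
    """Builds the WHERE clause by string concatenation, the flaw the lab describes.
    Gifts'-- comments out the released filter; Gifts' OR 1=1-- matches every row."""
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return [row[0] for row in conn.execute(sql)]


def products_safe(conn, category):
    """Same query with a bound parameter: the input can never escape the literal."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


def login_vulnerable(conn, username, password):
    """Concatenated credential check; administrator'-- drops the password test.
    Returns the matched username, or None when the login is rejected."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised credential check (a real app would compare a password hash)."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = fresh_db()
    payload = category_from_url("https://insecure-website.com/products?category=Gifts'+OR+1=1--")
    print(products_vulnerable(conn, "Gifts"))       # only released Gifts
    print(products_vulnerable(conn, "Gifts'--"))    # Gifts, including the unreleased one
    print(products_vulnerable(conn, payload))       # every product in every category
    print(products_safe(conn, payload))             # nothing: no such category exists
    print(login_vulnerable(conn, "administrator'--", ""))  # logged in as administrator
    print(login_safe(conn, "administrator'--", ""))        # rejected
```

The vulnerable functions are the "before" picture; the safe ones show the fix the labs are really teaching, which is to let the driver bind the value rather than splicing it into the statement.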
Wrap-up

PortSwigger Web Security Academy is a very cool tool to learn web app pentesting, as it provides both theoretical foundations and hands-on scenarios.

I warmly recommend it to any beginner or would-be pentester, as I find it very beneficial to my professional growth.

I now surely understand better how these vulnerabilities work, which will allow me to detect them faster and more reliably.
