Thursday, April 5, 2018

Exploiting Hidden Fields


- Layout for this exercise:

- Working with OWASP WebGoat v5.4:

1 - Hidden Fields

- An HTML input of type="hidden" specifies that the field and its value are not displayed to the user.

- For instance, the following HTML snippet processes both the fname and the country fields, but the user sees only the first one, because the second one has type="hidden":

- The input was received by the server as:

- In other words, hidden fields are not displayed, but when the form is submitted the hidden field is still sent along with it.

- The purpose of a hidden field is to submit information that is not entered by the visitor.

2 - Exploiting Hidden Fields

- In this scenario we have a Shopping Cart web form, where an HDTV can be purchased for $2999.9:

- The goal of the exercise is to alter the hidden field Price so that the HDTV is purchased at a much cheaper price.

- Note that the hidden field Price is out of the customer's reach; only the Quantity input field can be edited.

- Right-clicking the Purchase button and choosing Inspect Element:

- The first alteration is to remove the onclick="validate()" event handler:

- Secondly, the hidden field Price has a value of 2999.99, which can be replaced with a more affordable price:

- Now, clicking Purchase, the web form processes the HDTV purchase at a price of $0.99:

Bypassing Client Side JavaScript Validation


- Layout for this exercise:

- Working with OWASP WebGoat v5.4:

1 - Client Side JavaScript Validation

- JavaScript can be used to validate any type of alphanumeric input.

- For instance, this script (invoked from the HTML code through the onclick event) checks whether the numeric input is lower or greater than 10:

2 - Bypassing Client Side JavaScript Validation

- In this scenario we have 7 input fields with different validators:

- The challenge consists of bypassing each one of the validators.

- Right-clicking the Submit button and choosing Inspect Element:

- Disabling the input validation:

- Now, all the input validators are disabled:

- Field1:

- Field2:

- Field3:

- Field4:

- Field5:

- Field6:

- Field7:

- Once the inputs are submitted, the server is unable to validate them correctly and the attack succeeds:
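As an added defensive example (not WebGoat's code and not part of the original post), here is a server-side order handler for the shopping-cart and validation exercises above: it recomputes the total from its own catalogue and re-validates the quantity, so neither the hidden Price field nor the client-side JavaScript validators are trusted. The catalogue, the field names item/QTY/Price and MAX_QTY are assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed server-side catalogue: the only authoritative source of prices.
CATALOGUE = {"HDTV": Decimal("2999.99")}
MAX_QTY = 10


def process_order(form: dict) -> dict:
    """Validate a cart submission and compute the total on the server.

    `form` holds the parameters the browser sent (item, QTY, Price).
    The client-supplied Price is never used for the total; it is only
    compared with the catalogue so that tampering can be logged.
    """
    item = form.get("item")
    if item not in CATALOGUE:
        raise ValueError("unknown item")

    # Re-validate the quantity here: the onclick="validate()" handler
    # can be removed in the browser, as the exercise shows.
    qty_raw = str(form.get("QTY", "")).strip()
    if not qty_raw.isdigit():
        raise ValueError("quantity must be a positive integer")
    qty = int(qty_raw)
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")

    unit_price = CATALOGUE[item]
    tampered = False
    if "Price" in form:
        try:
            tampered = Decimal(str(form["Price"])) != unit_price
        except ArithmeticError:  # a non-numeric Price counts as tampering too
            tampered = True

    total = (unit_price * qty).quantize(Decimal("0.01"), ROUND_HALF_UP)
    return {"item": item, "qty": qty, "total": str(total), "tampered": tampered}


def is_rejected(form: dict) -> bool:
    """True when the submission fails server-side validation."""
    try:
        process_order(form)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request mirroring the exercise: hidden Price changed to 0.99.
    print(process_order({"item": "HDTV", "QTY": "1", "Price": "0.99"}))
```

The `tampered` flag is what a defender would write to the application log: the order still completes at the catalogue price, but the mismatch is recorded.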

Wednesday, April 4, 2018

Bruteforce (III): attacking a WEB server with HYDRA


- Layout for this exercise:

- Enumerating the victim, the attacker (Kali) checks that port 80 is open on the victim machine:

- Connecting to the DVWA Vulnerability: Brute Force page:

- Configuring a proxy server at the attacker machine:

- Launching Burp:

- Now, clicking Login on the DVWA web page, even without entering any username or password:

- Burp intercepts the login attempt:

- There are two important pieces of information:

i) the GET method is used for the login script:

ii) a session ID cookie is generated by the web server:

- Now, launching a Hydra command that includes the information intercepted by Burp, the attack is successful:

- The wordlist used in the attack is provided by Kali; it is composed of 182 lines, including the right password "password":