the-web-application-hackers-handbook

578 Chapter 14 n Automating Customized Attacks
item of data that can be manipulated and that is attached to a request in a particular
way. Request parameters may appear in the URL query string, HTTP
cookies, or the body of a POST request. Let’s start by creating a Param class to
hold the relevant details:
// JAttack.java
// by Dafydd Stuttard
import java.net.*;
import java.io.*;
class Param
{
String name, value;
Type type;
boolean attack;
Param(String name, String value, Type type, boolean attack)
{
this.name = name;
this.value = value;
this.type = type;
this.attack = attack;
}
}
enum Type
{
URL, COOKIE, BODY
}
In many situations, a request contains parameters that we don’t want to modify
in a given attack, but that we still need to include for the attack to succeed. We
can use the “attack” field to flag whether a given parameter is being subjected
to modification in the current attack.
To modify the value of a selected parameter in crafted ways, we need our tool
to understand the concept of an attack payload. In different types of attacks,
we need to create different payload sources. Let’s build some flexibility into the
tool up front and create an interface that all payload sources must implement:
interface PayloadSource
{
boolean nextPayload();
void reset();
String getPayload();
}
The nextPayload method can be used to advance the state of the source; it
returns true until all its payloads are used up. The reset method returns the
state to its initial point. The getPayload method returns the value of the current
payload.