the-web-application-hackers-handbook

Chapter 14 n Automating Customized Attacks 583
{
}
new JAttack().doAttack();
That’s it! To compile and run this code, you need to download the Java SDK
and JRE from Sun and then execute the following:
> javac JAttack.java
> java JAttack
In our sample configuration, the tool’s output is as follows:
param payload status length
PageNo 10060 500 3154
PageNo 10061 500 3154
PageNo 10062 200 1083
PageNo 10063 200 1080
PageNo 10064 500 3154
...
Assuming a normal network connection and amount of processing power,
JAttack can issue hundreds of individual requests per minute and output the
pertinent details. This lets you quickly find valid document identifiers for further
investigation.
TRY IT!
http://mdsec.net/app/
It may appear that the attack just illustrated is no more sophisticated than the
original bash script example, which required only a few lines of code. However,
because of how JAttack is engineered, it is easy to modify it to deliver much
more sophisticated attacks, incorporating multiple request parameters, a variety
of payload sources, and arbitrarily complex processing of responses. In the
following sections, we will make some minor additions to JAttack’s code that
will make it considerably more powerful.
Harvesting Useful Data
The second main use of customized automation when attacking an application
is to extract useful or sensitive data by using specific crafted requests to retrieve
the information one item at a time. This situation most commonly arises when
you have identified an exploitable vulnerability, such as an access control flaw,
that enables you to access an unauthorized resource by specifying an identifier
for it. However, it may also arise when the application is functioning entirely as