1  Intercepting and Modifying POST Requests


Figure 5-1. Modifying an intercepted request

When you have finished, you can disable the interception of requests by deselecting the checkbox in any of the “Edit Request” windows. If there are a number of waiting requests, the “Cancel ALL Intercepts” button may come in handy.


As a web proxy (for more on web proxies, see Chapter 3), WebScarab intercepts and modifies data after it leaves your browser but before it reaches the server. By modifying the data en route, it circumvents any restrictions or modifications specified by the page.

Note that browsing with “Intercept Requests” enabled will initiate an “Edit Request” window for every new page. Don’t forget to uncheck “Intercept Requests”! It can be quite annoying to have to click through several Edit Requests if you forget to turn it off when you’re done.

Notice that the SSN variable in Figure 5-1 transmitted five digits. This is despite the fact that the source HTML, as shown in Example 5-1, limits the SSN field to four characters, as shown in Figure 5-2 and this example.

Example 5-1. HTML that creates the form shown in Figure 5-2

Sending five digits in a field expecting four is just one example of the kind of modification WebScarab makes possible. Once you have established your ability to provide unusual data, it’s worthwhile to ensure that your application handles these exceptions gracefully. This technique is instrumental when testing for common security problems, discussed in Chapter 9.

5.1 Intercepting and Modifying POST Requests | 75

Figure 5-2. Logging into a bank—last four SSN digits only

WebScarab allows you to modify any request header, even the URL to which the request is sent. This makes it easy to modify both GET and POST information simultaneously, an ability that other tools, such as TamperData, lack.
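The server-side counterpart to the five-digit SSN experiment, as an added example that is not code from the book: the HTML maxlength is only advice to the browser, so the application must re-check every field itself. The field names (username, ssn_last4) and the rules are assumptions for the example.

```python
import re
from urllib.parse import parse_qs

# Server-side rules mirroring the form's maxlength limits; the server must enforce
# them itself because a proxy like WebScarab bypasses anything the HTML says.
# Field names are assumptions for the example, not from the book.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
    "ssn_last4": re.compile(r"[0-9]{4}"),   # exactly four digits, as the form intends
}

def validate_post_body(body: str) -> dict:
    """Parse a form-urlencoded POST body and check every field against FIELD_RULES.

    Returns {"ok": True, "fields": {...}} or {"ok": False, "errors": [...]}.
    Unknown and repeated fields are rejected too, since an intercepted request can
    carry parameters the form never rendered.
    """
    parsed = parse_qs(body, keep_blank_values=True)
    errors, fields = [], {}
    for name, values in parsed.items():
        if name not in FIELD_RULES:
            errors.append(f"unexpected field: {name}")
        elif len(values) != 1:
            errors.append(f"repeated field: {name}")
        elif not FIELD_RULES[name].fullmatch(values[0]):
            errors.append(f"invalid value for {name}")
        else:
            fields[name] = values[0]
    for name in FIELD_RULES:
        if name not in parsed:
            errors.append(f"missing field: {name}")
    if errors:
        return {"ok": False, "errors": errors}
    return {"ok": True, "fields": fields}
```

A five-digit ssn_last4 is rejected with a clean validation error rather than reaching the application logic, which is the “handled gracefully” outcome the text asks you to confirm.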

Use WebScarab Sparingly

When you are intercepting requests, you will catch AJAX-driven functionality as well as individual form posts. Each AJAX request may be intercepted and modified on its own. Remember that a site making heavy use of AJAX will make many requests, possibly bombarding you with tons of intercepted request windows.

Furthermore, using WebScarab requires configuring your entire web browser to use it as a proxy, not just a single window, tab, or site. In some cases (Internet Explorer or Safari on Mac OS X), you will actually set the entire operating system to use the proxy. This means that every software update check, behind-the-scenes HTTP connection, or application that uses HTTP will suddenly route all its requests through WebScarab. This can be overwhelming, and it interferes with your ability to gather data about a single request.

76 | Chapter 5: Tampering with Input

When you use WebScarab, then, be sure to minimize how many other HTTP-using programs are running at the same time (Adobe Reader, other browser windows, defect tracking systems, etc.).

5.2 Bypassing Input Limits


Even when you’re not looking specifically at an application’s content (such as the Social Security number seen in Example 5-1), just the size of the input can be a source of trouble. If your application does not explicitly handle sizable input, such input can potentially take down your web server.


Obtain or generate a file with a long sequence of arbitrary data. The script in Example 5-2 will generate a 1 megabyte file that contains random printable ASCII characters. To adjust how much data it generates, adjust the line that sets the value of the $KILOBYTES variable.

Example 5-2. Perl script to make a 1 MB file



#!/usr/bin/perl
use strict;
use warnings;

if( $#ARGV != 0 ) {
    die "need just one argument: the file name";
}
my $file = $ARGV[0];

open OUTFILE, ">$file" or
    die "Could not create $file for writing";

# this many kilobytes will be multiplied by 1024. So a value of 1024 here
# produces 1024 * 1024 bytes of data (1 megabyte)
my $KILOBYTES = 1024;

for( my $i = 0; $i < $KILOBYTES; $i++ ) {
    # random char between "space" (0x20) and "~" (0x7E), which is the top of the
    # ASCII printable range
    my $char = int(rand(95));
    $char = chr($char+32);

    # print 1023 of them, and then a newline.
    print OUTFILE $char x 1023 . "\n";
}
close OUTFILE;


Now that you have the data, you need to use it. The simplest way to do that for relatively small amounts of test data (e.g., this 1 megabyte file) is to open the file in a relatively powerful word processor (like WordPad, PSPad, UltraEdit, vim, TextMate, or TextEdit) and copy it. Then, following the techniques in Recipe 5.1, paste the value into a parameter and submit.

If you receive an error, such as “Error 500: Internal Server Error,” you should definitely check the server or application to dig deeper. This suggests that very little input validation was done. If you receive a properly formatted error message—one that was generated by the application itself—it is probably the sign of a well-handled error.


It’s frequently the case that even when validation is in place, it ignores the size of the input. Meanwhile, by submitting large inputs like this repeatedly, the server’s memory will fill, and the application’s response time will become slower and slower. Eventually it will be so slow as to be essentially frozen. This is a form of denial-of-service attack.

Note that this attack only works against POST requests. Form data submitted via GET will almost always automatically be truncated in transit.

As simple as this test is, it has the widest variety of results. Because input size validation is so rarely explicit in application code, often a framework or server default will kick in. When trying this test, results include not responding, responding as if no input were given, giving an internal system-error message, and freezing the server. While all of these are undesired behaviors, the only one with any particular security drawback is the case where the server is no longer responding, that is, it’s frozen.
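An explicit size check of the kind the text says is rarely present, as an added example (not the book's code; MAX_BODY_BYTES is an assumed value to tune per endpoint): it refuses an oversized declared Content-Length before reading, caps the actual read so a lying header cannot fill memory, and answers with 413 or 400 instead of an internal error.

```python
import io

MAX_BODY_BYTES = 64 * 1024   # explicit per-endpoint cap (assumed value, not from the book)

class BodyTooLarge(Exception):
    pass

def read_post_body(headers, stream, limit=MAX_BODY_BYTES):
    """Read a POST body without ever buffering more than `limit` bytes.

    A declared Content-Length over the limit is refused before any read, but the
    header is client-controlled, so the read itself is capped as well.
    """
    declared = headers.get("Content-Length")
    if declared is not None:
        if not declared.isdigit():
            raise ValueError("malformed Content-Length")
        declared = int(declared)
        if declared > limit:
            raise BodyTooLarge(f"declared {declared} bytes exceeds limit {limit}")
    chunks, remaining = [], limit + 1      # one extra byte detects an overrun
    while remaining > 0:
        chunk = stream.read(min(8192, remaining))
        if not chunk:
            break
        chunks.append(chunk)
        remaining -= len(chunk)
    body = b"".join(chunks)
    if len(body) > limit:
        raise BodyTooLarge(f"body exceeds limit of {limit} bytes")
    if declared is not None and len(body) != declared:
        raise ValueError("body length does not match Content-Length")
    return body

def handle_post(headers, stream, limit=MAX_BODY_BYTES):
    """Map each failure to a proper status instead of letting a 500 escape."""
    try:
        body = read_post_body(headers, stream, limit)
    except BodyTooLarge:
        return 413, "Payload Too Large"
    except ValueError:
        return 400, "Bad Request"
    return 200, f"accepted {len(body)} bytes"

def simulate_post(data, declared=None, limit=MAX_BODY_BYTES):
    """Feed a constructed body to the handler in-process (no network needed)."""
    headers = {} if declared is None else {"Content-Length": str(declared)}
    return handle_post(headers, io.BytesIO(data), limit)
```

Feeding it the 1 MB file from Example 5-2 yields a 413 whether the Content-Length is honest or understated, which is the bounded, non-freezing behavior the test is looking for.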

5.3 Tampering with the URL


The URL and query string are commonly used for setting parameters. While most users never bother manually changing the URL, it is the most obvious way to attempt to bypass normal functionality—it’s right there on the top of the browser. This recipe explains what to test when tampering with URL parameters.


Tampering with the URL does not require any additional tools; it all takes place right in the Location Bar. A URL may be edited manually, or copied and pasted for future reference, straight from the Location Bar at the top of your browser.

Given the URL http://example.com/web/, we can manually modify interesting components of the URL and tweak them as we’d like. One possible result could be http://

