Cluster Bomb Type Web Application Attack

February 20, 2017 | Views: 5009


This is a web application attack in which the payloads for several request positions are permuted, that is, every combination of the payload lists is submitted, in order to penetrate the application server.

Before delivering any payloads, the prerequisite is to obtain the most complete map or structure of the application that you can. The sitemap can be built by either active or passive spidering, and a number of tools, most of them open source, are available for crawling or spidering a web application. Spidering is also an embedded feature of several application scanning tools (Burp Intruder, Nessus scanner, IBM Appscan and Acunetix). Burp Intruder is a handy tool for customizing the payloads and automating the attacks.

Advanced Google search operators are an added advantage for discovering additional resources and information. The naming convention used by the application plays a major role in deciphering its structure and in penetrating its functionality. An attacker performs these content-discovery exercises thoroughly in order to trace possible loopholes; the results can then be analyzed further to uncover the content and functionality of the pages or the application as a whole.

A cluster bomb attack, then, sends customized, automatically generated payloads against the mapped application, iterating through every combination of the payload sets across the chosen positions.
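From the defender's side, the Cartesian-product behaviour described above is also what makes this attack type recognisable in access logs: one source produces (almost) every combination of the distinct values it sends for two parameters, which neither normal clients nor a lockstep (pitchfork-style) run do. The following detector is an added example written for this article, not code from the original post or from Burp Suite; the log lines, parameter names (`user`, `pin`) and thresholds are all constructed assumptions.

```python
"""Detect cluster-bomb style parameter fuzzing in web access logs.

Signature used: for each source IP, the fraction of the (param1 x param2)
grid covered by the distinct value pairs it submitted. A cluster bomb run
covers ~100% of the grid; normal traffic or lockstep fuzzing does not.
"""
import re
from collections import defaultdict
from itertools import product
from urllib.parse import parse_qs, urlsplit

# Common Log Format prefix: client IP and the request target of a GET/POST.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<url>\S+)')

# Constructed sample: 10.0.0.9 submits every user x pin combination
# (3 users x 4 pins = 12 requests); 10.0.0.5 is an ordinary client.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.9 - - [20/Feb/2017:10:00:{i:02d} +0000] '
     f'"GET /login?user={u}&pin={p} HTTP/1.1" 401 12'
     for i, (u, p) in enumerate(product(["alice", "bob", "carol"],
                                        ["0000", "1234", "1111", "9999"]))]
    + ['10.0.0.5 - - [20/Feb/2017:10:00:30 +0000] "GET /login?user=dave&pin=4321 HTTP/1.1" 200 55',
       '10.0.0.5 - - [20/Feb/2017:10:00:31 +0000] "GET /login?user=dave&pin=4322 HTTP/1.1" 401 12']
)


def grid_coverage(lines, p1, p2):
    """Per source IP: (number of distinct value pairs, fraction of p1 x p2 grid covered)."""
    pairs_by_ip = defaultdict(set)
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not requests in the expected format
        q = parse_qs(urlsplit(m["url"]).query)
        if p1 in q and p2 in q:
            pairs_by_ip[m["ip"]].add((q[p1][0], q[p2][0]))
    result = {}
    for ip, pairs in pairs_by_ip.items():
        n1 = len({a for a, _ in pairs})  # distinct values seen for p1
        n2 = len({b for _, b in pairs})  # distinct values seen for p2
        result[ip] = (len(pairs), len(pairs) / (n1 * n2))
    return result


def flag_cluster_bomb(lines, p1, p2, min_pairs=8, min_coverage=0.8):
    """Source IPs whose combination pattern looks like a cluster bomb run."""
    return sorted(ip for ip, (n, cov) in grid_coverage(lines, p1, p2).items()
                  if n >= min_pairs and cov >= min_coverage)
```

The `min_pairs` floor keeps small, legitimate sets of retries (which trivially cover a 1 x 2 grid) from being flagged; tune both thresholds to the volume your login endpoint normally sees.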

Mitigation:
From a security perspective in particular, understand the key mechanisms that handle authentication, session management, and access control, and the functions that support them, such as user registration, account recovery, and pre/post authentication methods. “Examine any customized data transmission or encoding mechanisms used by the application, such as a non-standard query string format. Understand whether the data being submitted encapsulates parameter names and values, or whether an alternative means of representation is being used. Identify each of the different technologies used on the client side, such as forms, scripts, cookies, Java applets, ActiveX controls, and Flash objects” (Stuttard & Pinto, 2013, p. 673).

This article is for educational purposes; no payloads are shared in it. Feedback will be appreciated.


References:

Stuttard, D., & Pinto, M. (2013). Chapter 20: A Web Application Pentester’s Methodology. In The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws (p. 673). Retrieved from https://goo.gl/wUTs1L
