January 21, 2020

Cluster Bomb Type Web Application Attack

sranjanbehera
Share

infrastructure

This is a web application attack surface where the payloads are permuted to penetrate the Application Server.

Before carrying the payloads, the pre-requisite is getting possible map or structure of an application. And the sitemap can be reviewed by either active or passive spidering. There are certain tools available for crawl or spidering of a web application. And most of them are open source. This is an embedded feature for several application scanning tools (Burp Intruder, Nessus scanner, IBM Appscan and Acunetix). Burp Intruder is a handy tool in order to customize the payloads and in automating the attacks.

Advanced Google search option is an added advantage, in order to discover additional resources and information. The naming convention for the application plays a major role in deciphering the application or to penetrate the functionality. These content-discovery exercises are heavily done by an attacker to trace the possible loopholes. This result further can be analyzed to discover the content and functionality of the pages or the application.

The cluster bombing attack is customized and recursive automated payloads to attack a web application.

Mitigation:In particular from a security perspective, understand the key mechanisms that handle authentication, session management, and access control, and the functions that support them, such as user registration, account recovery, pre/post authentication methods. "Examine any customized data transmission or encoding mechanisms used by the application, such as a non-standard query string format. Understand whether the data being submitted encapsulates parameter names and values, or whether an alternative means of representation is being used. Identify each of the different technologies used on the client side, such as forms, scripts, cookies, Java applets, ActiveX controls, and Flash objects" (Stuttard & Pinto, 2013, p. 673).

This article is for educational purpose; no payloads is shared on this article. Feedback will be appreciated.

References:

Stuttard, D., & Pinto, M. (2013). Chapter 20: A Web Application Pentester's Methodology. In The web application hacker's handbook: Finding and exploiting security flaws (p. 673). Retrieved from https://goo.gl/wUTs1L

Start learning with Cybrary

Create a free account

Related Posts

All Blogs
Building a Security Team
June 27, 2023

Digital Forensics and Incident Response: What It Is, When You Need It, and How to Implement It

A quick guide to digital forensics and incident response (DFIR): what it is, when it’s needed, how to implement a cutting-edge program, and how to develop DFIR skills on your team.

Read More
Building a Security Team
June 28, 2023

How to Build a Red Team

An overview of what a red team is (and isn’t), and practical tips on how to build a Red Team and develop offensive security skills in your team.

Read More
Tools & Applications
June 7, 2023

How to Make the Most of Blending Learning with Cybrary Live

Learn how to get the most from your cybersecurity training platform by blending on-demand learning with virtual, live courses led by industry experts.

Read More
News & Events
June 7, 2023

Introducing the New Cybrary Learner Experience

Cybrary is launching a key update to the Cybrary Learner experience to elevate hands-on learning and measurement as guiding tenets of Cybrary’s mission.

Read More