Practical Web Application Penetration Testing Series - Chapter 4

Scanning Web Applications for URL Rewrite Injection with Burpsuite

Hello Cybrarians,As I was very busy last month, I couldn’t write this last chapter until now. In this chapter (chapter 4) I will show you how to test a website for URL rewrite injections with BurpSuite.  Then in the next chapter, (chapter 5), we will try to use a plugin in Burpsuite called Bypass WAF for bypassing web application firewalls.Our target site was http://testphp.acunetix.com/ and I saved the primary automated scan result; however, since I want to show you a real-world attack against URL rewrite, I will switch to another legal website for penetration testing which is called http://testsparker.com. First, we need to discuss what URL Rewrite is.- It is a rule in which we change our url format for passing parameters to our web application.Examples:String Parameters:- Example URL: http://www.example.com/user/babak- Pattern: /user/{param1} ---> we use babak as a parameter passing to user. If we want to change it to regularURLs, we should write it like this: http://www.example.com/?user=babakNumeric Parameters- Example URL: http://www.example.com/userid/1- Pattern: /userid/{param1}Multiple Numeric Parameters (for example typically used as dates in URLs)- Example URL: http://www.example.com/blog/2016/05/13/babak-profile- Pattern: /blog/{param1}/{param2}/{param3}/{param4}Parameters with Prefixes- Example URL: http://www.example.com/users/user_babak/- Pattern: /users/user_{param1}Parameters with Suffixes- Example URL: http://www.example.com/users/babak_user/- Pattern: /users/{param1}_userMultiple Parameters in Same URL- Example URL: http://www.example.com/users/123/babak/- Pattern: /users/{param1}/{param2}Slug Based Parameters- Example URL: http://www.example.com/blog/someone_pic_to_show/- Pattern: /blog/{param1}  

These are url rewrite rules on many web apps. We open this link http://testsparker.com/blog/is-bitcoin-anonymous-95/ in our browser, and intercept the request with Burp suite. 

Next, right click somewhere on the body of the request and click Send to Intruder in menu or press (Ctrl+i).

Then in the intruder tab we have:

Press the positions tab.

Now we add a payload tester sign in the request. Consider that the Get request could be something like this: http://testsparker.com/?blog=is-bitcoin-anonymous-95

So we should test the parameter for sql injection or xss or etc., as we did before in normal pentesting. Click on the place that shows in the picture and then put a star sign there. Then select the star sign with the mouse and click Add $ . We have this:

Now just delete the star sign:

Well done! Go to payload tab to specify the appropriate payload for testing:

Now click on Add from list, scroll down and select Fuzzing - SQL injection from the list :

And click on Start Attack button.

 

What happens here is that the intruder tests all payloads in the place we assigned for request .

 

Like

http://testsparker.com/blog/is-bitcoin-anonymous-95’/http://testsparker.com/blog/is-bitcoin-anonymous-95 or a=a/Now we should see the size of responses for requests.In a normal request we have recieved the response with the lenght size of 5057 . see : 

But just after that when we inserted the ‘ at the end of our request, we have the length of 4087 . see the row number 1 in the intruder attack :

There is a changing in response size after injecting ‘ in the request.Therefor something has happened ;) . let’s take a look at the response tab for this request and compare it with a normal response (the response of the row number 0 ).

We click on response and then right click on the body of response and select send to comparer .

And repeat this step for the normal response;we are going to compare the responses of the rows number 0 , 1 with comparer tool of burp suite.

We have this :Press the Words button and we see that some data has been changed after injection .exactly the explanation of :  Is Bitcoin anonymousBitcoin is designed to allow its users to send and receive payments with an acceptable level of privacy as well as any other form of money. However, Bitcoin is not anonymous and cannot offer the same level of privacy as cash. The use of Bitcoin leaves extensive public records. Various mechanisms exist to protect users' privacy, and more are in development. However, there is still work to be done before these features are used correctly by most Bitcoin users.Some concerns have been raised that private transactions could be used for illegal purposes with Bitcoin. However, it is worth noting that Bitcoin will undoubtedly be subjected to similar regulations that are already in place inside existing financial systems. Bitcoin cannot be more anonymous than cash and it is not likely to prevent criminal investigations from being conducted. Additionally, Bitcoin is also designed to prevent a large range of financial crimes. 

As shown below :

So it is suspected to be vulnerable to sql injection.

Lets test it for POC (Proof Of Concept) with sqlmap.Back to our burp request we had: 

We copy the entire request and paste it in a text file with whatever name you want.

Like this:

I named it “r.txt”.

Now we simply use sqlmap to test if it is injectable :But first put a star sign in the place where you want sqlmap to inject the payloads like this :

And the command :

And boommmmm

We have successfully exploited a sql injection which we found in url rewrite.

The process of testing url rewrite for xss (cross site scripting) attacks are exactly similar to this.In the next chapter we use WAF bypass Plugin in both burpsuite and sqlmap.Thanks for following.