
By: Babak Esmaeili
December 15, 2016
Practical Web Application Penetration Testing Series - Chapter 4

Scanning Web Applications for URL Rewrite Injection with Burpsuite
Hello Cybrarians,

As I was very busy last month, I couldn't write this chapter until now. In this chapter (chapter 4) I will show you how to test a website for URL rewrite injection with Burp Suite. Then in the next chapter (chapter 5) we will use a Burp Suite plugin called Bypass WAF to get past web application firewalls.

Our target site so far was http://testphp.acunetix.com/, and I saved the result of the initial automated scan. However, since I want to show you a real-world attack against a URL rewrite rule, I will switch to another site that is legal to test, http://testsparker.com.

First, we need to discuss what URL rewriting is. A URL rewrite rule changes the URL format so that parameters are passed to the web application as parts of the path instead of as query-string parameters. The application still treats those path segments as input, so they must be tested exactly like ordinary query parameters.

Examples:

String parameters
- Example URL: http://www.example.com/user/babak
- Pattern: /user/{param1}
- "babak" is the value passed to the user parameter. Written as a regular URL, it would be: http://www.example.com/?user=babak

Numeric parameters
- Example URL: http://www.example.com/userid/1
- Pattern: /userid/{param1}

Multiple numeric parameters (typically used for dates in URLs)
- Example URL: http://www.example.com/blog/2016/05/13/babak-profile
- Pattern: /blog/{param1}/{param2}/{param3}/{param4}

Parameters with prefixes
- Example URL: http://www.example.com/users/user_babak/
- Pattern: /users/user_{param1}

Parameters with suffixes
- Example URL: http://www.example.com/users/babak_user/
- Pattern: /users/{param1}_user

Multiple parameters in the same URL
- Example URL: http://www.example.com/users/123/babak/
- Pattern: /users/{param1}/{param2}

Slug-based parameters
- Example URL: http://www.example.com/blog/someone_pic_to_show/
- Pattern: /blog/{param1}

These are the URL rewrite patterns you will meet on most web apps. Now open http://testsparker.com/blog/is-bitcoin-anonymous-95/ in the browser and intercept the request with Burp Suite.
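To make the mapping between the patterns above and their "regular" query-string form concrete, here is an added example (my own code, not part of the original article) that parses a rewritten URL against a pattern and converts it back to the ?key=value form the application effectively sees. The placeholder names inside the braces are assumed to be the parameter names (the article writes them as {param1}; use a meaningful name such as {user} to get ?user=babak). Prefix and suffix patterns work because the placeholder matches exactly one path segment and the surrounding literal text is matched verbatim.

```python
import re
from typing import Dict, Optional
from urllib.parse import urlencode, urlsplit


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Turn a rewrite pattern such as "/users/user_{name}" into a regex.

    Each {name} placeholder becomes a named group matching one path segment
    (no "/" inside); literal text around it is matched exactly. A trailing
    slash on the real URL is tolerated, as in the article's examples.
    """
    regex = "^"
    pos = 0
    for m in re.finditer(r"\{(\w+)\}", pattern):
        regex += re.escape(pattern[pos:m.start()])
        regex += rf"(?P<{m.group(1)}>[^/]+)"
        pos = m.end()
    regex += re.escape(pattern[pos:]) + "/?$"
    return re.compile(regex)


def extract_params(pattern: str, url: str) -> Optional[Dict[str, str]]:
    """Return {placeholder: value} for the URL's path, or None if it does not match."""
    match = compile_pattern(pattern).match(urlsplit(url).path)
    return match.groupdict() if match else None


def to_query_url(pattern: str, url: str) -> str:
    """Rewrite a "pretty" URL back into its equivalent ?key=value form.

    This is the view the application code actually has of the request:
    whatever sits in the path segment arrives as a parameter value, which is
    why it must be fuzzed like any other parameter.
    """
    params = extract_params(pattern, url)
    if params is None:
        raise ValueError(f"{url!r} does not match pattern {pattern!r}")
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}/?{urlencode(params)}"


if __name__ == "__main__":
    # The article's own examples, with named placeholders (names are assumed).
    for pattern, url in [
        ("/user/{user}", "http://www.example.com/user/babak"),
        ("/users/user_{name}", "http://www.example.com/users/user_babak/"),
        ("/users/{name}_user", "http://www.example.com/users/babak_user/"),
        ("/blog/{year}/{month}/{day}/{slug}",
         "http://www.example.com/blog/2016/05/13/babak-profile"),
        ("/users/{id}/{name}", "http://www.example.com/users/123/babak/"),
    ]:
        print(url, "->", to_query_url(pattern, url))
```

The regex for a suffix pattern such as /users/{name}_user relies on backtracking: the greedy [^/]+ first swallows "babak_user", then gives back "_user" so the literal suffix can match.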
Next, right-click anywhere in the request and choose Send to Intruder from the menu, or press Ctrl+I.
Then in the Intruder tab we have:
Open the Positions tab.

Now we add the payload position markers to the request. Keep in mind that this GET request is equivalent to something like: http://testsparker.com/?blog=is-bitcoin-anonymous-95
So we should test the parameter for SQL injection, XSS and so on, exactly as we did before for normal query-string parameters. Click at the position shown in the picture (right after the slug, before the trailing slash), type a star sign there, select the star sign with the mouse and click Add §. We have this:
Now just delete the star sign, leaving the two markers in place:

Well done! Go to the Payloads tab to choose an appropriate payload list for the test:

Now click Add from list, scroll down and select Fuzzing - SQL injection:

Then click the Start attack button.
Intruder now sends one request per payload, inserting each payload at the position we marked, for example:
http://testsparker.com/blog/is-bitcoin-anonymous-95'/
http://testsparker.com/blog/is-bitcoin-anonymous-95 or a=a/

Right away, for the request where a single ' was inserted after the slug, the response length is 4087. See row number 1 in the Intruder attack window:

The response size changed after injecting ' into the request, so something has happened ;). Let's look at the Response tab for this request and compare it with a normal response (the response of row number 0).
Click Response, then right-click in the response body and select Send to Comparer.
Repeat this step for the normal response; we are going to compare the responses of rows 0 and 1 with Burp Suite's Comparer tool.
We have this:
As shown below:

So the parameter is suspected to be vulnerable to SQL injection.
Let's confirm it with a proof of concept (PoC) using sqlmap. Back in Burp, we had this request:
Copy the entire request and paste it into a text file with whatever name you like.
Like this:
I named it “r.txt”.
Now we simply use sqlmap to test whether it is injectable. But first put a star sign in the request file at the place where you want sqlmap to inject its payloads, like this:
And the command:

And boommmmm

We have successfully exploited a SQL injection that we found in a URL rewrite parameter.
Testing URL rewrite parameters for XSS (cross-site scripting) follows exactly the same process. In the next chapter we will use the WAF bypass plugin in both Burp Suite and sqlmap. Thanks for following.