OWASP Security Shepherd Project - Poor Data Validation 2 (Poor Data Validation Challenge)
Challenge
Solution
First, let's try to input a negative number, -100, as the troll amount. (Send it both through the UI and through BurpSuite, so that both client-side and server-side validation are tested.)
It seems that this time the application does validate negative numbers.
Let's see if there is a boundary issue. Try to input 99999999.
Great! We completed the challenge. Now we know that there is no data validation for the data range, and the value overflows when the integer is large enough.
However, it is not enough. We want a stable method to test the overflow issue, instead of depending on good luck.
Let's try the Intruder feature in BurpSuite! First, copy the original place-order request and paste it into the Positions field of Intruder. (Of course, we should set the target to our Security Shepherd machine in the Target tab.) Then, we need to select the integer field that we want to use as the payload position. (That is the number of trolls we want to buy: the trollAmount.) By selecting the value 1 and pressing Add, we set the trollAmount field as the payload position.
After that, we need to set the payload type. Select Numbers as the Payload type. Set the range of payloads and the Step parameter (the interval between the numbers sent in consecutive requests). Select the number format and then start the attack!
(The following is an example that sets the range from 1 to 999999999, with the payload increased by 1000 on each request. The number format is set to integer only.)
With the Intruder feature, we can keep sending the place-order request, automatically increasing the number of trolls we order until the total overflows.
Great! We find that with trollAmount=753001 we trigger the overflow and make the total payment amount a negative number!
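An added model of what the sweep above found (example code, not code from the challenge or from Security Shepherd): it reproduces a total held in a 32-bit signed integer wrapping negative, sweeps trollAmount the way the Intruder Numbers payload does (1 to 999999999, step 1000), and shows the range check that closes the hole. The unit price of 2852 and the 32-bit integer type are assumptions; the page does not state them, the price is simply chosen so that the first failing step lands on 753001.

```python
"""Model of the trollAmount overflow: a total computed in 32-bit signed
arithmetic wraps to a negative number once price * amount exceeds 2**31 - 1.
UNIT_PRICE and the 32-bit type are assumptions, not values from the page."""

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
UNIT_PRICE = 2852  # constructed; chosen so the wrap first shows at 753001


def wrap_int32(value: int) -> int:
    """Reduce an arbitrary Python int to what a Java/C 32-bit int would hold."""
    return ((value + 2**31) % 2**32) - 2**31


def vulnerable_total(amount: int) -> int:
    """'Before' behaviour: negative amounts are rejected, but there is no upper
    bound, so the multiplication silently wraps like the challenge's total."""
    if amount < 0:
        raise ValueError("negative amount rejected")
    return wrap_int32(UNIT_PRICE * amount)


def find_overflow_amount(start: int = 1, stop: int = 999_999_999,
                         step: int = 1000):
    """Sweep amounts the way the Intruder Numbers payload does and return the
    first amount whose total goes negative, or None if none does."""
    for amount in range(start, stop + 1, step):
        if vulnerable_total(amount) < 0:
            return amount
    return None


MAX_AMOUNT = INT32_MAX // UNIT_PRICE  # largest amount whose total cannot wrap


def hardened_total(amount: int) -> int:
    """Fixed version: bound the amount by what the total can hold, and check
    the product is still in range before trusting it."""
    if not 0 < amount <= MAX_AMOUNT:
        raise ValueError(f"amount must be in 1..{MAX_AMOUNT}")
    total = UNIT_PRICE * amount
    if not INT32_MIN <= total <= INT32_MAX:
        raise OverflowError("total does not fit a 32-bit int")
    return total


if __name__ == "__main__":
    hit = find_overflow_amount()
    print(f"first negative total at trollAmount={hit}: {vulnerable_total(hit)}")
    print(f"hardened: max amount {MAX_AMOUNT}, total {hardened_total(MAX_AMOUNT)}")
```

With these assumptions the sweep stops at 753001, the value the page reports, while the hardened check rejects everything above 752974 before any multiplication is trusted.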
Reference
BurpSuite - Payload Types: https://portswigger.net/burp/help/intruder_payloads_types