REST API: IDOR attack on Juice Shop

Log in as your normal user in the Juice Shop application and submit a review for one of the products.

Once the review has been submitted, click the edit-review button that pops up, as shown below.

Make sure your Burp Suite proxy is on and running to capture the PATCH request for our review edit. But first, what is a PATCH request?

A PATCH request is an HTTP method for partially updating a resource on a web application. Because Juice Shop's intentionally vulnerable API accepts the ID parameter of one user's review inside another user's PATCH request, we can swap the ID, send the PATCH, and forge the information displayed on the web application.

http://restcookbook.com/HTTP%20Methods/patch/

So we have captured the request; now send it to Repeater in Burp Suite, as seen below.

Examining the id parameter, we can assume that this token can be reused and submitted as though we were another user. First we need to locate Bender's id token in order to spoof him and change his comment. So we capture the thumbs-up request on his review and then use his id token to change his comment in the review section: change the id parameter of the PATCH request captured in Burp Suite from your id token to Bender's.

Press [ Send ] and view the Firefox browser for the new comment you sent through the PATCH request, Burp Suite and the Juice Shop API.
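To make clear what the server is missing, here is an added example (not Juice Shop's own code) that models the review-edit endpoint in memory: the vulnerable handler edits whatever id the PATCH body names, the hardened one first checks that the review belongs to the session user. Field names (id, author, message), the session shape ({ email }) and the sample reviews are assumptions constructed for the example.

```javascript
// Added example, not Juice Shop's own code. The review schema and the
// session shape are assumptions; the data below is constructed.
function makeStore() {
  return new Map([
    ['rev-1', { id: 'rev-1', author: 'you@example.com', message: 'Great juice' }],
    ['rev-2', { id: 'rev-2', author: 'bender@example.com', message: 'Needs more bolts' }],
  ]);
}

// Vulnerable handler: the id from the PATCH body is looked up and edited
// without ever asking whether it belongs to the caller. That gap is the IDOR.
function patchReviewVulnerable(store, session, body) {
  const review = store.get(body.id);
  if (!review) return { status: 404 };
  review.message = body.message;
  return { status: 200, review };
}

// Hardened handler: the id may still come from the client, but ownership is
// decided from the server-side session, never from anything in the request.
function patchReviewHardened(store, session, body) {
  const review = store.get(body.id);
  if (!review) return { status: 404 };
  if (review.author !== session.email) {
    // Worth alerting on: a logged-in user addressed an object they do not own.
    return { status: 403, audit: `review-edit denied: ${session.email} -> ${body.id}` };
  }
  review.message = body.message;
  return { status: 200, review };
}

// Stand-alone demo: Bender's review (rev-2) edited from "your" session.
const demoStore = makeStore();
const demoSession = { email: 'you@example.com' };
const demoBody = { id: 'rev-2', message: 'forged comment' };
console.log(patchReviewVulnerable(demoStore, demoSession, demoBody).status); // 200
console.log(patchReviewHardened(makeStore(), demoSession, demoBody).status); // 403
```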

Thanks for reading and happy hacking.

XSS Series: DVWA: Security Low, Reflected – Part 1

Today I would like to go over a couple of examples of the most basic cross-site scripting attacks. Cross-site scripting attacks, or XSS for short, have been on the rise over the last few years. XSS is a web application vulnerability that affects the user or client of a server or application. Typically it is used as a leverage point to steal cookies and user authentication.
Initially seen as a very primitive attack that affected the majority of the internet, it is now publicly understood as a more severe attack wherein a malicious actor can wiggle their way deeper into a server or system.

Let’s get our hands a bit dirty. You will want to spin up a virtual machine with DVWA in any of your favorite VM environments, or set up Docker on your local machine and import the newest version of DVWA via the terminal. I will not go over the steps to do that here; maybe at a later point I will give a quick tutorial, but for now let’s assume you know that part of the process.
Once you have DVWA installed and have navigated to your localhost:port for the install in your browser, enter the username and password and begin the exploitation process. Be sure to set the security level to low.

[Screenshot: DVWA security level form set to low]

Once you have found the DVWA security level form, browse over to the XSS (Reflected) page to begin the exploitation process.

[Screenshot: DVWA XSS (Reflected) page]

The first thing I would like you to do is place your name into the form field and hit enter. Pay attention to two things: one, the URL above, and two, the location of your name on the screen.

[Screenshots: the URL after submitting, and the reflected name on the page]

Both of these are paramount to finding a successful attack. What we are looking for is a form field that reflects whatever we feed into it back onto the page.
Now we are going to manipulate the data to find a possible point of entry for our XSS attack. Write your name again and give it a bit of HTML text styling.

[Screenshots: the name submitted with HTML styling, and the styled result rendered on the page]

We see that as a user we can manipulate some of the data we place into a submit form. So let’s now do our “primitive attack” on the web application. Type in the tag shown below and you should get a pop-up window, notifying the attacker of a flaw in the application.

[Screenshots: the tag submitted in the form, the URL carrying it, and the resulting pop-up window]

We always want to refer back to the URL and the submit form. This is where we will be able to glean deeper information about the program’s function. Stay tuned for the next post on hardened security measures and other ways to bypass the application’s security when looking for reflected XSS.
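The reflection you just watched for (your name echoed back with its HTML styling intact) is the whole bug. As an added example that is not DVWA's code (DVWA is PHP; this models the same pattern in JavaScript, with an assumed greeting format), here is the vulnerable render beside the hardened one, plus the simple check a tester or a test suite can use to spot unescaped reflection.

```javascript
// Added example, not DVWA's own code. The "Hello <name>" format is an
// assumption; the inputs used in the demo below are constructed.

// Vulnerable: the name parameter is concatenated straight into HTML, so the
// browser interprets any tags the user typed (styling first, then a script).
function renderGreetingVulnerable(name) {
  return `<pre>Hello ${name}</pre>`;
}

// Contextual output encoding for an HTML text node: the five characters that
// can break out of text context are replaced with entities.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same template, but the untrusted value is encoded for the context
// it lands in, so "<b>" is displayed as text instead of styling the page.
function renderGreetingHardened(name) {
  return `<pre>Hello ${escapeHtml(name)}</pre>`;
}

// Check: did markup in the input come back verbatim in the rendered page?
// This is exactly the signal the walkthrough tells you to look for.
function isReflectedUnescaped(rawInput, renderedHtml) {
  return /[<>]/.test(rawInput) && renderedHtml.includes(rawInput);
}

// Stand-alone demo with a constructed styled name.
const styledName = '<b>n0ps</b>';
console.log(isReflectedUnescaped(styledName, renderGreetingVulnerable(styledName))); // true
console.log(isReflectedUnescaped(styledName, renderGreetingHardened(styledName)));   // false
```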

Further reading and considerations:

Take some time to read about HTML forms and the basics of HTML and JavaScript. Read about the tags script, iframe, img and svg. Lastly, read about JavaScript and HTML filters. All of this information will be paramount to understanding how to find and locate XSS attacks in the wild.

P0-Vulnserver.exe & Fuzzing/Exploit Dev

I have slowly been working through a few exploits with vulnserver.exe, an awesome multithreaded TCP server written by Stephen Bradshaw of the Grey Corner blog. If you follow the link to the GitHub repository you can see a few awesome tutorials.

I have mostly started playing with this Windows-based server to get a more robust understanding of exploit dev after working through the Corelan.be exercises, which I would also highly recommend; they are a little dated, but offer helpful directions for getting your feet a bit wet with exploit dev.

Other tutorials I would recommend and try out:
Sam Class
Sh3llC0d3r series
InfoSec Resources – Part 1

I will slowly be uploading all my code to GitHub so you can try it for yourself and see how it works on your machine. I will be sure to comment all the code, detailing the OS version and type.

Note
If you plan on running Vulnserver.exe and exploiting the program, you will need a few prerequisites to get started. I suggest learning and understanding Python fairly thoroughly before diving in. Do not just copy-paste the code and expect it to work.
Also be proficient in the use of Immunity Debugger and Mona.py; both are powerful tools for understanding in real time what is happening with your code and program crashes.

Happy hunting 😉

n0ps