Burp Suite.
There's a tool called 'Burp Suite' that allows the user to capture, read, modify and forward HTTP requests, and to capture and read/render HTTP responses as well. It's available in a free Community edition and in a paid Professional edition.
IDOR Attacks (Insecure direct object reference).
This can occur when a web application or application programming interface uses an identifier for direct access to an object in an internal database but does not check for access control or authentication. For example, if the request URL sent to a web site directly uses an easily enumerated unique identifier (such as http://example.com/doc/1234), that can provide an exploit for unintended access to all records.
Burp Suite (even in its free Community edition) is a convenient tool for executing IDOR attacks.
IDOR attacks can - for example - reveal a list of usernames that can then be used for attacks on login forms.
For more, see:
- Insecure direct object references (IDOR) on PortSwigger (creators of Burp Suite),
- Insecure direct object reference on Wikipedia.
Attacks on Login Forms.
There are four types of attacks on credentials:
1. Brute force attacks
- For each of the attacked usernames we try all character combinations (for example: aaaaaa, aaaaab, aaaaac, ...)
2. Dictionary & related attacks
- For each of the attacked usernames we try words from a dictionary, perhaps with simple patterns appended to the dictionary words (for example: amanda2001, amanda2002, amanda2003, ..., anna2001, anna2002, anna2003, ...)
3. Password spraying
- We try the same few passwords from a list against many usernames. It's useful for avoiding account lockouts, since each account sees only a handful of failed attempts.
4. Credential stuffing
- When we know a username/password pair for a certain service/webpage (one that has perhaps leaked to the internet), then we can try to 'reuse' these credentials on another service/webpage. Or we can try to guess similar passwords, perhaps matching a certain pattern (or patterns). Even strong passwords can be vulnerable to this type of attack. More about leaked passwords, and websites that can help to work with them, can be found on: Pentesting: Art of Reconnaissance.
Attacks on Login Forms can be performed with help of tools like:
- Burp Suite (preferably the paid Professional edition, because the free Community edition has some functionality disabled and - more importantly - is deliberately throttled when executing attacks ... and it's often too slow to be practical and useful for professionals),
- THC Hydra (it's fast and free to use).
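From the defender's side, the four attack types above leave different traces in an authentication log: brute force and dictionary attacks pile many failures onto one username, while password spraying spreads a few failures across many usernames from the same source. The following classifier is an added example, not part of the original post or of any tool mentioned here; the log format, thresholds and sample log lines are all constructed assumptions.

```python
"""Classify failed-login bursts as brute force or password spraying.

Added example (not from the original post): the log format and thresholds
below are assumptions, and the log lines are constructed for illustration.
"""
from collections import defaultdict
import re

# Assumed log format: "<epoch> <src_ip> <username> <result>"
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (OK|FAIL)$")

# Constructed sample: one source hammers a single account (brute force /
# dictionary), another tries one guess against many accounts (spraying),
# and a third is a user who simply mistyped once.
SAMPLE_LOG = """\
1000 10.0.0.5 alice FAIL
1001 10.0.0.5 alice FAIL
1002 10.0.0.5 alice FAIL
1003 10.0.0.5 alice FAIL
1004 10.0.0.5 alice FAIL
1010 10.0.0.9 alice FAIL
1011 10.0.0.9 bob FAIL
1012 10.0.0.9 carol FAIL
1013 10.0.0.9 dave FAIL
1014 10.0.0.9 erin FAIL
1020 10.0.0.7 frank FAIL
1021 10.0.0.7 frank OK
"""

def classify(log_text, window=300, per_user=5, spray_users=4):
    """Return {src_ip: verdict} for sources with suspicious failures.

    brute_force: >= per_user failures against one username within `window`
    seconds of that source's first failure.
    spraying: >= spray_users distinct usernames failed in that window, none
    of them reaching per_user (the lockout-evading pattern).
    """
    fails = defaultdict(list)  # src_ip -> [(timestamp, username)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4) == "FAIL":
            fails[m.group(2)].append((int(m.group(1)), m.group(3)))
    verdicts = {}
    for ip, events in fails.items():
        events.sort()
        start = events[0][0]
        counts = defaultdict(int)  # username -> failures inside the window
        for ts, user in events:
            if ts - start <= window:
                counts[user] += 1
        if any(n >= per_user for n in counts.values()):
            verdicts[ip] = "brute_force"
        elif len(counts) >= spray_users:
            verdicts[ip] = "spraying"
    return verdicts
```

Real deployments would use a sliding window and tune the thresholds to the site's normal failure rate, but the distinction the two rules draw is exactly the one that account-lockout policies on their own miss.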
/ Work in Progress. /