
Month: October 2019

How to edit response in Burp Proxy?

In this post, I will show how you can edit the response in Burp Proxy. This is useful in cases where you want to demonstrate that you can inject JavaScript code in the response. I will use the domain “www.example.com” to illustrate.

1) First, intercept the GET request and then click the Action button. In the menu, select ‘Do intercept’ > ‘Response to this request’.

2) Click Forward to allow the GET request to be made. You will then notice that you can now see the response from www.example.com.

3) In the response, you can simply perform malicious actions such as tampering with the HTML body or inserting JavaScript code into the response.

4) Finally, when you forward the edited response, the alert will appear and the body will show that it has been tampered with.

SQL Injection Challenge Two

This is a challenge from OWASP Security Shepherd.

In this challenge, you will notice that the application is checking for a valid email address. Once the input is validated as an email, it is used as part of a query. Because of this weak defence, once we manage to bypass the email validator, we will be able to perform SQL injection attacks.

The main obstacle is to form an input which is both a valid email and contains a malicious value. Let’s use the hint to see what the query looks like.

For a valid email, there should not be any spaces in the value. Hence the usual SQLi payload “something' OR 1=1--” does not work here. The workaround is to use || instead of ‘OR’.
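As an added illustration (not code from the original post or from Security Shepherd), here is a constructed Python/SQLite demo of why an email validator is not a defence against SQL injection: the same validator guards both lookups, the string-concatenated query is bypassed by an email-shaped value with no spaces, and the parameterised query is not. The validator regex, the sample table and the payload are my own assumptions; since SQLite treats || as string concatenation rather than OR, the payload below uses quote-adjacent OR instead of the || trick that applies to MySQL.

```python
import re
import sqlite3

# Assumed validator: rejects whitespace and a missing "@" or ".", but lets
# quote characters through (the real Security Shepherd check is not reproduced).
EMAIL_RE = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$")


def is_valid_email(value: str) -> bool:
    return EMAIL_RE.match(value) is not None


def make_db() -> sqlite3.Connection:
    # Constructed sample table, not the challenge's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice@example.com"), (2, "bob@example.com")])
    return conn


def lookup_concat(conn: sqlite3.Connection, email: str) -> list:
    # Vulnerable pattern: the validator's verdict is trusted, then the value
    # is spliced straight into the SQL text.
    if not is_valid_email(email):
        return []
    sql = f"SELECT email FROM users WHERE email='{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, email: str) -> list:
    # Hardened pattern: same validator, but the value is bound as a parameter,
    # so it is only ever compared as data and never parsed as SQL.
    if not is_valid_email(email):
        return []
    rows = conn.execute("SELECT email FROM users WHERE email=?", (email,))
    return [row[0] for row in rows]


# Constructed email-shaped value: no spaces, has "@" and ".", yet closes the
# quote and adds an always-true OR clause (SQLite's "||" concatenates, so the
# MySQL "||"-as-OR trick is replaced by quote-adjacent OR here).
PAYLOAD = "x'OR'1'='1'OR'@example.com"

if __name__ == "__main__":
    db = make_db()
    print(is_valid_email(PAYLOAD))      # True: the validator is satisfied
    print(lookup_concat(db, PAYLOAD))   # every row comes back
    print(lookup_param(db, PAYLOAD))    # []: value treated as a literal string
```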

Failure to Restrict URL Access Challenge 1

This is a challenge from OWASP Security Shepherd.

If you look at the POST request, there is a parameter “userData”. We can try to brute-force the values of this parameter to see if we can access the data from the admin’s perspective.

After trying this, we will find that brute-forcing does not help much, as the other userData values are invalid. So we need to rethink our strategy. Let’s look at the source code now to see if we can observe any useful information.

In this code snippet, we can see that there is a submission form for a normal user and one for an admin account. Looking carefully, we can see that the URL is different.

Change the URL of the POST request to the URL found in the admin account submission form, and we can see that the result key appears.