🍏Web Proxy
I won't cover how to set up FoxyProxy and capture a request; I'll jump right into the exploitation and testing part:
Let's say we have this web app:
We capture the request after submitting an IP:
Now our goal is to "break" the application ("breaking" the request/response flow by manipulating the target parameter, not damaging the target web application). If the web application does not verify and validate the HTTP requests on the back-end, we may be able to manipulate it and exploit it.
What will happen if we change the request so that the ip parameter is no longer ip=1 but ;ls; instead?
Exercise: intercept the ping request on the server shown above and change the POST data similarly to what we did in this section. Change the command to read flag.txt.
Intercepting Responses
We may want to intercept the HTTP responses from the server before they reach the browser.
In our previous exercise, the IP field only allowed us to input numeric values. If we intercept the response before it reaches our browser, we can edit it to accept any value, which would enable us to input the payload we used last time directly.
In Burp, we can enable response interception by going to (Proxy>Options) and enabling Intercept Response under Intercept Server Responses:
Here is the normal HTML of the web app we were exploiting:
Let's try changing the type="number" on line 27 to type="text", and change the input length so that we are able to type longer commands:
After forwarding the request, we can now input some text and commands:
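The two bypasses above (tampering with the ip parameter and editing the response to remove type="number") both work because only the browser was enforcing the input rules. As an added example, not code from the original notes or the target application, here is what the back-end should do instead: decode the captured POST body, accept only an IP literal, and build the ping command as an argument list rather than a shell string. The handler name, body format and return values are assumptions for illustration.

```python
import ipaddress
from typing import List, Optional
from urllib.parse import parse_qs


def extract_ip(body: str) -> Optional[str]:
    """Parse a raw urlencoded POST body (as seen in the proxy) and return the
    `ip` field, or None if it is absent. parse_qs applies the same decoding the
    server would, so an encoded %3B arrives here as a literal ';'."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("ip")
    return values[0] if values else None


def validate_ip(value: str) -> bool:
    """Accept only a syntactically valid IPv4/IPv6 address. Anything else,
    including shell metacharacters, hostnames and a bare number such as 1
    that a type="number" input would happily send, is rejected."""
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True


def build_ping_command(value: str) -> List[str]:
    """Return the ping invocation as an argv list (never passed to a shell),
    after validation. Raises ValueError for anything that is not an IP literal."""
    if not validate_ip(value):
        raise ValueError("rejected ip parameter: %r" % value)
    return ["ping", "-c", "1", value.strip()]


def handle_request(body: str) -> dict:
    """Simulated back-end handler (hypothetical): returns the decision instead
    of executing ping, so the example runs offline."""
    ip = extract_ip(body)
    if ip is None:
        return {"status": 400, "error": "missing ip"}
    try:
        argv = build_ping_command(ip)
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    return {"status": 200, "argv": argv}


if __name__ == "__main__":
    # Constructed sample bodies: the form's own value and the tampered variants.
    for body in ("ip=127.0.0.1", "ip=1", "ip=%3Bls%3B", "ip=;ls;"):
        print(body, "->", handle_request(body))
```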
Automatic Modification
We can choose to match any text within our requests, either in the request header or request body, and then replace it with different text. We can go to (Proxy>Options>Match and Replace) and click on Add in Burp.
After clicking OK, Burp will start automatically replacing the User-Agent header in our requests with our new User-Agent. We can verify that by visiting any website using the pre-configured Burp browser and reviewing the intercepted request.
Repeating Requests
To speed up exploitation without having to recapture a request every time, we can use request repeating, which makes this process significantly easier.
To start, we can view the HTTP request history in Burp at (Proxy>HTTP History):
If we click on a previous request such as:
We can now send it to Repeater (CTRL+R), edit our request and hit the Send button.
Exercise: use request repeating to quickly test commands. With that, try looking for the other flag.
Encoding/Decoding
Here are some common errors that can occur if we do not encode our data:
Spaces: may indicate the end of request data if not encoded
&: otherwise interpreted as a parameter delimiter
#: otherwise interpreted as a fragment identifier
To encode any data in Burp, select it and choose (Convert Selection>URL>URL encode key characters), or select the text and press [CTRL+U].
In recent versions of Burp, we can also use the Burp Inspector tool to perform encoding and decoding (among other things), which can be found in various places like Burp Proxy or Burp Repeater:
Proxying Tools
Proxychains
Proxychains routes all traffic coming from any command-line tool through whatever proxy we specify. Because it adds a proxy to any command-line tool, it is the simplest and easiest way to route the web traffic of command-line tools through our web proxy.
To use proxychains, we first have to edit /etc/proxychains.conf, comment out the final line and add the following line at the end of it:
We can now try to use cURL on the previous web app:
Nmap
With Nmap we can use the --proxies flag. We should also add the -Pn flag to skip host discovery (as recommended in the man page). Finally, we'll also use the -sC flag so we can examine what an Nmap script scan does:
Metasploit
We can start Metasploit with msfconsole. Then, to set a proxy for any exploit within Metasploit, we can use the set PROXIES option, and then go back to our web proxy tool of choice and examine the proxy history to view all sent requests:
Exercise: run 'auxiliary/scanner/http/http_put' in Metasploit against any website while routing the traffic through Burp. Once you view the requests sent, what is the last line in the request?