Burp suite test website4/3/2023 ![]() So here, nothing interesting apart from version disclosure is found because it’s a genuine request a user can transfer money from one of his/her accounts to another. Here, if we remember in the previous article, we enumerated some user account information, and according to that account no 20 and 21 belong to same userid=2. ![]() Let check the next request and response as shown in Img11. Other than that, we also enumerated other existing accounts of this bank by the account enumeration vulnerability. Though I don’t have any credentials for either of these two accounts, still I am able to transfer money from one account to another. For easy understanding, I will send the request to the Repeater, where we can see both request and response in same page as shown in Img10.Īs it shows that the transaction is successful, we successfully created an anonymous account money transfer. Similarly, let’s check the next request and response. It contains server path and dberror pattern, so we have two vulnerabilities: The base request contains a special character in place of the “creditAccount” parameter, and we got the response as shown in Img9. The first request we will check is the base request and its response as shown in Img8. Let’s check one by one to find out what we have here. Now start attack on intruder to check the responses as shown in Img7.Īs we can see quite clearly, the first four requests according to the content length differ from other requests, so we are interested in those requests. Now add all the payloads as shown in Img6. In the Positions section only select the “creditAccount” as shown in the Img5. Send the request to intruder to fuzz this parameter. If we fuzz this “creditAccount” parameter we might able to transfer the amount. Here we found another critical vulnerability: Account number enumeration. So let’s submit the request in Repeater, and check the response as shown in Img4. In this case, let’s assume I am an attacker and I don’t have an account in this bank, but I can easily transfer money from account 21 that we have got from the previous vulnerability to any other user’s account. This is also another critical business logic vulnerability i.e. Let’s say the attacker doesn’t have an account, but still he/she can transfer money from one account to another account. So it leads to a critical vulnerability of unauthorized money transfer. So first we have to find the associated data types of those parameters from the WSDL file as shown in Img3.Īs this is a sensitive request and does not ask for any kind of authentication, an attacker (if he/she is an account holder of this bank) can easily transfer money from other user accounts. User-Agent: Apache-HttpClient/4.1.1 (java 1.5) Now if we see the request clearly, it contains four parameters, and we don’t know the data type, as shown below in Img2. Let’s generate a soap request from SoapUI and then intercept in Burp as shown in Img1. As we have gone through the “GetUserAccounts” method in the previous article, now we will check for the “TransferBalance” method. I will continue from where I left in the last article. Now we will focus on how we can use this information for creating other attacks.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |