
Manipulating Authorization Token Using Burpsuite

During a web application security assessment of a web API, the Authorization Token had a limitation: it was only valid for 5 minutes. Burpsuite was unable to perform a complete scan, or if the scan did complete, the result was not accurate because the Authorization Token kept changing within the 5-minute timeframe.

To overcome this issue, we needed to find a way to bypass this restriction, as Burpsuite requires a valid token each time it performs scanning, as well as in the Repeater and Intruder. A Google search led us to a website where they had written a Burp extender (in Python) that fetches the new token and replaces it in the header every time Burpsuite makes a request. The Burpsuite extender inspects every request for the tag ‘Authorization: Bearer’ in its header, then deletes it and replaces it with the new one so that the current session stays valid. The bearer token was generated by the following request; in the response body the bearer token is included in a JSON keyword called ‘###Token‘.

Create Macro in Burpsuite

To automate the process, we need to create a macro in Burpsuite. The macro will initiate a request to the server to refresh the bearer token. In Burpsuite go to Project Options – Macro:

[Screenshot: Burpsuite – add new macro]

The Macro Recorder screen will be prompted; select the request that generates the bearer token.

[Screenshot: Burpsuite macro recorder]

Create Session Handling Rules in Burpsuite

To replace the expired token with the new one, we need the macro created in Burpsuite (explained above). The macro will initiate a request to get the new bearer token, after which the Burpsuite extender fetches the newly generated token and replaces it in the request header. To do this, we need to create a new session handling rule in Burpsuite.

[Screenshot: create Burpsuite session handling rule]

The rule basically checks for an HTTP response header that matches the defined expression “HTTP/1.1 401 Unauthorized”.

[Screenshot: Burpsuite session handling action editor]

If the response matches, the rule runs the macro and, after it completes, invokes the Burpsuite extender to fetch the newly generated bearer token and replace it in the request header.

[Screenshot: Burpsuite session handling action editor]
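A session handling action of the kind described above, written here as an added example for Burp's Jython runtime (it is not the extender the post credits): it reads the new token from the macro's JSON response and swaps it into the request's ‘Authorization: Bearer’ header. The JSON key name "Token" is a placeholder for the redacted ‘###Token‘, and the two pure helpers run outside Burp as well.

```python
import json
import re

try:  # Burp's Jython API when loaded as an extension; stand-ins otherwise
    from burp import IBurpExtender, ISessionHandlingAction
except ImportError:
    class IBurpExtender(object): pass
    class ISessionHandlingAction(object): pass

TOKEN_KEY = "Token"  # placeholder: the post redacts the real JSON key as '###Token'
BEARER_RE = re.compile(r"^Authorization:\s*Bearer\b", re.IGNORECASE)

def extract_token(response_body, key=TOKEN_KEY):
    """Token string from the token endpoint's JSON body, or None if absent."""
    try:
        return json.loads(response_body).get(key) or None
    except (ValueError, TypeError, AttributeError):  # not JSON, or not a JSON object
        return None

def replace_bearer(headers, token):
    """Swap the credential in an existing 'Authorization: Bearer' header.
    Returns (new_headers, replaced); a request without that header is left alone."""
    replaced = any(BEARER_RE.match(h) for h in headers)
    out = ["Authorization: Bearer " + token if BEARER_RE.match(h) else h for h in headers]
    return out, replaced

class BurpExtender(IBurpExtender, ISessionHandlingAction):
    def registerExtenderCallbacks(self, callbacks):
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Bearer token refresher (example)")
        callbacks.registerSessionHandlingAction(self)

    def getActionName(self):
        return "Refresh bearer token from macro"

    def performAction(self, currentRequest, macroItems):
        # Called by the session handling rule once its macro has run; the last
        # macro item is the token-issuing request, whose response holds the token.
        if not macroItems or macroItems[-1].getResponse() is None:
            return
        resp = macroItems[-1].getResponse()
        offset = self._helpers.analyzeResponse(resp).getBodyOffset()
        token = extract_token(self._helpers.bytesToString(resp[offset:]))
        if token is None:
            return
        req = currentRequest.getRequest()
        info = self._helpers.analyzeRequest(req)
        headers, replaced = replace_bearer(list(info.getHeaders()), token)
        if replaced:
            currentRequest.setRequest(self._helpers.buildHttpMessage(headers, req[info.getBodyOffset():]))
```

Select this action under “Invoke a Burp extension” in the session handling rule, after the macro, so it sees the token response the macro just produced.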

Result

[Screenshots: Burp extender output; Burpsuite scanning result]

Credit: https://twelvesec.com/2017/05/05/authorization-token-manipulation/

Bearer Authorization Token (Burpsuite Extender)

NanoSec x Wargames.MY CTF – Super Next Generation WAF

It’s too late for me to submit the flag..lol!

So the challenge is:

So I heard you're a hacker. I set up Super Next Gen. AumWAF to protect my l33t website.
Please hack my website.

Thanked!

http://supernext-gen-aumwaf.wargames.my/

Webpage:

[Screenshot: Super Next Generation WAF webpage]

sql.php page:

[Screenshot: sql.php page (hackme)]

As expected, any SQL injection attempt returns an error message as below:

[Screenshot: SQL injection attempt]

Nmap result: noticed “/*.bak” in robots.txt

Let’s try to see if a backup file exists: sql.php.bak -> Yes!! it does exist!!

PHP file source code:

First, I noticed $_REQUEST[‘id’] was sent to the filter, but $_GET[‘id’] was sent to the function. After some research I learnt that $_REQUEST gets values from $_GET, $_POST and $_COOKIE respectively. This is the default order defined in the php.ini file and can be changed. [seriously I copied this info from somewhere]

The idea is to change the request from GET to POST while keeping the GET parameters in the URL. Since $_POST[‘id’] overwrites $_REQUEST[‘id’], our $_GET[‘id’] parameter is free from the filter.

So, to get the flag (+ hint was provided):


Flag: wgmy{aumwaf_1z_th3_b3st_w4f}
Credit:
1. https://www.pwndiary.com/write-ups/sec-t-ctf-2017-naughty-ads-write-up-web200/
2. Ramadhan -> improvised my curl request.

[THE END]
