Saturday, December 26, 2015

Dictionary Webapp Hack.

Disclaimer.

This is a technically advanced article about hacking Internet applications & other tools.

To understand this article, one has to know a little about programming (preferably in Java), a little about web applications, & a little about the HTTP protocol.


HTTP Request analysis.

I've used a Google Chrome tool called 'HTTP Trace' to look at the HTTP requests sent to a sample webapp I was running on my computer.

I've looked at a failed login attempt.



Failed Login Data.



C0de.

Then I downloaded Apache's HTTP Client library & wrote a little code that 'forged' HTTP requests & tried to log into the app in a loop.

I've looked at the results of both failed & successful login attempts, then came up with a final version of the code as follows:




C0de for a Hack.




It doesn't matter much that a successful login attempt comes back with a 'Bad Request' status; we still get the information that the password is correct.


... the presented code is very simple & can be refined in many ways ... but that would only obscure the main idea: that a program can be used to perform dictionary or brute-force attacks on a webapp.


C0de without a 'Bad Request'.

... slightly refined code, without the 'Bad Request' status message, is available in the screenshot below & can be downloaded here as well.




C0de, slightly refined.




I 'printed' the first server hit (an HTTP GET request) on the screen, analyzed it, noticed the 'jsessionid' part & wrote code that extracted it.

... proper use of the HTTP POST parameters, including 'jsessionid', was the key to overcoming the 'Bad Request' problem & message as well.

Then I wrote the part of the code responsible for extracting & comparing the page's title to determine whether we successfully logged in or not.


... further c0de refinements could include loading the password dictionary from a file, or generating it somehow, & an option of performing more or less refined brute-force attacks.


Security Measures.

How to protect against attacks like these?

... with captcha & account-locking functionality, but account locking opens the webapp to an 'Account Lockout' vulnerability: any user might be prevented from logging in to the app.


Other Considerations.

This is a brutus / hydra software equivalent (hacks done more or less manually instead of using someone's complete tools).

This method can be used to hack a Tomcat webapp server's password, web services, routers, SSH, ... & other tools.

Just download the client library for a given service or app & write code that attacks passwords via the given protocol.

Captcha won't protect all the time, but delays after failed logins, as well as the use of strong passwords that change over time, should.
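As an added example (not the post's code), here is the detection side of the same story: a check a defender can run over Tomcat access log lines to spot the burst of login POSTs that a looping tool like the one described produces, counting every POST regardless of status because, as noted above, a correct password can still come back as 'Bad Request'. The log layout is Tomcat's default Common Log Format; the /app/login path, hosts, session id and timestamps are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Tomcat's default access log layout
# ("%h %l %u %t \"%r\" %s %b"); path, hosts and times are made up here.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Dec/2015:13:00:00 +0100] "GET /app/login HTTP/1.1" 200 1532
10.0.0.5 - - [26/Dec/2015:13:00:01 +0100] "POST /app/login;jsessionid=A1B2 HTTP/1.1" 200 2011
10.0.0.5 - - [26/Dec/2015:13:00:01 +0100] "POST /app/login;jsessionid=A1B2 HTTP/1.1" 200 2011
10.0.0.5 - - [26/Dec/2015:13:00:02 +0100] "POST /app/login;jsessionid=A1B2 HTTP/1.1" 200 2011
10.0.0.5 - - [26/Dec/2015:13:00:02 +0100] "POST /app/login;jsessionid=A1B2 HTTP/1.1" 200 2011
10.0.0.5 - - [26/Dec/2015:13:00:03 +0100] "POST /app/login;jsessionid=A1B2 HTTP/1.1" 400 512
10.0.0.9 - - [26/Dec/2015:13:00:04 +0100] "POST /app/login HTTP/1.1" 200 2011
10.0.0.9 - - [26/Dec/2015:13:05:00 +0100] "POST /app/login HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def login_post_bursts(log_text, login_path="/app/login", window=timedelta(seconds=30), threshold=5):
    """Return {host: peak_count} for hosts that POST to the login form at least
    `threshold` times inside any sliding `window`. Status codes are ignored on
    purpose: a correct password may still be answered with 400, so the request
    rate, not the response, is the reliable signal."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # drop the ;jsessionid=... path parameter before comparing the path
        path = m["path"].split(";", 1)[0]
        if path != login_path:
            continue
        posts[m["host"]].append(datetime.strptime(m["ts"], TS_FORMAT))

    flagged = {}
    for host, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide window start forward
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[host] = max(hits, flagged.get(host, 0))
    return flagged
```

On the sample, 10.0.0.5 is flagged with five login POSTs in two seconds while 10.0.0.9's two attempts five minutes apart are not; the same per-source counter can drive the failed-login delay mentioned above without locking the targeted account.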
