Identifying attack vectors
Take a previously sent POST request and try to manipulate it. If you recall, the POST request passed a data buffer containing the text
This request clearly illustrates that the browser transmits some client information. The request contains two fields called id and quantity. An attacker would immediately identify this as a possible attack point, because it may be possible to tamper with or manipulate these variables to inject what security people call a payload into the application. Simply by looking at the request, it is possible to see what is going on behind the scenes. In this example, id=1 is the payload that is targeting the SQL database behind the application layer to obtain information about a product. As Figure 7 shows, an id may represent a link to the back-end database.
Figure 7. SQL linkage to the application
Now, if this back-end code is poorly written, it opens up the possibility of a SQL injection vulnerability. To inject SQL code into the application, all an attacker has to do is pass values such as a single (') or double quotation mark (") and try to break the query that is running behind the code. Figure 8 illustrates how to perform SQL injection by using LiveHTTPHeaders to manipulate HTTP values.
Figure 8. Manipulating a previous HTTP POST request
This example changes the value to id=' (single quotation mark). This allows you to try SQL injection techniques and observe the responses received. Suppose that you do so and receive an error status 500 with the error block:
Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
Instead of a valid HTML page that displays order status, the web application generated an error and threw it back to the browser. The error clearly suggests a SQL error has occurred. This has identified a SQL injection attack vector!
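To make the cause of that error concrete, here is an added example (not from the article or Blueinfy) that models the order page's back end in Python with an in-memory SQLite table standing in for the SQL Server database. It shows the poorly written string-concatenated query breaking on id=' with a 500-style database error, the same lookup written with a bound parameter returning cleanly, and a small check that flags a 500 carrying a database error as a likely injection vector; the table contents, the product names and the function names are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for the product table behind the order page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "Widget", 9.99), (2, "Gadget", 19.99)])
    return conn

def product_id(body):
    # Pull the id field out of a POST body such as "id=1&quantity=2".
    return parse_qs(body).get("id", [""])[0]

def lookup_unsafe(conn, body):
    # Poorly written back end: the client-supplied value is spliced into the SQL text,
    # so id=' leaves an unclosed quotation mark, the situation the error above reports.
    sql = "SELECT name, price FROM products WHERE id = '" + product_id(body) + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, body):
    # Hardened back end: the value travels as a bound parameter, never as SQL syntax.
    sql = "SELECT name, price FROM products WHERE id = ?"
    return conn.execute(sql, (product_id(body),)).fetchall()

def probe(handler, body):
    # Mimic what the analyst sees in the browser: (status, page rows or error text).
    try:
        return "200", handler(make_db(), body)
    except sqlite3.Error as exc:
        return "500", str(exc)

# Error fragments that reveal the database is choking on the injected metacharacter.
SQL_ERROR_SIGNATURES = re.compile(
    r"Unclosed quotation mark|ODBC SQL Server Driver|unrecognized token|syntax error",
    re.IGNORECASE)

def is_injection_vector(status, response):
    # A 500 whose body carries a database error is the tell-tale described in the text.
    return status == "500" and bool(SQL_ERROR_SIGNATURES.search(str(response)))

if __name__ == "__main__":
    for body in ("id=1&quantity=2", "id='&quantity=2"):
        for handler in (lookup_unsafe, lookup_safe):
            status, resp = probe(handler, body)
            print(handler.__name__, repr(body), status, is_injection_vector(status, resp))
```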
Other security attack vectors that you can probe with this technique include:
- HTTP header manipulation and checking for responses (example: Referer).
- Cookie-poisoning and session-hijacking attempts.
- SQL injection points and analysis of responses obtained from the server.
- Other metacharacter injections and input validation testing.
- POST variable and query string manipulations.
When walking through a new web application with security assessment as the primary objective, a web browser with extensions that allow HTTP traffic to be sniffed, manipulated, and replayed, all under one roof, benefits the security analyst immensely. A browser extension such as LiveHTTPHeaders provides a comprehensive set of tools without the additional overhead of installing disparate products and getting them to work in tandem in varied environments. All in all, this is a simple solution for complex and challenging tasks such as web application assessment.
Shreeraj Shah is the founder of Blueinfy, a company that provides application security services.