Business Security for Web Attack and Defense: Response Status Value Modification Test (Modify verification code return value to bypass restrictions.)


Business security refers to the measures or means used to protect business systems from security threats. In the broad sense, business security covers the software and hardware platforms the business runs on (operating systems, databases, middleware, etc.), the business system itself (software or equipment), and the security of the services the business provides; in the narrow sense, it refers to the security of the business system's own software and services.


Table of contents:

Response status value modification test
    Test principle and method
    Testing process
    Repair suggestion
Disclaimer


Disclaimer:

It is strictly forbidden to use the technology mentioned in this article to carry out illegal attacks, otherwise the consequences will be at your own risk, and the uploader will not bear any responsibility.


Response status value modification test:

Test principle and method:

This test modifies the response to a password-reset request so that the reset goes through. Websites or mobile apps with this vulnerability often allow very dangerous password-reset operations because their verification is lax.

The typical exploitation pattern is as follows: after the client sends the credential (the verification code) for the password reset, the server responds with a specific value such as true, 1, ok or success, and the page allows the password to be changed when it sees that value in the echoed response. Because the check for this kind of vulnerability is performed on the client, modifying the echoed value is all that is needed.


Testing process:

The response status value modification test mainly consists of analysing the server's verification results, determining which return values mean success and which mean failure, and then changing a failure result into a success result to deceive the client and reach the password-reset page.

Step 1: Find the password-retrieval function of a website, enter the target mobile phone number, enter an arbitrary SMS verification code, click the "Retrieve Password" button and capture the request with Burp Suite.


Step 2: The request contains two parameters: validateCode (the verification code) and phone (the mobile phone number). On the Burp Suite intercept page, right-click, select Do intercept --> Response to this request, and forward the request; the response to this request is then shown.


Step 3: The response has now been intercepted, and the value it carries is false. false normally means failure: when the server checked the verification code it found a mismatch and returned false to the client. Change false to true, then click the "Intercept is on" button to turn interception off so that the packet is delivered normally.


Step 4: The page now jumps directly to the password-reset page.


Repair suggestion:

Do not let the front end decide whether the password may be changed based on a value returned by the server; hand the entire verification process to the server, and have the server verify each step itself before it changes any state.


Books to learn: A Practical Guide to Web Attack and Defense Business Security.


Origin blog.csdn.net/weixin_54977781/article/details/130057199