Pentest – Exercise 3 – More WebGoat

I’m currently attending an intensive penetration testing course at Haaga-Helia during the summer semester. The course is held by Tero Karvinen (http://terokarvinen.com/) and it takes 1.5 weeks. Every day there are 8 hours of lectures plus these assignments. Every exercise should be available from our lecturer’s site, at this link: http://terokarvinen.com/2019/penetration-testing-tunkeutumistestaus-ict4tn027-3004-intensive-summer-course-2019-w21w22-5-credits.

Today’s assignment was plain and simple: complete WebGoat exercises. A specific count wasn’t given, so I’ll just do as many as I feel like and that should be that. I still had WebGoat running in Docker, so I don’t need to start it this time.

Silent Transactions Attack

This WebGoat lesson was in fact quite hard. I struggled to figure out what the objective was. I tried using an HTTP proxy to intercept the request and modify it, but it was no use. As the purpose of this lesson was hard for me to get, I had to take the hint. The hint said: “Check the javascript in the HTML source.” That is exactly what I did.

First, I highlighted everything on the site with Ctrl + A and then clicked “View selection source”. It looked like this:

There were so many useless things that I doubted this would help me. I then proceeded to Firefox’s inspector tool, where I managed to find this processData() function:

I figured that maybe it is the function we want to bypass. So, what now? What needs to be put there instead to bypass this function?

I had no idea what it could be replaced with. So I opened Firefox’s console to see what other functions are run on that specific site. I started to go through every letter to see what the console autofill suggested, in case there was anything usable or interesting. Bingo! Quite shortly after, I found a function submitData().

Then I just replaced the current processData() function with submitData(), and this happened:

In my understanding, the objective has been reached. Now on to the next lesson.

Dangerous Use of Eval

As this lesson’s name suggests, this has something to do with Eval. I didn’t exactly know what Eval was. This post (https://medium.com/@eric_lum/the-dangerous-world-of-javascripts-eval-and-encoded-strings-96fd902af2bd) had a nice and short way of saying it: “Eval() takes a string and attempts to run it as Javascript code.” That is interesting – it’s a Javascript function to create a JSON object.

We need to find a way to abuse Eval() in this form:

My first thought was that if Eval() takes a string as an argument, maybe we can just put alert(document.cookie) there. I tried all the fields, pushed all the buttons, and nothing happened. I suppose there’s more to this than I thought. I tried to use script symbols like < and >, but the form filtered them. I need to search deeper.

I tried to intercept the request in Burp to see if my modifications there could help. I once again tried to set all the arguments to alert(document.cookie), but still nothing. I’m sure this shouldn’t be hard, so I just need to try harder.

Next I tried to update the cart with only one of the fields containing that code and all the other values left at their defaults. Nothing.

I spent quite some time on this, and all I could find were direct WebGoat answers, which I really didn’t want to look at. Finally, after quite some time, I found this post: https://www.netsparker.com/blog/web-security/remote-code-evaluation-execution/. There you can see that this kind of Eval attack is not specific to JS but applies to PHP as well. The author showed this example input: de';phpinfo()//

It looks awfully similar to SQL injection. The user input is enclosed in quotes. So probably we need to use some form of quote as well.

I tried to visualize it inside my head so that it would look correct in JS. If there’s Eval('something'), then we can just input whatever the form wants and then add quotes to insert our arbitrary code. I first tried it on the quantity fields, where I was unsuccessful. Then I proceeded to the access code field. I tried submitting the field with this: 123'); alert('EVAL'); //. What happens here is that I first submit the 123 part, which the application wants. Then I close the quote and end that line of code by closing the parentheses and finishing that bit with a semicolon. Then we can insert our own code, which in this case could be to alert document.cookie, but for clarity I alert the string EVAL. After the arbitrary code has been set, the rest is commented out with //.
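To make the quote breakout concrete, here is an added example (not WebGoat’s own code) that models the lesson’s pattern: an access code spliced into source text that is handed to eval(), beside a hardened handler that validates the value and never evaluates it. The function names, the log recorder and the assumed access-code format are my own assumptions.

```javascript
// Added example modelling the WebGoat "Dangerous Use of Eval" pattern.
// Not WebGoat's source; all names and the access-code format are assumptions.

// Builds the exact source text the vulnerable handler ends up evaluating,
// so you can see where the submitted value lands inside the quotes.
function splicedSource(accessCode) {
  return "applyAccessCode('" + accessCode + "')";
}

// Vulnerable: the access code is concatenated into code and run with eval().
// An input that closes the quote and the call can append its own statements.
function handleCartVulnerable(accessCode) {
  const actions = [];                                   // what the page actually did
  function applyAccessCode(code) { actions.push("access code " + code); }
  function markInjected(tag) { actions.push("injected " + tag); }  // stands in for alert()
  eval(splicedSource(accessCode));                      // direct eval sees the helpers above
  return actions;
}

// Hardened: check the value against its expected shape and pass it as data.
// With no eval there is nothing for a quote character to break out of.
const ACCESS_CODE = /^[0-9]{1,12}$/;                    // assumed format for this example
function handleCartSafe(accessCode) {
  const actions = [];
  if (!ACCESS_CODE.test(accessCode)) {
    actions.push("rejected " + JSON.stringify(accessCode));
    return actions;
  }
  actions.push("access code " + accessCode);
  return actions;
}

// The lesson's payload, with alert('EVAL') replaced by markInjected('EVAL').
const PAYLOAD = "123'); markInjected('EVAL'); //";

// Stand-alone run: the first call executes the injected statement, the second rejects it.
console.log(splicedSource(PAYLOAD));
console.log(handleCartVulnerable(PAYLOAD));
console.log(handleCartSafe(PAYLOAD));
```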

There, it works! I don’t really have time to do any more of these today if I want to relax before the next lecture. More pentesting tomorrow.
