
Web App Hacking: BurpSuite, Part 2: Bypass Weak Input Validation to Upload Malware to a Website

Updated: Dec 28, 2022

Welcome back, my aspiring cyber warriors!


In general, we can say that the solution to many injection attacks in web applications is "Input Validation". Input validation makes certain that only the type of input that the application was developed to handle is input and not malicious commands or scripts masquerading as data.

Some applications enable or even encourage us to upload a photo, avatar or other representation of ourselves (think Facebook, Twitter, LinkedIn, other social media or your business or school website). What is to keep attackers from simply uploading a malicious script? Usually the answer is to check and validate the type of input before allowing it to be uploaded.


In a previous post, we were able to upload a malicious shell to the DVWA web site because it did no input validation at all. In this tutorial, we will bypass weak input validation and still upload a malicious script.


Step #1: Start Kali and Burp Suite


To start, fire up your Kali Linux and open the BurpSuite.


Configure BurpSuite to proxy the requests and responses from your browser. See my previous BurpSuite post on how to do this with Mozilla Firefox.

Step #2: Start OWASP BWA


Now, start the OWASP Broken Web App (BWA) server and go to the DVWA application and login (admin/password).

After logging into the DVWA, go to the lower left button and set the DVWA Security to "medium". Make certain that you have the intercept on in the BurpSuite proxy.

Step #3: Attempt to Upload a Malicious File


Now, click on the upload button. Imagine that this is your LinkedIn page or your Twitter profile. In both cases, you are expected to upload a picture or avatar of yourself.


Note in the screenshot below, the application states "Choose an image to upload: ".


Now, instead of uploading a picture, we try to upload a malicious Python script. I have created a file named "malicious_python_script.py" and attempted to upload it. You can create any text file, malicious or not, and attempt to upload it.


As you can see below, the application rejected our malicious script because it uses input validation to ensure that the uploaded file is an image file. Can we bypass this input validation?

Step #4: Bypass Input Validation with BurpSuite


Let's go to our BurpSuite and look at the POST that was captured by the intercept. As you can see on lines 19 and 20, the request carries the file name and declares the type of file as "text/x-python". Very good, that is correct. The app was designed to allow only pictures to be uploaded, and so it rejected our malicious file.

Now, let's go into the intercepted POST and edit it a bit. The input validation took place inside the form on the client side. Now that we have intercepted the request on its way to the server, we can manipulate it to claim that it is a "safe" file before sending it on to the server. We do this by changing the Content-Type on line #20 to "image/jpeg". The server will then accept this file, believing that it is a JPEG image.

Now, in the BurpSuite, forward the POST to the server.


The file is successfully uploaded and our Python script is ready to be executed and do its dirty work!
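The check that falls to this edit, and the check that would survive it, as an added Python example (not DVWA's own PHP and not code from the original post): the weak version trusts the Content-Type sent in the multipart request, the hardened version ignores it and inspects the file's leading bytes. The allow-lists, file names and sample bytes are constructed for the demo.

```python
import os

# Weak validation, in the spirit of the DVWA "medium" upload: the only evidence
# considered is the Content-Type the client put in the multipart part header,
# which is exactly what the BurpSuite edit above rewrites.
ALLOWED_TYPES = {"image/jpeg", "image/png"}

# Hardened validation: allow-list the extension, then require that the bytes
# actually start with the magic number of the image type that extension implies.
ALLOWED_EXT = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png"}
MAGIC = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
}


def weak_check(claimed_type: str) -> bool:
    """Accept or reject based solely on the client-supplied Content-Type."""
    return claimed_type in ALLOWED_TYPES


def strong_check(filename: str, data: bytes) -> bool:
    """Accept only if the extension is allowed AND the file bytes match its magic.
    The client's Content-Type header is never consulted."""
    ext = os.path.splitext(filename.lower())[1]
    expected = ALLOWED_EXT.get(ext)
    if expected is None:
        return False
    return data.startswith(MAGIC[expected])


# Constructed sample uploads: a minimal JPEG header and a Python script.
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PYTHON_SCRIPT = b"#!/usr/bin/env python3\nprint('not an image')\n"


def demo() -> dict:
    """Run both checks over the samples with the honest Content-Type a browser
    would send, and over the script with the Content-Type forged to image/jpeg."""
    return {
        "jpeg_weak": weak_check("image/jpeg"),
        "jpeg_strong": strong_check("photo.jpg", REAL_JPEG),
        "script_weak_honest": weak_check("text/x-python"),
        "script_weak_forged": weak_check("image/jpeg"),  # the intercepted edit
        "script_strong_forged": strong_check("malicious_python_script.py", PYTHON_SCRIPT),
        "script_strong_renamed": strong_check("malicious_python_script.jpg", PYTHON_SCRIPT),
    }
```

Renaming the script to .jpg still fails the hardened check because the first bytes are not a JPEG header; storing uploads outside the web root under a server-generated name closes the remaining gap of a valid image that also carries script content.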

Summary


In general, input validation is the answer to the problem of injection attacks against web applications and other software. In this case, the web application only did input validation on the client side, so we could manipulate the intercepted POST request in BurpSuite, edit the declared file type, and get the server to accept our malicious content!
