December 30, 2018

OWASP sensitive data exposure

Information or data that should not be disclosed publicly is considered sensitive or confidential data. Sensitive data exposure, as the name suggests, is the vulnerability that arises when an application does not protect such data well enough: an attacker can then steal sensitive information such as account details, credit card numbers or passwords.

How sensitive a piece of data is always depends on the type of application and on the information it collects from us. For example, an online shopping site stores the customer's credit card details and personal information.

A banking application stores the user's personal identity proofs, bank account number, credit or debit card details, insurance details and much more. Similarly, a health care application stores the user's health information, such as blood pressure, diabetes status and heart rate, along with personal information.

From the application's point of view, server credentials, user access privileges, architecture information, configuration file paths and database access details are also confidential information, and a non-privileged user can reach them easily if proper security policies are not implemented.
In this blog we will see how to get access to the sensitive information of a website using Burp Suite.

Let’s begin!!

Open the Mutillidae vulnerable web application using the link below.

The value of the page parameter in the URL tells us which page the server is currently serving. Our objective is to fuzz that value and check whether we can find any sensitive page on the web server.

Now open Burp Suite and make sure proxy intercept is on. If you want to know how to set up Burp Suite with your browser's proxy settings, please read this blog. Now reload the web page so that the request shows up in Burp Suite.

In the GET request it is clearly seen that the page parameter carries the value home.php. Next we will put a random value in the page parameter so that we can compare the responses for a legitimate page and a non-existent one.

To do this, send both the legitimate request (page=home.php) and the non-existent one (page=home1234.php) to Repeater: right click on the request window and select Send to Repeater.

Then go to the Repeater tab and click the Go button on each request to view the responses for the legitimate and the non-existent page.

To compare the two responses in detail we will send them to Comparer.

Right click on each response window > select Send to Comparer.

Then go to the Comparer tab, select both items and click on Words to see exactly which words differ between the two pages.

A popup window will appear showing the words of both pages side by side. The page we requested as home1234.php returned "Validation Error: 404 - Page Not Found"; that is the only difference from home.php. Note that the server reports the missing page inside the response body, so this string, rather than the HTTP status code, is the marker we will use to tell missing pages from real ones.

Our next objective is to fuzz the page parameter to request confidential pages from the server.
Go back to the Proxy tab and send the home.php request to Intruder:
Right click on the window > Select Send to Intruder

Now go to the Positions tab to select the position for the attack. By default Burp marks every possible position where a payload could be inserted, so first click Clear to remove them all and then Add only the position we want: the value of the page parameter.

Leave the attack type as Sniper and then go to the Payloads section to load the word list.
Under Payload Options click on Load > select the word list > click on Open

Next, go to the Grep - Match section under the Options tab so that Intruder flags every response that is just a "page not found" error; the responses without that flag are the ones worth looking at.
In the Grep - Match section under the Options tab > click on Clear to remove the default list > type "Validation Error: 404 - Page Not Found" in the Enter a new item field > click on Add.

We are done with the configuration; now let's start the attack.

The attack will take some time depending on the Burp Suite edition you are using. I am using the free Community edition, which throttles Intruder, so it will take longer than expected.
In the results, the pages that exist are the rows where the box in the "Validation Error: 404 - Page Not Found" column is unchecked; all the other rows returned the page not found output.
Once the attack has finished, it is time to retrieve the sensitive data.

Double click on any available page in the attack window > go to the Response tab > then the Render tab to see the page as a browser would show it.
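The Comparer and Intruder steps above can be reproduced with a short script, which is handy for re-checking a result without waiting on the throttled Community edition Intruder. This is an added example and not code from the post or from Mutillidae: the base URL, the sample responses and the wordlist are constructed assumptions, and it assumes, as the post observed, that the missing-page error comes back in the response body rather than as an HTTP error status, so only the body distinguishes hits from misses.

```python
import difflib
import re
import urllib.parse
import urllib.request

# Assumed Mutillidae location; adjust to your lab (not taken from the post).
BASE_URL = "http://localhost/mutillidae/index.php"

WORD_RE = re.compile(r"[A-Za-z0-9]+")


def words(text):
    """Tokenize a response body roughly the way Burp Comparer's Words mode does."""
    return WORD_RE.findall(text)


def word_diff(legit_body, bogus_body):
    """Words present in the bogus response that the legitimate one lacks.
    With the two Repeater responses from the post this yields the 404 marker."""
    a, b = words(legit_body), words(bogus_body)
    sm = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    added = []
    for tag, _i1, _i2, j1, j2 in sm.get_opcodes():
        if tag in ("insert", "replace"):
            added.extend(b[j1:j2])
    return added


def contains_sequence(tokens, needle):
    """True if needle occurs as a contiguous run inside tokens."""
    if not needle:
        raise ValueError("empty marker would match every response")
    n = len(needle)
    return any(tokens[i:i + n] == needle for i in range(len(tokens) - n + 1))


def fuzz_page_param(wordlist, fetch, marker, base_url=BASE_URL):
    """Request base_url?page=<candidate> for each candidate and keep those whose
    body does not carry the 404 marker (the Intruder rows with Grep-Match unchecked).
    Status codes are ignored on purpose: assumption is that the missing-page
    error is returned with a normal status, so only the body tells hits from misses."""
    hits = []
    for candidate in wordlist:
        url = base_url + "?" + urllib.parse.urlencode({"page": candidate})
        body = fetch(url)
        if not contains_sequence(words(body), marker):
            hits.append(candidate)
    return hits


def http_fetch(url, timeout=10):
    """Real transport. Set the http_proxy environment variable to Burp's listener
    if you want the requests to show up in the Proxy history."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed stand-in responses, not captured from a real Mutillidae instance.
SAMPLE_RESPONSES = {
    "home.php": "<html><body><h1>Mutillidae</h1>\n<p>Welcome to the home page</p>\n</body></html>",
    "home1234.php": "<html><body><h1>Mutillidae</h1>\n<p>Validation Error: 404 - Page Not Found</p>\n</body></html>",
    "phpinfo.php": "<html><body><h1>PHP Version 7.2.0</h1>\n<p>Configuration</p>\n</body></html>",
}


def fake_fetch(url):
    """Offline stand-in for http_fetch: unknown pages get the constructed 404 body."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    page = query.get("page", [""])[0]
    return SAMPLE_RESPONSES.get(page, SAMPLE_RESPONSES["home1234.php"])


def demo():
    """Derive the marker from the two Repeater-style responses, then fuzz with it."""
    marker = word_diff(SAMPLE_RESPONSES["home.php"], SAMPLE_RESPONSES["home1234.php"])
    wordlist = ["home.php", "phpinfo.php", "config.inc", "admin.php"]  # constructed
    return marker, fuzz_page_param(wordlist, fake_fetch, marker)


if __name__ == "__main__":
    marker, hits = demo()
    print("marker:", " ".join(marker))
    print("pages that exist:", hits)
```

Against a live lab, swap fake_fetch for http_fetch and load the same wordlist you gave Intruder; because the script keys on the body marker rather than on the status code, it still separates real pages from missing ones when the server answers both with 200, which is the case the post's Grep - Match setting was chosen for.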

Congratulations!! You have successfully retrieved the PHP configuration file as output. Output like this reveals the server's file system paths, loaded modules and configuration values, exactly the architecture and configuration information described at the start of this post. If you have any further query or suggestion on the same topic please feel free to comment below. Happy hacking!!

