SQL injection in referrer header


Rakesh Kirola

Sep 12, 2022, 12:23:01 PM
to zaprox...@googlegroups.com
Hi,

I am trying to find SQL injection on a POST request which allows user registration. This POST request has a validation check: if we try to register a user with the same username, it returns a response stating "User already exists" and the user is not registered.

Now, if this request sends a SQL injection payload in the Referer header, is the SQL injection payload tested through the Referer header against this request, or is it not executed, since the application has validation in place for duplicate user registration?

The request and response are shown below:

Request:

POST http://localhost:5000/users/v1/register HTTP/1.1
Content-Type: application/json
User-Agent: PostmanRuntime/7.29.2
Accept: */*
Postman-Token: ad7a5833-dc3e-4eaf-9c85-b04566bc9633
Connection: keep-alive
Content-Length: 78
Referer: http://localhost:5000/users/v1/register" OR "1"="1
Host: localhost:5000

{
    "username": "2",
    "password": "yui2",
    "email": "yu...@fdgfg.com"
}

Response:

HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 69
Server: Werkzeug/1.0.1 Python/3.7.14
Date: Mon, 12 Sep 2022 16:10:26 GMT

{ "status": "fail", "message": "User already exists. Please Log in."}


Please suggest.

Do let me know if further information is required here.

Best Regards,

Rakesh Kirola

Simon Bennetts

Sep 13, 2022, 8:32:51 AM
to OWASP ZAP User Group
Hi Rakesh,

I assume this is manual testing?
If so try using the fuzzer and adding another injection point in the username where you inject an incrementing value.

Cheers,

Simon

Rakesh Kirola

Sep 13, 2022, 11:39:19 AM
to zaprox...@googlegroups.com
Thanks for the reply Simon!

I am running an active scan on a POST API request.

Best Regards,

Rakesh Kirola


Simon Bennetts

Sep 13, 2022, 11:50:44 AM
to OWASP ZAP User Group
This is something that ZAP cannot handle "out of the box", as it requires knowledge of how the application works.
What you can do is create an httpsender script: https://github.com/zaproxy/community-scripts/tree/main/httpsender
The script should only carry on if it's the ACTIVE_SCANNER_INITIATOR and a POST request to the expected URL.
If so, then in the script inject a number at the end of the username parameter - you'll need to maintain the number as a global/script variable and increment it every time you use it.
The idea is that the ZAP scanner should be able to keep attacking that POST request as usual, but your script changes the username on every request, e.g. to "user1", "user2", etc., so that you don't hit the problem where the user already exists.

Cheers,

Simon
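A fuller version of the script Simon describes, added here as a worked example (it is not Simon's code and not one of the ZAP community scripts): it rewrites only active-scan POSTs to the registration endpoint and appends a counter to the username, so the scanner's own payloads in that field survive while the application never sees a duplicate user. The hook names `sendingRequest`/`responseReceived` and the `HttpSender` import are ZAP's; the endpoint path, the base username `scanuser`, the helpers `should_rewrite`, `rewrite_body`, `username_in` and `simulate_scan`, and the fallback value 3 for the initiator constant are assumptions made for this example. The code is written to run both under ZAP's Jython engine and in plain CPython, where `simulate_scan` stands in for the scanner.

```python
import json

# Constructed values for this example (not from the thread): the endpoint being
# scanned and the username that the recorded registration request carries.
TARGET_PATH = "/users/v1/register"
BASE_USERNAME = "scanuser"

try:
    # Available inside ZAP's Jython engine; absent in plain CPython.
    from org.parosproxy.paros.network import HttpSender
    ACTIVE_SCANNER_INITIATOR = HttpSender.ACTIVE_SCANNER_INITIATOR
except ImportError:
    ACTIVE_SCANNER_INITIATOR = 3  # assumed value of ZAP's active-scanner initiator constant

_counter = [0]  # script-level state: survives across sendingRequest calls


def should_rewrite(initiator, method, path):
    """Only touch active-scan POSTs to the registration endpoint; proxy, spider
    and manual traffic pass through untouched."""
    return (initiator == ACTIVE_SCANNER_INITIATOR
            and method == "POST"
            and path == TARGET_PATH)


def rewrite_body(body, base, counter):
    """Make the username in a registration body unique for this request.

    Substring replacement is used instead of overwriting the JSON field: the
    scanner may already have put its payload into the username value, and
    replacing only the base name keeps that payload intact while still yielding
    a username the application has never seen. Returns (new_body, next_counter).
    """
    new_name = "%s%04d" % (base, counter)
    return body.replace(base, new_name), counter + 1


def username_in(body):
    """Hypothetical helper for inspecting results: the username in a JSON body."""
    return json.loads(body).get("username")


# --- ZAP httpsender hooks ---------------------------------------------------

def sendingRequest(msg, initiator, helper):
    header = msg.getRequestHeader()
    if not should_rewrite(initiator, header.getMethod(), header.getURI().getPath()):
        return
    body = msg.getRequestBody().toString()
    new_body, _counter[0] = rewrite_body(body, BASE_USERNAME, _counter[0])
    msg.setRequestBody(new_body)
    # Content-Length must match the rewritten body or the server truncates or rejects it
    header.setContentLength(msg.getRequestBody().length())


def responseReceived(msg, initiator, helper):
    pass


def simulate_scan(bodies):
    """Offline stand-in for the scanner: run request bodies through rewrite_body
    with a fresh counter and return the usernames that would be sent."""
    counter = 0
    sent = []
    for body in bodies:
        new_body, counter = rewrite_body(body, BASE_USERNAME, counter)
        sent.append(username_in(new_body))
    return sent


if __name__ == "__main__":
    # Constructed bodies: a plain request, then one carrying the thread's payload
    # in the username field (JSON-escaped), as the scanner would send it.
    sample = [
        '{"username": "scanuser", "password": "pw", "email": "a@example.test"}',
        '{"username": "scanuser\\" OR \\"1\\"=\\"1", "password": "pw", "email": "a@example.test"}',
    ]
    print(simulate_scan(sample))
```

Because the counter lives at script level, it keeps increasing for the lifetime of the loaded script rather than restarting on every active scan, which is what makes the usernames unique across runs.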

Rakesh Kirola

Sep 14, 2022, 12:19:50 PM
to zaprox...@googlegroups.com
Thanks for the reply Simon!

Modified an existing httpsender script as shown below:

OLD_USERNAME = "22006611"   # username present in the recorded request
NEW_USERNAME = "q"          # replacement name; grows by one character per request

def sendingRequest(msg, initiator, helper):
    global NEW_USERNAME

    body = msg.getRequestBody().toString()
    # Extend the replacement name so every request registers a different user
    NEW_USERNAME = NEW_USERNAME + "f"
    newbody = body.replace(OLD_USERNAME, NEW_USERNAME)
    msg.setRequestBody(newbody)
    # Keep Content-Length in step with the rewritten body
    msg.getRequestHeader().setContentLength(msg.getRequestBody().length())

def responseReceived(msg, initiator, helper):
    pass


Here the value in OLD_USERNAME is the value of the existing username in the request, and NEW_USERNAME is the new username that will be created for each request during the scan.
As of now, I need to change the hardcoded value of NEW_USERNAME on each active scan run; will see how this can be made dynamic.

When an active scan is run manually on the endpoint now, it creates a new username for each request. Not sure if this is the cleanest approach, but it serves the purpose for now :)

Best Regards,

Rakesh Kirola


Simon Bennetts

Sep 15, 2022, 3:32:03 AM
to OWASP ZAP User Group
Good to hear it's working for you :)

Cheers,

Simon