Find hidden input using Param Miner BurpSuite Extension

Captions
Hello ethical hackers, welcome back to this new video, in which we're going to see how to brute force parameters, headers and cookies using the Param Miner Burp extension. This is a free extension which you can download and use on Burp Community Edition as well. A lot of the time, developers purposely or mistakenly leave special parameters, headers or cookie names, thinking that they are the only ones who know them, and they base their logic upon it. For example, you can have a parameter "administrator". This is a predictable parameter name, but think about this use case, just bear with me: a developer just validates if a user is an admin or not based on a GET parameter named "admin". So if you just brute force with this extension using admin=true, for example, you land on an administrative page. Of course, this is just too good to be true, but you can find plenty of vulnerabilities based on those wrong assumptions that developers make.

Let's just go ahead and install it as usual. And nothing happens: no new tab is there, and that's normal, because you can access the features of Param Miner from the other tools such as Proxy, Repeater, etc. So here, for example, if we are targeting the POST api complaints endpoint, we've seen that in a previous video when we talked about the software vulnerability scanner. So let's say we want to brute force this. Bear in mind that this is the live Heroku app which is deployed by the maintainer of the Juice Shop app, so it's not a good idea to just go ahead and brute force it, but I'm just going to show you how it works, and then we can test it on a live website that we own. It usually goes this way: you just right click, and here you can see a whole new set of options that you get from the contextual menu. You can guess GET parameters, you can guess cookies, headers, JSON parameters, and you have other options here. So if you choose "Guess GET parameters", for example, you get access to this intimidating panel which allows you to configure some options. For example, you have the thread pool size; this is just how fast you want your tests to go. You can choose a custom wordlist path; let's say, for example, you have constructed a wordlist for this particular target, so you can point to it here and then you just hit OK.

I'm not going to do that. Instead, I'm just going to use a local instance of WebGoat which I'm running using the OWASP Top 10 lab that I provide as part of the OWASP Top 10 playlist, which you can find on the hackerish YouTube channel. You just scroll down and you can find it in the description box here, and you can just go ahead and download it. So I have my instance of WebGoat running, and let's take a random request. First of all, I'm just going to use my Burp instance to proxy the requests, and maybe just go to challenge 2 on the authentication bypass challenge. It's just a random challenge, so I'm going to enter a random answer for those questions and then submit. The idea here is not to solve that challenge per se, but to see how Param Miner works. So we captured our POST request, which, as you can see, points to auth-bypass verify-account. We have POST parameters, we have cookies, and we have some HTTP headers. Let's say that we want to brute force parts of this request. Well, let's right click, and let's just say, for the sake of this example, we want to guess cookie parameters. I'm going to leave these as default and then hit OK. You can see that nothing happens, but if you go to Extender, Extensions and then Param Miner, you can see that we have an output here: we have loaded Param Miner and we are initiating a cookie brute force on this target, and it says that it's completed. We have no headers, which means that everything went well, but we don't find anything.

Let's see how this extension works behind the scenes. If you recall, in a previous video I made we installed Logger++, which allows you to capture not only the requests through the proxy but every request that's ever made using Burp Suite, including other extensions. And now let's just re-run our previous request; this time we might target the headers instead, and let's hit OK. Right away you can see we have a bunch of requests that are being issued, and if you click on one of them, you can see that indeed the request has changed the POST to a GET method as part of the testing that it does. It tries to inject those two headers and then something in the GET parameter, although we instructed it to brute force only headers. In this case you can see that we have the Origin header, which is set to an arbitrary domain name. This is useful to test for cross-origin resource sharing misconfigurations, for example. So it's trying different well-known HTTP headers and trying to figure out if there are any HTTP responses which might hint that this header is actually being evaluated in the backend or the proxy somewhere along the way. I can spot the X-Forwarded-For IP, which is used for web proxies.

So let's now cheat a little bit and use a request which has a parameter, remove it, and then try to find it using Param Miner. If we take the same one, if we send it to the Repeater and send the request, we have this response. So let's say that we remove the userId and resend it; right away we see that we have a different response. So let's see if we can use other values here. I'm just going to input a random one and hit send. We have a response which might be detected by Param Miner. Let's just give it a try: let's remove this parameter and then try to brute force POST requests. Right click, and let's guess body parameters. Let's use the predefined wordlist that comes with Param Miner and hit OK. Now if we go to Extensions, it says here that we are initiating a body brute force on our target. In Logger++ we should see some requests with random parameter names. So for example we have "userId blah blah equals"... So here, for example, you can see that it tried the parameter name "zoom", another one here called "trigger", another, "setting". The scan has finished, and as a result we have identified parameter userId.

Param Miner has detected that there is a parameter in the POST body called userId. Likewise, if you go to the Target, Site map tab and choose your target, you can see that we have a new entry called "secret input". It says here that an unlinked input was identified: in the first request we had userId with a random value and we got this response; when we sent the second request, which didn't contain the userId, the response was different. So this clearly means, for Param Miner, that the parameter userId is somewhat evaluated by the backend. So this is generally how it works, but let's go even deeper.

It's always a good idea to read what the extension is offering and also to read the documentation if there's any, and I want to draw your attention to this phrase here: it's particularly useful for finding web cache poisoning vulnerabilities. So you might be wondering what web cache poisoning vulnerabilities are. If you remember, we barely touched upon it when we talked about parameter mining, injecting random parameter names in the URL part. Well, let's give it a try and see if we can learn something new. This is a blog post by James Kettle, a security researcher known for some novel vulnerabilities such as HTTP request smuggling, and he also works for the team behind Burp Suite. He is also known for web cache poisoning; you can read about it in great detail in the white paper, and you can also watch his awesome talk, so I encourage you to go through this blog post and learn about how caching works. I'm not going to go through all of the blog post, but in the basic poisoning section the author stated that Param Miner immediately spotted an unkeyed input. In this case it was the X-Forwarded-Host; it was basically used by the application to generate a URL inside a meta tag. So in the response you can see that we have the value of the X-Forwarded-Host header being injected into the meta tag. So what he did was just inject a cross-site scripting payload, and it automatically got injected in the meta tag as well.

The problem, though, is that you need to be the victim: you need to send this from your own browser, so you would exploit just yourself. But thanks to cache poisoning, you can poison the cache with this response, and then someone else would fetch this endpoint, and if he does, then he will get that response, because the cache just takes this part as a key to determine if the version that should be served to the user is the one stored in the cache. Notice that it's using a somewhat unique or random GET parameter, and that's to avoid poisoning other users. So whenever you're trying to poke for cache poisoning vulnerabilities, bear in mind that you should use random parameter names which are not likely to be used by the public, so that you avoid exploiting them. And that's why we have these kinds of parameters here: to make sure that even though we poison the cache, it doesn't affect legitimate users.

If you found this content helpful, make sure to like, comment and subscribe to this channel so that you get updates whenever I publish a new video on ethical hacking and bug bounty hunting. If you're new to hacking and want to learn the basics, check out the free OWASP Top 10 theory and hands-on training on thehackerish.com and apply your knowledge on the lab which supports it. If you enjoy learning with videos, I invite you to watch the OWASP Top 10 YouTube playlist; however, I encourage you to first try to solve the lab exercises so that you don't spoil them. Don't forget that there are supporting blog posts for most of the videos you watch on this YouTube channel. I also encourage you to subscribe to the Friday newsletter on thehackerish.com to gain some new hacking knowledge at the end of the week. If you enjoy listening while doing other things at the same time, check out the Hack for Fun and Profit podcast, link in the description box. Until next time, stay curious, keep learning, and go find some bugs.
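The detection logic the video describes (send a candidate name with a random value, compare the response against a baseline without it, report the name when the response changes or the value is reflected, and tag every probe with a random cache-buster so you never poison a cached page other users will receive) can be written out as a small script. The following is an added example, not Param Miner's code and not part of the video; the `fake_backend` it probes is a constructed stand-in for a target like the WebGoat request above (it evaluates a hidden `userId` body parameter and copies `X-Forwarded-Host` into a meta tag), so the example runs offline. Wordlists, parameter names and the `cb` cache-buster name are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def fake_backend(req: Request) -> Response:
    # Constructed stand-in for the target application (hypothetical), so the
    # example runs offline. It evaluates an undocumented POST parameter
    # 'userId' and copies X-Forwarded-Host into a <meta> tag, the kind of
    # unkeyed input the cache-poisoning write-up describes.
    host = req.headers.get("X-Forwarded-Host", "app.example")
    meta = f'<meta property="og:url" content="https://{host}{req.path}">'
    if req.method == "POST" and "userId" in req.body:
        return Response(400, meta + "Sorry, wrong answer")
    return Response(200, meta + "Please provide your answers")


def fingerprint(resp: Response) -> tuple:
    # Cheap response signature: status code plus body length.
    return (resp.status, len(resp.body))


def with_cache_buster(path: str) -> str:
    # Random query parameter (name 'cb' is an assumption) so a cache keyed on
    # the URL stores our probe under a key no real user will ever request.
    sep = "&" if "?" in path else "?"
    return f"{path}{sep}cb={secrets.token_hex(6)}"


def guess_inputs(send, base: Request, wordlist, location: str):
    """Probe each name in `wordlist` as a body parameter or a header.

    A candidate is reported when its random value is reflected in the
    response, or when the response fingerprint differs from the baseline.
    Two baselines are taken first; if they already differ (dynamic page),
    only status-code changes are trusted. Returns [(name, reason), ...].
    """
    assert location in ("body", "header")

    def clone(path):
        return Request(base.method, path, dict(base.headers), dict(base.body))

    baseline = send(clone(with_cache_buster(base.path)))
    stable = fingerprint(send(clone(with_cache_buster(base.path)))) == fingerprint(baseline)
    found = []
    for name in wordlist:
        canary = "zq" + secrets.token_hex(4)  # value unlikely to occur naturally
        probe = clone(with_cache_buster(base.path))
        if location == "body":
            probe.body[name] = canary
        else:
            probe.headers[name] = canary
        resp = send(probe)
        if canary in resp.body:
            found.append((name, "reflected"))
        elif stable and fingerprint(resp) != fingerprint(baseline):
            found.append((name, "response changed"))
        elif not stable and resp.status != baseline.status:
            found.append((name, "status changed"))
    return found


if __name__ == "__main__":
    # Constructed request: the captured POST with the userId parameter removed.
    base = Request("POST", "/auth-bypass/verify-account", {}, {"answer1": "a"})
    print(guess_inputs(fake_backend, base, ["admin", "zoom", "trigger", "userId"], "body"))
    print(guess_inputs(fake_backend, base, ["X-Forwarded-For", "Origin", "X-Forwarded-Host"], "header"))
```

Against a real target, `send` would be a function that issues the request over HTTP; the comparison logic stays the same. The length-based fingerprint is deliberately crude, which is why the script checks baseline stability first: on a page with per-request timestamps or CSRF tokens every probe would otherwise look like a hit.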
Info
Channel: thehackerish
Views: 9,765
Keywords: infosec, cybersecurity, bug bounty, burpsuite, burpsuite extensions, burp suite pro, hacking, web application, appsec, computer security, ethical hacking, pentest, penetration testing, java, vulnerable components, vulnerable software, bruteforce, enumeration, user input
Id: IYk7-xvOMOo
Length: 13min 19sec (799 seconds)
Published: Thu Dec 03 2020