# Business Logic Vulnerabilities - Lab #6 Inconsistent handling of exceptional input | Long Video

## Metadata

- **Channel:** Rana Khalil
- **YouTube:** https://www.youtube.com/watch?v=ALq4h7l0Uw0

## Contents

### [0:00](https://www.youtube.com/watch?v=ALq4h7l0Uw0) Segment 1 (00:00 - 05:00)

Hi everyone, welcome back to another video in the Web Security Academy series. In today's video we'll be covering lab number six in the Business Logic Vulnerabilities module, titled "Inconsistent handling of exceptional input".

All right, before we continue with the video I'd like to announce that this video is part of a course that I offer on my academy. Now you might be wondering, why would I buy a course that is made available for free on YouTube? Well, there are four reasons why you might want to do that. Number one is that you gain early access to recorded material: as soon as I record new videos I make them available through my course right away, whereas on YouTube they'll only be released on a weekly schedule. Reason number two is that you gain access to a Discord channel where you can ask questions. The Discord channel is divided into topics that we cover in the course, and if you run into any issues you get to ask questions about anything related to the course material. Reason number three is that you no longer have to deal with YouTube ads or sponsor messages. And last but not least, reason number four is you get to support me: any revenue generated from this course will go back into maintaining the academy and creating more videos and courses that will be made available for free on my YouTube channel. So if you're interested in buying the course, make sure to check out the link in the description. And that is it, let's go back to our video.

If you do not have an account on the Web Security Academy you can get one by visiting the URL portswigger.net/web-security and clicking on the sign up button. I already have an account and I am logged in, so to access the exercise I'm going to click on Academy, select All labs, and then do a search on the Business Logic Vulnerabilities labs and go to lab number six, titled "Inconsistent handling of exceptional input".

All right, let's get started. This lab doesn't adequately validate user input. You can exploit a logic flaw in its account registration process to gain access to administrative functionality. To solve the lab, access the admin panel and delete Carlos. So the target goal over here is to exploit some kind of business logic flaw in the account registration function which will allow us to escalate our privileges to administrator and then delete the Carlos user.

All right, let's access the lab. Now notice over here, this is the built-in browser in Burp, and so all my requests are already being recorded in my Burp proxy. Okay, the first thing that I'm going to do is try to find the admin panel that the exercise is talking about. If you were using the professional version of Burp, what you could do is go to Target, and then go to the application, and then click on Engagement tools and select Discover content, so that it tries to find other directories that are not directly visible in the application. But we're using the professional version, so what we're going to do is we're just going to simply try and fuzz the application and see if we could find the admin directory. So the first thing that I'm going to try is /admin, hit enter, and it looks like that is a valid directory because we get the message "admin interface only available if logged in as a DontWannaCry user". So you could see over here that we're not logged in as a user, and it tells us that the admin panel, which is available at the /admin endpoint, is only available to users that are under the DontWannaCry domain. So let's hit the register functionality and try to register a user with this specific email address. Now, if it doesn't validate that this email address really belongs to me by sending me some kind of registration link, then I should be able to access the admin functionality once I create the account. So let's say test, and then let's say test@dontwannacry.com, and then test again, and hit register. It says "please check your emails for your account registration link". Let's see if it'll allow me to log in without clicking on that registration link, because I don't have access to that email address. So test, and then test again, and it says "invalid username or password". So that didn't work: you do have to confirm your registration by clicking on the email that is sent to you, and so I need to use an email that I have access to. Now the nice thing about the Web Security Academy is it's usually self-sufficient, meaning that everything that you need is in the academy itself, and so it already gave you access to an email address, and anything that gets sent to the email address would appear over here. And you could see over here it says it also displays all emails that are for this specific domain and all subdomains, so that'll come in handy in a bit. Let's use this email

### [5:00](https://www.youtube.com/watch?v=ALq4h7l0Uw0&t=300s) Segment 2 (05:00 - 10:00)

address, and again let's register: test1, and then the email address is attacker@exploit-server.net, and then the password, let's say, is test, and hit register. It tells me to check for the registration link. Hit enter, this looks good, we get the registration link. Let's enter it over here and it says account registration is successful, and now I should be able to log in to my account. So test1 and then test, hit log in, and it tells me "your email address is attacker@so-and-so.net". All right, so if we go to the POST request right over here, you could see it takes in a CSRF token and then the username and password, and it displays the account page for you. Now what I'm going to do is I'm going to try to access the admin panel again from over here, but it likely won't work because I don't have an email address that is registered with the DontWannaCry domain, and so I need to find an exploit in a vulnerability in the application that allows me to register a user under that domain.

Now if we go back to the register functionality and see how it works, you could see over here it's a POST request: it takes in the username, the email address and the password, so it doesn't look like this itself is vulnerable. So one thing that you could try is see if the application validates user input over here, and the way I'm going to do that is by sending it exceptionally high input and seeing if the application accepts that input. So I'm going to go to my account again and then log out, okay, and then from there I'm going to click on register, and let's say test2, and then again test, t.ca, and I think we use test.ca, so let's say test2@test.ca, and then password is test, hit register. Let's take this POST request, send it to Repeater, and then from there what I'm going to do is I'm going to take my user-supplied email address, which is this one over here, let's copy that, put it in here, and URL-encode the at sign, so %40, and I'm going to send this to Intruder. Now in Intruder we're going to automate the process of sending an input with a large number of characters. So the first thing we're going to do is clear everything over here, and then I'm going to highlight this, go to Payloads, and then from Payloads I'm going to say Character blocks, and what this will do is it'll add the character "a" 100 times in the first request, and then I'm going to ask it in each request to increase that character count by 100. So in the first request it'll do it 100 times, in the second request it will do 200 times, in the third request it'll do 300 times, and so on. So my guess is, if we go up to 500 and it doesn't give me an error, that means there's no validation on the number of characters that the email address can have. So let's click on Start attack, click OK, and it looks like we got the same length of response, and so my guess is it worked. Let's see if we get the registration email, and we do. So you could see over here we did it five times and so we have five different registration emails. So I'm going to click right over here and click on My account and log into that account to see if the email address really worked. So the request we were performing was a username called test2 and the password was test, and you could see over here this is the email address. So username was test2 and password was test, hit log in, and this is interesting. So over here it tells me your email address is just this right over here, but the email address that I put in here was this entire thing, so we definitely have characters missing, which means that it's truncating a portion of my input, and that might be really helpful for me to be able to bypass certain controls in the

### [10:00](https://www.youtube.com/watch?v=ALq4h7l0Uw0&t=600s) Segment 3 (10:00 - 15:00)

application. So let's see how many characters it accepts. So let's copy this entire string right over here and put it in here, and let's highlight all of this. You could see over here in Visual Studio it counts the number of characters, so we have 255 characters, which means after the 255th character it truncates everything that is in the email. And so to trick the application into thinking that I have a DontWannaCry email address, what I'm going to do is I'm going to go back to Burp and copy my domain name, which is this one right over here (the zero is part of the URL encoding), I'm going to put a dot and then dontwannacry.com, and we'll need an at sign right over here. So the idea over here is to register using an email address that contains my domain, so that the email gets sent to my domain; however, when the application sets your email address, what it's going to do is, if you have a correct number of characters over here, it should truncate everything that is after the 255th character. And so I need to make sure that the "m" is the 255th character and the rest gets truncated. So to do that, how many characters is this? That's 17 characters, so we're looking at 255 - 17, which is equal to 238. So I need to put 238 a's before this at sign. So let's copy that and look for 238 a's, and here we go, let's copy that here and put it in here. All right, so now, because the application does not handle exceptional input properly, what's going to happen is once it reaches the 255th character it'll truncate everything else, and so it should truncate this entire thing, and so it'll appear to my application that I do have an account that is under the DontWannaCry domain. So let's copy this, and this is such a clever vulnerability to exploit.

Let's go here, go to Repeater, and then actually the session ID and the CSRF token probably changed, and so let's log out, click on register again, this time let's say test4, and again test, test, let's say five, dot ca, it doesn't really matter, and then test, click register. I just need this POST request for the new session ID and the new CSRF token. So over here what I'm going to do is I'm going to replace the email address with the email address that I just created, and you might need to URL-encode certain characters, so the at sign definitely needs to be URL-encoded, so %40, and hit send. You get a 200 OK; if you click on Render it says "please check your emails for your account registration link". If we go back to our exploit server we should see a new email, and we do, so click on register: it successfully registered the account. So I'm going to go to My account and then log in, and that was test4 and then the password was test, hit log in, and we made a mistake. So you could see over here it added a dot sign, which means that we're missing one more "a", and so it's seeing me as under the domain "@dontwannacry.com." (with a trailing dot); however, I need to be at just "@dontwannacry.com". And so what I'm going to do is I'm going to add one more "a", and we could actually... we'll have to redo that in Burp. So let's copy that, go back to Burp, log out from here, go to Proxy, go to register again, let's say test6 and then test6@t.ca and then test again, and then use that POST request and send it to Repeater, and then in Repeater just replace the email address with the one that we just created, and this should have the correct number of a's, so %40,

### [15:00](https://www.youtube.com/watch?v=ALq4h7l0Uw0&t=900s) Segment 4 (15:00 - 16:00)

hit send, we get a 200 OK, that's good. Let's go to our exploit server and we get a new email, let's click on it, click register, actually click My account and then log in using that account, so test6 and then the password was test, hit log in, and okay, so we've got the correct domain, and you could see the admin panel is now visible to us because the application sees us as a user that has an email address in the DontWannaCry domain. All right, so now we access the admin panel and we have the ability to delete users, so we'll delete Carlos, and here we go, it says "congratulations, you solved the lab". So we successfully completed the exercise by exploiting the vulnerability manually. Usually we script the vulnerability in Python; however, because this does require having access to your own email client, and I like my scripts to be self-sufficient, that means I would have to create my own email client and then parse it and then extract the email from there, and I'm pretty sure the academy doesn't allow you to use any random email client. Plus the scripting portion would be way out of scope for these videos, and so for this video we won't be scripting the exploit in Python. In the next video we'll look at a more complex case of a business logic vulnerability. If you liked the video, hit the subscribe and share button so that the video reaches a wider audience. Also make sure to check out my course if you're interested in seeing more videos like this one. Thank you and see you in the next video.
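As an added illustration (not code from the video or from the lab), here is a small Python model of the flaw the walkthrough exploits and of the fix a developer would apply: the admin-domain check runs against an address that storage silently cut to 255 characters, so an over-length address whose 255th character closes `@dontwannacry.com` passes it, while the hardened registration rejects over-length input instead of truncating. The exploit-server hostname and the 255-character limit are constructed from the lab's description.

```python
# Constructed model of the lab's registration flaw and its fix. Not the lab's
# real code; the limit and domain come from the walkthrough above.
MAX_EMAIL_LEN = 255                 # column width the lab truncates to
ADMIN_DOMAIN = "dontwannacry.com"   # domain that unlocks the admin panel


def register_vulnerable(email: str) -> str:
    """Store the address the way the lab does: accept any length and
    silently cut the stored value to the column width."""
    return email[:MAX_EMAIL_LEN]


def register_hardened(email: str) -> str:
    """Reject over-length or malformed input instead of truncating, so the
    address that is stored is exactly the address the user verified."""
    if len(email) > MAX_EMAIL_LEN:
        raise ValueError("email exceeds %d characters" % MAX_EMAIL_LEN)
    local, sep, domain = email.rpartition("@")
    if not sep or not local or "." not in domain or domain.endswith("."):
        raise ValueError("malformed email address")
    return email


def hardened_rejects(email: str) -> bool:
    """True when the hardened registration refuses the address."""
    try:
        register_hardened(email)
    except ValueError:
        return True
    return False


def is_admin(stored_email: str) -> bool:
    """The admin-panel check the app applies to the *stored* address."""
    return stored_email.lower().endswith("@" + ADMIN_DOMAIN)


def forged_address(mail_domain: str) -> str:
    """Build the kind of input the lab uses: a local part sized so that
    '@dontwannacry.com' ends exactly at character 255, followed by the
    verifier's own mail domain as an extra trailing label (so the
    confirmation mail is still deliverable to that domain)."""
    local_len = MAX_EMAIL_LEN - len("@" + ADMIN_DOMAIN)   # 255 - 17 = 238
    return "a" * local_len + "@" + ADMIN_DOMAIN + "." + mail_domain


if __name__ == "__main__":
    forged = forged_address("exploit-PLACEHOLDER.exploit-server.net")
    print("vulnerable grants admin:", is_admin(register_vulnerable(forged)))
    print("hardened rejects it:    ", hardened_rejects(forged))
```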

---
*Source: https://ekstraktznaniy.ru/video/38684*