A penetration tester came across an online casino that verified the signature of requests on the server side and managed to figure out the generation algorithm of the signature itself.
Regardless of the purpose the developers had in mind when they added this parameter, it seems to be pointless. The signature itself is generated on the client side, and any client-side action can be subject to reverse-engineering.
The tester resolved the request signature generation algorithm and wrote an extension for Burp Suite that automates all the dirty work.
The extension can automatically generate HMAC SHA256, allowing the tester to get rid of manual work when sending requests, but it has the disadvantage of not being universal.
To make the extension universal, the tester added two functions that extract the CSRF token and the UserID from the responses and update the token itself in the headers of the sent requests.
The signature function takes all the custom parameters sent in the request, appends the standard user_id, currentTime and csrf_token to them, and signs them all together with HMAC SHA256, using a semicolon (;) as the separator.
The final body of the request is generated and sent onward.
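The signing scheme described above, written out as an added Python example (this is not the tester's Burp extension and not the casino's code). It assumes, since the summary does not say, that custom parameter values are joined in request order with the three standard fields appended last, that the HMAC key is a string embedded in the client, and that the signature travels hex-encoded in a header called X-Signature; all keys, tokens and parameter values are constructed for the example. It also shows the server-side check, and why that check adds nothing: whoever holds the client-side key can produce a valid signature for any body, including a tampered one.

```python
"""Client-side request signing: values joined with ';' then HMAC-SHA256."""
import hashlib
import hmac
import time
from typing import Dict, Mapping, Tuple

SEPARATOR = ";"  # separator the article describes


def build_signing_string(params: Mapping[str, str], user_id: str,
                         current_time: str, csrf_token: str) -> str:
    """Concatenate the custom parameter values (request order, an assumption),
    then user_id, currentTime and csrf_token, with ';' between them."""
    parts = list(params.values()) + [user_id, current_time, csrf_token]
    return SEPARATOR.join(parts)


def sign_request(key: bytes, params: Mapping[str, str], user_id: str,
                 current_time: str, csrf_token: str) -> str:
    """HMAC-SHA256 over the signing string, hex-encoded."""
    msg = build_signing_string(params, user_id, current_time, csrf_token)
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_signature(key: bytes, params: Mapping[str, str], user_id: str,
                     current_time: str, csrf_token: str, presented: str) -> bool:
    """Server-side check: recompute and compare in constant time."""
    expected = sign_request(key, params, user_id, current_time, csrf_token)
    return hmac.compare_digest(expected, presented)


def build_signed_request(key: bytes, params: Mapping[str, str], user_id: str,
                         csrf_token: str, now: float = None) -> Tuple[Dict[str, str], Dict[str, str]]:
    """What an automated client does per request: stamp currentTime, recompute
    the signature, and return the final body plus the signature header.
    'X-Signature' is an assumed header name, not taken from the article."""
    current_time = str(int(time.time() if now is None else now))
    body = dict(params)
    body.update({"user_id": user_id, "currentTime": current_time, "csrf_token": csrf_token})
    headers = {"X-Signature": sign_request(key, params, user_id, current_time, csrf_token)}
    return body, headers


if __name__ == "__main__":
    # Constructed sample values; the key lives in the client, which is the whole problem.
    KEY = b"constructed-client-embedded-key"
    params = {"bet": "100", "game": "roulette"}
    body, headers = build_signed_request(KEY, params, "42", "csrf-constructed", now=1700000000)
    print("signing string:", build_signing_string(params, "42", "1700000000", "csrf-constructed"))
    print("server accepts original:",
          verify_signature(KEY, params, "42", "1700000000", "csrf-constructed", headers["X-Signature"]))

    # A modified body re-signed with the same client-side key is indistinguishable
    # from a legitimate one, so the server-side check does not protect integrity.
    modified = {"bet": "1000", "game": "roulette"}
    _, modified_headers = build_signed_request(KEY, modified, "42", "csrf-constructed", now=1700000000)
    print("server accepts re-signed modification:",
          verify_signature(KEY, modified, "42", "1700000000", "csrf-constructed", modified_headers["X-Signature"]))
```

The only case the server-side check catches is a body edited without re-signing, which is exactly the manual step the extension removes; once the key and algorithm are recoverable from the client, the signature proves nothing about who built the request.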
The article concludes by highlighting the importance of writing custom extensions and presents the source code of the extension the tester wrote.