Comments on Carnal0wnage Blog: Buby Script Basics Part 3

M00dy (http://www.blogger.com/profile/06204872005613480203), 2011-05-11 07:40:

Thanks again, I'm using your advice to try to bypass an anti-CSRF mechanism (HDIV J2EE framework). Actually, in each POST request I need to send a token that looks like random_name = random_value. So with Buby, I'm trying to gather this information from the response (with the Nokogiri HTML parser), then send it. However, it's a little bit complex. Have you ever seen this kind of defensive measure?

cktricky (http://www.blogger.com/profile/16815248087217800849), 2011-05-11 07:55:

Ahh, so you are probably using Mechanize to search the response (via XPath) or something like that for the nonce value? So like:

    res = agent.get('http://www.example.com')     # fetch the page
    res.search("//p[@class='something']")         # then search the response via XPath for the nonce

So I'm assuming you'd like to send, based off that random key/value in the response, a request that includes it in the POST params. Or at least I think that is what you are saying. I have seen those protections and it is a really good example of when to use Buby. Otherwise fuzzing becomes extremely painful and slows down the vuln discovery phase.

cktricky (http://www.blogger.com/profile/16815248087217800849), 2011-05-11 08:50:

...one thing I forgot to add, you'd need to be able to re-use this token per request (re-usable). I've seen this where you can replay for a specific resource but not for another on the same site. So you could send 100 or 300 requests using this token, but only to one specific page/action on the site. Also, you'd need to be attempting to automate the process a bit; otherwise, per request you could send to the scanner and avoid the code/Buby stuff altogether (keeping things like the cookies and the token itself off limits). Hmmm, I'm thinking this would be a good topic to cover in Part 4.