Hunter Tip #2 Nullie the Elephant
来源:互联网 发布:金红米i7手机数据参数 编辑:程序博客网 时间:2024/06/06 03:03
Nullie the Elephant
Summary:
This is a quick paper about another typical attack I find that has proved successful throughout my own bug hunting. It is likely this may often be over looked by Bug Hunters. So I am sharing another tip with you.
Description:
Unfortunately I do not have any real examples I can show you as the programs have stated “no disclosure”. That being said, I recently discovered another successful attack using this method in a financial services program, so I will talk around this discovery. In this attack, I wanted to gain access to other people’s card information.
Below is an example of POST data within a normal request. (I have reduced the POST data to the relevant fields)
This would return a lot of user information, to include
- First name
- Last name
- Home phone number
- Cell phone number
- Full postal address
- Email address
- Date Of Birth
- Card Rewards
- Secret Question – why ??
- Secret Answer – definitely why ??
So the first stage would be to simply enumerate the CardNumber parameter. However this replied with:
We’re sorry, but your information doesn’t match your profile. Please retry using your first name, last name, your account number and mobile numbers
So at this stage, we would need to know quite a lot of information to get access to the card. In a real attack scenario, this would essentially be game over.
However, I persisted and sent:
Same error, I tried again with
Same error.
This time I sent a true NULL value (note the absence of the quotation marks)
It passed the application server side checks and returned me the following information. Clearly in this request, we did not send the First Name / Last Name / Phone Number, but it happily returned us the values.
- First name
- Last name
- Home phone number
- Cell phone number
- Full postal address
- Email address
- Date Of Birth
- Card Rewards
- Secret Question
- Secret Answer
I have seen this work on a number of applications. So when in doubt, always try a NULL
原文链接:https://www.bugbountyhq.com/front/latestnews/MUlhdGtuMjF3b0FKekdwSlBlR0RUUT09/
- Hunter Tip #2 Nullie the Elephant
- The Elephant Man——Chapter 2 The Card
- #286 (Div. 2) C. Mr. Kitayuta, the Treasure Hunter
- Mr. Kitayuta, the Treasure Hunter
- Hunter Tip #1 Response To Request Injection (RTRI)
- Asset Hunter 2
- Codeforces Round #286 (Div. 2) C. Mr. Kitayuta, the Treasure Hunter
- Codeforces Round #286 (Div. 2)C. Mr. Kitayuta, the Treasure Hunter
- Codeforces Round #286 (Div. 2) C. Mr. Kitayuta, the Treasure Hunter——dp
- Codeforces Round #286 (Div. 2) C. Mr. Kitayuta, the Treasure Hunter+dp+优化
- Codeforces Round #286 (Div. 2) C Mr. Kitayuta, the Treasure Hunter ( DP )
- Codeforces Round #286 (Div. 2) C. Mr. Kitayuta, the Treasure Hunter(经典的DP)
- Codeforces Round #286 (Div. 2) C. Mr. Kitayuta, the Treasure Hunter dp+范围压缩
- Codeforces Round #286 (Div. 2) C. Mr. Kitayuta, the Treasure Hunter dp
- cf286C Mr. Kitayuta, the Treasure Hunter dp
- CF_505C Mr. Kitayuta, the Treasure Hunter
- dp Codeforces505C Mr. Kitayuta, the Treasure Hunter
- Elephant
- static静态代码块执行顺序
- 零编程经验的我是如何找到工作的
- Android面试复习
- 详细探究Spark的shuffle实现
- Bitmap index引发的死锁
- Hunter Tip #2 Nullie the Elephant
- XML 解析
- Router
- IP地址,子网掩码,默认网关,路由,形象生动阐述
- 51. N-Queens
- js操作函数,判断传递参数合法性和个数
- Timus Online Judge:1119. Metro
- Android Studio(DDMS)中的那些招
- C#连接MySQL数据库