SQL injection with JSON


A few days back, while doing an assessment, I came across an application that used JSON-based HTTP POST requests to retrieve data from its backend database. The application itself issued these requests using AJAX. JSON (JavaScript Object Notation) is a format for serializing data transmitted over HTTP between an application and a server. Here is a quick guide to JSON.

Now, in this particular application, when certain fields are modified with bad characters such as a single quote (') or a double dash (--), the application returns a stack trace that refers to some form of SQL error. From the look and feel of the trace, it is probably a Microsoft IIS backend.

Burp and SSH Tunneling

Imagine a situation where a web application being assessed has whitelisted the IP addresses that can access it, and those addresses belong to a remote network. In these scenarios, our trusty Burp proxy's traffic needs to be tunneled through the remote machine.

Burp has a handy feature for tunneling all of its traffic through a SOCKS proxy. SOCKS (SOCKet Secure) is a protocol for tunneling packets through a proxy server. Many SSH clients, PuTTY among them, support creating a local SOCKS proxy that tunnels all traffic through the remote SSH server. In PuTTY, the Tunnels option is under Connection->SSH->Tunnels; the local SOCKS proxy port is added there, as shown below.

cscamp ctf 2012 - crypto 100

Crypto 100 challenge requires decryption of a given ciphertext.


There is also an input field that takes a plaintext and responds with its ciphertext. Encrypting 'a' and 'A' produces the same output, so the cipher is case insensitive. The following code solves the challenge by generating a table of ciphertexts for a-z and then decrypting the given ciphertext using that mapping.
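An added example (not the post's own solution) of the approach just described: a stand-in encryption oracle is constructed here in place of the challenge's input field, the mapping is built by querying it once per letter, and the ciphertext is decoded by inverting that mapping. The `oracle` function and its key are assumptions; the decoder also handles ciphertext tokens longer than one character, which goes beyond the single-character case the post implies.

```python
import string

# Constructed stand-in for the challenge's encryption form (assumption):
# a fixed monoalphabetic substitution that ignores case.
_KEY = "qwertyuiopasdfghjklzxcvbnm"
_SUBST = {p: c for p, c in zip(string.ascii_lowercase, _KEY)}


def oracle(plaintext: str) -> str:
    """Hypothetical oracle standing in for the challenge's input field."""
    return "".join(_SUBST.get(ch, ch) for ch in plaintext.lower())


def is_case_insensitive(encrypt) -> bool:
    """Reproduce the 'a' vs 'A' check from the post for every letter."""
    return all(encrypt(p) == encrypt(p.upper()) for p in string.ascii_lowercase)


def build_mapping(encrypt) -> dict:
    """Query the oracle once per letter and invert the result (ciphertext -> plaintext)."""
    mapping = {}
    for p in string.ascii_lowercase:
        c = encrypt(p)
        if c in mapping and mapping[c] != p:
            # Two plaintext letters with the same ciphertext cannot be inverted uniquely.
            raise ValueError(f"cipher is not injective: {c!r} from {mapping[c]!r} and {p!r}")
        mapping[c] = p
    return mapping


def decrypt(ciphertext: str, mapping: dict) -> str:
    """Decode by matching ciphertext tokens (longest first); unknown characters pass through."""
    tokens = sorted(mapping, key=len, reverse=True)
    out, i = [], 0
    while i < len(ciphertext):
        for t in tokens:
            if ciphertext.startswith(t, i):
                out.append(mapping[t])
                i += len(t)
                break
        else:
            out.append(ciphertext[i])  # e.g. spaces and punctuation
            i += 1
    return "".join(out)
```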

cscamp ctf 2012 - web 200

The web200 challenge requires an input that is the solution to an equation.


Also, submitting the answer after some time results in a "too late" response. Inspecting the HTTP headers, there are a "Set-Cookie" header and an "EQ" header.


Hello World

Traditional blog inauguration