Sunday, August 24, 2014

Web Hacking 101: URL/URI Modification

Modifying a URI is very simple and can be an easy way to break things or do things you might not normally be able to. The main thing people always seem to mix up is a URL and a URI. A URL is quite simply the domain.

example.com
www.example.com

A URI contains all the other information. This information can be broken down into lots of useful information. The URI contains the protocol, domain, directory location, file, port, anchor, and query string. A lot of this stuff is optional, like a directory location, file, port, query string, anchor and most browsers don't need a protocol unless it's something other than HTTP. Here's the breakdown.

protocol://subdomain.domain.topLevelDomain:port/path/to/file.extension?query=string&with=multipleValues#anchor

Common protocols you will see are HTTP (Hyper text transport protocol), HTTPS (http with TLS/SSL encryption), and FTP (file transfer protocol). Modern browsers figure out what port to use based on the protocol, making including the port unnecessary unless it does not use the default protocol port. The file protocol can also be used to browse local files on your computer.

Domains are broken down into subdomains, domains and top level domains. The top level domains have meanings but most people ignore them. They can be used for country codes (.co.uk or the like) or the type of site it is (.com commercial, .org non profit organization, etc.). The middle domain is whatever you want it to be. Then the subdomain is often used for organizing and breaking down a site. Especially useful when different resources are on different servers but you want them under the same domain.

As mentioned before, the port is unnecessary unless you are using a nonstandard port. I've done this when testing different servers side by side and some may do this to obfuscate things for security (not very strong security) It can also be used to avoid blocked ports on firewalls and the like.

The file path may not actually be a file path. Servers can implement rewrite rules to change the behavior. Careful observation should reveal if rewrite rules are used.

The actual file need not be shown, as servers can set what file name to default to if no name is present. Rewrite rules can also change this. Extensions don't need to reflect the actual file type as well, it depends on how the server is set up.

Query strings are not always apparent when rewrite rules are used. The premise behind the query string is to send plain old GET data. This is kind of like sending form data, only visible so people can link to things with information already entered. This is generally where you want to look for security holes.

Finally we have the anchor. This can be whatever information you want, but more often than not, it simply leads to an anchor on the page to scroll it to where you need.

All of these values can be modified. Let's say you go to a site and are trying to buy something. The URI looks like this.

http://www.insecurebuy.com/buystuff.php?item=expensiveComputer&price=10000

Well, there's something interesting. Maybe we can modify the price and get the expensive computer for free? While most things won't be that straight forward, learning to modify the URI can lead you to find hidden treasures, security holes or simply alter the appearance of some sites to fool people. However you look at it, modifying the URI is a good place to start in exploring a site and learning how it works and possibly how to manipulate it.

Tuesday, August 19, 2014

Web Hacking 101: View Source

There are a few hacking/security sites out there that let you go through challenges to learn. I'm just making posts off of them to refresh my memory because I haven't looked at this stuff in a while. This is square one.

To view the source on a web browser, you simply go to the site, right click on the page and select "View Source" or "View Page Source" on that menu. Most often, the keyboard shortcut to this is Ctrl+U.

The source you are seeing is just the HTML, maybe some CSS and JavaScript. Maybe a few other things depending on the site.

The value in this is because a lot of web software leaves comments to help designers and developers figure things out, and this can give anyone some insight into things going on behind the scenes. This particular source is static and from the start of when the page loaded. To view the dynamic source, DOM inspectors can be used and are pretty much default for major browsers. I personally prefer using the Firebug addon for Firefox because it's what I'm used to and it's easy to use.


Tag Cloud

.NET (1) A+ (2) addon (6) Android (4) anonymous functions (5) application (10) arduino (1) artificial intelligence (2) bash (4) c (7) camera (1) certifications (4) cobol (1) comptia (4) computing (2) css (2) customize (16) encryption (2) error (19) exploit (17) ftp (3) funny (2) gadget (3) games (2) Gtk (1) GUI (5) hardware (7) haskell (15) help (8) HTML (6) irc (2) java (5) javascript (21) Linux (20) Mac (5) malware (2) math (8) network (9) objects (2) OCaml (1) perl (4) php (9) plugin (7) programming (42) python (24) radio (1) regex (3) security (25) sound (1) speakers (1) ssh (3) story (1) Techs from the Crypt (2) telnet (2) tools (15) troubleshooting (5) Ubuntu (4) Unix (4) virtualization (1) web design (14) Windows (8) wx (2)