Web application security - the fast guide 1.1 | Page 107
Chapter 5 - Attack Execution the client
B. Being able to copy an encrypted value from another request after
understanding which algorithm is used.
Attack process
A. Using a proxy, capture one or more requests to the same page that carry
the encrypted hidden field.
B. Alter the value, either with a newly generated value after discovering the
encryption function or with an encrypted value stolen from another request.
C. Release the altered request.
Example:
In the previous example, if we change the hashed value passed in the
price token to another value captured from another product with a lower price,
we might be able to successfully buy a product at the lower price.
If this is not possible, try using (sha1), (md5) or another known
hashing function to generate the price token for the altered price value.
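The weakness in the example above, seen from the server side, as an added example that is not from the book: an unkeyed hash of the price accepts both a replayed and a recomputed token, while an HMAC keyed with a server-only secret and bound to the product id rejects both. The key, product ids, prices and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real server loads a random secret from its own config.
SERVER_KEY = b"constructed-demo-key"


def weak_token(price: str) -> str:
    """Unkeyed SHA-1 of the price alone: anyone can recompute or replay it."""
    return hashlib.sha1(price.encode()).hexdigest()


def weak_verify(product_id: str, price: str, token: str) -> bool:
    # product_id is ignored: the token says nothing about which item it covers.
    return weak_token(price) == token


def strong_token(product_id: str, price: str) -> str:
    """HMAC-SHA256 keyed server-side and bound to both product id and price."""
    # Length prefix keeps the (id, price) pair unambiguous inside the message.
    msg = f"{len(product_id)}:{product_id}|{price}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def strong_verify(product_id: str, price: str, token: str) -> bool:
    expected = strong_token(product_id, price)
    # Constant-time comparison on bytes.
    return hmac.compare_digest(expected.encode(), token.encode())


def check_tampering() -> dict:
    cheap_id, cheap_price = "sku-100", "5.00"      # constructed catalogue rows
    costly_id, costly_price = "sku-200", "900.00"
    guessed = hashlib.sha1(b"1.00").hexdigest()    # token rebuilt without any key
    return {
        # Weak scheme: both tampered requests for the costly item pass.
        "weak_replay": weak_verify(costly_id, cheap_price, weak_token(cheap_price)),
        "weak_recomputed": weak_verify(costly_id, "1.00", guessed),
        # HMAC scheme: the same two requests fail, the untouched one passes.
        "hmac_replay": strong_verify(
            costly_id, cheap_price, strong_token(cheap_id, cheap_price)),
        "hmac_recomputed": strong_verify(costly_id, "1.00", guessed),
        "hmac_genuine": strong_verify(
            costly_id, costly_price, strong_token(costly_id, costly_price)),
    }


if __name__ == "__main__":
    for name, accepted in check_tampering().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Reading the price from the server-side catalogue by product id, rather than from the request, removes the need for a price token altogether.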
5.18 Forge Referer Header
[Figure 42: altering Referrer Header process. The attacker page sends a request
to a privileged page, faking the Referer header; the application server sends
the privileged response because the application considered it a local request
from a trusted page.]