Web application security - the fast guide 1.1 | Page 107

Chapter 5 - Attack Execution the client

B. Being able to copy an encrypted value from another request after understanding which algorithm is used.

Attack process

A. Using a proxy, capture one or more requests to the same page that carry the encrypted hidden field.
B. Alter the value, either with a newly generated value after discovering the encryption function, or with an encrypted value stolen from another request.
C. Release the altered request.

Example:
TV plasma
Price: 299
Quantity: (Maximum quantity is 50)
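
The server-side check that rejects both alterations in step B, as an added example (not code from the guide): the token is a keyed HMAC bound to product, price and session instead of a bare hash of the price. SERVER_KEY, the catalogue entries, the session ids and all function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a secret held only by the server (constructed value).
SERVER_KEY = b"constructed-demo-key"
# Constructed catalogue used as sample data.
CATALOGUE = {"tv-plasma": 299, "hdmi-cable": 9}

def weak_token(price):
    """Design described in the text: unkeyed hash of the price alone."""
    return hashlib.sha1(str(price).encode()).hexdigest()

def weak_verify(price, token):
    return hmac.compare_digest(weak_token(price), token)

def bound_token(product_id, price, session_id):
    """Keyed MAC over every field the token has to vouch for."""
    msg = json.dumps([product_id, price, session_id]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def bound_verify(product_id, price, session_id, token):
    expected = bound_token(product_id, price, session_id)
    return hmac.compare_digest(expected, token)  # constant-time compare

def check_tampering(session_id="sess-A"):
    """Run the two alterations from step B against both designs."""
    cheap = CATALOGUE["hdmi-cable"]
    results = {}
    # Case 1: token copied from the cheaper product's request.
    results["weak_swap"] = weak_verify(cheap, weak_token(cheap))
    results["bound_swap"] = bound_verify(
        "tv-plasma", cheap, session_id,
        bound_token("hdmi-cable", cheap, session_id))
    # Case 2: token recomputed on the client with a known hash function.
    results["weak_regen"] = weak_verify(1, hashlib.sha1(b"1").hexdigest())
    results["bound_regen"] = bound_verify(
        "tv-plasma", 1, session_id, hashlib.sha256(b"1").hexdigest())
    # Legitimate request, then the same token presented by another session.
    good = bound_token("tv-plasma", CATALOGUE["tv-plasma"], session_id)
    results["bound_ok"] = bound_verify("tv-plasma", 299, session_id, good)
    results["bound_other_session"] = bound_verify("tv-plasma", 299, "sess-B", good)
    return results

if __name__ == "__main__":
    print(check_tampering())
```

The stronger fix is to drop the price field from the form and look the price up server-side by product id; the MAC matters only where a value must round-trip through the client.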
In the TV plasma example above, if we change the hashed value passed in the price token to a value captured from another product with a lower price, we might be able to successfully buy a product with a lower price. If this is not possible, try using (sha1), (md5) or another known hashing function to generate the price token for the altered price value.

5.18 forge Referer Header

[Figure 42: altering Referrer Header process. The attacker page sends a request to a privileged page, faking the Referer Header; the application server sends the privileged response because the application considered it a local request from a trusted page.]