HTTP (Request & Response) PDF

The document discusses Response To Request Injection (RTRI) attacks. It describes how RTRI works by exploiting vulnerabilities that allow unauthorized access by trusting user-supplied data in POST requests. The document outlines the steps of an RTRI attack against a merchant website, including discovery of vulnerable endpoints, crafting malicious requests, and obtaining approved admin access without authorization. Resources are provided for further understanding and practice with RTRI attacks.

Uploaded by

Andry Gonzalez

Agenda

- HTTP request and response
- Case Study: Response To Request Injection (RTRI)

HTTP Methods: GET vs POST

HTTP works as a request-response protocol between a client and server.
Two commonly used methods for a request-response between a client and
server are: GET and POST.
- GET - Requests data from a specified resource
- POST - Submits data to be processed to a specified resource

HTTP Headers: Request vs Response

image source: http://www.computing.dcu.ie/~humphrys/Notes/Networks/tanenbaum/7-43.jpg

Tools to Monitor HTTP Traffic

- Wireshark
- Webscarab
- Paros Proxy
- Burp Suite
- and many other tools available.

Case Study: Response To Request Injection (RTRI) Attack

What is RTRI?

Response To Request Injection (RTRI) is classed as an Insecure Direct
Object Reference vulnerability, where the application trusts
user-supplied data on a POST request, even though it is NEVER expected
within a request.
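
A minimal sketch of the flaw defined above and its fix, added here as an illustration and not taken from the slides or from the write-ups they cite. The handlers, field names and sample POST bodies are constructed assumptions: the vulnerable handler merges every posted field into the account record, while the hardened one copies only allow-listed fields and reports the rest for logging.

```python
from urllib.parse import parse_qsl

# Constructed for illustration: these field names are assumptions, not values
# read from the slides' screenshots.
CLIENT_FIELDS = {"email", "company", "account_type"}  # fields the form may send
SERVER_DEFAULTS = {"status": "pending"}                # state only the server sets


def parse_form(body):
    """Decode an application/x-www-form-urlencoded POST body (last value wins)."""
    return dict(parse_qsl(body, keep_blank_values=True))


def register_vulnerable(body):
    """Merge every posted field over the defaults.

    A field echoed back from an earlier response (here: status) overrides
    the value the server meant to control.
    """
    record = dict(SERVER_DEFAULTS)
    record.update(parse_form(body))
    return record


def register_hardened(body):
    """Copy only allow-listed fields and report everything else.

    Returns (record, unexpected). The unexpected field names should be
    logged, because a normal client never sends them.
    """
    form = parse_form(body)
    unexpected = sorted(set(form) - CLIENT_FIELDS)
    record = {name: form[name] for name in sorted(CLIENT_FIELDS) if name in form}
    record.update(SERVER_DEFAULTS)  # server-owned state is applied last
    return record, unexpected


# Constructed sample bodies: a normal signup, and one carrying a server-owned field.
NORMAL = "email=a%40example.test&company=Acme&account_type=merchant"
TAMPERED = NORMAL + "&status=approved"

if __name__ == "__main__":
    print("vulnerable:", register_vulnerable(TAMPERED)["status"])
    record, unexpected = register_hardened(TAMPERED)
    print("hardened:  ", record["status"], "| unexpected fields:", unexpected)
```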

Mark Litchfield’s Story

- One of the most successful hackers on hackerone.com:
  https://hackerone.com/leaderboard/all-time
- By exploiting RTRI vulnerabilities in the past two years:
  - From one program he received two $15,000 awards
  - From another a total of $18,000
  - A partial payment for another of just under $13,000
  - At the recent H1-702 event he received an award for $10,000

Step 1: Discovery

The Target Website

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/b-1(1).png

Merchant Login

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/b-2.png

Create an Affiliate Account

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/b-3.png

The HTTP Post Request

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/p-1.png

The HTTP Post Response

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/p-2.png

Create a Merchant Account

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/b-4.png

The HTTP Post Request

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/p-3.png

The HTTP Post Response

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/p-4.png

Self-Registration as an Unauthorized User

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/b-5.png

The HTTP Post Request

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/p-5.png

The HTTP Post Response - Account Status: Pending

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/p-6.png

Step 2: The Attack

The Attack - Craft a HTTP Post Request

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/p-7.png

The Attack - The HTTP Post Response

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/p-8.png

Account Status - Approved!

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/b-6.png

Create Password

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/b7.png

Resource for Practice

- https://www.youtube.com/watch?v=RIHZH1VcS_U
- http://ctffiles.bughunters.club/smf-admin/

References

A large portion of the material is adapted from:

- Hunter Tip #1 Response To Request Injection (RTRI) - Mark Litchfield
  https://www.bugbountyhq.com/front/latestnews/dWRWR0thQ2ZWOFN5cTE1cXQrSFZmUT09/
- Response To Request Injection – HackBack CTF Solution - Arbin Godar
  https://arbingodar.com/response-to-request-injection-hackback-ctf-solution/
- HTTP Headers - https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
- Network programming in Java - Dr. Mark Humphrys
  http://www.computing.dcu.ie/~humphrys/Notes/Networks/java.html
