Earlier this year we were hired to perform an Overt Web Application Penetration Test for one of our banking customers (did you click that?).This customer is a reoccurring customer and so we know that they have Web Application Firewalls and Network Intrusion Prevention Systems in play.We also know that they are very security savvy and that they respond to attacks promptly and appropriately.
Because this test was Overt in nature (non-stealth) we began testing by configuring Acunetix to use burpsuite-pro as a proxy.Then we ran an automated Web Application Vulnerability Scan with Acunetix and watched the scan populate burpsuite-pro with information.While the scan results were mostly fruitless we were able to pick up with manual testing and burpsuite-pro.
While the automated scans didn’t find anything our manual testing identified an interesting Blind SQL Injection Vulnerability.This blind SQL Injection vulnerability was the only vulnerability that we discovered that had any real potential.
It’s important understand to the difference between standard SQL Injection Vulnerabilities and Blind SQL Injection Vulnerabilities.A standard SQL Injection Vulnerability will return useful error information to the attacker and usually display that information in the attackers web browser.That information helps the attacker debug and refine the attack.Blind SQL Injection Vulnerabilities return nothing, making them much more difficult to exploit.
Since the target Web Application was protected by two different Intrusion Prevention Technologies, and since the vulnerability was a Blind SQL Injection Vulnerability, we knew that exploitation wasn’t going to be easy.To be successful we’d first need to defeat the Network Intrusion Prevention System and then the Web Application Firewall.
Defeating Network Intrusion Prevention Systems is usually fairly easy.The key is to find an attack vector that the Network Intrusion Prevention System can’t monitor.In this case (like most cases) […]