Keep an eye out for the JavaScript
There are two things I want to cover in this article, and both concern JavaScript.
A while ago I learnt from a colleague the importance of intercepting JavaScript responses when dealing with file upload filters.
Burp Suite by default does not intercept requests sent for JavaScript files. So, first of all, it is important to intercept those requests and responses and check whether they contain any client-side JavaScript filters.
For that, you need to make the change below in the intercept settings.
Remove ^js$| from the file-extension rule and save.
The above will enable you to intercept outgoing js requests and, consequently, their responses. These responses can be tampered with, or the specific logic (in particular, the file upload filter) can be removed, to disable client-side filters.
A colleague of mine was able to upload a file by removing the allowed extensions (.docx, .pdf) and adding his own (.bat, .exe) in the received JavaScript response itself. I am aware that we could achieve the same in other ways, by uploading a file with a valid extension and then tampering with the request in Burp. But it’s not always that easy. Sometimes the file content is encrypted on upload in the request itself; simply putting your payload there and forwarding the request won’t work, since the server expects only the encrypted request. Such challenges can be circumvented by tampering with the JavaScript logic in the response before it reaches the client, using the method suggested above.
You can also disable JavaScript on the front end altogether, using the method below. But note that doing so might render the application non-functional.
This also reinforces the fact that client-side controls are completely in the attacker’s control and cannot be relied upon on their own.
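As an added example (not code from the article), here is the kind of client-side extension allow-list the colleague edited, placed beside the server-side check that has to exist precisely because that list can be changed in the intercepted response. The allow-list, file names and sample bytes are constructed for this example; it is written for Node.js.

```javascript
// Client-side allow-list, as it would appear in an intercepted JS file.
// Constructed example values, not taken from any real application.
const CLIENT_ALLOWED = ['.docx', '.pdf'];

// Client-side filter: anyone intercepting the JS response can swap the list,
// so this is a usability aid, not a security control.
function clientSideAllows(filename, allowed = CLIENT_ALLOWED) {
  const ext = filename.slice(filename.lastIndexOf('.')).toLowerCase();
  return allowed.includes(ext);
}

// Server-side rules: allowed extension -> leading bytes (magic numbers) the
// content must start with. PDF starts with "%PDF-", DOCX is a ZIP ("PK\x03\x04").
const SERVER_RULES = {
  '.pdf': Buffer.from('%PDF-', 'latin1'),
  '.docx': Buffer.from([0x50, 0x4b, 0x03, 0x04]),
};

// Server-side validation runs regardless of what the browser-side filter did.
// Only the last extension counts, and the bytes must match that extension,
// so "x.pdf.exe" and "x.exe.pdf" are both rejected.
function serverSideValidate(filename, bytes) {
  if (typeof filename !== 'string' || filename.includes('\0')) {
    return { ok: false, reason: 'invalid filename' };
  }
  const dot = filename.lastIndexOf('.');
  if (dot === -1) return { ok: false, reason: 'missing extension' };
  const ext = filename.slice(dot).toLowerCase();
  const magic = SERVER_RULES[ext];
  if (!magic) return { ok: false, reason: `extension ${ext} not allowed` };
  if (bytes.length < magic.length || !bytes.subarray(0, magic.length).equals(magic)) {
    return { ok: false, reason: `content does not match ${ext}` };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed sample uploads: a minimal PDF header, a ZIP/DOCX header, and a
// Windows executable header ("MZ").
const PDF_SAMPLE = Buffer.from('%PDF-1.4\n% constructed sample\n', 'latin1');
const DOCX_SAMPLE = Buffer.from([0x50, 0x4b, 0x03, 0x04, 0x14, 0x00]);
const EXE_SAMPLE = Buffer.from('MZ\x90\x00', 'latin1');

// The edited client list lets payload.exe through; the server still refuses it.
console.log('client (edited list):', clientSideAllows('payload.exe', ['.exe']));
console.log('server:', serverSideValidate('payload.exe', EXE_SAMPLE));
console.log('server:', serverSideValidate('report.pdf', PDF_SAMPLE));
```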
If you want to do a lab that involves the above, do ‘Task 11’ of the ‘Upload Vulnerabilities’ room on TryHackMe.
2. Comb through the JavaScript files.
Whenever you load a web page, keep the Network tab (Developer Tools) in view, see which js files it loads, and open them in the ‘Sources’ panel to peruse the code.
Reading through the code enabled me to find crucial data such as Firebase database URLs, restricted endpoints, and application logic.
Refer to this article for the Firebase database exploit: https://danangtriatmaja.medium.com/firebase-database-takover-b7929bbb62e1
I was put onto the above practice by watching the video below. I highly recommend you watch it.
Earlier, I used to open the CSS and js files by finding the links to them in the page source in the browser. The method shown in this video is much better: it is elegant and efficient.
I hope you have learnt something from my experience. Thank you!