Wednesday, May 14, 2025

Segfault ethical hacking week 5


 

Web System Structure Overview

Web (Static Resource Server)

  • Delivers static files to the client (e.g., HTML, CSS, JS, images)
  • Web server role: responds to client requests with files (e.g., Apache, Nginx)

WAS (Web Application Server)

  • Handles dynamic processing (e.g., login, user interaction, DB access)
  • Languages used: ASP, JSP, PHP, Python, etc.
  • Executes business logic

DB (Database)

  • Stores data persistently (e.g., user info, posts)

  • Language used to interact with DB: SQL


Relationship Between Client and Server


Client (Web Browser: Edge, Chrome, etc.) ↔ Web Server (Static files) ↔ WAS (Dynamic logic) ↔ DB (Data storage)
  • Front-End (FE): Visible UI — HTML, CSS, JavaScript
  • Back-End (BE): Business logic (e.g., verifying login credentials)


Login and Session Concepts

    Requesting from Web Server

  • Like sending a letter asking for a file
  • Since the server doesn’t know who is requesting, it uses cookies in the header to identify the user


    Cookie (Client-side storage)

  • Stored on the client
  • Issue: vulnerable to theft or hijacking (can lead to unauthorized access)

    Session (Server-side storage)

  • Server creates a session ID to identify each user
  • Session data is stored on the server; only the session ID is passed via cookie
  • Safer than using only cookies


    Burp Suite (Web Proxy Tool)

  • Intercepts communication between the client and web server
  • Allows you to view and modify HTTP requests/responses
  • Useful for testing vulnerabilities and simulating attacks

    SQL Injection

  • SQL: Language used to communicate with the database
  • Injection: To insert malicious code
  • SQL Injection: An attack that injects malicious SQL queries into input fields to manipulate or steal data from the DB

Assessment



1. Login Bypass 1

The challenge provides the credentials doldol / dol1234.



SQL Injection

ID: normaltic1' or '1'='1
Password: any string

2. Login Bypass 2

The challenge provides the credentials doldol / dol1234.


SQL Injection

ID: normaltic2'#
Password: any string
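Both bypasses work because the login query is built by pasting the submitted ID straight into the SQL text, so the quote in the payload ends the string literal and the rest becomes query syntax. The following Python/sqlite3 snippet is an added example, not code from the course or the challenge site: it places a concatenated query next to a parameterized one and runs the Login Bypass 1 payload against both. The user table and the password for normaltic1 are constructed for the demo. The `'#` payload from Login Bypass 2 relies on MySQL's `#` line comment, which sqlite3 does not accept, so only the first payload is exercised here.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demo. Plaintext passwords are
    used only to keep the example short; the normaltic1 password is made up."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id TEXT PRIMARY KEY, pw TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("doldol", "dol1234"), ("normaltic1", "assumed-unknown-pw")],
    )
    return con


def rendered_query(user_id, password):
    """The SQL text the vulnerable path actually sends. With the page's payload
    the WHERE clause becomes  id = 'normaltic1' or '1'='1' AND pw = 'any'  and,
    because AND binds tighter than OR, it is read as
    id = 'normaltic1' OR ('1'='1' AND pw = 'any'): the first disjunct alone
    selects the row, so the password is never checked for that user."""
    return (
        "SELECT id FROM users WHERE id = '" + user_id + "' AND pw = '" + password + "'"
    )


def login_vulnerable(con, user_id, password):
    """String concatenation: the submitted ID is treated as SQL syntax."""
    row = con.execute(rendered_query(user_id, password)).fetchone()
    return row[0] if row else None


def login_safe(con, user_id, password):
    """Parameterized query: the driver binds the values separately from the SQL
    text, so the same payload is compared literally against the id column and
    matches nothing."""
    row = con.execute(
        "SELECT id FROM users WHERE id = ? AND pw = ?", (user_id, password)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    payload = "normaltic1' or '1'='1"
    print(rendered_query(payload, "any"))
    print("vulnerable:", login_vulnerable(con, payload, "any"))  # normaltic1
    print("safe:      ", login_safe(con, payload, "any"))        # None
```

When reviewing application code or database logs, the `rendered_query` output is the shape to look for: a WHERE clause whose quoting no longer lines up with the form fields is the signature of concatenated SQL, and the fix is always the `login_safe` form (bound parameters), not input filtering.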


3. Get Admin


Log in with doldol / dol1234.
The cookie is set to the same value as the ID.
After intercepting the request and replacing the ID in the cookie with admin, the flag was successfully obtained.


4. Pin Code Bypass



Let’s analyze the overall logic.


GET /3/step1.php HTTP/1.1

GET /3/step2.php HTTP/1.1

In step 2, you need to enter the correct password to proceed.

By guessing the next step, it was possible to discover the endpoint:


GET /3/step3.php HTTP/1.1

Accessing the endpoint directly by entering it manually led to obtaining the flag.
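The Get Admin and Pin Code Bypass challenges share one root cause: the server trusts state that lives on the client. In the first the cookie literally holds the user name, so editing it changes identity; in the second each step is a separate page with no check that the previous step was passed, so the final URL can be requested directly. The snippet below is an added example, not the course's or the challenge site's code, of the session model from the lecture notes applied to both problems: the cookie carries only an opaque random session ID, and the user name and the set of completed steps are kept server-side under that ID. The user table, the step 2 PIN, the `/admin` path and the flag text are all constructed placeholders.

```python
import secrets

# Constructed user table; "admin" exists only to show that a cookie value
# naming it does not grant anything.
USERS = {"doldol": "dol1234", "admin": "admin-pw-assumed"}

# Server-side session store: opaque id -> {"user": ..., "steps_done": set()}
SESSIONS = {}

STEP2_PIN = "4729"   # constructed value for the demo, not the challenge's PIN


def login(user_id, password):
    """On success create a session and return its random id. Only this id goes
    into the cookie; the user name never leaves the server."""
    if USERS.get(user_id) != password:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user_id, "steps_done": set()}
    return sid


def handle(cookie, path, pin=None):
    """Dispatch one request. Identity and progress are looked up from the
    server-side session; the cookie text itself is never interpreted."""
    sess = SESSIONS.get(cookie)
    if sess is None:
        # A forged cookie such as "admin" simply names no session.
        return 401, "login required"

    if path == "/3/step1.php":
        sess["steps_done"].add(1)
        return 200, "step1 ok"

    if path == "/3/step2.php":
        if 1 not in sess["steps_done"]:
            return 403, "complete step1 first"
        if pin != STEP2_PIN:
            return 403, "wrong pin"
        sess["steps_done"].add(2)
        return 200, "step2 ok"

    if path == "/3/step3.php":
        # Forced browsing to the guessed endpoint fails unless step 2 was
        # actually passed in this session.
        if 2 not in sess["steps_done"]:
            return 403, "complete step2 first"
        return 200, "FLAG{placeholder}"

    if path == "/admin":
        # Authorization decided from server-side identity, not from the cookie.
        if sess["user"] != "admin":
            return 403, "admin only"
        return 200, "admin page"

    return 404, "not found"


if __name__ == "__main__":
    sid = login("doldol", "dol1234")
    print(handle("admin", "/admin"))            # (401, 'login required')
    print(handle(sid, "/admin"))                # (403, 'admin only')
    print(handle(sid, "/3/step3.php"))          # (403, 'complete step2 first')
    print(handle(sid, "/3/step1.php"))          # (200, 'step1 ok')
    print(handle(sid, "/3/step2.php", STEP2_PIN))
    print(handle(sid, "/3/step3.php"))          # (200, 'FLAG{placeholder}')
```

The two checks that close the holes are the `SESSIONS.get(cookie)` lookup (a cookie is a key, never a claim) and the `steps_done` test on `/3/step3.php` (every step re-validates the prerequisite on the server rather than assuming the client arrived through the intended page).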



5. Pin Code Crack


The PIN code consists of 4 digits ranging from 0 to 9.
This means there are 10,000 possible combinations.
This makes the system very attractive for a brute-force attack.

If there are no mechanisms in place—such as temporarily locking login attempts after too many failures from a specific IP—then the system has a brute-force vulnerability.




A brute-force attack of this kind can be performed with Burp Intruder.

Among all the requests, there was one with a different response length — that was the correct PIN code: 1021.
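The mitigation the text names, locking out a client after too many failures, is what turns 10,000 guesses into a handful. The class below is an added example, not the challenge's code, of a PIN check that counts failures per client key (a source IP or an account name) and refuses further attempts for a lockout period; the clock is injectable so the lockout can be exercised without waiting. The PIN value 1021 is the one the page reports; the limits and the client addresses are constructed for the demo.

```python
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5      # failures allowed per client before lockout (assumed policy)
LOCK_SECONDS = 300    # lockout length once the limit is reached (assumed policy)


class PinVerifier:
    """Verifies a 4-digit PIN while tracking failures per client key and
    refusing every attempt, right or wrong, during a lockout."""

    def __init__(self, pin, clock=time.monotonic):
        self._pin = pin
        self._clock = clock                  # injectable for testing
        self._failures = defaultdict(int)    # client -> failures since last reset
        self._locked_until = {}              # client -> monotonic time lock expires

    def attempt(self, client, guess):
        """Return 'ok', 'denied' or 'locked' for one submitted guess."""
        now = self._clock()
        if self._locked_until.get(client, 0) > now:
            return "locked"
        # Constant-time comparison so response timing does not reveal how many
        # leading digits matched.
        if hmac.compare_digest(guess, self._pin):
            self._failures[client] = 0
            return "ok"
        self._failures[client] += 1
        if self._failures[client] >= MAX_FAILURES:
            self._locked_until[client] = now + LOCK_SECONDS
            self._failures[client] = 0
            return "locked"
        return "denied"


def guesses_before_lockout(verifier, client):
    """Walk the 0000..9999 keyspace the way an Intruder run would and report
    how many guesses are actually evaluated before the client is locked."""
    evaluated = 0
    for candidate in range(10_000):
        result = verifier.attempt(client, f"{candidate:04d}")
        if result == "locked":
            break
        evaluated += 1
    return evaluated


if __name__ == "__main__":
    v = PinVerifier("1021")
    print(guesses_before_lockout(v, "10.0.0.1"))   # 4 with the limits above
```

With `MAX_FAILURES = 5` the fifth wrong guess triggers the lock, so only four candidates are ever evaluated per window; covering the keyspace would take on the order of 2,500 lockout periods from one client, which is also a very loud signal in the server logs. A per-account counter alongside the per-IP one keeps the protection when guesses are spread over many source addresses.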



