bypass javascript authentication

  • Dave

    I'm currently studying Mutillidae for personal purpose, trying to understand the PHP code.

    I got a question:
    With security toggled to level 1, I can bypass the javascript block using Burpsuite, as you pointed out in a video on youtube.

    Instead, with security toggled to 5, I cannot. :)  More specific, I  can bypass the javascript block, but the catch error from mysql is not actually forwarded back. In that way I'm not able to understand the sql query the systems uses.

    I'm trying to understand what part of the code makes this possible.

    I'm investigating index.php, login.php and process-login-attempt.php. 
    I also tried to investigate the different HTTP headers that are sent when login is submitted.

    Thanks and compliments for the great work!

  • Dave

    Well, I think I got it.
    It's true, on level 5 I can bypass javascript block using burpsuite, so that I can send to the server some special characters (like the famous ' ). On the server side those characters are well managed by PHP (real_escape_string() ). So what I get back from the server is an authentication error.  Am i right?

    So the question is: how can I deny my web application to be so chatty, and to prevent it to notify errors to everybody?

    I want an attacker not to easily understand that my we application is vulnerable, so that he must try with, say, some timing attacks.

  • Jeremy Druin
    Jeremy Druin

    The class that handles errors accepts an argument indicating the current service level. If the level changes, the class sets a private property with the new security level. When the method that writes out errors is called, the method checks this private property. The property tells the method how much information to give out.