Path: /

According to the scan report:

Path: /
Difficulties: JavaScript event handlers, JavaScript modifies request
Technologies: JavaScript
Vulnerabilities: Base64-encoded data in parameter, Request URL override

Vulnerability 1: Base64-encoded data in parameter

Capture the request using Burp Suite:

In Burp Suite, when you select the TrackingId value, you will observe that it is Base64-encoded; Burp Suite displays its decoded value alongside it.

Another way:

Although the TrackingId here is just a random-looking identifier, its purpose is to track user activity. This kind of cookie or parameter is common on shopping sites, where it keeps a record of a user's browsing history without requiring them to log in, so on its own it is of low criticality. However, if sensitive information such as a username or password is passed through the request as a Base64-encoded value, it becomes a high-criticality issue: Base64 is an encoding, not encryption, and anyone who can see the request can decode it. Additionally, in some cases changing the TrackingId value might allow an attacker to impersonate another user and potentially access their data.
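To see what the scanner is flagging and why the criticality depends on the decoded content, here is an added example (not code from the original page) that reproduces the check in Python: it picks out parameter values that are valid Base64, decodes them, and rates the finding by what the plaintext contains. The parameter names and values are constructed for the example.

```python
import base64
import binascii
import re
import string

# Constructed sample request parameters for this example (not values from the scanned site).
# The two Base64 strings encode "session-abc123" and "user=admin&pass=letmein".
SAMPLE_PARAMS = {
    "TrackingId": "c2Vzc2lvbi1hYmMxMjM=",
    "creds": "dXNlcj1hZG1pbiZwYXNzPWxldG1laW4=",
    "page": "2",
    "q": "laptops",
}

# Shape of a Base64 string: alphabet characters, at least 8 long, optional padding.
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
# Keywords that turn an informational finding into a high-criticality one.
SENSITIVE = re.compile(r"(user|pass|pwd|token|secret|email)", re.I)
PRINTABLE = set(string.printable)


def decode_if_base64(value):
    """Return the decoded text if value is valid Base64 that decodes to printable text, else None."""
    if len(value) % 4 != 0 or not B64_SHAPE.match(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    # Random binary (or a wrong guess) decodes to non-printable bytes; only keep readable text.
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text


def severity(decoded):
    """Low for an opaque identifier, high when the decoded text carries credentials or similar."""
    return "high" if SENSITIVE.search(decoded) else "low"


def scan_params(params):
    """Map each Base64-encoded parameter to its decoded value and a severity rating."""
    findings = {}
    for name, value in params.items():
        decoded = decode_if_base64(value)
        if decoded is not None:
            findings[name] = {"decoded": decoded, "severity": severity(decoded)}
    return findings


if __name__ == "__main__":
    for name, info in scan_params(SAMPLE_PARAMS).items():
        print(f"{name}: {info['decoded']!r} ({info['severity']})")
```

The length and alphabet checks alone produce false positives (any 8-letter word passes), which is why the decoded bytes are also required to be printable text before a parameter is reported.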

Vulnerability 2: Request URL Override

The report entry for this issue has a Description and a References section.

In this issue, the requested URL can be overridden by HTTP headers; an example is the X-Forwarded-Host header. The consequences are not very severe on their own, but they can lead to issues such as web cache poisoning: if the application reflects the injected host into links or redirects and a cache stores that response, anyone who later loads the poisoned content sees the URLs the attacker supplied. Secondly, the injected values end up in the server logs, producing many bogus entries and making it difficult for administrators to identify legitimate ones and act on them.

I used a curl command to test this.

My Internal IP is 10.0.2.15.

My IP Address

Usage: when a request passes through a proxy, the Host header the backend sees may be the proxy's own rather than the one the client requested. To preserve the original hostname, the proxy adds an X-Forwarded-Host header carrying the host the client actually asked for, and the backend uses it when it needs that hostname, for example when building absolute URLs. The risk is that a backend which trusts this header without checking who set it will also trust one supplied directly by a client.
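The following added example (not code from the original page) puts the pieces of this test together in Python: the curl request with the injected header, backend logic that trusts X-Forwarded-Host beside a hardened version that only accepts an allow-listed host, and the check to apply to the curl output to see whether the injected host was reflected. The hostname shop.example.test and the sample response are constructed for the example; 10.0.2.15 is the address used in the test above.

```python
import re
from urllib.parse import urlsplit

# Assumed canonical hostname for the application; illustrative only.
ALLOWED_HOSTS = {"shop.example.test"}

# Constructed response, standing in for what the curl command returns when the
# override works: the injected host has been reflected into an absolute URL.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Link: <https://10.0.2.15/static/app.js>; rel=preload
Content-Type: text/html

<html><head><script src="https://10.0.2.15/static/app.js"></script></head>
<body><a href="https://shop.example.test/cart">Cart</a></body></html>"""

URL_RE = re.compile(r"""https?://[^\s"'<>;]+""")


def curl_command(url, injected_host):
    """The request sent in the test: the target URL with an attacker-chosen X-Forwarded-Host."""
    return ["curl", "-sS", "-i", "-H", f"X-Forwarded-Host: {injected_host}", url]


def absolute_url_vulnerable(headers, path):
    """Vulnerable backend logic: X-Forwarded-Host is trusted, so whoever sets it controls generated links."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}{path}"


def absolute_url_hardened(headers, path):
    """Hardened logic: only an allow-listed host is used; anything else falls back to the canonical one."""
    candidate = headers.get("X-Forwarded-Host") or headers.get("Host") or ""
    # A chain of proxies may append hosts; take the first and normalise it.
    host = candidate.split(",")[0].strip().lower()
    if host not in ALLOWED_HOSTS:
        host = sorted(ALLOWED_HOSTS)[0]
    return f"https://{host}{path}"


def reflected_urls(response_text, injected_host):
    """Check applied to the curl output: which absolute URLs in the response point at the injected host?"""
    hits = set()
    for url in URL_RE.findall(response_text):
        if urlsplit(url).hostname == injected_host.lower():
            hits.add(url)
    return sorted(hits)


if __name__ == "__main__":
    headers = {"Host": "shop.example.test", "X-Forwarded-Host": "10.0.2.15"}
    print(" ".join(curl_command("https://shop.example.test/", "10.0.2.15")))
    print("vulnerable:", absolute_url_vulnerable(headers, "/static/app.js"))
    print("hardened:  ", absolute_url_hardened(headers, "/static/app.js"))
    print("reflected: ", reflected_urls(SAMPLE_RESPONSE, "10.0.2.15"))
```

An empty list from reflected_urls on the real curl output is the situation described in the test below: the header was accepted by the server but nothing in the response carried the injected host, so the override could not be confirmed from the client side.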

In the output of the curl command, I cannot see the IP address I set in X-Forwarded-Host anywhere. Also, I cannot verify the content of the log file, as I don't know where the log file is.

Also, I don't get anything captured in the Netcat listener.
