
Agenda

- HTTP request and response
- Case Study: Response To Request Injection (RTRI)

1/26
HTTP Methods: GET vs POST

HTTP works as a request-response protocol between a client and a
server. Two commonly used methods for a request-response exchange
between a client and server are GET and POST.
- GET - Requests data from a specified resource
- POST - Submits data to be processed to a specified resource
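To make the request/response split concrete, here is a small parser for raw HTTP/1.1 messages. It is an added example, not code from the slides: it separates the start line, headers and body, and shows where a server finds the parameters of a GET (the query string) versus a POST (the urlencoded body). The sample messages, host name and paths are constructed for illustration.

```python
"""Minimal parser for raw HTTP/1.1 requests and responses (added example)."""
from urllib.parse import parse_qs, urlsplit


def parse_message(raw: bytes) -> dict:
    """Split a raw HTTP message into start line, headers and body.

    A request starts with '<method> <target> <version>', a response with
    '<version> <status> <reason>'; both are followed by header lines and an
    empty line before the body.
    """
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    start = lines[0].split(" ", 2)

    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if start[0].startswith("HTTP/"):
        msg = {"kind": "response", "version": start[0],
               "status": int(start[1]),
               "reason": start[2] if len(start) > 2 else ""}
    else:
        method, target, version = start
        msg = {"kind": "request", "method": method,
               "target": target, "version": version}

    msg["headers"] = headers
    # Honour Content-Length so trailing bytes are not mistaken for the body.
    length = int(headers.get("content-length", len(body)))
    msg["body"] = body[:length]
    return msg


def request_params(msg: dict) -> dict:
    """Return the parameters a server would see for a parsed request.

    GET carries them in the query string; POST carries them in the body
    (here only the urlencoded form encoding is handled).
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(msg["target"]).query).items()}
    ctype = msg["headers"].get("content-type", "")
    if msg["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        params.update({k: v[0] for k, v in parse_qs(msg["body"].decode()).items()})
    return params


# Constructed sample messages (host, paths and values are made up).
GET_REQUEST = (b"GET /search?q=rtri&page=2 HTTP/1.1\r\n"
               b"Host: example.test\r\nUser-Agent: demo\r\n\r\n")
POST_REQUEST = (b"POST /affiliate/register HTTP/1.1\r\n"
                b"Host: example.test\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 35\r\n\r\n"
                b"email=a%40example.test&company=Acme")
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/json\r\n"
            b"Content-Length: 41\r\n\r\n"
            b'{"account_id": 1042, "status": "pending"}')

if __name__ == "__main__":
    for raw in (GET_REQUEST, POST_REQUEST, RESPONSE):
        msg = parse_message(raw)
        print(msg["kind"], msg.get("method") or msg.get("status"), msg["headers"])
        if msg["kind"] == "request":
            print("  params:", request_params(msg))
```

Note that the response body carries a field (`status`) that no legitimate request form ever sends; the case study below turns on what happens when a server accepts such a field in a request anyway.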

2/26
HTTP Headers: Request vs Response

image source: http://www.computing.dcu.ie/~humphrys/Notes/Networks/tanenbaum/7-43.jpg
3/26
Tools to Monitor HTTP Traffic

- Wireshark
- WebScarab
- Paros Proxy
- Burp Suite
- and many other tools available.

4/26
Case Study: Response To Request Injection (RTRI) Attack

5/26
What is RTRI?

Response To Request Injection (RTRI) is classed as an
Insecure Direct Object Reference vulnerability, where the application
trusts user-supplied data in a POST request even though that data is
NEVER expected within a request.

6/26
Mark Litchfield’s Story

- One of the most successful hackers on hackerone.com:
  https://hackerone.com/leaderboard/all-time
- By exploiting RTRI vulnerabilities in the past two years:
  - From one program he received two $15,000 awards
  - From another, a total of $18,000
  - A partial payment for another of just under $13,000
  - At the recent H1-702 event he received an award for $10,000

7/26
Step 1: Discovery

8/26
The Target Website

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/b-1(1).png
9/26
Merchant Login

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/b-2.png
10/26
Create an Affiliate Account

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/b-3.png
11/26
The HTTP Post Request

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/p-1.png
12/26
The HTTP Post Response

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/p-2.png
13/26
Create a Merchant Account

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/b-4.png
14/26
The HTTP Post Request

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/p-3.png
15/26
The HTTP Post Response

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/p-4.png
16/26
Self-Registration as an Unauthorized User

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/b-5.png
17/26
The HTTP Post Request

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/p-5.png
18/26
The HTTP Post Response - Account Status: Pending

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/p-6.png
19/26
Step 2: The Attack

20/26
The Attack - Craft an HTTP Post Request

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/p-7.png
21/26
The Attack - The HTTP Post Response

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/p-8.png
22/26
Account Status - Approved!

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/b-6.png
23/26
Create Password

image source: https://www.bugbountyhq.com/ckfinder/userfiles/images/b7.png
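The walkthrough above (observe the `Account Status: Pending` field in the registration response, then resend the registration with that field set to approved) and the definition on the "What is RTRI?" slide both come down to one server-side defect: the handler copies whatever arrives in the POST body into the account record, so a field the server only ever sends back is also honoured when a client sends it in. The following is an added example, not code from the slides or from the site Litchfield tested; the store, the field names (`status`, `pending`, `approved`) and both handlers are assumptions chosen to illustrate the vulnerable pattern next to its fix.

```python
"""RTRI at the handler level: vulnerable mass-assignment vs an allowlist
(added example; store, field names and handlers are assumptions)."""

# Fields a legitimate registration form posts.
REQUEST_FIELDS = {"email", "company", "website"}
# Fields that only ever appear in *responses*; a client has no business sending them.
SERVER_OWNED = {"status", "account_id"}


class AccountStore:
    """Toy in-memory account table standing in for the application's database."""

    def __init__(self):
        self.accounts = {}

    def save(self, record: dict) -> dict:
        record = dict(record)
        record["account_id"] = len(self.accounts) + 1
        self.accounts[record["account_id"]] = record
        return record


def register_vulnerable(store: AccountStore, form: dict) -> dict:
    """The defect: every posted field becomes part of the record.

    The default 'pending' is overwritten if the client includes 'status',
    which is exactly the field the earlier response leaked.
    """
    record = {"status": "pending"}
    record.update(form)
    return store.save(record)


def unexpected_fields(form: dict) -> list:
    """Server-owned fields present in a request: the signal to log on."""
    return sorted(set(form) & SERVER_OWNED)


def register_hardened(store: AccountStore, form: dict) -> dict:
    """The fix: bind only allowlisted fields; the server decides the status.

    A request carrying a server-owned field is rejected rather than silently
    stripped, so the attempt is visible in logs instead of disappearing.
    """
    injected = unexpected_fields(form)
    if injected:
        raise ValueError(f"server-owned field(s) in request: {injected}")
    record = {k: form[k] for k in REQUEST_FIELDS if k in form}
    record["status"] = "pending"  # never taken from the client
    return store.save(record)


def approve(store: AccountStore, account_id: int, actor_is_admin: bool) -> dict:
    """The only legitimate path to 'approved': a separate, authorised action."""
    if not actor_is_admin:
        raise PermissionError("only an administrator may approve accounts")
    record = store.accounts[account_id]
    record["status"] = "approved"
    return record


if __name__ == "__main__":
    store = AccountStore()
    legit = {"email": "a@example.test", "company": "Acme"}   # constructed
    tampered = dict(legit, status="approved")                # the RTRI request
    print("vulnerable, tampered:", register_vulnerable(store, tampered)["status"])
    try:
        register_hardened(store, tampered)
    except ValueError as err:
        print("hardened, tampered:", err)
    print("hardened, legit:", register_hardened(store, legit)["status"])
```

The allowlist is the important design choice: a denylist of "dangerous" fields has to be kept in step with every response field the application ever adds, whereas binding only the fields the form is documented to send stays correct as the response schema grows.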
24/26
Resource for Practice

- https://www.youtube.com/watch?v=RIHZH1VcS_U
- http://ctffiles.bughunters.club/smf-admin/

25/26
References

A large portion of the material is adapted from:

- Hunter Tip #1 Response To Request Injection (RTRI) - Mark Litchfield
  https://www.bugbountyhq.com/front/latestnews/dWRWR0thQ2ZWOFN5cTE1cXQrSFZmUT09/
- Response To Request Injection – HackBack CTF Solution - Arbin Godar
  https://arbingodar.com/response-to-request-injection-hackback-ctf-solution/
- HTTP Headers - https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
- Network programming in Java - Dr. Mark Humphrys
  http://www.computing.dcu.ie/~humphrys/Notes/Networks/java.html

26/26