Converting From GET To POST

Thu Sep 11 2014 23:27:28 GMT+0100 (BST)

When we do penetration tests we often need to convert GET requests to POST requests using the urlencoded or multipart encoding schemes. This, however, is not a trivial task in most instances, which is why we wrote several escape mode commands to help us out.


To start converting between the various encoding mechanisms, just press the ESC key to enter escape mode. For the complete list of commands, type ? or help. The commands that we will need for this exercise are to_get, to_urlencoded and to_multipart. Each command can take any other type of request as input and convert it into the type it is named after.

For example, let's take this urlencoded POST request:

POST http://target/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded

a=b

...and convert it to a multipart form data POST request. The command that we need is to_multipart. The result of the command is this:

POST http://target/ HTTP/1.1
Content-Type: multipart/form-data; boundary=BULP3

--BULP3
Content-Disposition: form-data; name="a"

b
--BULP3--

As you can see, this was super trivial. If we execute the to_get command, all of this is converted into a GET request that preserves all keys and values. Any type of request can be used as input, which makes the commands very flexible and versatile.

Why Do You Need To Do That

The reason we sometimes need to convert the same request into different types is really to enable us to bypass security controls. For example, in PHP applications you can use $_GET or $_POST to retrieve a parameter from the URL or from the body respectively. However, the developer may also choose to use $_REQUEST as a shortcut to both. Therefore, if a check is performed on a $_GET parameter while the value that is actually used comes from $_REQUEST, submitting the parameter in the body of a POST request bypasses the control.
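The mismatch described above, next to a hardened handler, as an added example that is not code from the original post or the tool. The function names, the "id" parameter and the sample values are hypothetical, and $_REQUEST is modelled with array_merge on the assumption that request_order is "GP" (body values override URL values), so the script runs from the PHP CLI without a web server.

```php
<?php
// Added example (hypothetical names). Plain arrays stand in for $_GET and $_POST.

// Model of $_REQUEST assuming request_order = "GP": body overrides URL.
function build_request(array $get, array $post): array
{
    return array_merge($get, $post);
}

// Vulnerable: the check inspects $get, but the value used comes from $request.
function handler_vulnerable(array $get, array $post): string
{
    $request = build_request($get, $post);
    if (isset($get['id']) && !ctype_digit($get['id'])) {
        return 'rejected';
    }
    // When "id" only exists in the body, the check above never ran.
    return 'uses id=' . ($request['id'] ?? '');
}

// Hardened: read one source once, validate that value, use only that value.
function handler_hardened(array $get, array $post): string
{
    if (array_key_exists('id', $post)) {
        return 'rejected'; // parameter arrived in a place this endpoint never reads
    }
    $id = $get['id'] ?? '';
    if (!is_string($id) || !ctype_digit($id)) {
        return 'rejected';
    }
    return 'uses id=' . $id;
}

// Constructed inputs: the same key and value, sent in the URL and in the body.
$cases = [
    'url'  => [['id' => 'not-a-number'], []],
    'body' => [[], ['id' => 'not-a-number']],
];

foreach ($cases as $where => [$get, $post]) {
    printf("%-4s vulnerable: %-22s hardened: %s\n",
        $where, handler_vulnerable($get, $post), handler_hardened($get, $post));
}
```

The point of the hardened handler is that validation and use share a single variable, so moving the parameter between the URL and the body cannot separate the check from the value it was meant to guard.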

It gets even more interesting when you have to deal with WAFs (Web Application Firewalls). In some situations we can bypass the firewall completely by submitting the request as multipart form data. There are good reasons why, but we will dive into this topic some other time.

So, the possibilities are endless. We believe that you will really enjoy this feature, especially if you do a lot of manual assessments.
