Direct Object Reference attack with UNFold

It is not uncommon for two people sharing the same computer to be able to view and modify each other’s files. And while that may not be a problem on local computer in family surrounding, the situation becomes rather interesting on a web site.

What is the problem?

Since web sites are not much more than a bunch of files located on a remote server, you may ask a number of reasonable questions: Can you access files directly, as you would on a local machine? Can you go on level up or down in the directory tree? Can you gain access to files that belong to a different user or even to the administrator of the page? The answers to all these questions is, unsurprisingly, YES, if proper security mechanisms are not in place to prevent it.

Exploiting the problem!

For the purposes of this exercise we will use the Google’s Gruyere website, which has multiple vulnerabilities for us, hackers, to exploit legally.

The set-up

We start by opening UNFold and entering the web site’s address that we wish to exploit (https://google-gruyere.appspot.com in this case) in the Enter target bar, hit Lock target and then Options.

In the menu, we choose both “Spider” and “Bruteforce” options:

Scrolling down a bit, we see the customization properties for Bruteforce. Here we want add directory names from an existing list – in this case I will use Dictionary List 2.3 Small. We do this by clicking on Edit, under Folders, then Load a common list and finally choosing the list we want to use, then doing Load → User loaded lists → Use list.

As we are ready with the configuration, we click on Done.

The fun part

Now the set-up is ready, we can proceed to the actual part. Usually hacking is quite an involving activity, but with our tools it’s as easy as a push of a button – just click Start and UNFold will do the rest for you. While the entire process may take a reasonable amount of time (for this task and configuration – close to an hour), we are dynamically presented with the findings and even after a second there are such!

Some of those are just images that can be seen on the website – the content of the static folder, for instance, however, others – such as the robots.txt file or the whole code folder, are items that the regular user should know nothing about and, of course, of interest to hackers. Opening any of these files is as easy as double-clicking on it and, from there, it is up to your imagination what you want to do with this information.

Conclusion

While the usefulness of the findings will vary from site to site, it is a great way to start your whole attack as it might give you clues for your next step. For example, the /code/sanitize.py file from the exercise above shows how the site is doing their sanitization, which might suggest a way to bypass it and do an Injection attack. Or /183188204512/quitserver, which appears to be a script for stopping the server, making a DOS attack a matter of running it. And since this type of attack is made practically effortless with UNFold, you might as well try it!