Web Applications and HTTP Status Codes
If it's returning 200 on both an unauthorized page (302 Redirects to 200 login page), and an authorized page (discovered authorized page), there are some things you can do:
- You can look for what happens on a successful login. Make a fake account, log in. See what gets included on the real page, and what doesn't. That's how you'll find your unique string.
- Keep in mind: if there is a WAF or something, it could just start redirecting all of your incoming requests to 3xx/4xx, whether it's for valid or invalid requests.
- Parse the HTTP response for HTML code or a string that would not appear on the login page, OR a string that ONLY appears on the Login page.
- For example, the string "Unauthorized" or "Please Log In" could appear. You would want to exclude responses with those strings.
Both can be done using Python, or any scripting/programming language you want to use, including bash. Bash will, however, be much slower.
Could you provide an example please?
Sure. See below.
1. Using Python
You will have to edit this. It's quick example code.
# Python 3 version; needs the pycurl package.
import pycurl
from io import BytesIO

# The string that only appears on a real (non-login) page. Edit this.
UNIQUE_STRING = b"successful non-login-page string to search for"

c = pycurl.Curl()
c.setopt(c.FOLLOWLOCATION, 1)  # follow a 302 so the body we test is the final page
c.setopt(c.VERBOSE, 0)

def send_req(url):
    """Fetch url and return True when the response body contains UNIQUE_STRING."""
    html = BytesIO()  # fresh buffer per request, so an old body never leaks in
    c.setopt(c.URL, url)
    c.setopt(c.WRITEDATA, html)
    c.perform()
    return UNIQUE_STRING in html.getvalue()

with open("dir-or-file-list.txt") as f:
    for line in f:
        path = line.strip()  # drop the trailing newline before building the URL
        if not path:
            continue
        if send_req("http://haxlogin.page/" + path):
            print("[!] Found a valid page: %s" % path)
I don't have time to check if this Python works, it's just a general example on how you could make it work with Python, so you'll need to edit it.
2. Using Burp Suite Pro
With Burp Intruder, on the attack dialog, you can use a filter. Imagine 2xx returns "Unauthorized" as the unique code/string. You will want to exclude "Unauthorized" from the search like so:
Filter:
- Filter by search term "Unauthorized", negative search
- Filter by status code: 2xx [success]
3. Using OWASP Dirbuster
Options -> Advanced Options -> Scan Options -> Fail Case String -> Enter a string that appears only on the login page
302 Redirects
Keep in mind: many applications perform a 302 redirect after posting something successfully.
That doesn't necessarily mean a 302 redirect is bad, or that you didn't find anything. Use curl -L to follow the redirect and see where that gets you.
You will likely also want to check the contents of the redirected page so you don't miss anything.
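The two steps from this thread (learn a marker string by comparing the login page with what a test account sees, then filter responses on status plus a negative search, keeping 302s apart) as one added example, not code from the original posts; the page bodies, paths and responses are constructed, and `unique_markers`, `classify` and `triage` are names chosen here. The same triage is what you run when checking that every protected path sends an unauthenticated client to the login page and nowhere else.

```python
import re

# Constructed sample bodies: what an unauthenticated client sees vs. a logged-in test account.
LOGIN_PAGE = "<h1>Please Log In</h1><form action='/login'><input name='u'></form>"
ACCOUNT_PAGE = "<h1>Dashboard</h1><a href='/logout'>Log out</a><p>Welcome, tester</p>"

def unique_markers(real_body, login_body):
    """Words on the authorized page that never appear on the login page.
    Any of them can serve as the 'successful non-login-page string'."""
    def words(html):
        text = re.sub(r"<[^>]+>", " ", html)            # strip tags
        return set(re.findall(r"[A-Za-z][A-Za-z-]{3,}", text))
    return sorted(words(real_body) - words(login_body))

def classify(status, headers, body, login_markers=("Unauthorized", "Please Log In")):
    """Label one response the way the Burp filter does:
    2xx without a login marker -> 'content', 2xx with one -> 'login',
    3xx -> 'redirect-to-login' or 'redirect' by its Location, 401/403 -> 'blocked'."""
    if 300 <= status < 400:
        location = headers.get("Location", "")
        return "redirect-to-login" if "login" in location.lower() else "redirect"
    if status in (401, 403):
        return "blocked"
    if 200 <= status < 300:
        return "login" if any(m in body for m in login_markers) else "content"
    return "other"

def triage(responses, blocked_ratio=0.9):
    """responses: {path: (status, headers, body)} -> (verdicts, waf_suspect).
    waf_suspect is True when nearly every request came back non-2xx, the blanket
    3xx/4xx behaviour that makes every other verdict unreliable."""
    verdicts = {path: classify(*resp) for path, resp in responses.items()}
    non_2xx = sum(not 200 <= resp[0] < 300 for resp in responses.values())
    return verdicts, non_2xx >= blocked_ratio * max(len(responses), 1)

# Constructed responses for a few paths (no network access needed).
SAMPLE = {
    "/admin/": (302, {"Location": "/login?next=/admin/"}, ""),
    "/login": (200, {}, LOGIN_PAGE),
    "/reports/": (200, {}, ACCOUNT_PAGE),
    "/old/": (302, {"Location": "/new/"}, ""),
    "/secret": (200, {}, "<p>Unauthorized</p>"),
}

if __name__ == "__main__":
    print("markers:", unique_markers(ACCOUNT_PAGE, LOGIN_PAGE))
    verdicts, waf_suspect = triage(SAMPLE)
    for path in sorted(verdicts):
        print(path, "->", verdicts[path])
    print("WAF blanket block suspected:", waf_suspect)
```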