Ajax Security: Silent Transactions Attacks

Goal:

Perform a silent transactions attack against a simple banking system. Because of the way Ajax works, the transaction is silent (no page reload and no visible confirmation), which lets an attacker inject a script that transfers the client's money without authorization.

Method:

Use Burp Suite or another proxy tool to intercept requests and perform the XML injection attack.

Step by step Guide

1. Study the source code. The silentTransaction.js file has two functions, one for balance validation and the other for data submission; the data submission function can be called directly from the address bar, bypassing the validation.

Lesson menu item      Lesson project         Lesson source class
SilentTransactions    silent-transactions    org.owasp.webgoat.plugin.SilentTransactions.java

You can view the silentTransaction.js file at the following address:
http://192.168.199.144:8080/WebGoat/plugin_extracted/plugin/SilentTransactions/js/silentTransaction.js

// Builds the transfer URL and sends it in the background (no page reload, hence
// "silent"). Nothing in this function checks the balance; that is done by the
// separate validation function, which this function does not call.
var req;   // request object, shared with the response handler
function submitData(accountNo, balance) {
    var url = document.getElementById("url").value;
    url = url + '&from=ajax&newAccount=' + encodeURIComponent(accountNo) + '&amount=' + balance + '&confirm=' + document.getElementById('confirm').value;
    //var url = '#attack/24/400&from=ajax&newAccount=' + accountNo + '&amount=' + balance + '&confirm=' + document.getElementById('confirm').value;
    if (typeof XMLHttpRequest != 'undefined') {
        req = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        req = new ActiveXObject('Microsoft.XMLHTTP');   // legacy IE fallback
    }
    req.open('GET', url, true);
    req.onreadystatechange = callback;   // response handler (not shown here)
    req.send(null);
}

2. To perform the silent injection attack, either of the following works:

a) Enter "javascript:submitData(32123,11987.09)" in the "Transfer to Account" field.

The call follows the signature shown in silentTransaction.js:

submitData(accountNo, balance)


b) Alternatively, enter "javascript:submitData(32123,11987.09)" in the browser's address bar.
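The lesson shows only the browser side of the transfer. The Node.js model below is an added example, not code from WebGoat or from this write-up: it contrasts a transfer handler that trusts the browser's balance check with one that repeats the checks on the server and requires a server-issued, one-time confirmation token. The account numbers, balances, handler names, URL prefix and token are constructed for illustration; how the real lesson's server endpoint behaves is an assumption here.

```javascript
// Added example: models the lesson's flaw and its fix (not WebGoat's own code).
// The page shows only the browser-side JS; the two server handlers below are an
// assumption about how a transfer endpoint behaves, written to contrast
// "trust the browser's check" with "re-validate on the server".

// Constructed sample account state (balances are illustrative, not from the lesson).
const accounts = { "12345": { balance: 11987.09 }, "32123": { balance: 0 } };

// Browser-side balance check, in the role of the lesson's validation function.
// It runs in the user's own browser, so calling submitData() directly skips it.
function clientSideValidate(state, fromAccount, amount) {
  return amount > 0 && state[fromAccount].balance >= amount;
}

// Parses the URL submitData() builds ("...&from=ajax&newAccount=..&amount=..&confirm=..").
function parseTransferQuery(url) {
  const idx = url.search(/[?&]/);
  const params = new URLSearchParams(idx >= 0 ? url.slice(idx + 1) : url);
  return {
    newAccount: params.get("newAccount"),
    amount: Number(params.get("amount")),   // "" or missing become 0, junk becomes NaN
    confirm: params.get("confirm") || "",
  };
}

// Vulnerable handler: assumes the browser already validated, so it just moves the money.
function transferTrustingClient(state, fromAccount, url) {
  const p = parseTransferQuery(url);
  state[fromAccount].balance -= p.amount;
  state[p.newAccount].balance += p.amount;
  return { ok: true };
}

// Hardened handler: repeats every check on the server and requires a server-issued,
// single-use confirmation token, so a request forged from the address bar is refused.
function transferServerValidated(state, session, fromAccount, url) {
  const p = parseTransferQuery(url);
  if (!Number.isFinite(p.amount) || p.amount <= 0) return { ok: false, reason: "bad amount" };
  if (!state[p.newAccount]) return { ok: false, reason: "unknown account" };
  if (state[fromAccount].balance < p.amount) return { ok: false, reason: "insufficient funds" };
  if (!session.confirmToken || p.confirm !== session.confirmToken) return { ok: false, reason: "bad confirm token" };
  state[fromAccount].balance -= p.amount;
  state[p.newAccount].balance += p.amount;
  session.confirmToken = null;   // token is spent after one use
  return { ok: true };
}

const fresh = () => JSON.parse(JSON.stringify(accounts));

// Runs three constructed requests against both handlers:
//  1. an amount above the balance, sent without the browser check (what step 2 achieves);
//  2. an amount within the balance but with no confirmation token;
//  3. a legitimate, confirmed transfer, then a replay of the same request.
function demo() {
  const base = "attack?Screen=1&menu=400&from=ajax";   // constructed lesson-style prefix
  const overdraw = base + "&newAccount=32123&amount=20000&confirm=";
  const noToken  = base + "&newAccount=32123&amount=1000&confirm=";
  const token    = "constructed-session-token";
  const legit    = base + "&newAccount=32123&amount=1000&confirm=" + token;

  const s1 = fresh();
  const vulnerable = transferTrustingClient(s1, "12345", overdraw);

  const s2 = fresh();
  const sess = { confirmToken: token };
  const rejectedFunds = transferServerValidated(s2, sess, "12345", overdraw);
  const rejectedToken = transferServerValidated(s2, sess, "12345", noToken);
  const accepted      = transferServerValidated(s2, sess, "12345", legit);
  const replayed      = transferServerValidated(s2, sess, "12345", legit);   // token already spent

  return {
    browserWouldAllow: clientSideValidate(fresh(), "12345", 20000),
    vulnerable, vulnerableSenderBalance: s1["12345"].balance,
    rejectedFunds, rejectedToken, accepted, replayed,
    hardenedSenderBalance: s2["12345"].balance,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with node to see the two outcomes side by side: the trusting handler drives the sender's balance negative on a request the browser-side check would have refused, while the hardened handler rejects the overdraw, the token-less request and the replay. The design point is that a check living only in silentTransaction.js is a usability aid, not a security control; the server must own the balance check and the user's confirmation.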
