4/21/2011

User-Agent in padBuster.pl

Quick note for those, who perform penetration testing of ASP.NET applications and try to exploit Padding Oracle Attack with padBuster.pl, but always receive 403 Forbidden response from either WebResource.axd or ScriptResource.axd. This is most probably because of incorrect User-Agent or, actually, it's absence. To fix, you need to add user-agent to LWM. Just change the following code of makeRequest() function from
$lwp = LWP::UserAgent->new(env_proxy => 1,
                            keep_alive => 1,
                            timeout => 30,
       requests_redirectable => [],
                            );
 
to
$lwp = LWP::UserAgent->new(env_proxy => 1,
                            keep_alive => 1,
                            timeout => 30,
       requests_redirectable => [],
                            agent => 'Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20110406 Firefox/4.0',
                            );
 
or whatever UA you need.
I actually think this should be added to padBuster.pl as an option.