Quick note for those, who perform penetration testing of ASP.NET applications and try to exploit Padding Oracle Attack with padBuster.pl, but always receive 403 Forbidden response from either WebResource.axd or ScriptResource.axd. This is most probably because of incorrect User-Agent or, actually, it's absence. To fix, you need to add user-agent to LWM. Just change the following code of makeRequest() function from
$lwp = LWP::UserAgent->new(env_proxy => 1, keep_alive => 1, timeout => 30, requests_redirectable => [], );
to
$lwp = LWP::UserAgent->new(env_proxy => 1, keep_alive => 1, timeout => 30, requests_redirectable => [], agent => 'Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20110406 Firefox/4.0', );
or whatever UA you need.
I actually think this should be added to padBuster.pl as an option.
I actually think this should be added to padBuster.pl as an option.
2 comments:
Nice post, but it seems less, but very interesting to read and understand, hope post more blogs with more information Thank you...........visit our Erptree website for more details about Oracle Fusion Financials courses.
Such as very good information promoting content are provided and more skills are improved after refer that post.
Oracle Fusion HCM Technical Training in Ameerpet
Post a Comment