I found a SQL injection bug in a referrer header... well, do you even know what I mean? Let me say it clearly: I found an SQL injection vulnerability in the Referer header of a website, and it happens to be a valid bug. But here is the interesting part: it was an automated attack. I mean I didn't do a thing, just a live scan. Well, here is how it happened. As we all know, Burp Suite is one of the most popular tools used by penetration testers to carry out different tasks during a penetration test. But, as we also know, one of the best ways to achieve good exploitation is to have good knowledge of your target, and how do you get to know a lot about your target?
Reconnaissance.
Reconnaissance, as we all know, is what helps us build a good profile of our target, giving us information about things we need to know or things that might be classified. Anyway, we know reconnaissance is divided into active and passive. Active means performing a live scan, injecting payloads, writing scripts, etc. to get sensitive information, while passive is more about gathering leftover or old information about the target that is already lying around somewhere online. Now I know you might be wondering: yeah, I know all this stuff, so what's new? Well, wait for it... here is the amazing part: did you know that with Burp Suite you can perform both a passive and an active scan?
Well, if you do, lucky you, and if you don't, then it's time to learn. When performing a scan in Burp Suite we have the "crawl and audit" or "audit" options and all those configs and stuff. Now, I know you know this part, but when the scan starts and a list of directories and paths begins to appear, at that moment a passive/active scan is going on. But that's not the interesting part. This is it: for every page, you can perform both an active and a passive scan, and that way you scan the whole thing and might be lucky enough to find a bug as I did. I found an SQL injection in the Referer header, which I sent to Repeater to try out another SQL injection payload to be sure it wasn't a false positive, and guess what, it wasn't. Eureka! So, remember, Burp Suite is as powerful as you want it to be for your web exploitation.
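To make the Referer finding concrete, here is an added example (my own illustration, not the author's code and not the site the author tested): a tiny analytics lookup that concatenates the Referer header into SQL, beside the parameterized fix, run against a constructed in-memory SQLite table. The table contents, the benign value, the lone-quote input and the tautology input are all constructed test values. The vulnerable version errors on the quote and returns every row on the tautology, which is exactly the kind of differing response a scanner or a Repeater re-test flags, while the bound-parameter version treats both as ordinary strings and matches nothing.

```python
import sqlite3

# Constructed sample data standing in for a site's referrer analytics log.
SAMPLE_REFERRERS = [
    "https://example.com/landing",
    "https://example.com/landing",
    "https://search.example.net/?q=shoes",
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE referrer_log (id INTEGER PRIMARY KEY, referrer TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO referrer_log (referrer) VALUES (?)",
        [(r,) for r in SAMPLE_REFERRERS],
    )
    conn.commit()
    return conn


def count_hits_vulnerable(conn: sqlite3.Connection, referer_header: str) -> int:
    """The bug: the client-controlled Referer header is pasted into the SQL text,
    so quotes in it change the statement instead of being part of the value."""
    sql = f"SELECT COUNT(*) FROM referrer_log WHERE referrer = '{referer_header}'"
    return conn.execute(sql).fetchone()[0]


def count_hits_fixed(conn: sqlite3.Connection, referer_header: str) -> int:
    """The fix: bind the header as a parameter; the driver sends it as data only."""
    sql = "SELECT COUNT(*) FROM referrer_log WHERE referrer = ?"
    return conn.execute(sql, (referer_header,)).fetchone()[0]


def probe(conn: sqlite3.Connection, fn, referer_header: str):
    """Run one lookup and classify the outcome the way a scanner would:
    ('error', message) when the database rejects the statement, else ('ok', count)."""
    try:
        return ("ok", fn(conn, referer_header))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def demo() -> dict:
    """Compare both implementations on a benign header and two constructed probes."""
    conn = make_db()
    benign = "https://example.com/landing"
    lone_quote = "https://example.com/landing'"   # constructed: breaks the quoting
    tautology = "' OR '1'='1"                     # constructed: textbook always-true clause
    results = {}
    for name, fn in (("vulnerable", count_hits_vulnerable), ("fixed", count_hits_fixed)):
        results[name] = {
            "benign": probe(conn, fn, benign),
            "quote": probe(conn, fn, lone_quote),
            "tautology": probe(conn, fn, tautology),
        }
    return results


if __name__ == "__main__":
    for impl, outcomes in demo().items():
        for label, outcome in outcomes.items():
            print(f"{impl:10s} {label:10s} -> {outcome}")
```

The point for the defender is the last column: the vulnerable lookup gives a syntax error for one input and the whole table's row count for another, both observable from outside, while the fixed lookup returns the same shape of answer whatever the header contains. Any header the application stores or queries on, not just form fields, needs the same parameter binding.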