rootme_http-response-splitting/report/chapters/conclusion.tex
2020-11-13 09:42:04 +01:00
\phantomsection
\addcontentsline{toc}{section}{Conclusions}
\section*{Conclusions}
\label{sec:conclusion}
\addcontentsline{toc}{subsection}{Final state of the challenge}
\subsection*{Final state of the challenge}
\label{subsec:conclusion_final}
The \textit{\gls{http} Response Splitting challenge} has been successfully validated. We managed to find the hidden token, which was the session identifier of the website administrator.
\addcontentsline{toc}{subsubsection}{Work done}
\subsubsection*{Work done}
\label{subsubsec:conclusion_final_work}
We started with enumeration of the technology, languages and environment information we could find about our target. Then we searched for the most appropriate tools and/or techniques to reach our goal, based on our knowledge and our research. We finally wrote a small application in order to launch our attack.
\addcontentsline{toc}{subsubsection}{Work to be completed, improvements}
\subsubsection*{Work to be completed, improvements}
\label{subsubsec:conclusion_final_improvement}
The \textit{Node} application could be improved with parameters to supply the \textit{user-session} \gls{cookie} value or to define the endpoints to inject. We could also handle the possible errors returned by \textit{axios} when receiving the server responses. The verbosity of the script could also be improved.
We did not extend our application with the improvements listed above, because that is not the main objective of this practical work. We managed to write a working exploit, which is sufficient. With more time, a better application could have been developed, although this was not mandatory.
Regarding the malicious \gls{javascript} payload, we could have built it differently. With our method, the browser is redirected to the Web address we defined, so the victim can notice that she/he may have been attacked. We could have found a stealthier approach: take the content of the administration page together with the \texttt{401} error page and embed a resource whose address points to a server we control. The browser would then issue a request to fetch that resource, and the \gls{cookie} we are looking for would have been sent with that request.
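As an added example, not part of this report or of its Node tool, the following JavaScript shows the defensive counterpart of the technique discussed above: a header builder that rejects CR/LF in header names and values (the root cause of response splitting), and a detector that counts status lines in a raw response so that a split response stands out in logs or at a proxy. The tainted redirect target is a constructed sample for the demonstration.

```javascript
// Added example (not part of the report's Node tool): the defensive side of
// HTTP response splitting. A value reaching a response header must never
// contain CR (\r) or LF (\n); otherwise the client parses the injected
// bytes as new headers or even as a second response.

// Returns true when a header value could terminate the header line,
// i.e. when it contains a carriage return or a line feed.
function containsCrlf(value) {
  return /[\r\n]/.test(String(value));
}

// Builds the raw header block of a response from an object of headers,
// refusing any name or value that would split the response.
function buildHeaderBlock(statusLine, headers) {
  const lines = [statusLine];
  for (const [name, value] of Object.entries(headers)) {
    if (containsCrlf(name) || containsCrlf(value)) {
      throw new Error(`refusing CR/LF in header "${name}"`);
    }
    lines.push(`${name}: ${value}`);
  }
  return lines.join("\r\n") + "\r\n\r\n";
}

// Detection helper for logs or proxies: counts the HTTP status lines in a
// raw response. A well-formed response has exactly one; a split response
// shows a second status line after the injected headers.
function countStatusLines(raw) {
  const matches = String(raw).match(/^HTTP\/1\.[01] \d{3}[^\r\n]*\r?$/gm);
  return matches ? matches.length : 0;
}

// Constructed sample: a redirect target copied from user input that carries
// an injected second response (the URL-decoded form of such a payload).
const taintedLocation =
  "/home\r\nContent-Length: 0\r\n\r\nHTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>spoofed</html>";

// Contrasts the naive string construction with the checked builder.
function demo() {
  let rejected = false;
  try {
    buildHeaderBlock("HTTP/1.1 302 Found", { Location: taintedLocation });
  } catch (e) {
    rejected = true;
  }
  const naive = `HTTP/1.1 302 Found\r\nLocation: ${taintedLocation}\r\n\r\n`;
  return { rejected, naiveStatusLines: countStatusLines(naive) };
}
```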
\addcontentsline{toc}{subsection}{Choices made}
\subsection*{Choices made}
\label{subsec:conclusion_choices}
Using the \textit{http://req} platform to record the target's request was a good choice, but it would have been better to use a server under our control.
\addcontentsline{toc}{subsection}{Personal feedback}
\subsection*{Personal feedback}
\label{subsec:conclusion_feedback}
I genuinely enjoyed completing this challenge. The Web is one of my favorite fields in my domain and I wanted to deepen some subjects I do not know yet. I did not have a lot of difficulties to resolve, and I found appropriate help through resources across the Web, without taking shortcuts.