My Pentest Log -8- (A Little Tip)
Greetings from Caenopolis to all,
Today I want to tell you about the management I used to solve a problem I encountered while doing web-based penetration testing.
1. I have been informed by our project manager that I will conduct web-based security tests on private.com.
2. As always, I verified the scope form and started the pentest steps.
3. The target system was an application where various trainings could be uploaded and presented to employees or companies (ex: moodle).
4. In such applications, there are areas where many attack vectors can be tested, but some of the training platforms have a timeout structure.
5. What is this timeout?
To put it bluntly, if you do not show any activity in the system within a certain time period, the application will automatically terminate your session and redirect you to the login screen.
6. So what is the significance of this for us?
During security tests, we try many manipulations, for some we work for hours, while for others, we perform transactions on a per-second basis. However, we usually do these operations on our proxy tools (for example, burp suite, fiddler, etc.), not through the browser. Since we do not act on the browser while performing transactions through our proxy tools, the application will easily activate the timeout module and terminate our session after a certain time.
In addition, when we want to perform automated operations, we may face the same timeout problem.
7. The timeout problem, which I explained in the previous step, was encountered in private.com tests. If I did not perform any action on the browser within 5–10 minutes, the application was directly kicking me out, especially preventing automated tools from taking action in the background.
8. The tests were very tiring because of this problem, while I was thinking about what I can do, thanks to a few blogs I read before, I decided that browser-based “Auto Refresh” plugins could help me solve this problem.
9. I searched “Auto Refresh” add-ons directly on both chrome and firefox and came across “https://addons.mozilla.org/en-US/firefox/addon/tab-auto-refresh/" “Tab Auto Refresh” add-on.
10. I added the plugin I specified directly to my browser and solved the problem very easily.
11. In this way, the Tab Auto Refresh plugin will refresh the page between the time periods I set and keep my session alive, and I will be able to try specific vectors easily in the background through my proxy tool.
In summary:
If you encounter such annoying problems during the tests, you can think simply and solve the problem easily, all you have to do is google the problem correctly.
