Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Recent App Test

from [Amit Klein] Network Security [Permanent Link]
Subject: Re: Recent App Test
Date: Thu, 19 Aug 2004 14:42:11 +0300 
Hi

During a recent Application pen test I came across a url of the form:
http://www.vulnsite.com/cgi-bin/vulnscript.jsp?url=www.website.com&id=12345
I changed the url parameter to something like url=www.google.com and
google appeared in my browser. Next, i changed the url to
url=www.whatismyip.com, hoping that the ip address of the webserver
would be displayed, however, only my ip address was displayed.

   This means that my browser is loading the url parameter as opposed
   to the webserver script fethching the url and then displaying it for
   me in my browser right? Is this a security issue?


That depends. If the server makes the browser load that url using an HTTP redirection (i.e. via a 3xx response and the Location header, or via a 200 response with the Refresh header) then an HTTP Response Splitting attack may perhaps be possible. For more details on this attack and on its impact see "Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attackes, and Related Topics", at the following URL:
http://www.sanctuminc.com/pdf/WhitePaper_HTTPResponse.pdf

If, on the other hand, the server embeds the url in a frame, or in a meta tag that causes redirection, then it may perhaps be possible to simply mount a cross site scripting attack.

Good luck,
-Amit


Amit Klein
Director of security and research, Sanctum
W: +972-9-9586077 x225, F: +972-9-9576337
1 Sapir St., Ampa Bldg., Herzlia 46733 Israel
amit.klein@sanctuminc.com <blocked::mailto:amit.klein@sanctuminc.com>


[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: ArtistScope, Sajeeva S. Arangalla
Next by Date:  Re: Recent App Test, Rogan Dawes
Previous by Thread:  Re: Recent App Test, Blake Schneider
Next by Thread:  RE: Recent App Test, stevenr
Indexes:  [Date] [Thread] [Top] [All Lists]