Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Is this exploitable?..

from [Tim] Network Security [Permanent Link]
Subject: Re: Is this exploitable?..
Date: Mon, 20 Dec 2004 19:57:54 -0500 
It looks like responseString obtained from req is forgeable and this may
conceivably lead to a vulnerability down the line, it seems, when
responseString is output with a call to out.print(responseString).

Please advise.



I don't entirely follow the context of that code snippet, but could it
be exploitable via HTTP Response Splitting?  It seems headers are
simply copied, but if there was any transparent decoding of the strings
in the request object (and no re-encoding) before hand, then someone
could inject arbitrary data, including whole requests.  Example:

GET /index.html%0d%0a%0d%0a%0d%0aHTTP/1.1%20200%20Found%0d%0a...  HTTP/1.1
Host: www.example.com


Then, if the URL is decoded in the request object, and simply tacked on
to the response string, then there could be issues.  But I have no idea
if this is happening.  It is pure speculation, to give you an idea of
what to look for.

See this paper for more details:
  http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf

good luck,
tim
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: SQL injection (no single quotes used), Sverre H. Huseby
Next by Date:  RE: SQL injection (no single quotes used), Scovetta, Michael V
Previous by Thread:  Re: Is this exploitable?.., Stephen de Vries
Next by Thread:  Warning about accessing / attacking phising and spoofing sites, Amir Herzberg
Indexes:  [Date] [Thread] [Top] [All Lists]