WebApp Sec mailing list archives
Re: Fail Open Authentication and Parameter Injection
From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Mon, 24 Mar 2003 13:55:30 -0500
Hi,

On your fail-open question, the idea is that the developer made a mistake coding the authentication module. By assuming that the password parameter was present (as it would always be under normal circumstances), the developer botched the error handling. Now if the parameter is not present, the authentication module throws an exception and "fails open".

Parameter injection can happen whenever a web application uses anything that contains an interpreter. Examples might be a shell command (like here), a database SQL engine, or a templating language. By injecting executable content (data that the interpreter interprets as commands), the attacker can trick the web application into doing something unintended. This can happen wherever the developer asks the user for a value that is then passed into the interpreter.

On both of these issues, you might be interested in the OWASP Top Ten paper available at http://aspectsecurity.com/topten

--Jeff

Jeff Williams
jeff.williams () aspectsecurity com
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message -----
From: Indian Tiger
To: webappsec () securityfocus com
Sent: Thursday, February 21, 2002 1:44 PM
Subject: Fail Open Authentication and Parameter Injection

Hi,

I am learning Web Application Security Penetration Testing using WebGoat. I have some queries on this.

Fail Open Authentication

WebGoat's step 3 says: "Try removing password parameter with Achilles." How is it possible? Is there any chance that the server doesn't even check the password if we remove the password parameter?

Parameter Injection

What could be the scenario where a site is vulnerable to Parameter Injection? I have given this some thought but am not able to think how exactly it works in practice. WebGoat has given an example like this: 'blah & netstat -a & ipconfig'. But where would a developer allow such values to be inserted?

Any help on this would be highly appreciated.

Thanking You.

Sincerely,
Indian Tiger, CISSP
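The fail-open mistake Jeff describes, as an added illustration that is not part of either message or of WebGoat: a buggy authentication module that only records a denial after a failed comparison, next to a fail-closed version that starts from "denied" and grants only on success. The credential store and the three requests are constructed for the demo.

```python
import hmac
from typing import Mapping

# Constructed credential store for the demo; real code would hold password hashes.
USERS = {"alice": "correct horse battery staple"}

def authenticate_fail_open(params: Mapping[str, str]) -> bool:
    """Buggy module: the developer assumes 'password' is always present and
    only records a denial when the comparison fails. If the parameter is
    missing, params["password"] raises before any comparison happens, the
    handler swallows the error, 'denied' is still False, and access is granted."""
    denied = False
    try:
        expected = USERS.get(params["username"], "")
        supplied = params["password"]          # KeyError when the field is removed
        if not hmac.compare_digest(expected, supplied):
            denied = True
    except KeyError:
        pass                                   # botched error handling
    return not denied

def authenticate_fail_closed(params: Mapping[str, str]) -> bool:
    """Hardened module: access starts as denied and is granted only after a
    successful comparison; a missing field or any unexpected error leaves it denied."""
    granted = False
    try:
        expected = USERS.get(params.get("username", ""))
        supplied = params.get("password")
        if expected is not None and supplied is not None:
            granted = hmac.compare_digest(expected, supplied)
    except Exception:
        granted = False
    return granted

if __name__ == "__main__":
    # Three constructed requests: a normal login, a wrong password, and the
    # WebGoat step where the password parameter is removed with a proxy.
    requests = {
        "valid":            {"username": "alice", "password": "correct horse battery staple"},
        "wrong password":   {"username": "alice", "password": "guess"},
        "password removed": {"username": "alice"},
    }
    for name, req in requests.items():
        print(f"{name:18} fail-open={authenticate_fail_open(req)!s:5} "
              f"fail-closed={authenticate_fail_closed(req)}")
```

The "password removed" request is the one WebGoat's step 3 has you send: the fail-open module grants it, the fail-closed one does not.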