WebApp Sec mailing list archives
RE: Parameter name injection - Not tested by WebInspect 9.x
From: "Dafydd Stuttard" <dafydd.stuttard () portswigger net>
Date: Thu, 9 Aug 2012 11:32:37 +0100
At the risk of self-promotion, I blogged about this type of attack a while ago: http://blog.portswigger.net/2008/08/attacking-parameter-names.html

Also, needless to say, Burp Scanner tests parameter names for all kinds of input-based attacks.

Cheers
Dafydd Stuttard (PortSwigger)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Danux
Sent: 09 August 2012 07:39
To: webappsec () securityfocus com
Subject: Parameter name injection - Not tested by WebInspect 9.x

Old technique, but still off testers' radar.

Ninety-nine percent (99%) of tools concentrate on identifying and injecting malicious code into parameter values; likewise, 99% of developers concentrate on HTML-encoding parameter values, especially to prevent client-side attacks. But what about parameter names? Is it worth testing/protecting them? Definitely it is. Highly exploitable in content management frameworks which create links or other DOM objects on the fly.

Surprisingly, WebInspect 9.x does not care about testing parameter names, at least not when using its XSS-scan policy. Do you have experience with other tools in this matter?

I prepared an example of this attack, if you are interested: http://danuxx.blogspot.com/2012/07/postget-parameters-name-injection.html

Enjoy it.

--
DanUx

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------