Penetration Testing mailing list archives

Re: [PEN-TEST] HTML source code and authentication


From: Yonatan Bokovza <Yonatan () XPERT COM>
Date: Mon, 18 Dec 2000 22:12:04 +0200

-----Original Message-----
From: Skinner, Tim L. [mailto:tskinner () LARSONALLEN COM]
Sent: Monday, December 18, 2000 9:13 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] HTML source code and authentication


Hi all,

I must first apologize about my general ignorance of HTML, but I've been
asked to look into this. I have a question regarding the source code of a
web page that authenticates users. The snippet of source code from the web
page in question is as follows:

#<H2><font color=9771824>Member Sign On</font></H2>
So far, so good :)

#<form name="signon" action="/scripts/ibank.dll" method=post>
First off, try accessing site/scripts/ and site/scripts/ibank.dll
See if any interesting error messages are generated.

#<INPUT TYPE ="HIDDEN" NAME=Func VALUE="SignOn">
Hidden fields, as a general note, are begging for a tweak.
Play around with the site, see what other types of "Func" values
are there. Maybe you can disconnect other users with LogOff,
or find a function that will let you "update your details" without
authentication.

#<INPUT TYPE=HIDDEN NAME=Frames VALUE="150">
That's not obvious. Try increasing it to 1500, or reducing it to 5
and see what happens.

#<INPUT TYPE ="HIDDEN" NAME=homepath VALUE="cu3">
Hmmm, this could be interesting. "cu3" might be some directory
on the server, or the directory you came from, or any other
number of related paths. How about changing it to "/" or "..",
or just "cu2" and see if the error message gives out more
information.


It leaves me wondering if the referenced ibank.dll file is some authentication program of some sort.
Very probably so. This dll is used to analyze the results of your
POST command. It probably accesses Username/Password of some
sort and checks if your data matches anything.

and if the availability of this information simply by clicking on 'view source' is a potential problem.
Not as such. The dll will probably show up in the next URL, after you
click SUBMIT, but the Hidden Fields are a Bad Thing (tm).

Furthermore, is there a way to obscure this information if it is a risk?
Sure. Don't use Hidden Fields, make sure you've got the right access
controls to the /scripts directory and the ibank.dll file.

Note we haven't mentioned IIS security. Try:
server/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir

Well, that concludes our "Hacking in 45 seconds" lesson for today,
come back tomorrow for "SSH Hijacking for dummies". :)

Best Regards,

Yonatan Bokovza
IT Security Consultant
yonatan () xpert com
Xpert Trusted Systems
PGP Fingerprint:
1A96 EE70 11BB 5241 BE42  0831 6819 BAAF B9AD EDDF
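As an added example that is not part of this thread and not the ibank.dll application's own code: the server-side counterpart of the hidden-field points raised above, in Python. It assumes a hypothetical sign-on handler that emits the same three hidden fields (Func, Frames, homepath), attaches an HMAC-SHA256 tag computed with a key that never leaves the server, and checks every POST against that tag and an allowlist before dispatching. The key, the allowed Func set, the Frames limit and the sample bodies are all constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed demo key: a real deployment loads this from a secret store
# and never ships it to the browser.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

# Only the function the sign-on form is meant to call is accepted here;
# LogOff or "update details" handlers get their own authenticated forms.
ALLOWED_FUNCS = {"SignOn"}
PROTECTED_FIELDS = ("Func", "Frames", "homepath")


def sign_hidden_fields(fields):
    """HMAC-SHA256 tag over a canonical (sorted, urlencoded) form of the fields."""
    canonical = urlencode(sorted(fields.items()))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def render_hidden_inputs(fields):
    """Emit the hidden inputs plus a 'sig' input carrying the server's tag."""
    lines = [f'<INPUT TYPE="HIDDEN" NAME="{k}" VALUE="{v}">' for k, v in fields.items()]
    lines.append(f'<INPUT TYPE="HIDDEN" NAME="sig" VALUE="{sign_hidden_fields(fields)}">')
    return "\n".join(lines)


def encode_post_body(fields, sig):
    """What the browser would send on submit (constructed; no network involved)."""
    return urlencode({**fields, "sig": sig})


def validate_post(body):
    """Return (accepted, reason) for a raw application/x-www-form-urlencoded body.

    Layer 1: the HMAC tag must match, so any edited hidden value is rejected.
    Layer 2: the values are checked on their own merits anyway; this is the
    check that matters on a form that is not signed at all.
    """
    parsed = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    sig = parsed.pop("sig", None)
    if sig is None:
        return False, "missing signature"
    if any(k not in parsed for k in PROTECTED_FIELDS):
        return False, "missing hidden field"
    protected = {k: parsed[k] for k in PROTECTED_FIELDS}
    # Constant-time comparison: does not leak how many tag bytes matched.
    if not hmac.compare_digest(sign_hidden_fields(protected), sig):
        return False, "hidden fields tampered"
    if protected["Func"] not in ALLOWED_FUNCS:
        return False, "Func not allowed"
    frames = protected["Frames"]
    if not frames.isdigit() or not 1 <= int(frames) <= 500:
        return False, "Frames out of range"
    # A bare alphanumeric token: "/" or ".." never reach a path join.
    if not protected["homepath"].isalnum():
        return False, "homepath is not a plain token"
    return True, "ok"


if __name__ == "__main__":
    fields = {"Func": "SignOn", "Frames": "150", "homepath": "cu3"}
    print(render_hidden_inputs(fields))
    sig = sign_hidden_fields(fields)
    print(validate_post(encode_post_body(fields, sig)))
    print(validate_post(encode_post_body({**fields, "Func": "LogOff"}, sig)))
```

The tag turns every hidden field into a server-chosen value that the browser can carry but not alter; the value checks underneath it are what a handler has to do when the fields are unsigned, as they are in the form quoted above, because then the only thing between a changed homepath and the filesystem is the handler's own parsing.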