Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

stupid IE7 question

From: jas1 () hotmail com
Date: 12 Dec 2006 11:18:39 -0000
Hi.

I am currently testing a proprietary (supposedly) secure web based application. The application was built around users 
with IE6.0 and above, one of the instances of this is that the URL is hidden from the end user when browsing the 
application. Of course you can ctrl-N or save the page locally to gain the URL, but most end users would not be looking 
for the URL. I advised a while back that the application should not be passing sensitive info via the URL in the first 
place. On a recent test I thought I would use IE7 and found that 'for security' reasons the URL is always displayed, 
greyed out. The issue here is that some internal/external proprietary applications will now display sensitive info via 
the URL that could cause 'serious' information disclosure - apart from relaying to the vendor to code their apps more 
securely, does anyone have any more suggestions please?

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: