Penetration Testing mailing list archives
Re: Web App Pen Test Results
From: "Jürgen R. Plasser" <plasser () hexagon at>
Date: Mon, 06 Nov 2006 11:42:47 +0100
tsax68 () hotmail com wrote:
We recently had our web app scanned with WebInspect and given the results. Thankfully, the findings aren't too severe :0, but I do have a question. One of the findings is labeled:

302 Error Message Cross-Site Scripting

Summary: The handling of certain HTTP requests that produce "302 object moved" responses allows attackers to launch cross-site scripting attacks. When the server receives an HTTP request for a directory without a trailing slash, it returns a 302 object moved error message, redirecting the client to the requested directory, with a forward slash. Also included in the body of the HTTP response are any GET parameters that were included in the original request. These parameters are not properly sanitized for malicious content before being returned to the client.

My question is, is this being reported as an Apache issue or is this a web app issue? I'm trying to figure out how to fix it, but I'm not sure which direction to go, web server or app.........
I don't think this is an Apache issue, more a kind of Apache configuration issue (mod_rewrite), which I would rather locate in the web app domain than on the server side.

This kind of vulnerability is open to HTTP response splitting attack vectors.
-Jürgen

--
Jürgen R. Plasser
Hexagon Business Solutions GmbH
Information Security & Software Quality
http://www.hexagon.at
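The behaviour described in the finding, modelled as an added example that is not part of this thread and is neither Apache's nor WebInspect's code: a minimal "302 object moved" redirect generator in the form the scanner flagged (raw request input copied into the Location header and the HTML body), the same redirect hardened so the input is re-encoded rather than echoed, and a defender-side audit that inspects a captured response for the two defects Jürgen points at (reflected XSS in the body, CR/LF reaching the header block for response splitting). All function names and the sample request are constructed for this example.

```python
"""Added example (not code from the thread, Apache, or WebInspect): a minimal
model of the "302 object moved" redirect described in the finding, first in the
form the scanner flagged (request input echoed raw into the Location header
and the HTML body) and then hardened, plus a defender-side audit that inspects
a captured response for the two defects. All function names and the sample
request below are constructed for this example."""
from html import escape
from urllib.parse import parse_qsl, quote, urlencode

CRLF = "\r\n"


def _response(location: str, body: str) -> str:
    """Assemble a raw HTTP/1.1 302 response from a Location value and a body."""
    return (f"HTTP/1.1 302 Object Moved{CRLF}"
            f"Location: {location}{CRLF}"
            f"Content-Type: text/html{CRLF}"
            f"Content-Length: {len(body.encode())}{CRLF}{CRLF}{body}")


def vulnerable_redirect(request_path: str, query: str) -> str:
    """The behaviour the finding describes: the directory path gets its
    trailing slash and the raw query string is copied, unsanitized, into
    both the Location header and the body of the redirect page."""
    location = f"{request_path}/" + (f"?{query}" if query else "")
    body = ("<html><body>The document has moved "
            f'<a href="{location}">here</a>.</body></html>')
    return _response(location, body)


def hardened_redirect(request_path: str, query: str) -> str:
    """Same redirect with the input rebuilt rather than echoed:
    - the path is percent-encoded and the query is parsed and re-encoded
      with urlencode, so CR/LF can never reach the header line (this is the
      response-splitting fix);
    - the href in the body is HTML-entity escaped (the reflected-XSS fix)."""
    safe_path = quote(request_path, safe="/")
    safe_query = urlencode(parse_qsl(query, keep_blank_values=True))
    location = f"{safe_path}/" + (f"?{safe_query}" if safe_query else "")
    # Belt and braces: never emit a header value that still carries a line break.
    if "\r" in location or "\n" in location:
        raise ValueError("control characters in redirect target")
    body = ("<html><body>The document has moved "
            f'<a href="{escape(location, quote=True)}">here</a>.</body></html>')
    return _response(location, body)


def audit_redirect(raw_response: str, query: str) -> dict:
    """Defender-side check over a captured response and the query that
    produced it. Flags a parameter value carrying CR/LF that appears verbatim
    in the header block (response splitting) and a value with HTML-special
    characters that appears verbatim in the body (reflected XSS)."""
    head, _, body = raw_response.partition(CRLF + CRLF)
    findings = {"status": head.split(CRLF, 1)[0],
                "header_injection": False,
                "body_reflection": False}
    for _, value in parse_qsl(query, keep_blank_values=True):
        if ("\r" in value or "\n" in value) and value in head:
            findings["header_injection"] = True
        if any(ch in value for ch in "<>\"'&") and value in body:
            findings["body_reflection"] = True
    return findings


if __name__ == "__main__":
    # Constructed sample request: a directory without trailing slash, one
    # parameter carrying markup characters and one carrying a line break.
    path = "/docs"
    qs = "page=<b>1</b>&ref=a" + CRLF + "b"
    print(audit_redirect(vulnerable_redirect(path, qs), qs))
    # {'status': 'HTTP/1.1 302 Object Moved', 'header_injection': True, 'body_reflection': True}
    print(audit_redirect(hardened_redirect(path, qs), qs))
    # {'status': 'HTTP/1.1 302 Object Moved', 'header_injection': False, 'body_reflection': False}
```

The audit only needs the raw response plus the query that produced it, so the same function can be run over responses captured from a real server (for instance, after changing a mod_rewrite rule) to confirm that neither the header block nor the body still carries the request input verbatim. The hardening relies on re-encoding, not on a blacklist: parse_qsl followed by urlencode turns every byte outside the unreserved set into a percent-escape, which is what keeps CR/LF out of the Location line regardless of how the client encoded it.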
Current thread:
- Web App Pen Test Results tsax68 (Nov 03)
- Re: Web App Pen Test Results Jürgen R. Plasser (Nov 06)
- Re: Web App Pen Test Results Scott Hazel (Nov 06)