WebApp Sec mailing list archives
Re: View and edit hidden HTML form fields (fwd)
From: "Tim Greer" <chatmaster () charter net>
Date: Thu, 12 Jun 2003 12:13:42 -0700
> From: "sirkus" <sirkus () sirkit net>
> To: "Tim Greer" <chatmaster () charter net>
> Cc: <webappsec () securityfocus com>
>
> On Thu, 2003-06-12 at 12:22, Tim Greer wrote:
> > From: "sirkus" <sirkus () sirkit net>
> > To: <webappsec () securityfocus com>
> > Sent: Thursday, June 12, 2003 8:12 AM
> > Subject: Re: View and edit hidden HTML form fields (fwd)
> >
> > > Indeed. I certainly wasn't claiming any greatness on the part of the
> > > program, especially since we're not a Windows shop -- it doesn't
> > > particularly apply to me. My point was that while I may be comfortable
> > > with using Perl/LWP and regular expressions as a coder, these are things
> > > I use on a regular basis while doing assessments. However, for others
> > > (such as many who I work with that do not code) this provides a simple
> > > way to demonstrate various simple client-side state weaknesses.
> >
> > I actually don't see how this reveals any weaknesses. Just seeing the
> > fields or arguments/values passed to a script/program doesn't really
> > mean anything. It can save a lame 'web site form based' cracker some
> > effort, but that's about it.
>
> Okay.. First, I was simply making a comment about the not-so-serious
> program doing something simple in a slick manner.

You needn't justify yourself. I wasn't getting on your case. I think maybe
you got the wrong impression. I was only presenting other ideas.

> I know nothing about the program other than the fact that it seems simpler
> at modifying form inputs than using "View-Source". It was a simple comment.

You don't need to justify yourself. I'm not sure where you misunderstood my
response.

> Second, I didn't realize that I had suddenly become a spokesman for the
> program and what it's capable of simply by making the comment. Please, I
> am not, nor do I endorse its use as an assessment tool.

I have absolutely no idea what you're talking about and I can't imagine
where you got the impression you did.

> However, since I evidently need to qualify every comment with a full
> explanation...

You don't, I didn't insinuate you needed to. You misunderstood me.

> Yes, tools like this can be used to test for client-side state weaknesses.
> (Or whatever you would like to call it.) By modifying simple form field
> inputs, whether they are hidden or not-so-hidden, this can reveal logic
> weaknesses used by web-app developers to handle client-side-state
> information.

Right.

> That's what parameter manipulation is about.

Right.

> If some ignorant webapp developer is still using hidden fields to store
> discount codes, shopping cart prices, or other sensitive state
> information, simple tools like this are all you would need to discover
> and exploit this type of "weakness". (And yes, this is still quite
> prevalent, even in many "secure" applications.)

Well, lame programming logic is lame programming logic. This doesn't really
do a lot, is all I was saying.

> Beyond this, "Just seeing the fields or arguments/values passed to a
> program" DOES mean something.

Yes, if the program is insecure.

> This is the fundamental basis for black-box learning of how an application
> is built, and possibly how to assess it for security. (Yes, there's much
> more, but it's a fundamental piece.)

Well, if people practiced very common, very simple, obvious logic in their
programs/scripts, that wouldn't be an issue. Of course, it is, so it's an
issue. I simply was saying it seemed like a silly program to me for the
reason that it's not going to do anything but save someone time from
viewing the source of a form.

> But to qualify this again, no, this particular tool is not one I would
> recommend for attempting these types of web application security
> assessments. From what I see, it's not an assessment tool. It's simply a
> gadget.....

Right, it can save you a few seconds from viewing the source and allow you
to test things quicker because of that. It's not a security tool, it's to
make it a little faster than viewing the source to try to test the
security.

> Anyway. I don't mind talking about this stuff..

Nor do I.

> but I hate cluttering the list up with pointless re-posts.

Okay, but I didn't ask or expect you to. And, I was simply responding to
you.

> From now on, I'll try to qualify my statements more effectively the first
> time so I can avoid the large target on my back.

If you think that's what happened, I don't know what to say or think.
Nonetheless, it's really none of my business. I made some simple, quick
comments, nothing to belittle you. Perhaps you were hounded by some
arrogant security person previously and just were a little on the
defensive?

> > Sure, it looks sort of neat for what it is. For a Windows desktop. Of
> > course, my opinion is two things; Installing a program someone else
> > wrote that I don't see the source to, is not going to happen. Secondly,
> > using IE, you already have enough problems to not be wasting your time
> > with silly tools like this. :-)
>
> As before... I happen to have the same stance with IE. Agreed. Tim, you
> seem to be a decent guy. If you have any further concerns about any of my
> yet unqualified statements, feel free to e-mail me.

No big deal. I hope you understand now that I wasn't responding to belittle
you. Nothing more than just an interest to participate in the discussion.
Cheers.

--
Regards,
Tim Greer
chatmaster () charter net
Server administration, security, programming, consulting.
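The weakness the two posters are arguing about, a price or discount carried in a hidden input that the client can edit before submitting, worked through as an added example. This is not code from the thread, from the tool under discussion, or from either poster; it is Python rather than the Perl/LWP mentioned above. The checkout form, the catalog, the server secret and the handler names are constructed for illustration. It does the three things a tester needs: lists the hidden fields (what the "gadget" does), builds the edited submission, and shows a handler that trusts the hidden price beside one that looks the price up server-side and MACs any state it must round-trip through the client.

```python
"""Hidden-field parameter manipulation: find the fields, tamper with them,
and the server-side handling that makes the tampering pointless.

Added example, not code from the thread or any tool discussed in it.
"""
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed checkout form of the kind the thread describes: price and
# discount ride along in hidden inputs that any client can edit.
SAMPLE_FORM = """
<form method="POST" action="/checkout">
  <input type="hidden" name="sku" value="WIDGET-1">
  <input type="hidden" name="price" value="49.99">
  <input type="hidden" name="discount" value="0">
  <input type="text" name="qty" value="1">
  <input type="submit" value="Buy">
</form>
"""

# Assumed server-side price list, in cents (no float rounding games).
CATALOG = {"WIDGET-1": 4999}

# Assumed server secret; it never leaves the server.
SECRET = b"server-side-secret-never-sent-to-client"


class HiddenFieldParser(HTMLParser):
    """Collects name -> value for every <input type="hidden">."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[a.get("name") or ""] = a.get("value") or ""


def hidden_fields(html):
    """What a 'view hidden fields' gadget shows you, without the gadget."""
    p = HiddenFieldParser()
    p.feed(html)
    return p.hidden


def submission(fields, **edits):
    """POST body after the client edits whichever fields it likes."""
    body = dict(fields)
    body.update(edits)
    return urlencode(body)


def _params(body):
    return {k: v[0] for k, v in parse_qs(body).items()}


def checkout_vulnerable(body):
    """Computes the total from the client-supplied price and discount."""
    f = _params(body)
    price = int(round(float(f["price"]) * 100))
    discount = int(round(float(f["discount"]) * 100))
    qty = int(f.get("qty", "1"))
    return max(price - discount, 0) * qty


def _sign(sku, discount_cents):
    # Bind the discount to the SKU so a signed discount for one item
    # cannot be replayed against another.
    msg = f"{sku}:{discount_cents}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def server_fields(sku, discount_cents=0):
    """Hidden fields the hardened form emits: no price, and a signed discount."""
    return {
        "sku": sku,
        "discount": str(discount_cents),
        "discount_sig": _sign(sku, discount_cents),
    }


def checkout_hardened(body):
    """Price comes from the catalog; echoed state must carry a valid MAC."""
    f = _params(body)
    sku = f.get("sku", "")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(f.get("qty", "1"))
    if qty < 1:
        raise ValueError("bad quantity")
    discount = int(f.get("discount", "0"))
    if discount < 0:
        raise ValueError("bad discount")
    if not hmac.compare_digest(_sign(sku, discount), f.get("discount_sig", "")):
        raise ValueError("discount state tampered or missing")
    # Any client-supplied 'price' field is simply ignored.
    return max(CATALOG[sku] - discount, 0) * qty
```

Against `checkout_vulnerable`, editing `price` to `0.01` buys the widget for a cent; against `checkout_hardened` the same edit changes nothing, and editing `discount` without the matching `discount_sig` is rejected. The point of the MAC is that state the server genuinely needs to hand to the client can still be a hidden field, as long as the server can tell on the way back whether it was the one that wrote it.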