WebApp Sec mailing list archives

Re: View and edit hidden HTML form fields (fwd)


From: "Tim Greer" <chatmaster () charter net>
Date: Thu, 12 Jun 2003 12:13:42 -0700


From: "sirkus" <sirkus () sirkit net>
To: "Tim Greer" <chatmaster () charter net>
Cc: <webappsec () securityfocus com>

On Thu, 2003-06-12 at 12:22, Tim Greer wrote:

From: "sirkus" <sirkus () sirkit net>
To: <webappsec () securityfocus com>
Sent: Thursday, June 12, 2003 8:12 AM
Subject: Re: View and edit hidden HTML form fields (fwd)

  Indeed. I certainly wasn't claiming any greatness on the part of the
program, especially since we're not a Windows shop -- it doesn't
particularly apply to me. My point was that while I may be comfortable
with using Perl/LWP and regular expressions as a coder, these are things
I use on a regular basis while doing assessments.  However, for others
(such as many who I work with that do not code) this provides a simple
way to demonstrate various simple client-side state weaknesses.

I actually don't see how this reveals any weaknesses. Just seeing the fields
or arguments/values passed to a script/program doesn't really mean anything.
It can save a lame 'web site form based' cracker some effort, but that's
about it.

Okay.. First, I was simply making a comment about the not-so-serious
program doing something simple in a slick manner.

You needn't justify yourself. I wasn't getting on your case. I think maybe
you got the wrong impression. I was only presenting other ideas.

I know nothing about
the program other than the fact that it seems simpler at modifying form
inputs than using "View-Source".  It was a simple comment.

You don't need to justify yourself. I'm not sure where you misunderstood my
response.

 Second, I
didn't realize that I had suddenly become a spokesman for the program
and what it's capable of simply by making the comment. Please, I am not,
nor do I endorse its use as an assessment tool.

I have absolutely no idea what you're talking about and I can't imagine
where you got the impression you did.

  However, since I evidently need to qualify every comment with a full
explanation...

You don't, I didn't insinuate you needed to. You misunderstood me.

Yes, tools like this can be used to test for client-side
state weaknesses. (Or whatever you would like to call it.)  By
modifying simple form field inputs, whether they are hidden or
not-so-hidden, this can reveal logic weaknesses used by web-app
developers to handle client-side-state information.

Right.

That's what
parameter manipulation is about.

Right.

If some ignorant webapp developer is
still using hidden fields to store discount codes, shopping cart prices,
or other sensitive state information, simple tools like this are all you
would need to discover and exploit this type of "weakness". (And yes,
this is still quite prevalent, even in many "secure" applications.)

Well, lame programming logic is lame programming logic. This doesn't really
do a lot, is all I was saying.

Beyond this, "Just seeing the fields or arguments/values passed to a
program" DOES mean something.

Yes, if the program is insecure.

This is the fundamental basis for
black-box learning of how an application is built, and possibly how to
assess it for security. (Yes, there's much more, but it's a fundamental
piece.)

Well, if people practiced very common, very simple, obvious logic in their
programs/scripts, that wouldn't be an issue. Of course, it is, so it's an
issue. I simply was saying it seemed like a silly program to me for the
reason that it's not going to do anything but save someone time from viewing
the source of a form.

  But to qualify this again, No, this particular tool is not one I would
recommend for attempting these types of web application security
assessments. From what I see, it's not an assessment tool. It's simply a
gadget.....

Right, it can save you a few seconds from viewing the source and allow you
to test things quicker because of that. It's not a security tool, it's to
make it a little faster than viewing the source to try to test the security.

  Anyway. I don't mind talking about this stuff..

Nor do I.

but I hate cluttering
the list up with pointless re-posts.

Okay, but I didn't ask or expect you to. And, I was simply responding to
you.

 From now on, I'll try to qualify
my statements more effectively the first time so I can avoid the large
target on my back.

If you think that's what happened, I don't know what to say or think.
Nonetheless, it's really none of my business. I made some simple, quick
comments, nothing to belittle you. Perhaps you were hounded by some arrogant
security person previously and just were a little on the defensive?


Sure, it looks sort of neat for what it is. For a Windows desktop. Of
course, my opinion is two things; Installing a program someone else wrote
that I don't see the source to, is not going to happen. Secondly, using IE,
you already have enough problems to not be wasting your time with silly
tools like this. :-)

As before... I happen to have the same stance with IE. Agreed.

Tim, you seem to be a decent guy. If you have any further concerns about
any of my yet unqualified statements, feel free to e-mail me.

No big deal. I hope you understand now that I wasn't responding to belittle
you. Nothing more than just an interest to participate in the discussion.
Cheers.

--
Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.
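An added example, not code from the thread or either of its authors, of the server-side weakness sirkus describes (a hidden price field trusted as application state) beside the two defensive patterns: look the price up server-side, or, when state really must round-trip through the client, bind it with an HMAC so tampering is detected. The catalog, key and posted forms are constructed for illustration.

```python
# Added example (not from the thread): hidden form fields are client-controlled,
# so server-side logic must not treat them as trustworthy state.
import hmac
import hashlib

CATALOG = {"widget": 1999, "gadget": 4999}            # prices in cents, held server-side
SECRET = b"constructed-demo-key-rotate-in-production"  # assumption: server-held key

def checkout_trusting_hidden_fields(form):
    """Vulnerable pattern: the total is computed from the hidden 'price' field."""
    return int(form["qty"]) * int(form["price"])

def checkout_server_side_lookup(form):
    """Hardened pattern: price comes from the server catalog; any 'price'
    field the client submits is ignored, so editing it changes nothing."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(form["qty"])
    if qty < 1:
        raise ValueError("bad quantity")
    return qty * CATALOG[sku]

def sign_state(value):
    """Bind a value that must round-trip through the client with an HMAC."""
    mac = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"

def verify_state(signed):
    """Return the value only if its MAC checks out; reject edited fields."""
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("tampered or forged hidden field")
    return value

def state_is_authentic(signed):
    """Boolean wrapper around verify_state for callers that just need a check."""
    try:
        verify_state(signed)
        return True
    except ValueError:
        return False

# Constructed form posts: as rendered by the server, then as edited in the client.
ORIGINAL_POST = {"sku": "widget", "qty": "2", "price": "1999"}
TAMPERED_POST = {"sku": "widget", "qty": "2", "price": "1"}

if __name__ == "__main__":
    print(checkout_trusting_hidden_fields(TAMPERED_POST))  # 2: edited price honoured
    print(checkout_server_side_lookup(TAMPERED_POST))      # 3998: edited price ignored
    signed = sign_state("discount=10")
    print(state_is_authentic(signed), state_is_authentic("discount=90." + signed.split(".")[1]))
```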
