Re: Recent App Test

[Amit Klein <amit.klein () sanctuminc com>]

Hi

   During a recent Application pen test I came across a url of the form:
    
   http://www.vulnsite.com/cgi-bin/vulnscript.jsp?url=www.website.com&id=12345
    
   I changed the url parameter to something like url=www.google.com and
   google appeared in my browser. Next, i changed the url to
   url=www.whatismyip.com, hoping that the ip address of the webserver
   would be displayed, however, only my ip address was displayed.

   This means that my browser is loading the url parameter as opposed
   to the webserver script fethching the url and then displaying it for
   me in my browser right? Is this a security issue?


That depends. If the server makes the browser load that url using an 
HTTP redirection (i.e. via a 3xx response and the Location header, or 
via a 200 response with the Refresh header) then an HTTP Response 
Splitting attack may perhaps be possible. For more details on this 
attack and on its impact see "Divide and Conquer - HTTP Response 
Splitting, Web Cache Poisoning Attackes, and Related Topics", at the 
following URL:
http://www.sanctuminc.com/pdf/WhitePaper_HTTPResponse.pdf

If, on the other hand, the server embeds the url in a frame, or in a 
meta tag that causes redirection, then it may perhaps be possible to 
simply mount a cross site scripting attack.

Good luck,
-Amit


Amit Klein
Director of security and research, Sanctum
W: +972-9-9586077 x225, F: +972-9-9576337
1 Sapir St., Ampa Bldg., Herzlia 46733 Israel
amit.klein () sanctuminc com <blocked::mailto:amit.klein () sanctuminc com>