Re: Recent App Test

[Rogan Dawes <discard () dawes za net>]

ramatkal () hotmail com wrote:

> During a recent Application pen test I came across a url of the form:
>
>  
>
> http://www.vulnsite.com/cgi-bin/vulnscript.jsp?url=www.website.com&id=12345
>
>  
>
> I changed the url parameter to something like url=www.google.com and google appeared in my browser. Next, i changed the 
> url to url=www.whatismyip.com, hoping that the ip address of the webserver would be displayed, however, only my ip 
> address was displayed.
>
>
>
> This means that my browser is loading the url parameter as opposed to the webserver script fethching the url and then 
> displaying it for me in my browser right? Is this a security issue?

Basically this means that someone could include undesirable content as 
part of that site. e.g. send someone a link to the company's site, that 
includes some pornographic/racist/etc content. The original person will 
think that the original site is serving that content, and reputational 
damage will result.

Note that this is NOT the webserver retrieving the page, and relaying it 
to you, your browser is fetching the page. So, you cannot use this to 
anonymously portscan hosts on the internet. You probably CAN use this to 
do cross site scripting, if you explore reformatting the URL, and 
including some HTML or script elements in that parameter.

Look at the exact response to that request, using something like 
webscarab or another intercepting proxy, and see exactly where the url 
parameter is placed in the response. That will guide you in manipulating 
the parameters appropriately.

Rogan
--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"