Re: Recent App Test

[Bill Pennington <bill.pennington () gmail com>]

Look at the source of the page, more than likely the url parameter is
being shoved into a frame or iframe and therefore your browser is
making the request.

One of the main issues with this is that you can spoof content. Like
if the site has a login you could dupe that page on your site, point
to it with the url parameter, then collect usernames and passwords. Or
just put up pictures of Britney Spears, the choose is yours :-)

On 18 Aug 2004 08:04:44 -0000, ramatkal () hotmail com
<ramatkal () hotmail com> wrote:
> During a recent Application pen test I came across a url of the form:
>
> http://www.vulnsite.com/cgi-bin/vulnscript.jsp?url=www.website.com&id=12345
>
> I changed the url parameter to something like url=www.google.com and google appeared in my browser. Next, i changed 
> the url to url=www.whatismyip.com, hoping that the ip address of the webserver would be displayed, however, only my 
> ip address was displayed.
>
> This means that my browser is loading the url parameter as opposed to the webserver script fethching the url and then 
> displaying it for me in my browser right? Is this a security issue?
>
> Assuming that it was the actual webserver script fetching the url parameter and then displaying it for me, I've come 
> up with a few vulnerabilities (listed below) and was hoping that people might like to share some of their ideas.
>
> 1) Can use vulnsite as a proxy (& hack other sites)
>
> 2) Can port scan using the vuln site by changing url=www.website.com to url=www.sitetoscan.com:port
>
> 3) Can connect to & port scan machines behind the firewall.
>
> Thanks in adance,
>
> Sol