RE: Recent App Test

[<stevenr () mastek com>]

Hi 

As per info given by you, the web server is just doing some thing of
this sort 

<%
response.sendRedirect( request.getParameter( "url" ) );
%>


So in that case, your browser is making the request to the url. This is
just like clicking a href, so don't think anything more can come out of
this. Surely not the port scan etc...

One point though, if they are printing the URL from the request directly
(as in the code snippet above), then you have a possible candidate for
XSS.

Regards, 
Steven Rebello
Mastek Limited,
"This email is printed using 100% recycled electrons." 


-----Original Message-----
From: ramatkal () hotmail com [mailto:ramatkal () hotmail com] 
Sent: Wednesday, August 18, 2004 1:35 PM
To: webappsec () securityfocus com
Subject: Recent App Test



During a recent Application pen test I came across a url of the form:

 

http://www.vulnsite.com/cgi-bin/vulnscript.jsp?url=www.website.com&id=12
345

 

I changed the url parameter to something like url=www.google.com and
google appeared in my browser. Next, i changed the url to
url=www.whatismyip.com, hoping that the ip address of the webserver
would be displayed, however, only my ip address was displayed.



This means that my browser is loading the url parameter as opposed to
the webserver script fethching the url and then displaying it for me in
my browser right? Is this a security issue?





Assuming that it was the actual webserver script fetching the url
parameter and then displaying it for me, I've come up with a few
vulnerabilities (listed below) and was hoping that people might like to
share some of their ideas.

   

1) Can use vulnsite as a proxy (& hack other sites)

2) Can port scan using the vuln site by changing url=www.website.com to
url=www.sitetoscan.com:port

3) Can connect to & port scan machines behind the firewall.

 



Thanks in adance,

Sol





MASTEK
"Making a valuable difference"
Mastek in NASSCOM's 'India Top 20' Software Service Exporters List.
In the US, we're called MAJESCO

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Opinions expressed in this e-mail are those of the individual and not that of Mastek Limited, unless specifically 
indicated to that effect. Mastek Limited does not accept any responsibility or liability for it. This e-mail and 
attachments (if any) transmitted with it are confidential and/or privileged and solely for the use of the intended 
person or entity to which it is addressed. Any review, re-transmission, dissemination or other use of or taking of any 
action in reliance upon this information by persons or entities other than the intended recipient is prohibited. This 
e-mail and its attachments have been scanned for the presence of computer viruses. It is the responsibility of the 
recipient to run the virus check on e-mails and attachments before opening them. If you have received this e-mail in 
error, kindly delete this e-mail from all computers.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~