WebApp Sec mailing list archives
RE: Recent App Test
From: <stevenr () mastek com>
Date: Thu, 19 Aug 2004 21:29:55 +0530
Hi As per info given by you, the web server is just doing some thing of this sort <% response.sendRedirect( request.getParameter( "url" ) ); %> So in that case, your browser is making the request to the url. This is just like clicking a href, so don't think anything more can come out of this. Surely not the port scan etc... One point though, if they are printing the URL from the request directly (as in the code snippet above), then you have a possible candidate for XSS. Regards, Steven Rebello Mastek Limited, "This email is printed using 100% recycled electrons." -----Original Message----- From: ramatkal () hotmail com [mailto:ramatkal () hotmail com] Sent: Wednesday, August 18, 2004 1:35 PM To: webappsec () securityfocus com Subject: Recent App Test During a recent Application pen test I came across a url of the form: http://www.vulnsite.com/cgi-bin/vulnscript.jsp?url=www.website.com&id=12 345 I changed the url parameter to something like url=www.google.com and google appeared in my browser. Next, i changed the url to url=www.whatismyip.com, hoping that the ip address of the webserver would be displayed, however, only my ip address was displayed. This means that my browser is loading the url parameter as opposed to the webserver script fethching the url and then displaying it for me in my browser right? Is this a security issue? Assuming that it was the actual webserver script fetching the url parameter and then displaying it for me, I've come up with a few vulnerabilities (listed below) and was hoping that people might like to share some of their ideas. 1) Can use vulnsite as a proxy (& hack other sites) 2) Can port scan using the vuln site by changing url=www.website.com to url=www.sitetoscan.com:port 3) Can connect to & port scan machines behind the firewall. Thanks in adance, Sol MASTEK "Making a valuable difference" Mastek in NASSCOM's 'India Top 20' Software Service Exporters List. In the US, we're called MAJESCO ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Opinions expressed in this e-mail are those of the individual and not that of Mastek Limited, unless specifically indicated to that effect. Mastek Limited does not accept any responsibility or liability for it. This e-mail and attachments (if any) transmitted with it are confidential and/or privileged and solely for the use of the intended person or entity to which it is addressed. Any review, re-transmission, dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. This e-mail and its attachments have been scanned for the presence of computer viruses. It is the responsibility of the recipient to run the virus check on e-mails and attachments before opening them. If you have received this e-mail in error, kindly delete this e-mail from all computers. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Current thread:
- Recent App Test ramatkal (Aug 19)
- Re: Recent App Test Adam Tuliper (Aug 20)
- Re: Recent App Test Rogan Dawes (Aug 20)
- Re: Recent App Test Bill Pennington (Aug 20)
- Re: Recent App Test Saqib . N . Ali (Aug 20)
- Message not available
- Re: Recent App Test Blake Schneider (Aug 21)
- <Possible follow-ups>
- Re: Recent App Test Amit Klein (Aug 20)
- RE: Recent App Test stevenr (Aug 20)