Penetration Testing mailing list archives
Re: Web App Script Capture
From: Anthony Cicalla <anthony.cicalla () gmail com>
Date: Sat, 3 Oct 2009 03:03:09 -0700
It's really nice when you can use the traversal to just look at the history file on a *nix box and acquire the root login password as a result. It can still be quite common, which, as stated before, makes owning the box pretty easy.

Anthony

On Thu, Oct 1, 2009 at 7:04 AM, Mike Duncan <Mike.Duncan () noaa gov> wrote:
Jon Kibler wrote:
> Mike Duncan wrote:
>> What you have to worry about in these situations is information disclosure. Using the path traversal, an attacker can fingerprint the OS, applications/daemons installed, and even the versions in some cases. Using this information, further attacks can be made on the system itself.
>
> I know. In fact, with this particular app, I am able to upload arbitrary files and get full system remote access with very little effort.

Oh, I thought by your original message you meant that file uploading was not an option. I guess what you meant is that there is no actual form to upload a file.

> However, since it is an open source app, I took a "short cut" by looking at the code to see how session cookies are created, so I can hijack sessions to upload files. I would like to use this vulnerable app as a demo, but I can readily anticipate the feedback of "you cheated. you could never do this with a closed source app."

What would they say to you using OllyDbg or gdb in your analysis of software? They are missing the point of Open Source if they are saying that you are cheating. The point IS to see the source and pass along the issues or fix them yourself. If it was a closed source application, then you are at the devices of the developer, who may/not be around/care that you found the issue(s). Additionally, every other good attacker on the planet (like yourself) would use the same means.

You do not need to see the source either to investigate how sessions are stored. Trial and error would definitely bring this issue to light (i.e. SQLi is normally trial and error in the beginning). Many dynamic analysis tools would most likely pick up on this issue as well. Maybe you could build on that too -- perhaps tell them how you can achieve the same goal without looking at the source.

> What I want to demonstrate is that once I have path traversal, I can steal just about anything -- except for script source code. I haven't figured out a work-around for that problem (stealing source code). Thus, my question.

You might wanna see if there is another application installed on the server which will allow you to accomplish your goals. By using traversal, you should be able to see what OS and application versions are installed, and then you can work from there. Thus, demonstrating that path traversal is more dangerous than most of your audience thought. I am sure you will get feedback to the sound of "well, we will just patch everything else", leaving the attack vector open, but this is security through obscurity really. To further illustrate your point, point out videos or texts online showing the dangers of traversals, or even examples.

> Jon

HTH.

Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
--
Anthony,
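The two points made in the thread above, reading a shell history through a traversal and mining it for a root password, are shown below as an added example that is not part of the original posts or of any application the thread discusses. The "web root", the home directory, the history lines and the passwords in them are all constructed in a temporary directory for the demonstration, and the hardened serving function goes one step past the thread by showing the canonicalise-then-containment check that stops the escape (the function names and the credential regexes are this example's own assumptions, not anyone's product code).

```python
"""
Path traversal: a vulnerable file-serving function next to a hardened one,
and what an attacker gets once the victim's shell history is readable.

Added example, not code from the mailing-list thread. The webroot, the home
directory, the .bash_history contents and the passwords in it are all
constructed here in a temporary directory; nothing real is touched.
"""
import os
import re
import tempfile


def make_lab():
    """Build a throwaway filesystem: <base>/webroot/static plus an 'outside'
    home directory holding a constructed .bash_history."""
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "webroot", "static")
    home = os.path.join(base, "home", "admin")
    os.makedirs(webroot)
    os.makedirs(home)
    with open(os.path.join(webroot, "logo.txt"), "w") as f:
        f.write("public asset\n")
    # Constructed history lines of the kind that leak credentials (made-up secrets).
    with open(os.path.join(home, ".bash_history"), "w") as f:
        f.write(
            "ls -la\n"
            "mysql -u root -pS3cretRoot! app_db\n"
            "sshpass -p 'Hunter2!' ssh backup@10.0.0.5\n"
            "echo 'Tr0ub4dor&3' | sudo -S service httpd restart\n"
        )
    return base, webroot, home


def serve_vulnerable(webroot, requested):
    """The classic bug: user input joined onto the document root.
    os.path.join does nothing about '..' segments, so the path leaves webroot."""
    path = os.path.join(webroot, requested)
    with open(path, "rb") as f:
        return f.read()


def serve_hardened(webroot, requested):
    """Canonicalise first (symlinks and '..' resolved), then refuse anything
    whose real path is not under the real document root."""
    root = os.path.realpath(webroot)
    path = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, path]) != root:
        raise PermissionError(f"traversal blocked: {requested!r}")
    with open(path, "rb") as f:
        return f.read()


# Assumed patterns for commands that commonly put a secret on the command line.
CRED_PATTERNS = [
    re.compile(r"mysql\b.*?\s-p(\S+)"),                 # mysql -u root -pPASS
    re.compile(r"sshpass\s+-p\s+'?([^'\s]+)'?"),        # sshpass -p 'PASS' ssh ...
    re.compile(r"echo\s+'([^']+)'\s*\|\s*sudo\s+-S"),   # echo 'PASS' | sudo -S ...
]


def harvest_history(text):
    """Return (command, secret) pairs for every history line matching CRED_PATTERNS."""
    found = []
    for line in text.splitlines():
        for pat in CRED_PATTERNS:
            m = pat.search(line)
            if m:
                found.append((line.split()[0], m.group(1)))
                break
    return found


def demo():
    """Run the attack against both handlers and report what each one yielded."""
    base, webroot, home = make_lab()
    # From <base>/webroot/static, two '..' steps reach <base>, then down to the home dir.
    traversal = "../../home/admin/.bash_history"
    leaked = serve_vulnerable(webroot, traversal).decode()
    secrets = harvest_history(leaked)
    try:
        serve_hardened(webroot, traversal)
        blocked = False
    except PermissionError:
        blocked = True
    normal_ok = serve_hardened(webroot, "logo.txt") == b"public asset\n"
    return {"secrets": secrets, "blocked": blocked, "normal_ok": normal_ok}


if __name__ == "__main__":
    print(demo())
```

The containment check compares the canonicalised target against the canonicalised root rather than testing the raw string for `..`, so encoded or symlinked variants that resolve outside the root are caught as well; the legitimate `logo.txt` request still succeeds, which is the regression a practitioner should verify after adding such a check.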
Current thread:
- Re: Web App Script Capture Jerome Athias (Oct 02)
- <Possible follow-ups>
- Re: Web App Script Capture Mike Duncan (Oct 02)
- Re: Web App Script Capture Jon Kibler (Oct 02)
- Re: Web App Script Capture Mike Duncan (Oct 02)
- Re: Web App Script Capture Anthony Cicalla (Oct 04)
- Re: Web App Script Capture arvind doraiswamy (Oct 04)
- Re: Web App Script Capture Jon Kibler (Oct 04)
- Re: Web App Script Capture Jerome Athias (Oct 05)
- Re: Web App Script Capture Jon Kibler (Oct 02)
- Re: Web App Script Capture Jerome Athias (Oct 04)
- Re: Web App Script Capture Zed Qyves (Oct 05)