WebApp Sec mailing list archives

Re: View and edit hidden HTML form fields (fwd)


From: sirkus <sirkus () sirkit net>
Date: 12 Jun 2003 14:02:06 -0500

On Thu, 2003-06-12 at 12:22, Tim Greer wrote:

From: "sirkus" <sirkus () sirkit net>
To: <webappsec () securityfocus com>
Sent: Thursday, June 12, 2003 8:12 AM
Subject: Re: View and edit hidden HTML form fields (fwd)

  Indeed. I certainly wasn't claiming any greatness on the part of the
program, especially since we're not a Windows shop -- it doesn't
particularly apply to me. My point was that while I may be comfortable
with using Perl/LWP and regular expressions as a coder, these are things
I use on a regular basis while doing assessments.  However, for others
(such as many who I work with that do not code) this provides a simple
way to demonstrate various simple client-side state weaknesses.

I actually don't see how this reveals any weaknesses. Just seeing the fields
or arguments/values passed to a script/program doesn't really mean anything.
It can save a lame 'web site form based' cracker some effort, but that's
about it.

Okay.. First, I was simply making a comment about the not-so-serious
program doing something simple in a slick manner. I know nothing about
the program other than the fact that it seems simpler at modifying form
inputs than using "View-Source".  It was a simple comment.  Second, I
didn't realize that I had suddenly become a spokesman for the program
and what it's capable of simply by making the comment. Please, I am not,
nor do I endorse its use as an assessment tool.

  However, since I evidently need to qualify every comment with a full
explanation... Yes, tools like this can be used to test for client-side
state weaknesses. (Or whatever you would like to call it.)  By
modifying simple form field inputs, whether they are hidden or
not-so-hidden, this can reveal logic weaknesses used by web-app
developers to handle client-side-state information.  That's what
parameter manipulation is about. If some ignorant webapp developer is
still using hidden fields to store discount codes, shopping cart prices,
or other sensitive state information, simple tools like this are all you
would need to discover and exploit this type of "weakness". (And yes,
this is still quite prevalent, even in many "secure" applications.) 
Beyond this, "Just seeing the fields or arguments/values passed to a
program" DOES mean something.  This is the fundamental basis for
black-box learning of how an application is built, and possibly how to
assess it for security. (Yes, there's much more, but it's a fundamental
piece.) 

  But to qualify this again, No, this particular tool is not one I would
recommend for attempting these types of web application security
assessments. From what I see, it's not an assessment tool. It's simply a
gadget...

  Anyway. I don't mind talking about this stuff.. but I hate cluttering
the list up with pointless re-posts.  From now on, I'll try to qualify
my statements more effectively the first time so I can avoid the large
target on my back.


Sure, it looks sort of neat for what it is. For a Windows desktop. Of
course, my opinion is two things; Installing a program someone else wrote
that I don't see the source to, is not going to happen. Secondly, using IE,
you already have enough problems to not be wasting your time with silly
tools like this. :-)

As before... I happen to have the same stance with IE.   Agreed.

Tim, you seem to be a decent guy. If you have any further concerns about
any of my yet unqualified statements, feel free to e-mail me.

sirkus AT sirkit DOT net


Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.
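The weakness sirkus describes above (a hidden form field carrying a price or discount that the server then trusts) is illustrated here from the server side, as an added example that is not part of the original thread: a handler that bills whatever `price` the browser sends, next to one that recomputes from a server-side catalogue and, where state must round-trip through a hidden field, binds it with an HMAC tag. The catalogue, key, field names and request body are all constructed for the demonstration.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Constructed server-side catalogue: the only trustworthy source of prices (cents).
CATALOG = {"sku-100": 4999, "sku-200": 1500}
# Constructed demo key; a real deployment keeps this out of source and rotates it.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def vulnerable_total(form_body: str) -> int:
    """Trusts the hidden 'price' field the browser sent: the weakness in the thread."""
    form = parse_qs(form_body)
    return int(form["price"][0]) * int(form["qty"][0])


def hardened_total(form_body: str) -> int:
    """Ignores any client-supplied price and recomputes from the server catalogue."""
    form = parse_qs(form_body)
    sku = form["sku"][0]
    qty = int(form["qty"][0])
    if sku not in CATALOG or qty < 1:
        raise ValueError("invalid sku or quantity")
    return CATALOG[sku] * qty


def sign_state(state: str) -> str:
    """If state must travel in a hidden field, append an HMAC tag over it."""
    tag = hmac.new(SECRET_KEY, state.encode(), hashlib.sha256).hexdigest()
    return f"{state}|{tag}"


def verify_state(signed: str) -> str:
    """Return the state only if the tag verifies; any client edit fails here."""
    state, _, tag = signed.rpartition("|")
    expected = hmac.new(SECRET_KEY, state.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tampered hidden field")
    return state


def state_is_valid(signed: str) -> bool:
    """Boolean wrapper around verify_state for callers that only need accept/reject."""
    try:
        verify_state(signed)
        return True
    except ValueError:
        return False


# Constructed request body: the client edited the hidden price down to 1 cent.
TAMPERED = "sku=sku-100&qty=2&price=1"

if __name__ == "__main__":
    print(vulnerable_total(TAMPERED), hardened_total(TAMPERED))
    signed = sign_state("discount=10")
    print(state_is_valid(signed), state_is_valid(signed.replace("10", "90")))
```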
