WebApp Sec mailing list archives
Re: View and edit hidden HTML form fields (fwd)
From: sirkus <sirkus () sirkit net>
Date: 12 Jun 2003 14:02:06 -0500
On Thu, 2003-06-12 at 12:22, Tim Greer wrote:
From: "sirkus" <sirkus () sirkit net>
To: <webappsec () securityfocus com>
Sent: Thursday, June 12, 2003 8:12 AM
Subject: Re: View and edit hidden HTML form fields (fwd)

Indeed. I certainly wasn't claiming any greatness on the part of the program, especially since we're not a Windows shop -- it doesn't particularly apply to me. My point was that while I may be comfortable with using Perl/LWP and regular expressions as a coder, these are things I use on a regular basis while doing assessments. However, for others (such as many who I work with that do not code) this provides a simple way to demonstrate various simple client-side state weaknesses.

I actually don't see how this reveals any weaknesses. Just seeing the fields or arguments/values passed to a script/program doesn't really mean anything. It can save a lame 'web site form based' cracker some effort, but that's about it.
Okay.. First, I was simply making a comment about the not-so-serious program doing something simple in a slick manner. I know nothing about the program other than the fact that it seems simpler at modifying form inputs than using "View-Source". It was a simple comment. Second, I didn't realize that I had suddenly become a spokesman for the program and what it's capable of simply by making the comment. Please, I am not, nor do I endorse its use as an assessment tool.

However, since I evidently need to qualify every comment with a full explanation... Yes, tools like this can be used to test for client-side state weaknesses. (Or whatever you would like to call it.) By modifying simple form field inputs, whether they are hidden or not-so-hidden, this can reveal logic weaknesses used by web-app developers to handle client-side-state information. That's what parameter manipulation is about. If some ignorant webapp developer is still using hidden fields to store discount codes, shopping cart prices, or other sensitive state information, simple tools like this are all you would need to discover and exploit this type of "weakness". (And yes, this is still quite prevalent, even in many "secure" applications.)

Beyond this, "Just seeing the fields or arguments/values passed to a program" DOES mean something. This is the fundamental basis for black-box learning of how an application is built, and possibly how to assess it for security. (Yes, there's much more, but it's a fundamental piece.) But to qualify this again, no, this particular tool is not one I would recommend for attempting these types of web application security assessments. From what I see, it's not an assessment tool. It's simply a gadget.....

Anyway. I don't mind talking about this stuff.. but I hate cluttering the list up with pointless re-posts. From now on, I'll try to qualify my statements more effectively the first time so I can avoid the large target on my back.
Sure, it looks sort of neat for what it is. For a Windows desktop. Of course, my opinion is two things: installing a program someone else wrote that I don't see the source to is not going to happen. Secondly, using IE, you already have enough problems to not be wasting your time with silly tools like this. :-)
As before... I happen to have the same stance with IE. Agreed. Tim, you seem to be a decent guy. If you have any further concerns about any of my yet unqualified statements, feel free to e-mail me. sirkus AT sirkit DOT net
Regards,
Tim Greer
chatmaster () charter net
Server administration, security, programming, consulting.
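The hidden-field weakness sirkus describes above (prices and discount codes carried in form fields the server then trusts), as an added example that is not code from the thread or from the tool under discussion: a checkout handler that computes the total from hidden fields, beside one that treats those fields only as identifiers and resolves price and discount from server-side state, plus an HMAC binding for state that genuinely has to round-trip through the client. The catalogue, discount table and key are constructed placeholders.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Constructed server-side data for this example (not any real shop's values).
CATALOGUE = {"sku-100": 4999}      # unit price in cents
DISCOUNTS = {"SAVE10": 10}         # percent off per discount code
SECRET = b"example-server-secret"  # placeholder key; a real deployment keeps this out of source


def total_trusting_form(body: str) -> int:
    """Weak pattern: price and discount are read straight from hidden form fields.
    Anyone who edits the form (View-Source, a proxy, a gadget like the one in the
    thread) chooses their own total."""
    f = parse_qs(body)
    price = int(f["price"][0])
    pct = int(f.get("discount_pct", ["0"])[0])
    qty = int(f.get("qty", ["1"])[0])
    return price * qty * (100 - pct) // 100


def total_server_side(body: str) -> int:
    """Hardened: the form only names *what* is bought; price and discount come
    from server state, and any extra fields the client adds are ignored."""
    f = parse_qs(body)
    sku = f["sku"][0]
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    qty = int(f.get("qty", ["1"])[0])
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    code = f.get("code", [""])[0]
    pct = DISCOUNTS.get(code, 0)  # unknown or edited code: no discount, no crash
    return CATALOGUE[sku] * qty * (100 - pct) // 100


def sign_state(value: str) -> str:
    """If some state must live in a hidden field, bind it with an HMAC so that
    a modified value is rejected instead of silently honoured."""
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + tag


def verify_state(field: str):
    """Returns the original value, or None if the tag does not match."""
    value, _, tag = field.rpartition(".")
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None
```

A detection angle for the weak pattern is a server-side comparison of the submitted price against the catalogue price at order time; any mismatch is a tampered form, not a pricing error.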