WebApp Sec mailing list archives
Re: Recent App Test
From: Amit Klein <amit.klein () sanctuminc com>
Date: Thu, 19 Aug 2004 14:42:11 +0300
Hi During a recent Application pen test I came across a url of the form:http://www.vulnsite.com/cgi-bin/vulnscript.jsp?url=www.website.com&id=12345 I changed the url parameter to something like url=www.google.com and
google appeared in my browser. Next, i changed the url to url=www.whatismyip.com, hoping that the ip address of the webserver would be displayed, however, only my ip address was displayed. This means that my browser is loading the url parameter as opposed to the webserver script fethching the url and then displaying it for me in my browser right? Is this a security issue?That depends. If the server makes the browser load that url using an HTTP redirection (i.e. via a 3xx response and the Location header, or via a 200 response with the Refresh header) then an HTTP Response Splitting attack may perhaps be possible. For more details on this attack and on its impact see "Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attackes, and Related Topics", at the following URL:
http://www.sanctuminc.com/pdf/WhitePaper_HTTPResponse.pdfIf, on the other hand, the server embeds the url in a frame, or in a meta tag that causes redirection, then it may perhaps be possible to simply mount a cross site scripting attack.
Good luck, -Amit Amit Klein Director of security and research, Sanctum W: +972-9-9586077 x225, F: +972-9-9576337 1 Sapir St., Ampa Bldg., Herzlia 46733 Israel amit.klein () sanctuminc com <blocked::mailto:amit.klein () sanctuminc com>
Current thread:
- Recent App Test ramatkal (Aug 19)
- Re: Recent App Test Adam Tuliper (Aug 20)
- Re: Recent App Test Rogan Dawes (Aug 20)
- Re: Recent App Test Bill Pennington (Aug 20)
- Re: Recent App Test Saqib . N . Ali (Aug 20)
- Message not available
- Re: Recent App Test Blake Schneider (Aug 21)
- <Possible follow-ups>
- Re: Recent App Test Amit Klein (Aug 20)
- RE: Recent App Test stevenr (Aug 20)