WebApp Sec mailing list archives
RE: Is this exploitable?..
From: "Benjamin Livshits" <livshits () cs stanford edu>
Date: Thu, 16 Dec 2004 12:14:11 -0800
What worries me is a scenario in which parts of the HTTP request are somehow malicious. I.e., as is the case for XSS, if responseString is set to contain some user-supplied JavaScript, it may lead to problems if printed back to the browser verbatim. Coming up with an exploit scenario is the difficulty, though.

-Ben
-----Original Message-----
From: Peter Conrad [mailto:conrad () tivano de]
Sent: Thursday, December 16, 2004 7:54 AM
To: webappsec () securityfocus com
Cc: Benjamin Livshits
Subject: Re: Is this exploitable?..

Hi,

On Wednesday, 15 December 2004 at 23:42, Benjamin Livshits wrote:
> It looks like responseString obtained from req is forgeable and this
> may conceivably lead to a vulnerability down the line, it seems, when
> responseString is output with a call to out.print(responseString).

please explain in what way the responseString is "forgeable". Yes, it
does include all the original request headers. That's the point of a
TRACE request.

out.print() will write the *body* of the response, if that's what
worries you.

Bye,
	Peter
--
Peter Conrad                  Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH       Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                http://www.tivano.de/
63263 Neu-Isenburg
Germany
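The pattern the two messages are arguing about, as an added example that is not code from either poster or from the application Ben was looking at: a servlet builds responseString from the incoming request (its request line and headers, which is exactly what a TRACE response echoes) and writes it with out.print(). The servlet class, its method names and the hypothetical "view" parameter are assumptions made for illustration. The unsafe variant serves the verbatim echo as text/html, so a request header such as "X-Test: <script>alert(1)</script>" reaches the browser as markup; the hardened variant serves the echo as message/http, or HTML-escapes it when it has to appear inside a page.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical servlet, not the code discussed in the thread).
// Assumes Servlet API 3.x or later, where getHeaderNames() returns Enumeration<String>.
public class TraceEchoServlet extends HttpServlet {

    // Echo the request the way a TRACE response does: the request line, then
    // every header verbatim. Every header value here is client-controlled.
    static String buildResponseString(HttpServletRequest req) {
        StringBuilder sb = new StringBuilder();
        sb.append(req.getMethod()).append(' ')
          .append(req.getRequestURI()).append(' ')
          .append(req.getProtocol()).append("\r\n");
        Enumeration<String> names = req.getHeaderNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            Enumeration<String> values = req.getHeaders(name);
            while (values.hasMoreElements()) {
                sb.append(name).append(": ").append(values.nextElement()).append("\r\n");
            }
        }
        return sb.toString();
    }

    // Minimal escaping for text placed inside an HTML element body.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The variant Ben is worried about: the verbatim echo is served as text/html,
    // so a header value containing <script>...</script> is parsed and run by the
    // browser that receives this response.
    protected void doTraceUnsafe(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.print(buildResponseString(req));   // reflects client input verbatim
    }

    // Hardened variant. A TRACE echo is defined to be message/http, which a browser
    // does not render as a document, and nosniff stops it being sniffed into HTML.
    // If the echo must be shown inside a page (hypothetical "view=html"), it is
    // escaped first, so header contents can only ever appear as text.
    @Override
    protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String responseString = buildResponseString(req);
        PrintWriter out = resp.getWriter();
        if ("html".equals(req.getParameter("view"))) {
            resp.setContentType("text/html;charset=UTF-8");
            out.print("<pre>" + escapeHtml(responseString) + "</pre>");
        } else {
            resp.setContentType("message/http");
            resp.setHeader("X-Content-Type-Options", "nosniff");
            out.print(responseString);
        }
    }
}
```

Peter's point holds for the second branch: a body of type message/http is just the request text, and out.print() writing it is not by itself a problem. The worry applies only when that same string is emitted under a content type the browser renders, which is what the unsafe variant does and what the escaping in the HTML branch prevents. Whether TRACE should be reachable at all is a separate question that this example does not settle.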
Current thread:
- Is this exploitable?.. Benjamin Livshits (Dec 16)
- Re: Is this exploitable?.. Peter Conrad (Dec 20)
- RE: Is this exploitable?.. Benjamin Livshits (Dec 20)
- Re: Is this exploitable?.. Peter Conrad (Dec 20)
- RE: Is this exploitable?.. Benjamin Livshits (Dec 20)
- Re: Is this exploitable?.. Stephen de Vries (Dec 20)
- Re: Is this exploitable?.. Tim (Dec 20)
- Re: Is this exploitable?.. Peter Conrad (Dec 20)