Also of interest among the other parameters is the isExpired field. This appears to be a Boolean flag specifying whether the search query should include content which is expired. If the application designers did not expect ordinary users to be able to retrieve any expired content, changing this parameter from 0 to 1 could identify an access control vulnerability (see Chapter 8).
The following URL, which allows users to access a content management system, contains a different set of clues:
https://wahh-app.com/workbench.aspx?template=NewBranch.tpl&loc=/default&ver=2.31&edit=false
Here, the .aspx file extension indicates that this is an ASP.NET application. It also appears highly likely that the template parameter is used to specify a filename, and the loc parameter is used to specify a directory. The possible file extension .tpl appears to confirm this, as does the location /default, which could very well be a directory name. It is possible that the application retrieves the template file specified and includes the contents into its response. These parameters may well be vulnerable to path traversal attacks, allowing arbitrary files to be read from the server (see Chapter 10).
Also of interest is the edit parameter, which is set to false. It may be that changing this value to true will modify the registration functionality, potentially enabling an attacker to edit items that the application developer did not intend to be editable. The ver parameter does not have any readily guessable purpose, but it may be that modifying this will cause the application to perform a different set of functions that may be exploitable by an attacker.
Finally, consider the following request, which is used to submit a question to application administrators:
POST /feedback.php HTTP/1.1
Host: wahh-app.com
Content-Length: 389

from=user@wahh-mail.com&to=helpdesk@wahh-app.com&subject=Problem+logging+in&message=Please+help...
As with the other examples, the .php file extension indicates that the function is implemented using the PHP language. Further, it is extremely likely that the application is interfacing with an external email system, and it appears that user-controllable input is being passed to that system in all relevant fields of the email. The function may be exploitable to send arbitrary messages to any recipient, and any of the fields may also be vulnerable to email header injection (see Chapter 9).
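The two server-side weaknesses inferred above, path traversal through the template and loc parameters and email header injection through the feedback fields, are the kind of thing the application should be refusing. The following Python is an added illustration of that defensive handling, not code from the book or from the wahh-app application; the template root directory, the fixed helpdesk address and the sample request bodies are constructed for the example.

```python
import os
import re
from typing import Optional
from urllib.parse import parse_qs

# Constructed values for this example; the book's URLs give only the parameter names.
TEMPLATE_ROOT = "/var/www/app/templates"
HELPDESK = "helpdesk@wahh-app.com"
_CRLF = re.compile(r"[\r\n]")


def resolve_template(loc: str, template: str, root: str = TEMPLATE_ROOT) -> Optional[str]:
    """Map the 'loc' and 'template' parameters to a file under root.

    Returns the canonical path, or None when the request would read outside
    root (dot-dot segments, absolute paths) or names something other than a .tpl file.
    """
    root_real = os.path.realpath(root)
    # os.path.join restarts at an absolute component, so strip leading
    # separators before joining the user-supplied pieces.
    joined = os.path.join(root_real, loc.lstrip("/\\"), template.lstrip("/\\"))
    real = os.path.realpath(joined)  # collapses '..' lexically even if the path is not on disk
    if os.path.commonpath([root_real, real]) != root_real:
        return None
    if not real.endswith(".tpl"):
        return None
    return real


def validate_feedback(body: str) -> Optional[dict]:
    """Parse the POST body of feedback.php and reject header injection.

    'from' and 'subject' end up in SMTP headers, so any CR or LF in them is
    refused; 'to' is never taken from the client. Returns the cleaned fields
    or None when the request must be rejected.
    """
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if any(name not in fields for name in ("from", "subject", "message")):
        return None
    if any(_CRLF.search(fields[name]) for name in ("from", "subject")):
        return None
    return {"from": fields["from"], "to": HELPDESK,
            "subject": fields["subject"], "message": fields["message"]}


if __name__ == "__main__":
    # Constructed sample requests: the benign one mirrors the book's feedback POST.
    print(resolve_template("/default", "NewBranch.tpl"))
    print(resolve_template("/default", "../../../../etc/passwd"))  # None
    benign = "from=user%40wahh-mail.com&to=x&subject=Problem+logging+in&message=Please+help..."
    print(validate_feedback(benign))
    print(validate_feedback(benign.replace("user", "user%0D%0Ainjected")))  # None
```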