The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws
Chapter 4

Mapping the Application

Some applications do not employ the standard query string format (which was described in Chapter 3), but employ their own custom scheme, which may use nonstandard query string markers and field separators, may embed other data schemes such as XML within the query string, or may effectively place the query string within what appears to be the directory or filename portion of the URL. Here are some examples of nonstandard query string formats that the authors have encountered in the wild:

■ /dir/file;foo=bar&foo2=bar2
■ /dir/file?foo=bar$foo2=bar2
■ /dir/file/foo%3dbar%26foo2%3dbar2
■ /dir/foo.bar/file
■ /dir/foo=bar/file
■ /dir/file?param=foo:bar
■ /dir/file?data=%3cfoo%3ebar%3c%2ffoo%3e%3cfoo2%3ebar2%3c%2ffoo2%3e

If a nonstandard query string format is being used, then you will need to take account of this when probing the application for all kinds of common vulnerabilities. For example, when testing the final URL in this list, if you were to ignore the custom format and simply treat the query string as containing a single parameter called data, and so submit various kinds of attack payloads as the value of this parameter, you would miss many kinds of vulnerability that may exist in the processing of the query string. If, conversely, you dissect the format and place your payloads within the embedded XML data fields, you may immediately discover a critical bug such as SQL injection or path traversal.
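As an added illustration (not code from the book), the following Python script dissects each of the nonstandard formats listed above into the individual fields the application actually parses, and compares that count with what a naive ampersand-and-equals query string parser sees. The per-format rules it applies (';'-introduced path parameters, '$' as a field separator, key=value or key.value path segments, colon-delimited values, embedded XML) are assumptions chosen to match the URL examples in the text, not a real product's scheme; which rule a given application really follows has to be confirmed from its behaviour. The point it makes, for a tester mapping entry points or a defender deciding where input validation must apply, is the one in the text: treating data as a single parameter hides the two XML fields inside it.

```python
"""Dissect nonstandard query string formats into the individual input fields
an application actually parses. Added example: the format rules below are
assumptions matching the URL examples in the text, not a real product's scheme."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, unquote, urlsplit

# name=value pairs separated by '&', '$' or ';' (format 2 uses '$').
PAIR_RE = re.compile(r"([^=&$;/]+)=([^&$;/]*)")


def _pairs(text):
    return [(m.group(1), m.group(2)) for m in PAIR_RE.finditer(text)]


def _expand_value(name, value, location):
    """Split one value into the sub-fields the application would parse out of it."""
    value = unquote(value)
    if value.startswith("<"):
        # Embedded XML (format 7): one field per leaf element, named data/foo.
        try:
            root = ET.fromstring("<r>" + value + "</r>")
            return [(f"{name}/{el.tag}", el.text or "", "xml-element")
                    for el in root.iter() if el is not root and len(el) == 0]
        except ET.ParseError:
            pass
    if ":" in value:
        # Colon-delimited value (format 6): one field per part.
        return [(f"{name}[{i}]", part, "value-part")
                for i, part in enumerate(value.split(":"))]
    return [(name, value, location)]


def enumerate_fields(url):
    """Return (name, value, location) for every distinct field in the URL,
    including fields hidden in the path or inside a structured value."""
    parts = urlsplit(url)          # urlsplit keeps ';...' inside the path
    path, query, fields = parts.path, parts.query, []

    if ";" in path:                # format 1: ';'-introduced path parameters
        path, _, matrix = path.partition(";")
        for n, v in _pairs(matrix):
            fields += _expand_value(n, v, "path-param")

    segments = [s for s in path.split("/") if s]
    for i, seg in enumerate(segments):
        decoded = unquote(seg)
        if "=" in decoded:         # formats 3 and 5: key=value inside a segment
            for n, v in _pairs(decoded):
                fields += _expand_value(n, v, "path-segment")
        elif i < len(segments) - 1 and seg.count(".") == 1:
            # format 4: a non-final 'foo.bar' segment read as name.value
            # (assumption; a real file name in the last position is not a field)
            n, v = seg.split(".")
            if n and v:
                fields += _expand_value(n, v, "path-segment")

    for n, v in _pairs(query):     # format 2 and the standard '&' format
        fields += _expand_value(n, v, "query")
    return fields


def field_counts(url):
    """(fields a naive '&'/'=' parser sees, fields the dissection finds)."""
    naive = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return len(naive), len(enumerate_fields(url))


if __name__ == "__main__":
    # Constructed sample URLs, one per format listed in the text.
    for sample in [
        "/dir/file;foo=bar&foo2=bar2",
        "/dir/file?foo=bar$foo2=bar2",
        "/dir/file/foo%3dbar%26foo2%3dbar2",
        "/dir/foo.bar/file",
        "/dir/foo=bar/file",
        "/dir/file?param=foo:bar",
        "/dir/file?data=%3cfoo%3ebar%3c%2ffoo%3e%3cfoo2%3ebar2%3c%2ffoo2%3e",
    ]:
        print(sample, field_counts(sample), enumerate_fields(sample))
```

Running the script prints, for each sample, the naive count beside the dissected count; for the final URL the naive parser reports one field (data) while the dissection reports two (data/foo and data/foo2), which is exactly the gap the paragraph above warns about. The location tag on each field tells you where a payload, or a validation rule, actually has to go.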

A final class of entry points for user input includes any out-of-band channel by which the application receives data that you may be able to control. Some of these entry points may be entirely undetectable if you simply inspect the HTTP traffic generated by the application, and finding them usually requires an understanding of the wider context of the functionality that the application implements. Some examples of web applications that receive user-controllable data via an out-of-band channel include:

■ A web mail application which processes and renders email messages received via SMTP.
■ A publishing application that contains a function to retrieve content via HTTP from another server.
■ An intrusion detection application that gathers data using a network sniffer and presents this using a web application interface.
