WackoPicko/Parameter-Manipulation
From Aldeid
Description
This attack consists of sending arbitrary values (fuzzing) to a URL that accepts parameters and analyzing how the application behaves. Depending on how the application is coded, differences in its responses can leak information (e.g. whether a given userid exists).
Proof of Concept
A simple test consists of sending arbitrary values for a parameter to the application and analyzing the HTTP status code it returns.
The example below shows a 200 OK, telling us that userid #1 exists:
$ telnet 192.168.100.24 80
Trying 192.168.100.24...
Connected to 192.168.100.24.
Escape character is '^]'.
GET /users/sample.php?userid=1 HTTP/1.1
Host: 127.0.0.1

HTTP/1.1 200 OK
Date: Tue, 18 Jan 2011 21:49:31 GMT
Server: Apache/2.2.17 (Unix) PHP/5.3.4
X-Powered-By: PHP/5.3.4
Set-Cookie: PHPSESSID=u7nlio84alfpdlcjuagmfjcd61; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2678
Content-Type: text/html
But userid #34 doesn't seem to exist (a 404 is returned):
$ telnet 192.168.100.24 80
Trying 192.168.100.24...
Connected to 192.168.100.24.
Escape character is '^]'.
GET /users/sample.php?userid=34 HTTP/1.1
Host: 127.0.0.1

HTTP/1.1 404 Not Found
Date: Tue, 18 Jan 2011 21:50:26 GMT
Server: Apache/2.2.17 (Unix) PHP/5.3.4
X-Powered-By: PHP/5.3.4
Set-Cookie: PHPSESSID=j0avgessgvmc0udkc692nfhb73; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 108
Content-Type: text/html
How to detect?
Various fuzzers can help identify such vulnerabilities.
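On the server side, the same 200/404 differential that the proof of concept above relies on is visible in the web server's access log. The following is an added example (not part of the original article or of WackoPicko) that flags clients which walk through many distinct userid values and receive a mix of 200 and 404 answers; the log lines, IP addresses, thresholds and the function name are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Apache-style access-log lines (sample data, not from the article):
# 192.168.100.50 walks userid=1..6 and gets a mix of 200/404; 10.0.0.7 is a normal visitor.
SAMPLE_LOG = """\
192.168.100.50 - - [18/Jan/2011:21:49:31 +0000] "GET /users/sample.php?userid=1 HTTP/1.1" 200 2678
192.168.100.50 - - [18/Jan/2011:21:49:32 +0000] "GET /users/sample.php?userid=2 HTTP/1.1" 200 2601
192.168.100.50 - - [18/Jan/2011:21:49:33 +0000] "GET /users/sample.php?userid=3 HTTP/1.1" 404 108
192.168.100.50 - - [18/Jan/2011:21:49:34 +0000] "GET /users/sample.php?userid=4 HTTP/1.1" 404 108
192.168.100.50 - - [18/Jan/2011:21:49:35 +0000] "GET /users/sample.php?userid=5 HTTP/1.1" 200 2650
192.168.100.50 - - [18/Jan/2011:21:49:36 +0000] "GET /users/sample.php?userid=6 HTTP/1.1" 404 108
10.0.0.7 - - [18/Jan/2011:21:50:01 +0000] "GET /users/sample.php?userid=5 HTTP/1.1" 200 2650
10.0.0.7 - - [18/Jan/2011:21:50:02 +0000] "GET /pictures/view.php?picid=3 HTTP/1.1" 200 4120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
USERID_RE = re.compile(r'[?&]userid=(\d+)')

def find_userid_enumeration(log_text, min_ids=5, min_miss_ratio=0.3):
    """Flag clients that probed many distinct userid values and got a mix of
    200 and 404 answers (the differential the proof of concept relies on).
    Returns {ip: {"distinct_ids", "valid_ids", "misses", "longest_run"}}."""
    per_client = defaultdict(lambda: {"ids": set(), "hits": 0, "misses": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        uid = USERID_RE.search(m.group("path")) if m else None
        if not uid:
            continue  # unparsable line, or a request without a userid parameter
        rec = per_client[m.group("ip")]
        rec["ids"].add(int(uid.group(1)))
        if m.group("status") == "200":
            rec["hits"] += 1      # userid exists
        elif m.group("status") == "404":
            rec["misses"] += 1    # userid does not exist
    alerts = {}
    for ip, rec in per_client.items():
        total = rec["hits"] + rec["misses"]
        if len(rec["ids"]) < min_ids or total == 0 or rec["misses"] / total < min_miss_ratio:
            continue
        ids = sorted(rec["ids"])  # longest run of consecutive ids = sequential walking
        run = longest = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        alerts[ip] = {"distinct_ids": len(ids), "valid_ids": rec["hits"],
                      "misses": rec["misses"], "longest_run": longest}
    return alerts
```

Calling `find_userid_enumeration(SAMPLE_LOG)` reports only 192.168.100.50; the thresholds are starting points to tune against the site's normal traffic.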
How to protect against it?
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your understanding.