ago:
http://blog.portswigger.net/2008/08/attacking-parameter-names.html
Also, needless to say, Burp Scanner tests parameter names for all kinds of
input-based attacks.
Cheers
Dafydd Stuttard (PortSwigger)
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of Danux
Sent: 09 August 2012 07:39
To: webappsec (at) securityfocus (dot) com [email concealed]
Subject: Parameter name injection - Not tested by WebInspect 9.x
Old technique but still out of testers' radar. Ninety-nine percent
(99%) of tools concentrate on identifying and injecting malicious code into
parameter values, and 99% of developers concentrate on HTML-encoding
parameter values, especially to prevent client-side attacks, but what about
parameter names? Is it worth testing/protecting them?
Definitely it is. Highly exploitable in content management frameworks which
create links or other DOM objects on the fly.
Surprisingly, WebInspect 9.x does not care about testing parameter names, at
least not when using its XSS-scan policy. Do you have experience with other
tools in this matter?
I prepared an example of this attack if interested:
http://danuxx.blogspot.com/2012/07/postget-parameters-name-injection.html
Enjoy it.
--
DanUx
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
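The point made in the thread above, as an added Python example (this is not code from Danux's blog post, from Burp, or from WebInspect): a constructed CMS-style pager that rebuilds the current URL into a "next page" link. The vulnerable builder HTML-encodes parameter values but copies parameter names verbatim into the href, so a crafted name breaks out of the attribute; the hardened builder percent-encodes the whole query (names and values) and then HTML-escapes it for the attribute context. `reflects_parameter_name` is a scanner-style probe that injects a marker into a parameter name rather than a value, which is the check the thread says value-only scan policies skip. The `/list` path, the function names and the `zq7pnm` marker are assumptions made for the example.

```python
"""Parameter-name injection: a CMS-style pager that rebuilds the current URL.

Constructed example. The vulnerable builder HTML-encodes parameter *values*
(the common developer habit) but copies parameter *names* verbatim into the
generated <a href>, so an attacker-controlled name breaks out of the attribute.
The hardened builder percent-encodes names and values together and then
HTML-encodes the whole URL. A small scanner-style probe injects a marker into
a parameter name and reports whether it comes back unencoded.
"""
import html
from urllib.parse import parse_qsl, quote, urlencode

# Marker used by the probe; assumed not to occur naturally in the page.
CANARY = "zq7pnm"


def _incoming_params(query_string):
    # parse_qsl percent-decodes both names and values, as a web framework
    # does before handing the parameters to application code.
    return [(n, v) for n, v in parse_qsl(query_string, keep_blank_values=True)
            if n != "page"]


def build_pager_link_vulnerable(query_string, page):
    """Copies every incoming parameter into a 'next page' link.

    Values are HTML-escaped; names are trusted. A name such as
    '"><i>' terminates the href attribute and injects markup.
    """
    parts = [f"{name}={html.escape(value)}"
             for name, value in _incoming_params(query_string)]
    parts.append(f"page={page}")
    return '<a href="/list?' + "&amp;".join(parts) + '">Next</a>'


def build_pager_link_safe(query_string, page):
    """Same feature, encoded in two layers: percent-encode the query (names
    and values alike), then HTML-escape the URL for the attribute context."""
    params = _incoming_params(query_string)
    params.append(("page", str(page)))
    url = "/list?" + urlencode(params)  # encodes " < > & inside names too
    return f'<a href="{html.escape(url, quote=True)}">Next</a>'


def reflects_parameter_name(render, base_query, page=2):
    """Scanner-style check: send a marker in a parameter *name*, not a value.

    The probe is URL-encoded the way a browser or proxy sends it; the
    application decodes it. Returns True when the decoded marker appears in
    the response, i.e. the name was reflected without output encoding.
    """
    marker = f'{CANARY}"><i>{CANARY}'
    probe = f"{quote(marker, safe='')}=x"
    query = f"{base_query}&{probe}" if base_query else probe
    return marker in render(query, page)


if __name__ == "__main__":
    for label, fn in (("vulnerable", build_pager_link_vulnerable),
                      ("safe", build_pager_link_safe)):
        hit = reflects_parameter_name(fn, "a=1")
        print(f"{label:10s} parameter-name reflection: {hit}")
```

The vulnerable builder passes a value-only XSS probe (a `"><i>` in a value is escaped to `&quot;&gt;&lt;i&gt;`), which is exactly why a scanner that never mutates names reports nothing; only the name probe exposes it. For a benign query both builders emit the identical link, so the fix costs nothing functionally.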