Sigint Consulting said:
> However we can once again bypass this by including our CR character
> before our string like so:
>
> perl -e 'print "GET \x0d/index.php\x90\x90 HTTP/1.0\n\r\n"'|nc
> 192.168.1.3 80
>
> No alert is generated from the string above.
[...]
> We are not sure how much this may buy an attacker as the CR character
> may mess up any requests to the webserver, further research is needed
> on this.
I performed this research while developing NFR's web signatures, and found
that all web servers I tested (several years ago) handled end-of-lines using
"\x0d\x0a" and "\x0a" interchangeably. If you find a web server that
interprets "index.php" in the example above as an actual filename, I for one
would be very interested in knowing about it.
> However we can once again bypass this by including our CR character
> before our string like so:
>
> perl -e 'print "GET \x0d/index.php\x90\x90 HTTP/1.0\n\r\n"'|nc
> 192.168.1.3 80
>
> No alert is generated from the string above.
[...]
> We are not sure how much this may buy an attacker as the CR character
> may mess up any requests to the webserver, further research is needed
> on this.
I performed this research while developing NFR's web signatures, and found
that all web servers I tested (several years ago) handled end-of-lines using
"\x0d\x0a" and "\x0a" interchangeably. If you find a web server that
interprets "index.php" in the example above as an actual filename, I for one
would be very interested in knowing about it.
--
Dodge
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)
iD8DBQFEgMbW4Cw5+cTF6YkRAh3VAKDZCtsLrPZthsEtRAIZfjMESLRwzgCgqFYY
KZIGg1MXl+qhCy/XlafY8jA=
=e5VM
-----END PGP SIGNATURE-----
[ reply ]