Post/Get Parameter's Name Injection


When testing Web Applications, usually a security analyst will try to identify all the inputs to be injected like Cookies, POST/GET parameters, HTTP Headers, etc.

Once identified, the analyst will start injecting malicious data into those fields, something like:

Cookie: --attack string--

name= --attack string--

uri?name= --attack string--

Everything is injected into the parameter's value, but what about the parameter's name? Is it worth it?

Why would a developer want to validate the input received in the parameter's name?

As with any other vulnerability, there are specific scenarios where this can be exploited. The most common one is when all the parameters received via GET or POST are used to generate a new URL:

String qs = "";
java.util.Enumeration e = request.getParameterNames();
if (e.hasMoreElements()) {
    String name = (String) e.nextElement();
    String value = request.getParameter(name);
    // the parameter NAME is concatenated raw; only the VALUE is URL-encoded
    qs = name + "=" + java.net.URLEncoder.encode(value, "utf-8");
    while (e.hasMoreElements()) {
        name = (String) e.nextElement();
        value = request.getParameter(name);
        qs += "&" + name + "=" + java.net.URLEncoder.encode(value, "utf-8");
    }
}

Notice only the parameter's value is being URL-encoded.

Then, the Query String is concatenated in the iframe src attribute:

<iframe src="xxxx.com?search.aspx?<%=qs%>

So, let's try to inject XSS into the parameter's name, like:

%22%20onmouseover%3d"alert(1111)">%20DANUX</iframe> <iframe a%3D"= 

Which will print out in the browser as:

<iframe src="xxxx.com?search.aspx?" onmouseover="alert(1111)">DANUX</iframe> <iframe a=""></iframe>

The final portion ("></iframe>) is completed automatically by the application, and you can see the HTML is properly formed, causing the XSS code to be executed successfully; tested on Firefox 12.0.

As mentioned before, parameter's name injection is not widely tested by security analysts, not even by some security vendors. I tested my vulnerable app with WebInspect version 9.X and realized it does NOT test the parameter's name:

[Image: param-name-injection.JPG]

Source
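As an added example (not code from the post or its author), the loop above rebuilt as a stand-alone Java program next to a hardened version. The vulnerable builder leaves the parameter name raw exactly as the post's code does; the hardened builder URL-encodes the name as well as the value and then HTML-escapes the result before it is placed inside the src attribute, which the JSP's <%=qs%> never did. Parameters are passed in as a Map so it runs without a servlet container (in a webapp request.getParameterMap() would supply the same data); the class, method names and the sample input are my own, and the decoded payload from the post is reused as a constructed parameter name.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class ParamNameEncoding {

    /** Mirrors the post's loop: the parameter NAME is concatenated unencoded. */
    static String buildQueryStringVulnerable(Map<String, String> params) {
        StringBuilder qs = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (qs.length() > 0) qs.append('&');
            qs.append(e.getKey())                                   // raw name
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return qs.toString();
    }

    /** Hardened: name and value are both URL-encoded, so '"', '<', '>', '&' and '=' cannot survive. */
    static String buildQueryStringSafe(Map<String, String> params) {
        StringBuilder qs = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (qs.length() > 0) qs.append('&');
            qs.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return qs.toString();
    }

    /** Second layer: escape for an HTML attribute context (the JSP's <%=qs%> does not). */
    static String escapeHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Renders the iframe the way the post's page does, with the given query string. */
    static String renderIframe(String qs) {
        return "<iframe src=\"xxxx.com?search.aspx?" + qs + "\"></iframe>";
    }

    public static void main(String[] args) {
        // Constructed input: the decoded form of the post's payload arrives as a
        // parameter NAME with an empty value, followed by an ordinary parameter.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("\" onmouseover=\"alert(1111)\"> DANUX</iframe> <iframe a=\"", "");
        params.put("q", "red shoes");

        String vulnerable = renderIframe(buildQueryStringVulnerable(params));
        String hardened   = renderIframe(escapeHtmlAttribute(buildQueryStringSafe(params)));

        System.out.println("Vulnerable: " + vulnerable);
        System.out.println("Hardened:   " + hardened);

        // Structural check: the injected name must never close the src attribute.
        // In the hardened output the only quote characters are the two we wrote ourselves.
        long quotes = hardened.chars().filter(c -> c == '"').count();
        System.out.println("Quote characters in hardened output: " + quotes + " (expected 2)");
    }
}
```

Compile and run with `javac ParamNameEncoding.java && java ParamNameEncoding` (Java 10 or newer, for the Charset overload of URLEncoder.encode). The vulnerable line shows the name breaking out of the attribute exactly as in the post; the hardened line keeps it inert. A stronger design than encoding everything is to forward only an allow-list of known parameter names and drop the rest, which removes the name as an input entirely and is also the easiest thing to verify in a code review.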
