
Re: Fail Open Authentication and Parameter Injection

From: Jeff Williams (at) Aspect
Date: Mon Mar 24 2003 - 13:55:30 EST

Hi,

On your fail-open question, the idea is that the developer made a mistake coding the authentication module. By assuming that the password parameter was present (as it would always be under normal circumstances), the developer botched the error handling. Now if the parameter is not present, the authentication module throws an exception and "fails open".

Parameter injection can happen whenever a web application uses anything that contains an interpreter. Examples might be a shell command (like here), a database SQL engine, or a templating language. By injecting executable content (data that the interpreter interprets as commands), the attacker can trick the web application into doing something unintended. This can happen wherever the developer asks the user for a value that is then passed into the interpreter.

On both of these issues, you might be interested in the OWASP Top Ten paper available at http://aspectsecurity.com/topten

--Jeff

Jeff Williams
jeff.williams@aspectsecurity.com
Aspect Security, Inc.
http://www.aspectsecurity.com
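The two mistakes Jeff describes, as an added example that is not part of the original thread or of WebGoat: a password check whose error path lets the caller in when the parameter is missing, beside a default-deny version, and a command line built from a user value beside an allow-list check that returns an argv list for `subprocess.run` without a shell. The credential store and the `nslookup` command are constructed for the demo.

```python
import hmac
import logging
import re

# Constructed demo credential store (plaintext only for illustration).
USERS = {"alice": "s3cret"}


def login_fail_open(params):
    """Buggy module: assumes 'password' is always present. An exception
    in the check skips the deny branch and falls through to success."""
    try:
        if not hmac.compare_digest(params["password"], USERS[params["username"]]):
            return False
    except Exception as exc:  # KeyError when the parameter is missing
        logging.error("auth error: %s", exc)
    return True  # reached on a correct password AND on any error


def login_fail_closed(params):
    """Default deny: the only path to True is an explicit successful check."""
    user = params.get("username")
    password = params.get("password")
    if user is None or password is None:
        return False
    expected = USERS.get(user)
    if expected is None:
        return False
    try:
        return hmac.compare_digest(password, expected)
    except Exception as exc:
        logging.error("auth error: %s", exc)
        return False


# Allow-list for a hostname: letters, digits, dots and hyphens only.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_lookup_unsafe(host):
    """Interpolates the raw value into a shell command line; a shell would
    treat '&', ';' or '|' inside it as command separators."""
    return f"nslookup {host}"


def build_lookup_safe(host):
    """Rejects anything outside the allow-list and returns an argv list for
    subprocess.run(argv) with shell=False, so no interpreter sees the value."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    return ["nslookup", host]
```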

----- Original Message -----
From: Indian Tiger
To: webappsec@securityfocus.com
Sent: Thursday, February 21, 2002 1:44 PM
Subject: Fail Open Authentication and Parameter Injection

Hi,


I am learning Web Application Security Penetration Testing using WebGoat. I
have some queries on this.

Fail Open Authentication
WebGoat's step 3 says: "Try removing password parameter with Achilles." How is it possible? Is there any chance that the server doesn't even check the password
if we remove the password parameter?

Parameter Injection
What could be the scenario where a site is vulnerable to Parameter Injections?
I have given this some thought but am not able to think how exactly it works in
practice.
WebGoat has given an example like this: 'blah & netstat -a & ipconfig'. But where would a developer be allowing the insertion of such values?

Any help on this would be highly appreciated.

Thanking You.
Sincerely,

Indian Tiger, CISSP

Received on Mon Mar 24 14:05:58 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT

