
RE: Fail Open Authentication and Parameter Injection

From: Dawes, Rogan (ZA - Johannesburg) <rdawes(at)deloitte.co.za>
Date: Tue Mar 25 2003 - 02:09:58 EST


I'll give a real world case which I found.

A web app was using the following comparison for checking passwords:

and password like "$password%";

Don't ask me why they thought this was a good idea, I just know that they did it.

Even providing the first character of the password would have been sufficient, but I chanced upon it when the client sent me a wrapped URL with the password parameter on the next line:

E.g. please start here: http://www.blah.com/mylogin.asp?username=myname &password=password

When I clicked on the URL (intending to paste the rest once the browser had started up), I was logged in!

Bizarre, but true!

An example of parameter injection:

A web app that allows you to execute a traceroute from the web server to an arbitrary destination.

Takes an IP address as input, and executes something like:

/bin/sh -c "traceroute $ip > file"

Then reads file in, and includes it in the web page it displays to you.

Provide something like:

192.168.1.1 > /dev/null ; cat /etc/shadow

And with any luck, you will get the shadow file from the server instead of the traceroute output.

Rogan
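The two cases above, as an added example that is not from the original post: an in-memory SQLite table stands in for the app's database (constructed sample data), a LIKE-based check is shown next to an exact, parameterised one, and the traceroute wrapper is shown as a string the shell would parse next to a form that validates the input as an IP address and never involves a shell.

```python
import sqlite3
import ipaddress


def make_db():
    # Constructed sample user table standing in for the web app's database.
    # Plaintext password only to mirror the case in the post; a real app
    # would store and compare a password hash, the comparison shape is the point.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('myname', 'password')")
    return db


def like_login(db, username, password):
    # The check described in the post: the supplied password becomes a LIKE
    # pattern, so any prefix of the real password matches, and an empty or
    # missing parameter yields '%', which matches every row for that user.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password LIKE '{password}%'")
    return db.execute(sql).fetchone()[0] > 0


def exact_login(db, username, password):
    # Hardened form: bound parameters and an exact equality comparison.
    row = db.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def vulnerable_traceroute_cmd(ip):
    # The command line from the post as the shell would receive it. Returned
    # as a string only; nothing here executes it.
    return f'/bin/sh -c "traceroute {ip} > file"'


def safe_traceroute_argv(ip):
    # Hardened form: reject anything that is not an IP address, then build an
    # argv list for subprocess.run(argv) so no shell ever parses the input.
    addr = ipaddress.ip_address(ip)  # ValueError on "192.168.1.1 > /dev/null ; ..."
    return ["traceroute", str(addr)]
```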

-----Original Message-----
From: Indian Tiger [mailto:indiantiger@mailandnews.com]
Sent: 21 February 2002 08:44 PM
To: webappsec@securityfocus.com
Subject: Fail Open Authentication and Parameter Injection

Hi,

I am learning Web Application Security Penetration Testing using WebGoat. I have some queries on this.

Fail Open Authentication
WebGoat's step 3 says: "Try removing password parameter with Achilles." How is it possible? Is there any chance that the server doesn't even check the password if we remove the password parameter?

Parameter Injection
What could be the scenario where a site is vulnerable to Parameter Injection?
I have given a thought on this but am not able to think how exactly it works in practice.
WebGoat has given an example like this: 'blah & netstat -a & ipconfig'. But where would a developer be allowing such values to be inserted?

Any help on this would be highly appreciated.

Thanking You.
Sincerely,

Indian Tiger, CISSP

Received on Tue Mar 25 11:28:33 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT
