[WEB SECURITY] Parameter tampering with z/os n-tiers web application

Frederic Charpentier fcharpen at xmcopartners.com
Thu Jun 9 05:30:14 EDT 2005

Hi, I'm new on the list.

My first question is:

During a pentest, I found a URL with a mainframe command passing 
through a URL parameter.

The URL:
POST /Servlet.srv

Then, the servlet gives me the logon page of the mainframe (the 
mainframe is behind the web server).

I saw that "login applid(tesre01)" is a kind of specific logon command 
for z/OS opening the application 'tesre01'.

My question is: "Which command could I inject instead of the 'applid' 
command to gain access or just prove the mainframe is hackable?"

I'm not a specialist in z/OS, so if someone on the list has ideas...

Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com

The Web Security Mailing List