[WEB SECURITY] Parameter tampering with z/os n-tiers web application

Frederic Charpentier fcharpen at xmcopartners.com
Thu Jun 9 05:30:14 EDT 2005


Hi, I'm new on the list.

My first question is:

During a pentest, I found a URL with a mainframe command passing 
through a URL parameter.

The URL:

    POST /Servlet.srv
    codeLogon=logon+applid+(tesre01)

Then the servlet gives me the logon page of the mainframe (the 
mainframe is behind the web server).

I saw that "login applid(tesre01)" is a kind of specific logon command 
for z/OS opening the application 'tesre01'.

My question is: "Which command could I inject instead of the 'applid' 
command to gain access or just prove the mainframe is hackable?"

I'm not a specialist in z/OS, so if someone on the list has ideas...

Fred.
-- 
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com
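Added example, not part of Fred's post or any reply on the list: the defender's side of the codeLogon parameter described above. It assumes the servlet should only ever issue "logon applid(NAME)" for a fixed set of application ids; the allowlist, the applid syntax rule and the request log lines are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed allowlist: application ids the servlet is permitted to open.
# "tesre01" comes from the post; in practice this is the deployment's own list.
ALLOWED_APPLIDS = {"tesre01"}

# The only shape the servlet should forward: "logon applid(NAME)".
# NAME limited to 1-8 alphanumerics is an assumption about applid syntax.
_LOGON_RE = re.compile(r"^logon\s+applid\s*\(([A-Za-z0-9]{1,8})\)$", re.IGNORECASE)


def build_logon_command(code_logon: str) -> Optional[str]:
    """Return the canonical command to send to the mainframe, or None to reject.

    The client value is parsed, the applid is checked against the allowlist,
    and the command is rebuilt server-side, so the parameter can only ever
    select an approved application and never carries a different command.
    """
    m = _LOGON_RE.fullmatch(code_logon.strip())
    if not m:
        return None
    applid = m.group(1).lower()
    if applid not in ALLOWED_APPLIDS:
        return None
    return f"logon applid({applid})"


def flag_tampered_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, decoded codeLogon) for requests the servlet would reject.

    Each constructed line has the form: "<client> <method> <path> <query>".
    """
    flagged = []
    for line in log_lines:
        client, _method, _path, query = line.split(" ", 3)
        # parse_qs decodes "+" to a space, giving "logon applid (tesre01)".
        value = parse_qs(query).get("codeLogon", [""])[0]
        if build_logon_command(value) is None:
            flagged.append((client, value))
    return flagged


# Constructed request log: one legitimate request, two tampered parameters.
SAMPLE_LOG = [
    "203.0.113.5 POST /Servlet.srv codeLogon=logon+applid+(tesre01)",
    "203.0.113.7 POST /Servlet.srv codeLogon=logon+applid+(prodcics)",
    "203.0.113.9 POST /Servlet.srv codeLogon=help",
]
```

Running `flag_tampered_requests(SAMPLE_LOG)` reports the second and third clients, which is the same decision the hardened servlet makes before anything reaches the mainframe.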


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/