[WEB SECURITY] SQL injection question, also vulnerabel to XSS

Tue Dec 4 14:52:04 EST 2007

Luis,

 Regarding your question about XSS. Having the issue exist on an intranet application means the attack surface has now been limited. Only users with access to the intranet are vulnerable to the exploitation of the issue. However the exploitation can come from any where... 

Last time I checked a user, accessing the internet on a machine hosted on the intranet, is succeptable to attack.

 For example:
 - Victim goes to internet Site A hosting malicious runtime code.

 ( For this example we are talking about a GET but the same thing cant be done for a POST just requires a little JS spice.)

 - Victims browser parses and executes: <img src:"http://intra.net.site/***/***.***?attack=%3Cscript%3Eyour%20script%20here%3C%2Fscript%3E">

 - Victims browser makes the following request on users behalf: http://intra.net.site/***/***.***?attack=%3Cscript%3Eyour%20script%20here%3C%2Fscript%3E

 - The attack is executed upon parsing of <script> your script here </scirpt> in the response body.

 The attack is utilizing the XSS hole on the intranet application, even though the attack was delivered from an external application.

Hope that helps,

~Daniel

Luis Matus <matus.investiga at gmail.com> wrote: Well, let me clarify. The information that I am able to see when I
change the variable value, it's info I shouldn't be able to see.

I have also find an XSS vulnerability.  The application request
information to the user , wich will be show in some kind of  results
pane, wich doesn't validate special chars. So I tried the most simple
string i know alert(123) and it works. But I don't
know how to expose this issue to my superior, since this is app is
going to be use in an intranet,  and I don't know how could this be an
major issue.

2007/12/4, White, Dain P :
> Now, I am not an expert, but this sure seems to me to be at least a hackable URL, and at most a privilege escalation. I think a lot would depend on what type of data you're seeing. If you're looking at a content page, and change the ID to another number and see a different content page - that's just the application doing what it does, and at best I'd call it a hackable URL. However, if you're logged in at the time and viewing something only you should see, and by changing the URL you are able to see someone else's content, well, that's another matter.
>
> I don't know as if I'd call this a SQL injection, at least without some more information. If the application is looking for a integer, and you supply an integer, then you're not really injecting into the application, you're just using it the way it's designed.
>
> I have an RSS feed that displays a variable amount of items based on a URL variable DisplayCount. If you change that value from 10-20 - you just get 20 rows back, rather than 10. Is that an injection? I don't really think so. Is it insecure? Probably - - even though I am doing everything I can to make sure the application doesn't just blindly run with variables like a toddler with scissors, nothing is "secure" against the folks on this list! Is it secure enough to let me sleep at night knowing I did my best? Sure.
>
> (And no, I am not giving you "hats" a URL to poke at;)
>
> All of that being said of course, if your application is displaying content you shouldn't be able to see, then I would say it's a serious issue, definitely an exploit.
>

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

---------------------------------
Be a better pen pal. Text or chat with friends inside Yahoo! Mail. See how.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20071204/6ba94250/attachment.html>