11/16/06 Attacking Permalinks
Everyone has seen URLs such as http://site/2006/02/02, and you know there's an application in the backend somewhere, but figuring out how to attack those URLs can be tricky. A few of you have probably tried attacking them by sending requests such as http://site/2006'>/02/02 and received a 404 page. I started thinking about this in conjunction with parameter identification. As an example, you may be able to append something such as 'script.php?admin=true' and gain hidden administrative access (the classic example). Essentially, you're appending a parameter and getting different application behavior. So I started to think: 'in a URL such as /2006/02/02 the '2006' portion states the year; what are some common year parameter names?' I came up with 'y' and 'year'. The way permalink URL rewriting works is that your request for /2006/02/02 gets rewritten by the web server and may be sent to a backend script such as 'index.php?year=2006&month=02&day=02'.

Knowing that permalink internal rewrites use standard parameters, and knowing that 2006 is a year, I started tinkering around and sending requests such as http://site/2006/02/02?year=-1. If the parameter isn't used, the same page will be served; if the response is different, then the application has processed your appended parameter. When you append the 'year' parameter to the permalink, the internal redirection will appear as 'index.php?year=2006&month=02&day=02&year=-1'. Many applications will merge both parameters and combine the data within them (concatenation) before the data is processed. The order of the merge may of course vary (in this case '-12006' vs '2006-1'), so the ease of exploiting a potential vulnerability varies between applications and frameworks. In a nutshell, you append additional 'guessed' parameters based on the data format between the slashes, and if the application acts differently, you now have a vector exposed for security testing purposes.
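The duplicate-parameter merge described above, as an added example that is not code from the original post: it shows how the same rewritten request resolves `year` under three duplicate-handling behaviours, and how a backend can detect and drop client copies of rewrite-reserved names. It assumes the `index.php?year=…&month=…&day=…` target named in the post and a rule that appends the client's query string; the function names and the extra `page` parameter are hypothetical.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed rewrite rule: /YYYY/MM/DD -> index.php?year=..&month=..&day=..
PERMALINK = re.compile(r"^/(\d{4})/(\d{2})/(\d{2})/?$")
REWRITE_PARAMS = ("year", "month", "day")


def rewrite(url):
    """Mimic a rewrite that appends the client's query string to its own."""
    parts = urlsplit(url)
    m = PERMALINK.match(parts.path)
    if not m:
        return None
    pairs = list(zip(REWRITE_PARAMS, m.groups()))
    pairs += parse_qsl(parts.query, keep_blank_values=True)
    return pairs


def resolve(pairs, name):
    """Value of `name` under three common duplicate-handling behaviours."""
    values = [v for k, v in pairs if k == name]
    return {"first": values[0], "last": values[-1], "concat": "".join(values)}


def collisions(pairs):
    """Names set by the rewrite that also appear a second time."""
    seen, dupes = set(), []
    for k, _ in pairs:
        if k in seen and k in REWRITE_PARAMS and k not in dupes:
            dupes.append(k)
        seen.add(k)
    return dupes


def harden(pairs):
    """Keep the rewrite's values; drop client copies of reserved names."""
    n = len(REWRITE_PARAMS)
    return pairs[:n] + [(k, v) for k, v in pairs[n:] if k not in REWRITE_PARAMS]


if __name__ == "__main__":
    pairs = rewrite("http://site/2006/02/02?year=-1&page=2")  # constructed input
    print(urlencode(pairs))          # what the backend script receives
    print(resolve(pairs, "year"))    # the value depends on the framework
    print(collisions(pairs))         # worth logging or rejecting
    print(urlencode(harden(pairs)))  # client copy of 'year' removed
```

A non-empty `collisions()` result on a permalink route is a cheap signal to log or reject, since a legitimate link never supplies the rewrite's own parameter names.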

PS: If you haven't noticed, I use permalinks but use mod_rewrite redirects to static files, so don't bother poking around :)

Copyright 2000-2007 Cgisecurity.com.