Stephen,

On Sat, May 12, 2012 at 3:31 PM, Stephen Breen <breen.mach...@gmail.com> wrote:
> After comparing the browser and w3af requests/responses in wireshark I was
> able to figure it out. When I send the request:
> http://www.example.com/?x=abc%26ZJkL%3DNrZp
> In w3af it is being converted to:
> http://www.example.com/?x=abc%2526ZJkL%253DNrZp
>
> i.e. my '%' characters are being url encoded into a '%25'.

    Did you find the way to avoid that "double encoding" issue?

>
> On Wed, May 9, 2012 at 6:08 PM, Stephen Breen <breen.mach...@gmail.com>
> wrote:
>>
>> "Forgive me, I don't have the time to be brief" -- unfortunately this is
>> going to be a longish one.
>>
>> I'm confused about an issue I've been having trying to detect client side
>> parameter pollution vulnerabilities. Been stuck on this for a while.
>>
>> What I'm doing is for each parameter in a request, you inject an innocuous
>> parameter, for example if the request were:
>> http://www.example.com/?x=abc&y=xyz
>>
>> We could inject the parameter ZJkl=NrZp like so:
>> http://www.example.com/?x=abc%26ZJkL%3DNrZp&y=xyz
>> http://www.example.com/?x=abc&y=xyz%26ZJkL%3DNrZp
>>
>> Then we examine the response from each of those requests and check if
>> there are any links in the response that contain our injected parameter, so
>> for example, in the response body if we found the following, it would mean
>> the "x" parameter is vulnerable to parameter pollution:
>> http://www.example.com/submit.php?x=abc&ZJkL=NrZp&y=xyz
>>
>> If this is the case, then we can use the fact that a server will discard a
>> duplicate parameter and use either the first or second occurrence to
>> overwrite other parameters in the requests for the forms and links on the
>> page.
>>
>> The problem I am having is that while my browser (firefox) will return
>> responses containing things like:
>> http://www.example.om/submit.php?x=abc&ZJkL=NrZp&y=xyz
>>
>> When I use sendMutant or urlOpener.GET, the same request will result in
>> the URL in the response looking like this:
>> http://www.example.om/submit.php?x=abc%26ZJkL%3DNrZp&y=xyz
>>
>> The characters are not being decoded and I have no idea why! I thought
>> that the decoding would be done on the server side, is this done in the
>> browser? Does that mean these vulnerabilities will be browser specific? I'm
>> really not sure how this works behind the scenes.
>>
>> For a real example of this vulnerability I've been using the following URL
>> for testing:
>>
>> http://www.pof.com/basicsearch.aspx?iama=m%26ZJkL%3DNrZp&seekinga=f&minage=18&maxage=40&imagesetting=0&searchtype=&intent=&ethnicity=0&country=1&City=Chicago&z_code=&miles=25&sorting=0&cmdSearch=Search&Profession=&Interests=&save=1#in
>>
>> If you look at the links to "More Search Results 1,2,3" etc... on the
>> bottom of the page, you will see that the parameter ZJkL=NrZp has been
>> injected into the links.
>>
>> Thanks!
>>
>>
>> On Wed, May 2, 2012 at 11:02 PM, Andres Riancho <andres.rian...@gmail.com>
>> wrote:
>>>
>>> Stephen,
>>>
>>> On Wed, May 2, 2012 at 4:10 PM, Stephen Breen <breen.mach...@gmail.com>
>>> wrote:
>>> > In case anyone else is interested in this, someone else has already
>>> > created
>>> > a system to scan and detect HTTP parameter pollution vulnerabilities.
>>> > They
>>> > don't provide the source for their tool but it can be found here:
>>> > http://papas.iseclab.org/cgi-bin/index.py
>>> >
>>> > Their paper describing how it works can be found here:
>>> > http://www.iseclab.org/people/embyte/papers/hpp.pdf
>>> >
>>> > I plan on reading it and taking a shot at implementation as a w3af
>>> > plugin.
>>>
>>> Great! For comparing HTTP response bodies (which I assume you'll have
>>> to do) take a look at levenshtein.py (relative_distance_boolean
>>> function).
>>>
>>> Regards,
>>>
>>> >
>>> > ------------------------------------------------------------------------------
>>> > Live Security Virtual Conference
>>> > Exclusive live event will cover all the ways today's security and
>>> > threat landscape has changed and how IT managers can respond.
>>> > Discussions
>>> > will include endpoint security, mobile security and the latest in
>>> > malware
>>> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>> > _______________________________________________
>>> > W3af-develop mailing list
>>> > W3af-develop@lists.sourceforge.net
>>> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>> >
>>>
>>>
>>>
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3
>>
>>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
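A worked version of the detection Stephen describes, as an added example written for this thread (not w3af code, not from the original posts): it builds the per-parameter probe URLs encoded exactly once, checks that a probe has not been double-encoded into %2526/%253D, and scans a response body for links in which ZJkL=NrZp has become a parameter of its own. The marker pair and the two sample response bodies are assumed/constructed.

```python
import html
import re
from urllib.parse import parse_qsl, quote_plus, unquote, urlencode, urlsplit, urlunsplit

# Hypothetical marker pair; any value unlikely to occur naturally will do.
MARKER_KEY, MARKER_VAL = "ZJkL", "NrZp"
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def hpp_probe_urls(url: str):
    """(param, probe_url) pairs: each query parameter in turn gets '&ZJkL=NrZp'
    appended to its value, URL-encoded exactly once (%26/%3D, never %2526)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    probes = []
    for i, (name, value) in enumerate(pairs):
        mutated = list(pairs)
        mutated[i] = (name, f"{value}&{MARKER_KEY}={MARKER_VAL}")
        # urlencode quotes the raw '&' and '=' inside the value once.
        query = urlencode(mutated, quote_via=quote_plus)
        probes.append((name, urlunsplit(parts._replace(query=query))))
    return probes


def probe_is_single_encoded(url: str) -> bool:
    """Guard against the double-encoding seen in the thread: one unquote must
    expose the raw marker, and no encoded '%' (%25) may precede it."""
    return "%2526" not in url and f"&{MARKER_KEY}={MARKER_VAL}" in unquote(url)


def find_polluted_links(body: str):
    """Links whose query carries ZJkL=NrZp as its own parameter, i.e. the server
    decoded our %26 and re-emitted it as '&'. A link that still holds
    'abc%26ZJkL%3DNrZp' inside one value is not a hit: the marker never
    escaped the original parameter."""
    hits = []
    for href in HREF_RE.findall(body):
        link = html.unescape(href)  # HTML attributes encode '&' as '&amp;'
        params = dict(parse_qsl(urlsplit(link).query, keep_blank_values=True))
        if params.get(MARKER_KEY) == MARKER_VAL:
            hits.append(link)
    return hits


# Constructed sample responses, not real traffic.
VULN_BODY = '<a href="/submit.php?x=abc&amp;ZJkL=NrZp&amp;y=xyz">More 1</a>'
SAFE_BODY = '<a href="/submit.php?x=abc%26ZJkL%3DNrZp&amp;y=xyz">More 1</a>'

if __name__ == "__main__":
    for param, probe in hpp_probe_urls("http://www.example.com/?x=abc&y=xyz"):
        print(param, probe, probe_is_single_encoded(probe))
    print(find_polluted_links(VULN_BODY), find_polluted_links(SAFE_BODY))
```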

