Taras,

On Fri, Jun 8, 2012 at 9:42 AM, Taras <ox...@oxdef.info> wrote:
> Andres,
>
> I see some work on implementing Parameter Pollution Plugin for w3af.
> Just want to point out a performance problem in a similar area. Currently w3af
> doesn't know anything about repeated parameters in query string and post data,
> e.g. http://foo.com/test.php?a=1&a=2&a=3...&a=N.

Well, that's actually not true. There was some work done towards
supporting repeated parameter names; if that stopped working it's a
bug, but the code is "prepared" to support repeated parameter names.

> After grabbing such fuzzrequests w3af will try to audit them (create mutants
> and so on) and will inject payload **sequentially** from 1 to N:
>
> http://foo.com/test.php?a=XSS&a=2&a=3...&a=N.
> http://foo.com/test.php?a=1&a=XSS&a=3...&a=N.
> http://foo.com/test.php?a=1&a=2&a=XSS...&a=N.
> http://foo.com/test.php?a=1&a=2&a=3...&a=XSS.
>
> Imho, it is useless and takes a lot of time even when N is not a really big
> number, e.g. N=20

So, it DOES know something about repeated parameter names :D

> So where can we fix it? In _createMutantsWorker? Maybe we will add some
> limit?

So, what's your point? Is it that the XSS plugin is slow, or that "it
makes sense to analyze the first 5 parameters in the case of repeated
parameter names but nothing else after that"? Maybe both? :)

Regarding the possibility of just trying to inject into some of the
parameters in a script that uses repeated parameter names... I'm not
really sure about that idea. Could you please explain the logic behind
it? What makes it less probable for w3af to find an "XSS" in repeated
parameter #12 than in repeated parameter #1?

Regards,

> On 05/15/2012 07:27 PM, Stephen Breen wrote:
>>
>> I did; the most efficient way I could think of to do it required the
>> following changes to dataContainer.py and queryString.py. Basically all
>> I did was add a _safeEncodeChars field to the dataContainer and make
>> sure it was used when doing URL encoding:
>>
>> Index: core/data/dc/dataContainer.py
>> ===================================================================
>> --- core/data/dc/dataContainer.py    (revision 5002)
>> +++ core/data/dc/dataContainer.py    (working copy)
>> @@ -38,7 +38,7 @@
>>
>>          super(DataContainer, self).__init__()
>>          self.encoding = encoding
>> -
>> +        self._safeEncodeChars = ''
>>          if isinstance(init_val, DataContainer):
>>              self.update(init_val)
>>          elif isinstance(init_val, dict):
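Review bot: the new `self._safeEncodeChars = ''` is assigned before the `if isinstance(init_val, DataContainer): self.update(init_val)` branch, and `update()` (the inherited dict method, as far as this hunk shows) copies only the key/value pairs, so a container built from another container always starts with an empty safe set. That matches the symptom described further down, where the fuzzable request w3af derives from the supplied one ignores the safe characters. Suggest copying the attribute in that branch (`self._safeEncodeChars = init_val._safeEncodeChars`) and giving it a constructor argument or setter rather than having plugins write to a leading-underscore attribute.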
>> @@ -80,7 +80,7 @@
>>
>>          @return: string representation of the DataContainer Object.
>> '''
>> -        return enc_dec.urlencode(self, encoding=self.encoding)
>> +        return enc_dec.urlencode(self,
>> encoding=self.encoding,safe=self._safeEncodeChars)
>>
>>      def __unicode__(self):
>> '''
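Review bot: the `+` line is wrapped by the mail client, so `encoding=self.encoding,safe=self._safeEncodeChars)` arrives as a second line without a `+` prefix and the hunk will not apply with `patch`; please attach the `svn diff` output as a file. While at it, put a space after the comma and keep the call on one line, as the `safe=''` call in queryString.py is.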
>>
>>
>> Index: core/data/dc/queryString.py
>> ===================================================================
>> --- core/data/dc/queryString.py    (revision 5002)
>> +++ core/data/dc/queryString.py    (working copy)
>> @@ -43,4 +43,4 @@
>>
>>          @return: string representation of the QueryString object.
>> '''
>> -        return enc_dec.urlencode(self, encoding=self.encoding, safe='')
>> \ No newline at end of file
>> +        return enc_dec.urlencode(self, encoding=self.encoding,
>> safe=self._safeEncodeChars)
>> \ No newline at end of file
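Review bot: the removed line passed `safe=''` explicitly, so a QueryString encoded every reserved character regardless of any default; the new line instead reads `self._safeEncodeChars`, which only exists if QueryString's `__init__` calls DataContainer's `__init__` from the first hunk (otherwise the first `str()` raises AttributeError). A unit test asserting that `str(QueryString(...))` still turns `&` and `=` in values into `%26` and `%3D` when no safe characters have been added would guard that. The wrapped `+` line and the `\ No newline at end of file` markers again mean the patch needs attaching rather than pasting.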
>>
>> In my audit plugin, to avoid encoding the % character I do this before I
>> create the mutants:
>>
>>     def audit(self, freq):
>>         dc = freq.getDc()
>>         # keep '%' out of the encoder so the pre-encoded payload is sent as-is
>>         dc._safeEncodeChars += '%'
>>         for param in dc:
>>             mutants = createMutants(freq, ['%26ZJkL%3DNrZp'], True, [param])
>>
>> After these changes it works MOST of the time. When I give w3af a URL
>> with a bunch of parameters, it generates 2 fuzzable requests if no
>> discovery plugins are used; one request is the URL I provided, one has
>> parameters that w3af seemed to pick randomly. For some reason the
>> safeEncodeChars are ignored for the request w3af created. To fix this I
>> had to add the % character to the default safe characters of the
>> urlencode function. I don't like this fix very much and would like to
>> figure out why it is necessary but here is the diff that makes it work
>> for now:
>>
>> Index: core/data/parsers/encode_decode.py
>> ===================================================================
>> --- core/data/parsers/encode_decode.py    (revision 5002)
>> +++ core/data/parsers/encode_decode.py    (working copy)
>> @@ -71,7 +71,7 @@
>>      return CHAR_REF_PATT.sub(entitydecode, text)
>>
>>
>> -def urlencode(query, encoding, safe='/<>"\'=:()'):
>> +def urlencode(query, encoding, safe='/<>"\'=:()%'):
>> '''
>>      This is my version of urllib.urlencode. It adds "/" as a safe
>> character
>>      and also adds support for "repeated parameter names".
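Review bot: adding `%` to the default `safe` set changes every caller of `urlencode`, not just the HPP plugin: a parameter value that legitimately contains a literal `%`, or a payload from another plugin that expects `%` to be encoded, now goes out unencoded, so a value such as `50%off` (constructed) becomes an invalid percent-escape the server has to guess at. The message itself says this is only needed because the request w3af derives from the supplied URL drops `_safeEncodeChars`; fixing that (the copy branch in the dataContainer.py hunk) removes the need to widen the global default. If `%` does stay, the docstring below should list it; it currently explains only `/` although the string also holds `<>"'=:()`.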
>>
>>
>> On Tue, May 15, 2012 at 11:45 AM, Andres Riancho <andres.rian...@gmail.com> wrote:
>>
>>    Stephen,
>>
>>    On Sat, May 12, 2012 at 3:31 PM, Stephen Breen <breen.mach...@gmail.com> wrote:
>>     > After comparing the browser and w3af requests/responses in
>>     > Wireshark I was able to figure it out. When I send the request:
>>     > http://www.example.com/?x=abc%26ZJkL%3DNrZp
>>     > In w3af it is being converted to:
>>     > http://www.example.com/?x=abc%2526ZJkL%253DNrZp
>>     >
>>     > i.e. my '%' characters are being URL encoded into '%25'.
>>
>>        Did you find the way to avoid that "double encoding" issue?
>>
>>     >
>>     > On Wed, May 9, 2012 at 6:08 PM, Stephen Breen <breen.mach...@gmail.com>
>>     > wrote:
>>     >>
>>     >> "Forgive me, I don't have the time to be brief" -- unfortunately
>>     >> this is going to be a longish one.
>>     >>
>>     >> I'm confused about an issue I've been having trying to detect
>>     >> client-side parameter pollution vulnerabilities. I've been stuck on
>>     >> this for a while.
>>     >>
>>     >> What I'm doing is, for each parameter in a request, inject an
>>     >> innocuous parameter. For example, if the request were:
>>     >> http://www.example.com/?x=abc&y=xyz
>>     >>
>>     >> we could inject the parameter ZJkL=NrZp like so:
>>     >> http://www.example.com/?x=abc%26ZJkL%3DNrZp&y=xyz
>>     >> http://www.example.com/?x=abc&y=xyz%26ZJkL%3DNrZp
>>     >>
>>     >> Then we examine the response from each of those requests and
>>     >> check if there are any links in the response that contain our
>>     >> injected parameter. So, for example, if we found the following in
>>     >> the response body, it would mean the "x" parameter is vulnerable to
>>     >> parameter pollution:
>>     >> http://www.example.com/submit.php?x=abc&ZJkL=NrZp&y=xyz
>>     >>
>>     >> If this is the case, then we can use the fact that a server will
>>     >> discard a duplicate parameter and use either the first or second
>>     >> occurrence to overwrite other parameters in the requests for the
>>     >> forms and links on the page.
>>     >>
>>     >> The problem I am having is that while my browser (Firefox) will
>>     >> return responses containing things like:
>>     >> http://www.example.com/submit.php?x=abc&ZJkL=NrZp&y=xyz
>>     >>
>>     >> when I use sendMutant or urlOpener.GET, the same request will
>>     >> result in the URL in the response looking like this:
>>     >> http://www.example.com/submit.php?x=abc%26ZJkL%3DNrZp&y=xyz
>>     >>
>>     >> The characters are not being decoded and I have no idea why! I
>>     >> thought that the decoding would be done on the server side; is this
>>     >> done in the browser? Does that mean these vulnerabilities will be
>>     >> browser specific? I'm really not sure how this works behind the
>>     >> scenes.
>>     >>
>>     >> For a real example of this vulnerability I've been using the
>>     >> following URL for testing:
>>     >>
>>     >> http://www.pof.com/basicsearch.aspx?iama=m%26ZJkL%3DNrZp&seekinga=f&minage=18&maxage=40&imagesetting=0&searchtype=&intent=&ethnicity=0&country=1&City=Chicago&z_code=&miles=25&sorting=0&cmdSearch=Search&Profession=&Interests=&save=1#in
>>     >>
>>     >> If you look at the links to "More Search Results 1,2,3" etc. on
>>     >> the bottom of the page, you will see that the parameter ZJkL=NrZp
>>     >> has been injected into the links.
>>     >>
>>     >> Thanks!
>>     >>
>>     >> On Wed, May 2, 2012 at 11:02 PM, Andres Riancho <andres.rian...@gmail.com>
>>     >> wrote:
>>     >>>
>>     >>> Stephen,
>>     >>>
>>     >>> On Wed, May 2, 2012 at 4:10 PM, Stephen Breen <breen.mach...@gmail.com>
>>     >>> wrote:
>>     >>> > In case anyone else is interested in this, someone else has
>>     >>> > already created a system to scan and detect HTTP parameter
>>     >>> > pollution vulnerabilities. They don't provide the source for their
>>     >>> > tool but it can be found here:
>>     >>> > http://papas.iseclab.org/cgi-bin/index.py
>>     >>> >
>>     >>> > Their paper describing how it works can be found here:
>>     >>> > http://www.iseclab.org/people/embyte/papers/hpp.pdf
>>     >>> >
>>     >>> > I plan on reading it and taking a shot at implementation as a
>>     >>> > w3af plugin.
>>     >>>
>>     >>> Great! For comparing HTTP response bodies (which I assume you'll
>>     >>> have to do) take a look at levenshtein.py (the
>>     >>> relative_distance_boolean function).
>>     >>>
>>     >>> Regards,
>>     >>>
>>     >>> >
>>     >>> >
>>
>>  ------------------------------------------------------------------------------
>>     >>> > Live Security Virtual Conference
>>     >>> > Exclusive live event will cover all the ways today's security
>> and
>>     >>> > threat landscape has changed and how IT managers can respond.
>>     >>> > Discussions
>>     >>> > will include endpoint security, mobile security and the latest
>> in
>>     >>> > malware
>>     >>> > threats.
>>    http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>     >>> > _______________________________________________
>>     >>> > W3af-develop mailing list
>>     >>> > W3af-develop@lists.sourceforge.net
>>    <mailto:W3af-develop@lists.sourceforge.net>
>>     >>> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>     >>> >
>>     >>>
>>     >>>
>>     >>>
>>     >>> --
>>     >>> Andrés Riancho
>>     >>> Project Leader at w3af - http://w3af.org/
>>     >>> Web Application Attack and Audit Framework
>>     >>> Twitter: @w3af
>>     >>> GPG: 0x93C344F3
>>     >>
>>     >>
>>     >
>>
>>
>>
>>    --
>>    Andrés Riancho
>>    Project Leader at w3af - http://w3af.org/
>>    Web Application Attack and Audit Framework
>>    Twitter: @w3af
>>    GPG: 0x93C344F3
>>
>>
>>
>>
>>
>
>
>
> --
> Taras
> http://oxdef.info



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
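The probe-and-check procedure Stephen describes in the quoted thread (append a decoded `&ZJkL=NrZp` to one parameter value at a time, encode it once, then look in the response for links that carry the marker as a parameter of its own), written out as an added example. This is not code from the thread or from w3af: it is Python 3 standard library only, the names `build_probes`, `polluted_links`, `audit` and `marker_is_preencoded` are mine, `max_repeats` is a hypothetical knob modelled on the limit Taras floats, and `SAMPLE_BODY` is a constructed response body. It also shows the double-encoding trap from the thread: the marker is held in decoded form and percent-encoded exactly once, and a marker that already contains `%XX` escapes is rejected rather than encoded again into `%2526ZJkL%253DNrZp`.

```python
"""Probe builder and response checker for client-side HTTP Parameter
Pollution (HPP).  Added example, not w3af code; Python 3 standard library.
The marker ZJkL=NrZp is the one used in the thread; SAMPLE_BODY is constructed.
"""
from html.parser import HTMLParser
import re
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

MARKER_NAME = "ZJkL"
MARKER_VALUE = "NrZp"
MARKER = "&%s=%s" % (MARKER_NAME, MARKER_VALUE)   # decoded form; encoded once below

_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def marker_is_preencoded(marker):
    """True if the marker already holds %XX escapes.  Feeding such a value to
    an encoder is what produced %2526ZJkL%253DNrZp in the thread."""
    return _PCT.search(marker) is not None


def build_probes(url, marker=MARKER, max_repeats=None):
    """Return [(param_name, occurrence, probe_url), ...]: one probe per
    query-parameter occurrence, with the marker appended to that occurrence's
    value and percent-encoded exactly once.  Repeated names (a=1&a=2&a=3) get
    one probe each, as w3af does; max_repeats (hypothetical, after the limit
    proposed in the thread) caps the occurrences probed per name."""
    if marker_is_preencoded(marker):
        raise ValueError("marker must be supplied decoded; it is encoded here")
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    probes, seen = [], {}
    for idx, (name, value) in enumerate(pairs):
        occurrence = seen.get(name, 0)
        seen[name] = occurrence + 1
        if max_repeats is not None and occurrence >= max_repeats:
            continue
        mutated = list(pairs)
        mutated[idx] = (name, value + marker)
        # urlencode quotes '&', '=' and '%' inside values once; safe='/' keeps
        # path separators (as w3af's urlencode does) and quote_via=quote spells
        # spaces as %20 rather than '+'.
        query = urlencode(mutated, safe="/", quote_via=quote)
        probes.append((name, occurrence, urlunsplit(parts._replace(query=query))))
    return probes


class _LinkCollector(HTMLParser):
    """Collect href/action/src attribute values; HTMLParser unescapes &amp;
    in attributes, so the collected strings are the URLs a browser would use."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for key, val in attrs:
            if key in ("href", "action", "src") and val:
                self.links.append(val)


def polluted_links(body, marker_name=MARKER_NAME, marker_value=MARKER_VALUE):
    """Return the links in `body` whose query string carries the marker as a
    parameter of its own.  A link still holding x=abc%26ZJkL%3DNrZp is not a
    hit: parse_qsl yields ('x', 'abc&ZJkL=NrZp') for it, meaning the server
    kept the marker inside x's value and nothing was polluted."""
    collector = _LinkCollector()
    collector.feed(body)
    hits = []
    for link in collector.links:
        pairs = parse_qsl(urlsplit(link).query, keep_blank_values=True)
        if (marker_name, marker_value) in pairs:
            hits.append(link)
    return hits


# Constructed response body: the first link is what a vulnerable page emits,
# the second is what the thread saw through w3af, the third is noise.
SAMPLE_BODY = """<html><body>
<a href="/submit.php?x=abc&amp;ZJkL=NrZp&amp;y=xyz">page 2</a>
<a href="/submit.php?x=abc%26ZJkL%3DNrZp&amp;y=xyz">still encoded</a>
<a href="/other.php?page=2">unrelated</a>
</body></html>"""


def audit(url, fetch, max_repeats=None):
    """Send every probe through `fetch(probe_url) -> body` and report the
    parameter occurrences whose probe produced a polluted link."""
    findings = []
    for name, occurrence, probe in build_probes(url, max_repeats=max_repeats):
        hits = polluted_links(fetch(probe))
        if hits:
            findings.append((name, occurrence, hits))
    return findings


if __name__ == "__main__":
    # Offline stand-in for the HTTP client: only the probe that targets "x"
    # answers with the vulnerable body.
    def fake_fetch(probe):
        return SAMPLE_BODY if "x=abc%26ZJkL%3DNrZp" in probe else "<html></html>"

    for finding in audit("http://www.example.com/?x=abc&y=xyz", fake_fetch):
        print(finding)
```

Run directly, it reports `('x', 0, ['/submit.php?x=abc&ZJkL=NrZp&y=xyz'])`: the "x" probe produced a link in which the marker is a parameter of its own, while the link that still carries `%26ZJkL%3DNrZp` inside the value is deliberately not counted, which is exactly the difference between the Firefox and w3af responses in the thread. Plugging a real HTTP client in for `fetch` is the only change needed to run it against a test application.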
