Dom,

I was planning on working on the host header plugin.  I did have a similar
response from the mailing list, which is understandable since everyone is very
busy.


Maybe you and I can work on this further to get a better idea of how it will 
work?

On Mon, Jul 29, 2013 at 8:24 AM, Andres Riancho <andres.rian...@gmail.com>
wrote:

> Dom,
> On Fri, Jul 26, 2013 at 4:41 PM, Dominique Righetto
> <dominique.righe...@gmail.com> wrote:
>> Hi,
>>
>> I have spent the last 2 weeks trying to understand how to detect and how to
>> reproduce the integer overflow; unfortunately I wasn't able to fully
>> understand either of them.
> I feel bad that I / we were unable to help you with that, sorry but
> I'm focused on other things these days.
>> I will take another ticket: "HTTP Host header attacks - Audit plugin", if
>> it's available?
> Take a look at the mailing list thread we started a while ago about
> that, maybe you can take it from there.
>> Dom
>>
>> --
>> Cordialement, Best regards,
>> Dominique Righetto
>> dominique.righe...@gmail.com
>> dominique.righe...@owasp.org
>> Twitter: @righettod
>> GPG: 0x323D19BA
>> http://www.righettod.eu
>> "No trees were killed to send this message, but a large number of electrons
>> were terribly inconvenienced."
>>
>>
>> On Mon, Jul 15, 2013 at 1:54 PM, Andres Riancho <andres.rian...@gmail.com>
>> wrote:
>>>
>>> On Sun, Jul 14, 2013 at 4:49 AM, Dominique RIGHETTO
>>> <dominique.righe...@gmail.com> wrote:
>>> > Hi Tomas,
>>> >
>>> > Thank you very much.
>>> >
>>> > I am trying to understand the objective of each of the values in
>>> > ["-0000012345", "-2147483649", "-2147483648", "0000012345",
>>> > "2147483647",
>>> > "2147483648", "4294967295", "4294967296", "0000023456"].
>>> >
>>> > For the values 2147483647, 2147483648, -2147483649 and -2147483648
>>> > I understand, because they test around the limits of the Integer
>>> > type, but for the other values I don't understand why they are used and
>>> > where they come from.
>>>
>>> The most important part seems to be here [0]
>>>
>>> [0]
>>> https://code.google.com/p/skipfish/source/browse/trunk/src/checks.c#1872
>>>
>>> > As I understand the vulnerability, according to all the material that I
>>> > can read, it is the following:
>>> >
>>> > A parameter has an Integer overflow vuln if, when you submit a value
>>> > over the max/min limit of the Integer, it returns a very small
>>> > negative or positive value.
>>> >
>>> > Ex:
>>> > You submit "2147483648" and the returned value is negative
>>> > You submit "-2147483648" and the returned value is positive
>>> >
>>> > Can you confirm that my understanding is correct?
>>>
>>> I'm no good with these low level bugs, but my basic understanding of
>>> the vuln makes me think that the best way to detect this vuln is:
>>>     * Send HTTP request with a test payload, let's say... 5, save it
>>>     * Send HTTP request with a test for integer overflow, which if
>>> successful would be the same as sending the number 5, (calculate that,
>>> but it should be -(2^31-5) or something like that), save it
>>>     * Compare the two. If they are equal we're in a case where integer
>>> overflow is present OR the input is not even used
>>>     * Send one more HTTP request with a number 8 (different from the
>>> previous), compare with any of the previous ones. If it's different
>>> then integer overflow is present.
>>>
>>> If you want to have lower false positives, after running through those
>>> steps you could run one more test round, repeating step 1 and 2 with a
>>> number different than 5.
>>>
>>> @Thomas: is this how you were doing it?
>>>
>>> > I apologize for all my questions, but I really want to fully understand
>>> > the context of the vulnerability in order to take into account all the
>>> > cases in the plugin implementation, and also learn new things.
>>> >
>>> > The W3AF team is a very cool learning environment; I feel like a dwarf
>>> > among giants ;o)))))
>>> >
>>> > Thanks in advance.
>>> >
>>> > Best regards,
>>> >
>>> > Dom
>>> >
>>> >
>>> >
>>> > On 13/07/2013 15:48, Tomas Velazquez wrote:
>>> >>
>>> >> Hi Dominique,
>>> >>
>>> >> Months ago I coded a PoC of integer overflow, but it is unfinished.
>>> >>
>>> >> My code is based on skipfish detection:
>>> >> http://code.google.com/p/skipfish/source/browse/trunk/src/checks.c
>>> >>
>>> >> Regards,
>>> >>
>>> >>
>>> >>
>>> >> On Sat, Jul 13, 2013 at 10:09 AM, Dominique Righetto
>>> >> <dominique.righe...@gmail.com <mailto:dominique.righe...@gmail.com>>
>>> >> wrote:
>>> >>
>>> >>     Hi Andres,
>>> >>
>>> >>     I'm working on the integer overflow detection plugin and I'm trying
>>> >>     to understand, in an audit plugin, how to access the injection
>>> >>     points detected in the discovery part.
>>> >>
>>> >>     Can you give me some pointers or a plugin example?
>>> >>
>>> >>     Thanks in advance
>>> >>
>>> >>     Dom
>>> >>
>>> >>
>>> >>
>>> >>     _______________________________________________
>>> >>     W3af-develop mailing list
>>> >>     W3af-develop@lists.sourceforge.net
>>> >>     <mailto:W3af-develop@lists.sourceforge.net>
>>> >>     https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>> >>
>>> >>
>>> >
>>>
>>>
>>>
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3
>>
>>
> -- 
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
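As an added example (not w3af or skipfish code), the differential check Andres sketches above, run against constructed in-memory backends so it works offline. The `send` callable stands in for the plugin's HTTP request; the integer width is a parameter, which goes slightly beyond the thread's 32-bit-only discussion.

```python
# Added example, not w3af or skipfish code: the differential integer-overflow
# check from the thread, run against constructed backends. `send` is assumed
# to be any callable mapping a parameter string to a response string.

def truncate_signed(n, bits=32):
    """Emulate a server storing n in a signed two's complement int of `bits`."""
    mask = 1 << bits
    return ((n + (mask >> 1)) % mask) - (mask >> 1)

def wrap_equivalent(n, bits=32):
    """Input that a truncating server will see as n: n + 2**bits."""
    return n + (1 << bits)

# Constructed backends: each maps a submitted parameter string to a response.
def backend_truncating(value):
    return "item %d" % truncate_signed(int(value))   # overflow-prone backend

def backend_bigint(value):
    return "item %d" % int(value)                    # arbitrary-precision backend

def backend_unused(value):
    return "static page"                             # ignores the parameter

def detect_overflow(send, base=5, other=8, bits=32):
    """Return 'overflow', 'unused' or 'clean' following the thread's steps:
    1. send base, 2. send its wrap-around twin and compare,
    3. send a different number to rule out an unused parameter,
    4. repeat 1-2 with the other number to reduce false positives."""
    r_base = send(str(base))
    if send(str(wrap_equivalent(base, bits))) != r_base:
        return "clean"
    r_other = send(str(other))
    if r_other == r_base:
        return "unused"
    if send(str(wrap_equivalent(other, bits))) == r_other:
        return "overflow"
    return "clean"

if __name__ == "__main__":
    for name, backend in [("truncating", backend_truncating),
                          ("bigint", backend_bigint),
                          ("unused", backend_unused)]:
        print(name, "->", detect_overflow(backend))
```

Note that 5 + 2^32 (not -(2^31-5)) is the value that wraps back to 5 in a 32-bit two's complement integer; the same function also reproduces the "2147483648 comes back negative" observation from the thread.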
