Hi,

Thank you for your response.

For sure, we can work together on this subject in order to better
understand the attack context and how to test it.

I have read the links below in order to have an overview of an attack on
the "host" header.

- http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
- https://www.pentesterlab.com/from_sqli_to_shell_II/from_sqli_to_shell_II.pdf

This is my understanding of the audit behavior:

** Check 1
Send an HTTP request with a double "host" header in this order:
host: example.com
host: evil.com

** Check 2
Send an HTTP request with the header "X-Forwarded-Host" with value "evil.com"

** Check 3
Send an HTTP request with the header "X-Forwarded-For" with value "evil.com"

For each case, check if the HTTP response body or headers contain any
reference to "evil.com"; if so, "host" header manipulation seems to be
possible...

Is my understanding correct?

Thanks in advance :)


--
Cordialement, Best regards,
Dominique Righetto
dominique.righe...@gmail.com
dominique.righe...@owasp.org
Twitter: @righettod
GPG: 0x323D19BA
http://www.righettod.eu
"No trees were killed to send this message, but a large number of electrons
were terribly inconvenienced."
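An added example, not code from this mail or from w3af, that implements the three checks listed above in Python: it builds the raw probe requests with a constructed canary hostname instead of "evil.com" (a unique name cannot appear in a legitimate page by chance) and reports where a response echoes it. The two sample responses are constructed; sending the probes is left to the caller.

```python
from typing import Dict, List, Tuple

# Constructed canary: a reserved .invalid name, so a legitimate page will
# never contain it and it never resolves if the server tries to use it.
CANARY = "hh-canary-7f3a.invalid"


def build_probes(path: str, real_host: str, canary: str = CANARY) -> Dict[str, bytes]:
    """Raw HTTP/1.1 requests for the three checks described in the mail."""
    req = f"GET {path} HTTP/1.1\r\nHost: {real_host}\r\n"
    return {
        "check1_duplicate_host": (req + f"Host: {canary}\r\n\r\n").encode(),
        "check2_x_forwarded_host": (req + f"X-Forwarded-Host: {canary}\r\n\r\n").encode(),
        "check3_x_forwarded_for": (req + f"X-Forwarded-For: {canary}\r\n\r\n").encode(),
    }


def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP response into status line, (name, value) headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body.decode("utf-8", "replace")


def find_reflections(raw: bytes, canary: str = CANARY) -> List[str]:
    """Where the canary is echoed back: 'header:<name>' entries and/or 'body'."""
    _, headers, body = parse_response(raw)
    hits = [f"header:{name}" for name, value in headers if canary in value]
    if canary in body:
        hits.append("body")
    return hits


# Constructed sample responses standing in for what the probes would return.
VULNERABLE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://" + CANARY.encode() + b"/login\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<a href=\"http://" + CANARY.encode() + b"/reset?token=x\">reset</a>"
)
SAFE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<a href=\"http://example.com/reset\">reset</a>"
)

if __name__ == "__main__":
    for name, probe in build_probes("/", "example.com").items():
        print(name, probe.split(b"\r\n")[1:3])
    print(find_reflections(VULNERABLE))  # ['header:location', 'body']
    print(find_reflections(SAFE))        # []
```

A hit in a `Location` header or in an absolute link in the body is what the skeletonscribe article above describes as exploitable; an empty list for all three probes means the server ignored the injected name.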


On Mon, Jul 29, 2013 at 2:32 PM, D M <vints...@gmail.com> wrote:

> Dom,
>
> I was planning on working on the host header plugin.  I did have a similar
> response from the mailing list, which is understandable since everyone is
> very busy.
>
> Maybe you and I can work on this further to get a better idea of how it
> will work?
>
>
> On Mon, Jul 29, 2013 at 8:24 AM, Andres Riancho
> <andres.rian...@gmail.com> wrote:
>
>> Dom,
>>
>> On Fri, Jul 26, 2013 at 4:41 PM, Dominique Righetto
>> <dominique.righe...@gmail.com> wrote:
>> > Hi,
>> >
>> > I have spent the last 2 weeks trying to understand how to detect and how
>> > to reproduce the integer overflow; unfortunately I wasn't able to fully
>> > understand either of them.
>>
>> I feel bad that I / we were unable to help you with that, sorry but
>> I'm focused on other things these days.
>>
>> > I will take another ticket: "HTTP Host header attacks - Audit plugin"
>> > if it's available?
>>
>> Take a look at the mailing list thread we started a while ago about
>> that, maybe you can take it from there.
>>
>> > Dom
>> >
>> > --
>> > Cordialement, Best regards,
>> > Dominique Righetto
>> > dominique.righe...@gmail.com
>> > dominique.righe...@owasp.org
>> > Twitter: @righettod
>> > GPG: 0x323D19BA
>> > http://www.righettod.eu
>> > "No trees were killed to send this message, but a large number of
>> electrons
>> > were terribly inconvenienced."
>> >
>> >
>> > On Mon, Jul 15, 2013 at 1:54 PM, Andres Riancho
>> > <andres.rian...@gmail.com> wrote:
>> >>
>> >> On Sun, Jul 14, 2013 at 4:49 AM, Dominique RIGHETTO
>> >> <dominique.righe...@gmail.com> wrote:
>> >> > Hi Tomas,
>> >> >
>> >> > Thank you very much.
>> >> >
>> >> > I am trying to understand the objective of each of the values in
>> >> > ["-0000012345", "-2147483649", "-2147483648", "0000012345",
>> >> > "2147483647", "2147483648", "4294967295", "4294967296", "0000023456"].
>> >> >
>> >> > For the values 2147483647, 2147483648, -2147483649, -2147483648
>> >> > I understand, because they are for testing around the limits of the
>> >> > Integer type, but for the other values I don't understand why they
>> >> > are used and where they come from.
>> >>
>> >> The most important part seems to be here [0]
>> >>
>> >> [0]
>> >>
>> https://code.google.com/p/skipfish/source/browse/trunk/src/checks.c#1872
>> >>
>> >> > As I understand the vulnerability, according to all the stuff that
>> >> > I can read, it is the fact below:
>> >> >
>> >> > A parameter has an Integer overflow vuln if, when you submit a value
>> >> > over the max/min limit of the Integer, it returns a very small
>> >> > negative or positive value.
>> >> >
>> >> > Ex:
>> >> > You submit "2147483648" and the returned value is negative
>> >> > You submit "-2147483648" and the returned value is positive
>> >> >
>> >> > Can you confirm that my understanding is correct?
>> >>
>> >> I'm no good with these low level bugs, but my basic understanding of
>> >> the vuln makes me think that the best way to detect this vuln is:
>> >> * Send HTTP request with a test payload, let's say... 5, save it
>> >> * Send HTTP request with a test for integer overflow, which if
>> >> successful would be the same as sending the number 5, (calculate that,
>> >> but it should be -(2^31-5) or something like that), save it
>> >> * Compare the two. If they are equal we're in a case where integer
>> >> overflow is present OR the input is not even used
>> >> * Send one more HTTP request with a number 8 (different from the
>> >> previous), compare with any of the previous ones. If it's different
>> >> then integer overflow is present.
>> >>
>> >> If you want to have lower false positives, after running through those
>> >> steps you could run one more test round, repeating step 1 and 2 with a
>> >> number different than 5.
>> >>
>> >> @Thomas: is this how you were doing it?
>> >>
>> >> > I apologize for all my questions but I really want to fully
>> >> > understand the context of the vulnerability in order to take into
>> >> > account all the cases in the plugin implementation and also learn
>> >> > new things.
>> >> >
>> >> > W3AF team is a very cool learning environment, I feel like a dwarf
>> among
>> >> > giants ;o)))))
>> >> >
>> >> > Thanks in advance.
>> >> >
>> >> > Best regards,
>> >> >
>> >> > Dom
>> >> >
>> >> >
>> >> >
>> >> > On 13/07/2013 15:48, Tomas Velazquez wrote:
>> >> >>
>> >> >> Hi Dominique,
>> >> >>
>> >> >> Months ago I coded a PoC of integer overflow, but it is unfinished.
>> >> >>
>> >> >> My code is based on skipfish detection:
>> >> >> http://code.google.com/p/skipfish/source/browse/trunk/src/checks.c
>> >> >>
>> >> >> Regards,
>> >> >>
>> >> >>
>> >> >>
>> >> >> On Sat, Jul 13, 2013 at 10:09 AM, Dominique Righetto
>> >> >> <dominique.righe...@gmail.com> wrote:
>> >> >>
>> >> >> Hi Andres,
>> >> >>
>> >> >> I'm working on an integer overflow detection plugin and I am trying
>> >> >> to understand, in an audit plugin, how to access the injection points
>> >> >> detected in the discovery part.
>> >> >>
>> >> >> Can you give me some pointers or a plugin example?
>> >> >>
>> >> >> Thanks in advance
>> >> >>
>> >> >> Dom
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >> _______________________________________________
>> >> >> W3af-develop mailing list
>> >> >> W3af-develop@lists.sourceforge.net
>> >> >> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>> >> >>
>> >> >>
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Andrés Riancho
>> >> Project Leader at w3af - http://w3af.org/
>> >> Web Application Attack and Audit Framework
>> >> Twitter: @w3af
>> >> GPG: 0x93C344F3
>> >
>> >
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>>
>>
>>
>
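Andres's four-step detection procedure from the quoted thread, as an added worked example in Python (not code from the thread or from w3af). It runs against three constructed endpoints: one that silently wraps to a C-style 32-bit int, one that rejects out-of-range input, and one that ignores the parameter. The value that wraps back to 5 is computed here as 2^32 + 5 rather than the "-(2^31-5) or something like that" guessed in the thread; `probe` is a hypothetical callable standing in for "send the request, return the response body".

```python
from typing import Callable

INT32_MIN, INT32_MAX = -(1 << 31), (1 << 31) - 1


def wrap_int32(value: int) -> int:
    """Value a C-style signed 32-bit conversion would silently wrap to."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value > INT32_MAX else value


def overflow_equivalent(n: int) -> int:
    """A value above INT32_MAX that wraps back to n: 2^32 + n (5 -> 4294967301)."""
    return (1 << 32) + n


def detect_integer_overflow(probe: Callable[[int], str],
                            first: int = 5, second: int = 8) -> bool:
    """Andres's steps: compare the responses for a small number and for its
    overflow equivalent; rule out 'input is never used' with a second number;
    then confirm with one more round on that second number."""
    r_first = probe(first)
    r_wrapped = probe(overflow_equivalent(first))
    if r_first != r_wrapped:
        return False               # big value rejected or handled differently
    r_second = probe(second)
    if r_second == r_first:
        return False               # responses never depend on the input
    # confirmation round (lower false positives): repeat with the second number
    return probe(overflow_equivalent(second)) == r_second


# Constructed endpoints standing in for HTTP requests; each returns a body.
def vulnerable_endpoint(qty: int) -> str:
    return f"<p>total: {wrap_int32(qty) * 10}</p>"   # int32 arithmetic, no range check


def validating_endpoint(qty: int) -> str:
    if not INT32_MIN <= qty <= INT32_MAX:
        return "<p>error: quantity out of range</p>"
    return f"<p>total: {qty * 10}</p>"


def static_endpoint(qty: int) -> str:
    return "<p>thanks for your order</p>"            # parameter ignored


if __name__ == "__main__":
    print(detect_integer_overflow(vulnerable_endpoint))   # True
    print(detect_integer_overflow(validating_endpoint))   # False
    print(detect_integer_overflow(static_endpoint))       # False
```

Run through `wrap_int32`, the boundary values in the thread's list (2147483647, 2147483648, -2147483649, -2147483648, 4294967295, 4294967296) are exactly INT32_MAX, INT32_MIN, UINT32_MAX and their neighbours, which is why they flip sign or collapse to 0 when wrapped.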