To determine how well the security proxies we tested protected against attackers, we had to unleash some attacks of our own. Here are details on our arsenal:
Forceful browsing: Requesting a nonpublic directory directly in order to obtain a listing of its contents. Our /inc/ directory on the server contained sensitive logic scripts.
Username/password SQL tampering: Attempting to log into the application by submitting a password crafted to alter the SQL query so that it grants access for any valid user name, without the corresponding password.
Hidden-field price manipulation: The price of an item is passed to the shopping cart as a hidden form parameter; by changing the hidden value, we could change the price we were charged for the item.
URL query SQL manipulation: Manipulating a URL query parameter to alter a SELECT ... LIKE statement so that it returns additional data.
PHP multipart DoS: (CVE-2002-0081) Certain versions of PHP contain buffer overflow and denial-of-service flaws in the multipart file-upload code. By sending multipart upload data with a malformed Content-Disposition header, we could crash PHP (and with it the Apache child process).
Cookie tampering: Our Web session IDs are tracked via cookies. By changing the value of the session ID, we could access other users' sessions; the test site used sequential session IDs, making valid values easy to guess. The application also used a cookie to hold the user name of the logged-in user; by changing that cookie's value, we could change our login identity.
Cross-site scripting: We inserted or appended JavaScript into various query parameters in an attempt to have it echoed back into the page and executed in the browser.
Server headers exposed: The Server header (often called the "banner") tells the attacker what Web server and version you are running, and therefore which vulnerabilities it might contain. PHP adds a further 'X-Powered-By: PHP/4.x' header of its own. Partial failure means the product removed or replaced the standard Server header but left the nonstandard PHP header in place.
IIS ASP chunked-encoding buffer overflow: (CAN-2002-0079) The ASP handler on IIS contains a buffer overflow in its handling of chunked POST requests, which let us run arbitrary code or render the ASP handler unusable.
IIS IDA handler leakage: (CAN-2000-0071) We made a simple request for "/.ida" to view any diagnostic error messages, which can disclose internal details such as file system paths.
Feedback form SQL tampering: Injecting additional SQL statements via a textarea form element, which we used to run an xp_cmdshell command on the back-end MS SQL Server.
IIS Unicode attack: (CVE-2000-0884) The Unicode directory-traversal attack let us run executables outside the Web root. We ran it using the '/scripts/' and '/_vti_bin/' base directories.
Allows OPTIONS request: We made a simple OPTIONS request to see what methods the server reports as allowed. This is a mild information leak that can help an attacker understand how the Web server is configured.
IIS .printer buffer overflow: (CVE-2001-0241) A straight buffer overflow in the IIS .printer handler, which let us run arbitrary code.
Open FrontPage web: We used the FrontPage client to modify the HTML of pages on the server. The test server was misconfigured to require no authentication for authoring, which is what is considered an "open" FrontPage Web.
Various form validity tampering: We used a test form containing various select, checkbox and radio input values to determine if the security proxy would ensure the values we submitted were legal, allowed values; for example, when given a select menu with choices "A," "B" and "C," we attempted to submit nonexistent value "D." We used both static and dynamically generated form values. Partial failure means the product can handle static values via hard-coded rule definitions but cannot handle dynamic values.
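The three SQL-tampering attacks in the arsenal (username/password tampering, URL query manipulation and feedback-form tampering) all rely on the application splicing user input into the statement text. The following is an added example, not code from the test application or from any product reviewed here: each attack is reproduced against an in-memory SQLite database, with the vulnerable query beside the parameterised query that defeats the same payload. The schema, rows, query shapes and payloads are constructed for the example; SQLite has no xp_cmdshell, so a DROP TABLE stands in for the command-execution step of the feedback-form attack.

```python
# Added example for this article: the login, URL-query and feedback-form SQL
# tampering attacks, reproduced against an in-memory SQLite database.
# The schema, rows and query shapes are constructed here and are not the
# test application's; each vulnerable query sits beside the parameterised
# form that defeats the same payload.
import sqlite3


def fresh_db():
    """Constructed sample data: two users, one hidden product, an empty feedback table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hunter2'), (2, 'alice', 's3cret');
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, visible INTEGER);
        INSERT INTO products VALUES (1, 'widget', 1), (2, 'gadget', 1),
                                    (3, 'unreleased gizmo', 0);
        CREATE TABLE feedback (id INTEGER PRIMARY KEY, body TEXT);
    """)
    return db


def table_exists(db, name):
    return db.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                      (name,)).fetchone() is not None


# 1. Username/password tampering: the password "' OR '1'='1" turns the WHERE
#    clause into (username='admin' AND password='') OR '1'='1', which is true
#    for every row, so a user comes back without a matching password.
def login_vulnerable(db, username, password):
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    # Bound parameters are sent as data, never spliced into the statement text.
    # (Password hashing is omitted to keep the focus on the injection.)
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


# 2. URL query tampering: a search term of "%' OR 1=1 --" closes the LIKE
#    pattern, adds an always-true condition and comments out the rest, so the
#    visible = 1 filter no longer hides the unreleased product.
def search_vulnerable(db, term):
    sql = "SELECT name FROM products WHERE visible = 1 AND name LIKE '%%%s%%'" % term
    return [r[0] for r in db.execute(sql)]


def search_safe(db, term):
    # The wildcards are added in code; the term itself stays a bound parameter.
    # (A user-supplied % or _ is still a LIKE wildcard; use ESCAPE if that matters.)
    return [r[0] for r in db.execute(
        "SELECT name FROM products WHERE visible = 1 AND name LIKE ?", ("%" + term + "%",))]


# 3. Feedback-form tampering: a textarea value that closes the INSERT and
#    appends a second statement. executescript() stands in for a driver that
#    runs a batch of statements in one call, as SQL Server's does; that batch
#    behaviour is what makes a stacked xp_cmdshell call possible there.
def feedback_vulnerable(db, body):
    db.executescript("INSERT INTO feedback (body) VALUES ('%s')" % body)


def feedback_safe(db, body):
    db.execute("INSERT INTO feedback (body) VALUES (?)", (body,))
    db.commit()


if __name__ == "__main__":
    db = fresh_db()
    print("login bypass:", login_vulnerable(db, "admin", "' OR '1'='1"),
          "/ safe:", login_safe(db, "admin", "' OR '1'='1"))
    print("hidden rows:", search_vulnerable(db, "%' OR 1=1 --"),
          "/ safe:", search_safe(db, "%' OR 1=1 --"))
    feedback_vulnerable(db, "Nice site'); DROP TABLE users; --")
    print("users table survived stacked query:", table_exists(db, "users"))
```

The same payloads are what a security proxy has to recognise in a login field, a query-string parameter and a textarea respectively; the parameterised queries show why the application, not only the proxy, should be closing the hole.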
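The hidden-field price test and the form validity test both come down to one check: does the value the client submits appear among the values the server offered in the form it sent? As an added example, not code from any product we tested, here is a minimal version of that check. It learns the allowed values for hidden, select, radio and checkbox fields from the served HTML itself, which is what covers dynamically generated forms without hand-written rules. The form HTML, field names and submissions are constructed for the example.

```python
# Added example for this article: a minimal version of the check that the
# hidden-field price and form validity tests expect a security proxy to
# perform. The proxy learns allowed values from the form as the server
# actually sent it, so dynamically generated choices are covered without
# hand-written rules. The form HTML and submissions below are constructed.
from html.parser import HTMLParser

# Constructed sample response: a cart form with a hidden price, a select whose
# last option has no value attribute (the browser submits its text), radios,
# a checkbox and a free-text note.
FORM_HTML = """
<form action="/cart.php" method="post">
  <input type="hidden" name="item_id" value="42">
  <input type="hidden" name="price" value="19.99">
  <select name="size">
    <option value="A">Small</option>
    <option value="B">Medium</option>
    <option>C</option>
  </select>
  <input type="radio" name="ship" value="ground"> <input type="radio" name="ship" value="air">
  <input type="checkbox" name="gift" value="yes">
  <input type="text" name="note">
  <input type="submit" value="Add to cart">
</form>
"""


class FormRules(HTMLParser):
    """Records, per field, the values the served form offered.

    allowed:   field -> set of legal values (hidden, select, radio, checkbox)
    free_text: fields that accept arbitrary input (text, password, textarea)
    """

    def __init__(self):
        super().__init__()
        self.allowed = {}
        self.free_text = set()
        self._select = None        # name of the <select> being read
        self._option_value = None  # value= of the open <option>, or None
        self._in_option = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = a.get("name")
        if tag == "select" and name:
            self._select = name
            self.allowed.setdefault(name, set())
        elif tag == "option" and self._select:
            self._in_option = True
            self._option_value = a.get("value")
            if self._option_value is not None:
                self.allowed[self._select].add(self._option_value)
        elif tag == "input" and name:
            kind = (a.get("type") or "text").lower()
            if kind in ("hidden", "radio", "checkbox"):
                value = a.get("value")
                if value is None:  # browsers submit "on" for a bare checkbox/radio
                    value = "" if kind == "hidden" else "on"
                self.allowed.setdefault(name, set()).add(value)
            elif kind not in ("submit", "reset", "button", "image"):
                self.free_text.add(name)
        elif tag == "textarea" and name:
            self.free_text.add(name)

    def handle_data(self, data):
        # an <option> with no value= submits its visible text
        if self._in_option and self._option_value is None and data.strip():
            self.allowed[self._select].add(data.strip())

    def handle_endtag(self, tag):
        if tag == "option":
            self._in_option = False
        elif tag == "select":
            self._select = None


def learn_rules(html):
    rules = FormRules()
    rules.feed(html)
    rules.close()
    return rules


def check_submission(rules, submitted):
    """Return (field, value) pairs the served form never offered.

    submitted maps field name -> value or list of values (multi-select, checkboxes).
    """
    violations = []
    for field, value in submitted.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        for v in values:
            if field in rules.allowed:
                if v not in rules.allowed[field]:
                    violations.append((field, v))   # e.g. size=D or price=0.01
            elif field not in rules.free_text:
                violations.append((field, v))       # a field the form never had
    return violations


if __name__ == "__main__":
    rules = learn_rules(FORM_HTML)
    print(check_submission(rules, {"item_id": "42", "price": "0.01", "size": "D", "ship": "air"}))
```

Because the rules are rebuilt from every response, a select menu whose options change per user or per request is handled the same way as a static one; a product that only supports hard-coded rule definitions is what the "partial failure" result above describes. Note that for the price case the proxy check is a compensating control: the application should look the price up from item_id on the server rather than trust a hidden field at all.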
CVE IDs were included for attacks that exploit specific vulnerabilities; however, many of the attacks are more general in nature. Below are a few URLs explaining some of the general vulnerabilities we tried to exploit.
Cross-site scripting
SQL injection
Cookie manipulation
Form-field manipulation
Session hijacking