RE: [WEB SECURITY] Header information
- From: "Brian Shura" <bshura@xxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Header information
- Date: Tue, 1 Jul 2008 17:50:41 -0500
Ricky,
Chances are the site requires some kind of browser add-on to insert the
ConsumerID header into every request, which is why you're not seeing this
header in Fiddler when you hit this page. Either that or it uses AJAX calls
to submit requests with the ConsumerID header.
I would suggest using Fiddler to insert the whole header, case-sensitive,
into the request and see what happens ("ConsumerID: 0"). Also, Paros, Burp,
and some of the other security proxy tools will allow you to automatically
add this header to every request. With Fiddler you would have to write some
code to make it do this, but with the other tools it's just a configuration
item.
Brian
_____
From: Ricky [mailto:nik2233@rediffmail.com]
Sent: Tuesday, July 01, 2008 8:40 AM
To: websecurity@webappsec.org
Subject: [WEB SECURITY] Header information
Hi All,
While doing a code review of the application, I came across a scenario in
which the Id is taken from a header.
If the id is '0' then the user is Admin, else a normal user.
My doubt: is the code below vulnerable to elevation of privilege (by
changing the value to 0)?
Also, which tool can I use to cross-verify it in the browser?
I tried to change the consumerID variable using some tools including Fiddler and
a few others, but was unable to see the "consumerID" variable.
<%
// Get the consumer Id from the headers
// and render the JSP body only if the consumer is not an Admin
// (ConsumerID "0" marks an Admin; a missing header also renders nothing)
String consumerID = request.getHeader("ConsumerID");
if (consumerID != null && !consumerID.equals("0"))
{
%>
<jsp:doBody />
<%
}
%>
Thanks in advance
~Nik
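The header-based check from Nik's JSP beside a session-based replacement, as an added example that is not part of this thread. It assumes the Servlet API is on the classpath and that the application's login code stores the authenticated user's role in a session attribute named "role" (both are assumptions, not something the thread states).

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example: the two ways of deciding whether to render the JSP body.
public final class ConsumerRole {

    // Vulnerable form: the same condition as the JSP scriptlet. The
    // ConsumerID header is supplied by the client, so whoever controls the
    // request (a browser add-on, an AJAX call, or an intercepting proxy)
    // also controls the outcome of this check.
    static boolean renderBodyFromHeader(HttpServletRequest request) {
        String consumerID = request.getHeader("ConsumerID");
        return consumerID != null && !consumerID.equals("0");
    }

    // Hardened form: the role comes from server-side session state that
    // was established when the user authenticated (assumed attribute
    // "role", set by the login code). Nothing in the request can rewrite
    // it, so the header no longer matters.
    static boolean renderBodyFromSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false; // not logged in: render nothing
        }
        Object role = session.getAttribute("role");
        return role != null && !"admin".equals(role);
    }

    // Defensive check for a migration period: log when a client still sends
    // the header, since that is the traffic a proxy-based test would produce.
    static boolean headerPresent(HttpServletRequest request) {
        return request.getHeader("ConsumerID") != null;
    }
}
```

In the JSP, `if (ConsumerRole.renderBodyFromSession(request))` replaces the scriptlet's header test; the header may still be read for non-security purposes, but never to decide the role.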
Brought to you by http://www.webappsec.org