Black Watch Labs ID: BWL-00-01
Perfecto's Black Watch Labs Advisory #00-01 (17-Feb-2000)
Name: Using Search Engines to Locate Millions of Vulnerable Web Applications
Black Watch Labs ID: BWL-00-01
Date Released: 17-Feb-2000
Products affected: Various.
Number of affected sites: Millions
Category: Web Applications (HTML): almost all possible subcategories.
Summary:
Search Engines (e.g. AltaVista and InfoSeek) can be used to reveal potential application-level vulnerabilities in
indexed web sites.
Easily formed queries which incorporate the "signature" of a suspected vulnerability can be used to list the sites
which match the signature, that is, which contain the "suspicious" content. In some cases, hundreds of thousands of
web sites can be located with one query.
It is important to stress that submitting such queries to the search engines does not actually exploit either the search
engines or the web pages that are referenced in the query results. These queries merely point out the web pages
which contain material that may be used to exploit the web sites themselves.
Analysis:
- It is assumed that a vast number of web sites are indexed in some search engines. Moreover, some search engines
(e.g. InfoSeek) allow queries that are confined to the links within the indexed pages. These search engines can then be
used to locate pages (and thus sites) that either contain sensitive material in themselves (i.e. where the search engine
indexed private pages), or contain "special" links. These special links are "suspicious" in the sense that they
contain specific words or constructs that may enable an attacker to exploit the target of the link.
- Sensitive Arguments in Forms and Queries: Many sites contain forms and query links with "sensitive" parameters, i.e.
parameters that, upon being modified by an attacker, can lead to exposure or exploit. For example, a form that
contains a parameter named "price" may be used to indicate a price of an item to the processing script. If this
parameter is changed, in an attempt to buy the item at a lower price, the processing script (on the server) may not
diagnose it, and may process the lower price as if it was the legitimate price, hence providing the attacker with the
item/goods at a lower than intended price ("E-Shoplifting").
It should be noted, though, that the mere existence of a parameter named "price" does not prove that the
application is vulnerable, nor does the absence of all suspicious parameters indicate the contrary.
Suspicious patterns within links and forms include: "price" (E-Shoplifting); "formmail" (indication of Matt's FormMail
script, which allows sending email from the web server to a third party); and "recipient" (may indicate an argument to a
script that sends email to that address).
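The self-audit a site owner can run before a search engine does it for them, as an added example written for this advisory (it is not Black Watch Labs' Site Checker): it parses a page's HTML and reports every link, form action or form field that carries one of the three signatures named above. The sample HTML and the reason strings are constructed here; the signature names come from the advisory.

```python
# Added example: scan one HTML page for the "suspicious" parameter names the
# advisory lists (price, formmail, recipient) so the site owner can review
# them. Not the advisory's own Site Checker; sample page is constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Signature names are the advisory's; the reason text is our own summary.
SIGNATURES = {
    "price": "client-supplied price (E-Shoplifting)",
    "formmail": "Matt's FormMail script (web server relays mail for the client)",
    "recipient": "mail destination chosen by the client",
}


class SuspiciousParamScanner(HTMLParser):
    """Collect parameter names from link/action query strings and form fields."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (where, name, reason)

    def _check(self, where, name):
        if name.lower() in SIGNATURES:
            self.findings.append((where, name, SIGNATURES[name.lower()]))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("href") if tag == "a" else a.get("action") if tag == "form" else None
        if url:
            parts = urlsplit(url)
            # A script name such as formmail.pl shows up in the path, not the query.
            for token in SIGNATURES:
                if token in parts.path.lower():
                    self._check("url-path:" + parts.path, token)
            for name, _ in parse_qsl(parts.query, keep_blank_values=True):
                self._check("query:" + parts.path, name)
        # Hidden inputs are the classic place for a price the client can edit.
        if tag in ("input", "select", "textarea") and a.get("name"):
            self._check("form-field:" + a.get("type", tag), a["name"])


def scan_html(html):
    """Return [(where, parameter_name, reason)] for every signature hit."""
    scanner = SuspiciousParamScanner()
    scanner.feed(html)
    return scanner.findings


SAMPLE_HTML = """<html><body>
<form action="/cgi-bin/formmail.pl" method="post">
  <input type="hidden" name="recipient" value="sales@example.com">
  <input type="text" name="email"></form>
<form action="/cart/add" method="post">
  <input type="hidden" name="item" value="1234">
  <input type="hidden" name="price" value="49.95"></form>
<a href="/catalog/view?item=1234&amp;price=49.95">Buy</a></body></html>"""

if __name__ == "__main__":
    for where, name, reason in scan_html(SAMPLE_HTML):
        print(f"{where}: {name} -> {reason}")
```

A hit is a review item, not a verdict: as the advisory says, a field named "price" only matters if the server trusts it instead of looking the price up itself.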
Solution:
Web sites which implement Web application security are protected from these types of hacks. Check now to test if your
site is vulnerable to malicious searches and view specific instructions for fixes.
References and Links:
AltaVista Search Engine: http://www.altavista.com/
InfoSeek Search Engine: http://www.infoseek.com/
Analog web statistics: http://www.statslab.cam.ac.uk/~sret1/analog/
ServerStats web statistics: http://www.kitchen-sink.com/serverstat/index.html
WebTrends web statistics: http://www.webtrends.com/products/Log/default.htm
Matt's Script Archive (FormMail): http://www.worldwidemart.com/scripts/formmail.shtml
Introductory texts to SQL: http://w3.one.net/~jhoffman/sqltut.htm and
http://databases.about.com/compute/databases/library/weekly/aa112299.htm?iam=mt
About Black Watch Labs (http://www.perfectotech.com/blackwatchlabs)
Black Watch Labs is a research group operated by Perfecto Technologies Ltd., the leader in web application security
management. Black Watch Labs was established to further the knowledge of web application security within the Internet
community.
About Perfecto Technologies (www.perfectotech.com)
Founded in 1997 and headquartered in Santa Clara, Calif., Perfecto Technologies pioneered the market for Web
Application Security Management. AppShield, Perfecto's initial product offering, is the first to provide extreme
security for web applications in dynamic eBusiness environments. Privately held, Perfecto is funded by blue-chip
venture capital firms and industry leaders, including Sequoia Capital, Goldman Sachs, DLJ, Walden, and Intel
Corporation. More information about Perfecto Technologies may be obtained by visiting the Company's Website at
www.perfectotech.com or by calling the Company directly at (408) 855 9500.
Copyright © 1997-2000 Perfecto Technologies LTD. All rights reserved.
Permission is hereby granted to reproduce and distribute the application security alerts herein in their entirety,
provided the information, this notice and all other Perfecto Technologies marks remain intact.
Specific Limitations on Use of the Black Watch Labs Advisories
THIS ADVISORY INCLUDES INFORMATION WHICH WILL ILLUSTRATE CERTAIN SECURITY RISKS AND ISSUES ASSOCIATED WITH SITES ON
THE INTERNET, INCLUDING, POTENTIALLY, YOUR SITE. YOU AGREE THAT YOUR VIEWING OF THIS ADVISORY IS SOLELY FOR THE
PURPOSES OF UNDERSTANDING THESE RISKS AND ISSUES WITH RESPECT TO YOUR SITE AND THE PRODUCTS AND SERVICES OFFERED BY
PERFECTO TECHNOLOGIES. YOU AGREE NOT TO USE ANY INFORMATION DISCLOSED TO YOU FOR ANY IMPROPER OR ILLEGAL PURPOSE,
INCLUDING TO VIOLATE THE SECURITY OF ANY OTHER PERSON'S SITE. YOU ARE EXPLICITLY WARNED THAT THE USE FOR ANY IMPROPER
PURPOSE OF INFORMATION DISCLOSED TO YOU COULD SUBJECT YOU TO CIVIL AND CRIMINAL LIABILITY IN THE UNITED STATES AND
OTHER COUNTRIES.
NO WARRANTY
Any material furnished by Perfecto Technologies is furnished on an "as is" basis and may change without notice.
Perfecto Technologies makes no warranties of any kind, either expressed or implied as to any matter including but not
limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use
of the material. Neither does Perfecto Technologies make any warranty of any kind with respect to freedom from patent,
trademark or copyright infringement. In no event shall Perfecto Technologies be liable for any damages whatsoever
arising out of or in connection with the use or spread of this information. Any use of this information is at the
user's own risk.