BWL-00-01.txt
Posted May 15, 2000
Authored by Black Watch Labs | Site perfectotech.com

Black Watch Labs Security Advisory #00-01 (Feb 17, 2000) - Search Engines (e.g. AltaVista and InfoSeek) can be used to reveal potential application-level vulnerabilities in indexed web sites. Easily formed queries which incorporate the "signature" of a suspected vulnerability can be used to list the sites which match the signature, that is, which contain the "suspicious" content. In some cases, hundreds of thousands of web sites can be located with one query. Check your site with the Site Checker, available here.

tags | web, vulnerability
MD5 | 9fbfd0d2e0985d6e96184db55903265c

   Black Watch Labs ID: BWL-00-01

Perfecto's Black Watch Labs Advisory #00-01 (17-Feb-2000)

Name:
Using Search Engines to Locate Millions of Vulnerable Web Applications

Black Watch Labs ID:
BWL-00-01

Date Released:
17-Feb-2000

Products affected:
Various.

Number of affected sites:
Millions

Category:
Web Applications (HTML): almost all possible subcategories.

Summary:
Search Engines (e.g. AltaVista and InfoSeek) can be used to reveal potential application-level vulnerabilities in
indexed web sites.
Easily formed queries which incorporate the "signature" of a suspected vulnerability can be used to list the sites
which match the signature, that is, which contain the "suspicious" content. In some cases, hundreds of thousands of
web sites can be located with one query.

It is important to stress that submitting such queries to the search engines does not actually exploit either the search
engines or the web pages that are referenced in their query results. These queries merely point out the web pages
which contain material that may be used to exploit the web sites themselves.

Analysis:
- It is assumed that a vast number of web sites are indexed by some search engines. Moreover, some search engines
(e.g. InfoSeek) allow queries that are confined to the links within the indexed pages. These search engines can then be
used to locate pages (and hence sites) that either contain sensitive material in themselves (i.e. if the search engine
indexed private pages) or contain "special" links. These special links are "suspicious" in the sense that they
contain specific words or constructs that may enable an attacker to exploit the target of the link.

- Sensitive Arguments in Forms and Queries: Many sites contain forms and query links with "sensitive" parameters, i.e.
parameters that, if modified by an attacker, can lead to exposure or exploitation. For example, a form that
contains a parameter named "price" may be used to pass the price of an item to the processing script. If this
parameter is changed, in an attempt to buy the item at a lower price, the processing script (on the server) may not
detect the change and may process the lower price as if it were the legitimate price, hence providing the attacker with the
item/goods at a lower than intended price ("E-Shoplifting").
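The following is an added illustration of the "E-Shoplifting" pattern described above; it is not code from the advisory or from any Perfecto product. It contrasts a handler that trusts a submitted "price" field with one that looks the price up server-side, and adds a small detection routine for the tampering signal. The product catalogue, the handler names and the sample submission are all constructed for the example.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side catalogue (hypothetical item ids and prices).
# In the hardened handler this is the ONLY source of truth for prices.
CATALOGUE = {
    "widget-1": Decimal("49.99"),
    "widget-2": Decimal("129.00"),
}


def _fields(query_string):
    """Flatten a form submission / query string to {name: first value}."""
    return {k: v[0] for k, v in parse_qs(query_string).items()}


def process_order_vulnerable(query_string):
    """The pattern the advisory warns about: the server takes the 'price'
    field straight from the submitted form. Anyone who edits the hidden
    field (or the query string) is charged whatever price they chose."""
    f = _fields(query_string)
    if f.get("item") not in CATALOGUE:
        raise ValueError("unknown item")
    qty = int(f.get("qty", "1"))
    return Decimal(f["price"]) * qty  # client-controlled amount


def process_order_hardened(query_string):
    """Hardened handler: the price comes from the catalogue keyed by item id,
    the quantity is range-checked, and a client-sent 'price' is ignored."""
    f = _fields(query_string)
    item = f.get("item")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    try:
        qty = int(f.get("qty", "1"))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOGUE[item] * qty


def tamper_indicators(query_string):
    """Detection side: explain why a submission looks tampered with. Once the
    form no longer carries a price, any 'price' field in a submission, and in
    particular one that disagrees with the catalogue, is worth logging."""
    f = _fields(query_string)
    reasons = []
    if "price" in f:
        reasons.append("submission carries a price field the form does not send")
        item = f.get("item")
        try:
            if item in CATALOGUE and Decimal(f["price"]) != CATALOGUE[item]:
                reasons.append(f"price {f['price']} != catalogue {CATALOGUE[item]}")
        except InvalidOperation:
            reasons.append("price field is not a number")
    return reasons


if __name__ == "__main__":
    tampered = "item=widget-1&price=0.01&qty=2"  # constructed tampered submission
    print(process_order_vulnerable(tampered))   # 0.02  (attacker's price)
    print(process_order_hardened(tampered))     # 99.98 (catalogue price)
    print(tamper_indicators(tampered))
```

The fix is not input validation on the price field but removing the field from the trust boundary altogether: the client identifies what it wants, the server decides what it costs.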

It should be noted, though, that the mere existence of a parameter named "price" does not prove that the
application is vulnerable, nor does the absence of all suspicious parameters indicate the contrary.

Suspicious patterns within links and forms include: "price" (E-Shoplifting); "formmail" (indication of Matt's FormMail
script, which allows sending email from the web server to a third party); and "recipient" (may indicate an argument to a
script that sends email to that address).
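As an added example of the self-check the advisory recommends (this is not Perfecto's Site Checker nor any code from the advisory), the script below audits a site's own HTML for the three signatures just listed: form fields and query parameters named "price" or "recipient", and links or form actions that point at a FormMail-style script. The parser, the signature sets and the sample page are all constructed here; as the advisory notes, a hit is a lead to review, not proof of a vulnerability.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Signatures named in the advisory (constructed sets; extend for your site).
SUSPICIOUS_PARAMS = {"price", "recipient"}
SUSPICIOUS_SCRIPTS = {"formmail"}


class FormAndLinkAuditor(HTMLParser):
    """Walks one HTML document and records form fields, form actions and
    links whose names or targets match the advisory's signatures."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._form_action = None  # action of the <form> being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form_action = a.get("action", "")
            self._check_url("form action", self._form_action)
        elif tag == "input" and self._form_action is not None:
            name = a.get("name", "").lower()
            if name in SUSPICIOUS_PARAMS:
                self.findings.append({
                    "where": "form field",
                    "target": self._form_action,
                    "signature": name,
                    # a hidden field is the classic E-Shoplifting case: the
                    # page sets the value and the server trusts it back
                    "detail": a.get("type", "text").lower(),
                })
        elif tag == "a":
            self._check_url("link", a.get("href", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None

    def _check_url(self, where, url):
        parts = urlparse(url)
        script = parts.path.rsplit("/", 1)[-1].lower()
        for sig in SUSPICIOUS_SCRIPTS:
            if sig in script:
                self.findings.append({"where": where, "target": url,
                                      "signature": sig, "detail": "script name"})
        for name in parse_qs(parts.query):
            if name.lower() in SUSPICIOUS_PARAMS:
                self.findings.append({"where": where, "target": url,
                                      "signature": name.lower(),
                                      "detail": "query parameter"})


def audit_html(html):
    """Return the list of findings for one HTML document."""
    parser = FormAndLinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page exhibiting all three signatures.
SAMPLE_HTML = """
<html><body>
<form action="/cgi-bin/order.cgi" method="post">
  <input type="hidden" name="item" value="widget-1">
  <input type="hidden" name="price" value="49.99">
  <input type="text" name="qty" value="1">
</form>
<form action="/cgi-bin/formmail.pl" method="post">
  <input type="hidden" name="recipient" value="sales@example.com">
</form>
<a href="/cgi-bin/mailer.pl?recipient=info@example.com&amp;subject=hi">Contact</a>
<a href="/about.html">About</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(f"{finding['where']:12} {finding['signature']:10} "
              f"{finding['detail']:16} {finding['target']}")
```

Run it over a crawl of your own site's pages. Each hit should be traced to the server-side script: a hidden "price" that the script reads back is the E-Shoplifting case from the analysis above, and a "recipient" that reaches a mail script unchecked turns the server into a relay.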

Solution:
Web sites which implement Web application security are protected from these types of hacks. Check now to test if your
site is vulnerable to malicious searches and view specific instructions for fixes.

References and Links:
AltaVista Search Engine: http://www.altavista.com/
InfoSeek Search Engine: http://www.infoseek.com/
Analog web statistics: http://www.statslab.cam.ac.uk/~sret1/analog/
ServerStats web statistics: http://www.kitchen-sink.com/serverstat/index.html
WebTrends web statistics: http://www.webtrends.com/products/Log/default.htm
Matt's Script Archive (FormMail): http://www.worldwidemart.com/scripts/formmail.shtml
Introductory texts to SQL: http://w3.one.net/~jhoffman/sqltut.htm ,
http://databases.about.com/compute/databases/library/weekly/aa112299.htm?iam=mt

About Black Watch Labs (http://www.perfectotech.com/blackwatchlabs)
Black Watch Labs is a research group operated by Perfecto Technologies Ltd., the leader in web application security
management. Black Watch Labs was established to further the knowledge of web application security within the Internet
community.

About Perfecto Technologies (www.perfectotech.com)
Founded in 1997 and headquartered in Santa Clara, Calif., Perfecto Technologies pioneered the market for Web
Application Security Management. AppShield, Perfecto's initial product offering, is the first to provide extreme
security for web applications in dynamic eBusiness environments. Privately held, Perfecto is funded by blue-chip
venture capital firms and industry leaders, including Sequoia Capital, Goldman Sachs, DLJ, Walden, and Intel
Corporation. More information about Perfecto Technologies may be obtained by visiting the Company's Website at
www.perfectotech.com or by calling the Company directly at (408) 855 9500.

Copyright © 1997-2000 Perfecto Technologies LTD. All rights reserved.
Permission is hereby granted to reproduce and distribute the application security alerts herein in their entirety,
provided the information, this notice and all other Perfecto Technologies marks remain intact.

Specific Limitations on Use of the Black Watch Labs Advisories
THIS ADVISORY INCLUDES INFORMATION WHICH WILL ILLUSTRATE CERTAIN SECURITY RISKS AND ISSUES ASSOCIATED WITH SITES ON
THE INTERNET, INCLUDING, POTENTIALLY, YOUR SITE. YOU AGREE THAT YOUR VIEWING OF THIS ADVISORY IS SOLELY FOR THE
PURPOSES OF UNDERSTANDING THESE RISKS AND ISSUES WITH RESPECT TO YOUR SITE AND THE PRODUCTS AND SERVICES OFFERED BY
PERFECTO TECHNOLOGIES. YOU AGREE NOT TO USE ANY INFORMATION DISCLOSED TO YOU FOR ANY IMPROPER OR ILLEGAL PURPOSE,
INCLUDING TO VIOLATE THE SECURITY OF ANY OTHER PERSON'S SITE. YOU ARE EXPLICITLY WARNED THAT THE USE FOR ANY IMPROPER
PURPOSE OF INFORMATION DISCLOSED TO YOU COULD SUBJECT YOU TO CIVIL AND CRIMINAL LIABILITY IN THE UNITED STATES AND
OTHER COUNTRIES.

NO WARRANTY

Any material furnished by Perfecto Technologies is furnished on an "as is" basis and may change without notice.
Perfecto Technologies makes no warranties of any kind, either expressed or implied as to any matter including but not
limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use
of the material. Neither does Perfecto Technologies make any warranty of any kind with respect to freedom from patent,
trademark or copyright infringement. In no event shall Perfecto Technologies be liable for any damages whatsoever
arising out of or in connection with the use or spread of this information. Any use of this information is at the
user's own risk.