BWL-00-01.txt
Posted May 15, 2000
Authored by Black Watch Labs | Site perfectotech.com

Black Watch Labs Security Advisory #00-01 (Feb 17, 2000) - Search Engines (e.g. AltaVista and InfoSeek) can be used to reveal potential application-level vulnerabilities in indexed web sites. Easily formed queries which incorporate the "signature" of a suspected vulnerability can be used to list the sites which match the signature, that is, which contain the "suspicious" content. In some cases, hundreds of thousands of web sites can be located with one query. Check your site with the Site Checker, available here.

tags | web, vulnerability
SHA-256 | b23b5c9a49d3431454f6f18165fc7b311b2ec51ba209fb0c03bbdb689e5d4cb5

   Black Watch Labs ID: BWL-00-01

Perfecto's Black Watch Labs Advisory #00-01 (17-Feb-2000)

Name:
Using Search Engines to Locate Millions of Vulnerable Web Applications

Black Watch Labs ID:
BWL-00-01

Date Released:
17-Feb-2000

Products affected:
Various.

Number of affected sites:
Millions

Category:
Web Applications (HTML): almost all possible subcategories.

Summary:
Search Engines (e.g. AltaVista and InfoSeek) can be used to reveal potential application-level vulnerabilities in
indexed web sites.
Easily formed queries which incorporate the "signature" of a suspected vulnerability can be used to list the sites
which match the signature, that is, which contain the "suspicious" content. In some cases, hundreds of thousands of
web sites can be located with one query.

It is important to stress that submitting such queries to the search engines does not actually exploit either the
search engines or the web pages that are referenced in their query results. These queries merely point out the web
pages which contain material that may be used to exploit the web sites themselves.

Analysis:
- It is assumed that a vast number of web sites are indexed in some search engines. Moreover, some search engines
(e.g. InfoSeek) allow queries that are confined to the links within the indexed pages. These search engines are then
used to locate pages (with sites) that contain either sensitive material by itself (i.e. if the search engine indexed
private pages), or pages that contain "special" links. These special links are "suspicious", in the sense that they
contain some specific words or constructs that may enable an attacker to exploit the target of the link.

- Sensitive Arguments in Forms and Queries: Many sites contain forms and query links with "sensitive" parameters, i.e.
parameters that, upon being modified by an attacker, can lead to exposure or exploit. For example, a form that
contains a parameter named "price" may be used to indicate a price of an item to the processing script. If this
parameter is changed, in an attempt to buy the item at a lower price, the processing script (on the server) may not
diagnose it, and may process the lower price as if it was the legitimate price, hence providing the attacker with the
item/goods at a lower than intended price ("E-Shoplifting").

It should be noted, though, that the mere existence of a parameter by the name of "price" does not verify that the
application is vulnerable, nor does the absence of all suspicious parameters indicate the contrary.
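
The E-Shoplifting case above, shown as the weak handler beside a hardened one. This is an added example, not code from the advisory; the catalogue, field names ("item", "quantity") and function names are assumptions made for illustration.

```python
from decimal import Decimal

# Constructed catalogue: the server's own record of what each item costs.
CATALOG = {"sku-1001": Decimal("199.00"), "sku-1002": Decimal("15.50")}

def total_trusting_client(form):
    """Weak pattern the advisory describes: the price is read from the form."""
    return Decimal(form["price"]) * int(form["quantity"])

def total_server_side(form):
    """Hardened: price comes from CATALOG; a differing client price is reported."""
    item = form.get("item", "")
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("quantity", ""))
    except ValueError:
        raise ValueError("bad quantity") from None
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    tampered = False
    if "price" in form:
        # The submitted price is never used for billing, only compared for logging.
        try:
            tampered = Decimal(form["price"]) != CATALOG[item]
        except ArithmeticError:  # unparsable price value
            tampered = True
    return CATALOG[item] * qty, tampered

if __name__ == "__main__":
    # Constructed request in which the hidden "price" field was modified.
    modified = {"item": "sku-1001", "quantity": "2", "price": "1.00"}
    print("trusting handler bills:", total_trusting_client(modified))
    print("hardened handler bills:", total_server_side(modified))
```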

Suspicious patterns within links and forms include: "price" (E-Shoplifting), "formmail" (indication of Matt's FormMail
script, which allows sending email from the webserver to a third party), and "recipient" (may indicate an argument to
a script that sends email to that address).
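
A self-audit for the three signatures listed above, run over your own site's HTML. This is an added example, not part of the advisory; the class, function and sample page are constructed for illustration, and a hit is a lead to review rather than proof of a vulnerability.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Signatures named in the advisory, with the risk it associates with each.
SIGNATURES = {
    "price": "client-supplied price (E-Shoplifting)",
    "formmail": "FormMail script (mail sent to third parties)",
    "recipient": "client-supplied mail recipient",
}

class SignatureAudit(HTMLParser):
    """Collect (line, tag, where, signature) findings from one HTML page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def _check(self, tag, where, value):
        low = (value or "").lower()
        for sig in SIGNATURES:
            if sig in low:
                self.findings.append((self.getpos()[0], tag, where, sig))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("input", "select", "textarea"):
            self._check(tag, "name", a.get("name"))  # form field names
        url = a.get("action") if tag == "form" else a.get("href") if tag == "a" else None
        if url:
            parts = urlsplit(url)
            self._check(tag, "path", parts.path)  # script name in the URL path
            for key, _ in parse_qsl(parts.query, keep_blank_values=True):
                self._check(tag, "query", key)  # parameter names in query links

def audit(html):
    parser = SignatureAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not from the advisory).
SAMPLE = """<form action="/cgi-bin/FormMail.pl" method="post">
<input type="hidden" name="recipient" value="sales@example.com">
<input type="hidden" name="price" value="199.00">
<input type="text" name="quantity">
</form>
<a href="/order.cgi?item=42&amp;Price=199.00">Buy</a>"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```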

Solution:
Web sites which implement Web application security are protected from these types of hacks. Check now to test if your
site is vulnerable to malicious searches and view specific instructions for fixes.

References and Links:
AltaVista Search Engine: http://www.altavista.com/
InfoSeek Search Engine: http://www.infoseek.com/
Analog web statistics: http://www.statslab.cam.ac.uk/~sret1/analog/
ServerStats web statistics: http://www.kitchen-sink.com/serverstat/index.html
WebTrends web statistics: http://www.webtrends.com/products/Log/default.htm
Matt's Script Archive (FormMail): http://www.worldwidemart.com/scripts/formmail.shtml
Introductory texts to SQL: http://w3.one.net/~jhoffman/sqltut.htm ,
http://databases.about.com/compute/databases/library/weekly/aa112299.htm?iam=mt

About Black Watch Labs (http://www.perfectotech.com/blackwatchlabs)
Black Watch Labs is a research group operated by Perfecto Technologies Ltd., the leader in web application security
management. Black Watch Labs was established to further the knowledge of web application security within the Internet
community.

About Perfecto Technologies (www.perfectotech.com)
Founded in 1997 and headquartered in Santa Clara, Calif., Perfecto Technologies pioneered the market for Web
Application Security Management. AppShield, Perfecto's initial product offering, is the first to provide extreme
security for web applications in dynamic eBusiness environments. Privately held, Perfecto is funded by blue-chip
venture capital firms and industry leaders, including Sequoia Capital, Goldman Sachs, DLJ, Walden, and Intel
Corporation. More information about Perfecto Technologies may be obtained by visiting the Company's Website at
www.perfectotech.com or by calling the Company directly at (408) 855 9500.

Copyright © 1997-2000 Perfecto Technologies LTD. All rights reserved.
Permission is hereby granted to reproduce and distribute the application security alerts herein in their entirety,
provided the information, this notice and all other Perfecto Technologies marks remain intact.

Specific Limitations on Use of the Black Watch Labs Advisories
THIS ADVISORY INCLUDES INFORMATION WHICH WILL ILLUSTRATE CERTAIN SECURITY RISKS AND ISSUES ASSOCIATED WITH SITES ON
THE INTERNET, INCLUDING, POTENTIALLY, YOUR SITE. YOU AGREE THAT YOUR VIEWING OF THIS ADVISORY IS SOLELY FOR THE
PURPOSES OF UNDERSTANDING THESE RISKS AND ISSUES WITH RESPECT TO YOUR SITE AND THE PRODUCTS AND SERVICES OFFERED BY
PERFECTO TECHNOLOGIES. YOU AGREE NOT TO USE ANY INFORMATION DISCLOSED TO YOU FOR ANY IMPROPER OR ILLEGAL PURPOSE,
INCLUDING TO VIOLATE THE SECURITY OF ANY OTHER PERSON'S SITE. YOU ARE EXPLICITLY WARNED THAT THE USE FOR ANY IMPROPER
PURPOSE OF INFORMATION DISCLOSED TO YOU COULD SUBJECT YOU TO CIVIL AND CRIMINAL LIABILITY IN THE UNITED STATES AND
OTHER COUNTRIES.

NO WARRANTY

Any material furnished by Perfecto Technologies is furnished on an "as is" basis and may change without notice.
Perfecto Technologies makes no warranties of any kind, either expressed or implied as to any matter including but not
limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use
of the material. Neither does Perfecto Technologies make any warranty of any kind with respect to freedom from patent,
trademark or copyright infringement. In no event shall Perfecto Technologies be liable for any damages whatsoever
arising out of or in connection with the use or spread of this information. Any use of this information is at the
user's own risk.