Perfecto's Black Watch Labs Advisory #00-01 (17-Feb-2000)

Name: Using Search Engines to Locate Millions of Vulnerable Web Applications
Black Watch Labs ID: BWL-00-01
Date Released: 17-Feb-2000
Products affected: Various.
Number of affected sites: Millions
Category: Web Applications (HTML): almost all possible subcategories.

Summary:

Search engines (e.g. AltaVista and InfoSeek) can be used to reveal potential application-level vulnerabilities in indexed web sites. Easily formed queries which incorporate the "signature" of a suspected vulnerability can be used to list the sites which match the signature, that is, which contain the "suspicious" content. In some cases, hundreds of thousands of web sites can be located with one query.

It is important to stress that submitting such queries to the search engines does not actually exploit either the search engines or the web pages that are referenced in their query results. These queries merely point out the web pages which contain material that may be used to exploit the web sites themselves.

Analysis:

- It is assumed that a vast number of web sites are indexed in some search engines. Moreover, some search engines (e.g. InfoSeek) allow queries that are confined to the links within the indexed pages. These search engines can then be used to locate pages (and sites) that either contain sensitive material in themselves (i.e. if the search engine indexed private pages), or contain "special" links. These special links are "suspicious" in the sense that they contain specific words or constructs that may enable an attacker to exploit the target of the link.

- Sensitive Arguments in Forms and Queries: Many sites contain forms and query links with "sensitive" parameters, i.e. parameters that, upon being modified by an attacker, can lead to exposure or exploitation. For example, a form that contains a parameter named "price" may be used to pass the price of an item to the processing script.
If this parameter is changed, in an attempt to buy the item at a lower price, the processing script (on the server) may not detect the change, and may process the lower price as if it were the legitimate price, hence providing the attacker with the item/goods at a lower than intended price ("E-Shoplifting"). It should be noted, though, that the mere existence of a parameter named "price" does not prove that the application is vulnerable, nor does the absence of all suspicious parameters indicate the contrary.

Suspicious patterns within links and forms include:
- "price" (E-Shoplifting)
- "formmail" (indication of Matt's FormMail script, which allows sending email from the web server to a third party)
- "recipient" (may indicate an argument to a script that sends email to that address)

Solution:

Web sites which implement Web application security are protected from these types of hacks. Check now to test if your site is vulnerable to malicious searches and view specific instructions for fixes.

References and Links:

AltaVista Search Engine: http://www.altavista.com/
InfoSeek Search Engine: http://www.infoseek.com/
Analog web statistics: http://www.statslab.cam.ac.uk/~sret1/analog/
ServerStats web statistics: http://www.kitchen-sink.com/serverstat/index.html
WebTrends web statistics: http://www.webtrends.com/products/Log/default.htm
Matt's Script Archive (FormMail): http://www.worldwidemart.com/scripts/formmail.shtml
Introductory texts to SQL: http://w3.one.net/~jhoffman/sqltut.htm , http://databases.about.com/compute/databases/library/weekly/aa112299.htm?iam=mt

About Black Watch Labs (http://www.perfectotech.com/blackwatchlabs)

Black Watch Labs is a research group operated by Perfecto Technologies Ltd., the leader in web application security management. Black Watch Labs was established to further the knowledge of web application security within the Internet community.
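The E-Shoplifting case in the Analysis section above, as an added example that is not Perfecto's or Black Watch Labs' code: an order handler that trusts the client-supplied "price" field beside its hardened form (price looked up server-side, quantity validated, any client-sent price logged as a tampering indicator and ignored), together with a self-audit that scans a site's own HTML for the suspicious parameter names the advisory lists ("price", "recipient", and forms posting to a FormMail-style script). The catalogue, SKUs, prices and the sample page are constructed for this demo.

```python
"""
Added example, not Perfecto's or Black Watch Labs' code: the "E-Shoplifting"
order handler the advisory describes, in vulnerable and hardened forms, plus a
self-audit of a site's own HTML for the suspicious parameter names the advisory
lists. Item SKUs, prices, form fields and the sample page are all constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed catalogue: the server's own record of what each item costs.
CATALOGUE = {"sku-100": 49.99, "sku-200": 120.00}

# Parameter names the advisory flags as suspicious in links and forms.
SUSPICIOUS_FIELDS = {"price", "recipient"}

# Requests that carried a client-supplied price: a tampering indicator to review.
TAMPER_LOG = []


def vulnerable_checkout(query_string):
    """Vulnerable: trusts the 'price' field the browser sent back (typically a
    hidden form input), so whoever edits that field sets the amount charged."""
    params = parse_qs(query_string)
    qty = int(params.get("qty", ["1"])[0])
    price = float(params["price"][0])  # attacker-controlled value
    return round(price * qty, 2)


def hardened_checkout(query_string):
    """Hardened: the price comes only from the server-side catalogue, the
    quantity is validated, and a price sent by the client is logged, not used."""
    params = parse_qs(query_string)
    item = params.get("item", [None])[0]
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    qty_text = params.get("qty", ["1"])[0]
    if not qty_text.isdigit() or not 1 <= int(qty_text) <= 100:
        raise ValueError("invalid quantity")
    if "price" in params:
        TAMPER_LOG.append({"item": item, "client_price": params["price"][0]})
    return round(CATALOGUE[item] * int(qty_text), 2)


class FormAuditor(HTMLParser):
    """Walks a page's own HTML and records (field, location) pairs wherever a
    form input or link query string uses a suspicious parameter name, or a
    form posts to a FormMail-style script."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._action = None  # action of the <form> currently open

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._action = a.get("action", "")
            if "formmail" in self._action.lower():
                self.findings.append(("formmail", self._action))
        elif tag == "input" and self._action is not None:
            name = a.get("name", "").lower()
            if name in SUSPICIOUS_FIELDS:
                self.findings.append((name, self._action))
        elif tag == "a":
            href = a.get("href", "")
            for name in parse_qs(urlparse(href).query):
                if name.lower() in SUSPICIOUS_FIELDS:
                    self.findings.append((name.lower(), href))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def audit_html(html):
    """Return the suspicious (field, location) pairs found in one HTML page."""
    auditor = FormAuditor()
    auditor.feed(html)
    return auditor.findings


# Constructed sample page showing both patterns the advisory names.
SAMPLE_PAGE = """
<form action="/cgi-bin/formmail.pl" method="post">
  <input type="hidden" name="recipient" value="sales@example.com">
  <input type="text" name="email">
</form>
<form action="/cgi-bin/order.pl" method="post">
  <input type="hidden" name="item" value="sku-100">
  <input type="hidden" name="price" value="49.99">
</form>
<a href="/cgi-bin/order.pl?item=sku-200&amp;qty=1&amp;price=120.00">Buy now</a>
"""

if __name__ == "__main__":
    tampered = "item=sku-100&qty=1&price=0.01"
    print("vulnerable charges:", vulnerable_checkout(tampered))
    print("hardened charges:  ", hardened_checkout(tampered))
    for field, where in audit_html(SAMPLE_PAGE):
        print(f"suspicious '{field}' in {where}")
```

The audit only confirms what the advisory itself notes: a "price" or "recipient" field is a reason to inspect the receiving script, not proof that it is exploitable. The hardened handler is the actual fix; the log entry it writes is the detection hook, since a legitimate browser submitting the hardened form never sends a price.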
About Perfecto Technologies (www.perfectotech.com)

Founded in 1997 and headquartered in Santa Clara, Calif., Perfecto Technologies pioneered the market for Web Application Security Management. AppShield, Perfecto's initial product offering, is the first to provide extreme security for web applications in dynamic eBusiness environments. Privately held, Perfecto is funded by blue-chip venture capital firms and industry leaders, including Sequoia Capital, Goldman Sachs, DLJ, Walden, and Intel Corporation. More information about Perfecto Technologies may be obtained by visiting the Company's Website at www.perfectotech.com or by calling the Company directly at (408) 855 9500.

Copyright © 1997-2000 Perfecto Technologies LTD. All rights reserved. Permission is hereby granted to reproduce and distribute the application security alerts herein in their entirety, provided the information, this notice and all other Perfecto Technologies marks remain intact.

Specific Limitations on Use of the Black Watch Labs Advisories

THIS ADVISORY INCLUDES INFORMATION WHICH WILL ILLUSTRATE CERTAIN SECURITY RISKS AND ISSUES ASSOCIATED WITH SITES ON THE INTERNET, INCLUDING, POTENTIALLY, YOUR SITE. YOU AGREE THAT YOUR VIEWING OF THIS ADVISORY IS SOLELY FOR THE PURPOSES OF UNDERSTANDING THESE RISKS AND ISSUES WITH RESPECT TO YOUR SITE AND THE PRODUCTS AND SERVICES OFFERED BY PERFECTO TECHNOLOGIES. YOU AGREE NOT TO USE ANY INFORMATION DISCLOSED TO YOU FOR ANY IMPROPER OR ILLEGAL PURPOSE, INCLUDING TO VIOLATE THE SECURITY OF ANY OTHER PERSON'S SITE. YOU ARE EXPLICITLY WARNED THAT THE USE FOR ANY IMPROPER PURPOSE OF INFORMATION DISCLOSED TO YOU COULD SUBJECT YOU TO CIVIL AND CRIMINAL LIABILITY IN THE UNITED STATES AND OTHER COUNTRIES.

NO WARRANTY

Any material furnished by Perfecto Technologies is furnished on an "as is" basis and may change without notice.
Perfecto Technologies makes no warranties of any kind, either expressed or implied as to any matter including but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Neither does Perfecto Technologies make any warranty of any kind with respect to freedom from patent, trademark or copyright infringement. In no event shall Perfecto Technologies be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.