
Using Search Engines to Locate Millions of Vulnerable Web Applications

Perfecto's Black Watch Labs Advisory #00-01 (17-Feb-2000)

Name:
Using Search Engines to Locate Millions of Vulnerable Web Applications

Black Watch Labs ID:
BWL-00-01

Date Released:
17-Feb-2000

Products affected:
Various.

Number of affected sites:
Millions

Category:
Web Applications (HTML): almost all possible subcategories.

Summary:
Search Engines (e.g. AltaVista and InfoSeek) can be used to reveal potential application-level vulnerabilities in indexed web sites.
Easily formed queries which incorporate the "signature" of a suspected vulnerability can be used to list the sites which match the signature, that is, which contain the "suspicious" content. In some cases, hundreds of thousands of web sites can be located with one query.

It is important to stress that submitting such queries to the search engines does not actually exploit either the search engines or the web pages that are referenced in their query results. These queries merely point out the web pages which contain material that may be used to exploit the web sites themselves.


Analysis:
- It is assumed that a vast number of web sites are indexed in some search engines. Moreover, some search engines (e.g. InfoSeek) allow queries that are confined to the links within the indexed pages. These search engines are then used to locate pages (within sites) that either contain sensitive material by themselves (i.e. if the search engine indexed private pages), or contain "special" links. These special links are "suspicious", in the sense that they contain some specific words or constructs that may enable an attacker to exploit the target of the link.

- Sensitive Arguments in Forms and Queries: Many sites contain forms and query links with "sensitive" parameters, i.e. parameters that, upon being modified by an attacker, can lead to exposure or exploit. For example, a form that contains a parameter named "price" may be used to indicate a price of an item to the processing script. If this parameter is changed, in an attempt to buy the item at a lower price, the processing script (on the server) may not diagnose it, and may process the lower price as if it was the legitimate price, hence providing the attacker with the item/goods at a lower than intended price ("E-Shoplifting").

It should be noted, though, that the mere existence of a parameter named "price" does not prove that the application is vulnerable, nor does the absence of all suspicious parameters indicate the contrary.

Suspicious patterns within links and forms include: "price" (E-Shoplifting); "formmail" (an indication of Matt's FormMail script, which allows sending email from the web server to a third party); and "recipient" (may indicate an argument to a script that sends email to that address).
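The "price" case above, as an added example that is not part of the advisory: a checkout handler that trusts a hidden "price" field (the processing script the advisory describes), beside a hardened one that prices the order from a server-side catalog and merely reports a client-supplied price as a tampering indicator. The catalog, the parameter names and the function names are assumptions made for this illustration.

```python
"""Added example (not code from the Black Watch Labs advisory): a checkout
handler that trusts a client-supplied "price" parameter, beside a hardened
version that ignores it and prices the order from a server-side catalog.
CATALOG, the field names and the function names are assumptions."""
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed server-side catalog: the only trustworthy source of prices.
CATALOG = {
    "SKU-100": Decimal("49.99"),
    "SKU-200": Decimal("1299.00"),
}


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_vulnerable(body: str) -> Decimal:
    """The flaw the advisory describes: the hidden "price" field is honoured.
    A client who edits price=1299.00 to price=1.00 is charged 1.00."""
    form = parse_form(body)
    qty = int(form["qty"])
    return Decimal(form["price"]) * qty


def checkout_hardened(body: str):
    """Prices the order from CATALOG only. Any client-supplied "price" is
    ignored and returned as a warning so the site can log it; unknown items
    and out-of-range quantities are rejected."""
    form = parse_form(body)
    warnings = []
    item = form.get("item")
    if item not in CATALOG:
        raise ValueError(f"unknown item {item!r}")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer") from None
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    if "price" in form:
        # A price field arriving from the client is itself worth alerting on.
        warnings.append(f"client sent price={form['price']!r}; ignored")
    return CATALOG[item] * qty, warnings


if __name__ == "__main__":
    # Constructed request body with the price edited down by the client.
    tampered = "item=SKU-200&qty=1&price=1.00"
    print("vulnerable charges:", checkout_vulnerable(tampered))
    print("hardened charges:  ", checkout_hardened(tampered))
```

The hardened handler keeps the item identifier as the only client-controlled input that influences the total, which is the general fix: every value that drives a security-relevant decision is recomputed server-side rather than read back from the form.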

Solution:
Web sites which implement Web application security are protected from these types of hacks.
Check now to test if your site is vulnerable to malicious searches and view specific instructions for fixes.
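One way a site owner can run the check on their own pages, as an added example that is not the advisory's or Perfecto's code: an auditor that walks a page's HTML and flags the form fields and link parameters matching the patterns the advisory lists ("price", "formmail", "recipient"), so they are found before a search-engine query finds them. The sample page, the class and function names and the wording of the indicators are assumptions for this illustration; a match is a heuristic indicator, not proof of a vulnerability, exactly as the advisory notes.

```python
"""Added example (not code from the Black Watch Labs advisory): audit a
page's own HTML for the "suspicious" form fields and link parameters the
advisory lists. SAMPLE_PAGE, FormAuditor and audit_html are assumptions."""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# The patterns named in the advisory, keyed to what each one may indicate.
SUSPICIOUS = {
    "price": "client-supplied price (E-Shoplifting)",
    "recipient": "mail destination controlled by the client",
    "formmail": "Matt's FormMail script",
}


class FormAuditor(HTMLParser):
    """Collects (where, name, why) for every suspicious field or parameter."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._form_action = None

    def _check(self, where, name):
        lowered = name.lower()
        for pattern, why in SUSPICIOUS.items():
            if pattern in lowered:
                self.findings.append((where, name, why))

    def _check_url(self, where, url):
        # Look at the script path (e.g. formmail.pl) and at each query name.
        parts = urlsplit(url)
        self._check(f"{where} path", parts.path)
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            self._check(f"{where} {url!r} parameter", name)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_action = a.get("action", "")
            self._check_url("form action", self._form_action)
        elif tag in ("input", "select", "textarea") and a.get("name"):
            self._check(f"form {self._form_action!r} field", a["name"])
        elif tag == "a" and a.get("href"):
            self._check_url("link", a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def audit_html(html: str):
    """Return the list of findings for one page's HTML source."""
    auditor = FormAuditor()
    auditor.feed(html)
    return auditor.findings


# Constructed sample page containing the three patterns from the advisory.
SAMPLE_PAGE = """
<html><body>
<form action="/cgi-bin/formmail.pl" method="post">
  <input type="hidden" name="recipient" value="sales@example.com">
  <input type="text" name="email">
</form>
<form action="/cart/add" method="post">
  <input type="hidden" name="item" value="SKU-200">
  <input type="hidden" name="price" value="1299.00">
  <input type="submit" value="Buy">
</form>
<a href="/cart/add?item=SKU-100&amp;price=49.99">Buy now</a>
<a href="/about.html">About</a>
</body></html>
"""

if __name__ == "__main__":
    for where, name, why in audit_html(SAMPLE_PAGE):
        print(f"{where}: {name!r} -> {why}")
```

Run it over the saved HTML of each public page (the same pages a search engine would index); every hit is a place where the server-side handler must be checked to confirm it does not trust that field, which is the remediation the advisory's Solution section points to.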


References and Links:
AltaVista Search Engine:
http://www.altavista.com/
InfoSeek Search Engine:
http://www.infoseek.com/
Analog web statistics:
http://www.statslab.cam.ac.uk/~sret1/analog/
ServerStats web statistics:
http://www.kitchen-sink.com/serverstat/index
WebTrends web statistics:
http://www.webtrends.com/products/Log/default.htm
Matt's Script Archive (FormMail):
http://www.worldwidemart.com/scripts/formmail.shtml
Introductory texts to SQL:
http://w3.one.net/~jhoffman/sqltut.htm
http://databases.about.com/compute/databases/library/weekly/aa112299.htm?iam=mt


About Black Watch Labs (https://www.perfectotech.com/blackwatchlabs)
Black Watch Labs is a research group operated by Perfecto Technologies Ltd., the leader in web application security management. Black Watch Labs was established to further the knowledge of web application security within the Internet community.

About Perfecto Technologies (www.perfectotech.com)
Founded in 1997 and headquartered in Santa Clara, Calif., Perfecto Technologies pioneered the market for Web Application Security Management. AppShield, Perfecto's initial product offering, is the first to provide extreme security for web applications in dynamic eBusiness environments. Privately held, Perfecto is funded by blue-chip venture capital firms and industry leaders, including Sequoia Capital, Goldman Sachs, DLJ, Walden, and Intel Corporation. More information about Perfecto Technologies may be obtained by visiting the Company's Website at www.perfectotech.com or by calling the Company directly at (408) 855 9500.


Copyright © 1997-2000 Perfecto Technologies LTD. All rights reserved.
Permission is hereby granted to reproduce and distribute the application security alerts herein in their entirety, provided the information, this notice and all other Perfecto Technologies marks remain intact.


Specific Limitations on Use of the Black Watch Labs Advisories
THIS ADVISORY INCLUDES INFORMATION WHICH WILL ILLUSTRATE CERTAIN SECURITY RISKS AND ISSUES ASSOCIATED WITH SITES ON THE INTERNET, INCLUDING, POTENTIALLY, YOUR SITE. YOU AGREE THAT YOUR VIEWING OF THIS ADVISORY IS SOLELY FOR THE PURPOSES OF UNDERSTANDING THESE RISKS AND ISSUES WITH RESPECT TO YOUR SITE AND THE PRODUCTS AND SERVICES OFFERED BY PERFECTO TECHNOLOGIES. YOU AGREE NOT TO USE ANY INFORMATION DISCLOSED TO YOU FOR ANY IMPROPER OR ILLEGAL PURPOSE, INCLUDING TO VIOLATE THE SECURITY OF ANY OTHER PERSON'S SITE. YOU ARE EXPLICITLY WARNED THAT THE USE FOR ANY IMPROPER PURPOSE OF INFORMATION DISCLOSED TO YOU COULD SUBJECT YOU TO CIVIL AND CRIMINAL LIABILITY IN THE UNITED STATES AND OTHER COUNTRIES.


NO WARRANTY

Any material furnished by Perfecto Technologies is furnished on an "as is" basis and may change without notice. Perfecto Technologies makes no warranties of any kind, either expressed or implied as to any matter including but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Neither does Perfecto Technologies make any warranty of any kind with respect to freedom from patent, trademark or copyright infringement. In no event shall Perfecto Technologies be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
