Monday, February 9, 2015

Server Side HTTP Redirection, SMTP Injection, HTTP Parameter Injection, HTTP Parameter Pollution - Notes

==============================================================================

Server Side HTTP Redirection

==============================================================================

Vulnerability exists when the APPLICATION SERVER uses an Attacker controllable input and incorporates it into a URL and retrieves it using a back-end HTTP Request.

  • Attacker may use the Application Server as Proxy to connect to a Internal Network resource which are not accessible directly
  • Attacker may use this to attack 3rd party systems
  • Attack may connect to other services on the Application Server itself, circumventing Firewall restrictions & exploiting trust relationships.
  • Attacker can use it to include external Attack Scripts
Attack : If you are able to identify a vulnerable parameter
  • Try to port scan the internal network using Burp Intruder.
  • Try to connect to other services on Application Server using 127.0.0.1

==============================================================================

HTTP Parameter Injection

==============================================================================

Vulnerability exists when user supplied "Parameters" are used as "Parameters" to a BackEnd HTTP Request.

  • Attacker may Inject additional Parameters ( URL encoded ), which are then submitted to the backend service. This might interfere with the application logic.
  • These additional parameters may not cause any error ( Unlike SOAP Injection)
  • Attack Requires knowledge of backend parameters or access to Code (Whitebox Testing / 3rd party component)
Example :      from=1234&to=54321&amount=1000%26FundsCleared%3DTrue&Submit=submit

==============================================================================

HTTP Parameter POLLUTION ( too many parameters)

==============================================================================

Vulnerability exists because, different web servers behave differently when they receive multiple parameters with the same name. Below are the common behaviors

1. First instance of the parameter is used
2. Last instance of the parameter is used
3. Parameter values are concatenated
4. Parameter values are inserted into an array

Success of Attack depends on how the target server handles multiple parameters

Example

Attacker Submits the following

from=1234&to=54321&amount=1000%26FundsCleared%3DTrue&Submit=submit

After Processing the following is submitted to the back end Service

from=1234&to=54321&amount=1000&FundsCleared=True&FundsCleared=False&Submit=submit

==============================================================================

Attack against RESTstyle URL Rewriting 

==============================================================================
When REST Style parameters are used where parameters are placed in filepath instead of the query string), the translation processing might be vulnerable to HTTP Parameter Injection & HTTP Parameter Pollution

Example:

/app/user/adam         (RESTStyle URL)  gets translated to the below URL
app/profile.php?mode=view&user=adam   

If the Attacker sets his name as    /adam%26mode=edit, then it gets translated to the following

app/profile.php?mode=view&user=adam&mode=edit

The success of attack depends on how multiple parameters are handled by the server.

==============================================================================

Email Header Manipulation

==============================================================================

  • Some applications offer a facility to email the support staff.
  • The application sends a SMTP message to the email server.
  • Vulnerability exists when the message submitted by the user is not filtered or sanitized by the application.
  • Email functionality allows the sender to submit his emailID, Subject, Message
PHP mail() command
  • constructs the email and performs the SMTP conversation with mail server
  • additional_headers parameter specifies the "TO, CC, BCC" by separating each header with a new line.
  • Sender ID:      abc@gmail.com%0ABcc:all@website.com

==============================================================================

SMTP Command Injection

==============================================================================
When the application itself performs the SMTP Conversation, it is possible to Inject SMTP Commands.

  • SMTP client issues "DATA" command and then sends the Message Headers & Body.
  • To finish the message, a single DOT (.) is sent after a new line (CRLF)











SMTP INJECTION

  • Text in Red is the Injected content.
  • Injected content is URL-Encoded and Injected in the Subject Header.
  • This constructs two email messages
  • Email message ends with a DOT after a NEW LINE.

MAIL FROM: abc@gmail.com
RCPT TO: support@gmail.com
DATA
From: abc@gmail.com
To:   support@site.com
Subject: Feedback
Site is not working
.
MAIL FROM: abc@attacker.com
RCPT TO: all@site.com
DATA
From: abc@attacker.com
To:   all@site.com
Subject: ATTACK
This is an Attack
.

Preventing an SMTP Injection

1. Email message should be checked against, regular expressions
2. Subject should not contain new Line
3. Length of Subject should be Limited
4. Alternatively, provide hardcoded subject messages
5. Lines containing a single dot should be disallowed.

==============================================================================

8 comments:

  1. ACTIVE & FRESH CC FULLZ WITH BALANCE
    Price $5 per each CC

    US FRESH, TESTED & VERIFIED SSN LEADS
    $1 PER EACH

    *Time wasters or cheap questioners please stay away
    *You can buy for your specific states too
    *Payment in advance

    CC DETAILS
    =>CARD TYPE
    =>FIRST NAME & LAST NAME
    =>CC NUMBER
    =>EXPIRY DATE
    =>CVV
    =>FULL ADDRESS (ZIP CODE, CITY/TOWN, STATE)
    =>PHONE NUMBER,DOB,SSN
    =>MOTHER'S MAIDEN NAME
    =>VERIFIED BY VISA
    =>CVV2

    SSN LEADS INFO
    First Name | Last Name | SSN | Dob | Address | State | City | Zip | Phone Number | Account Number | Bank NAME | DL Number | Home Owner | IP Address |MMN | Income

    Contact Us

    -->Whatsapp > +923172721122
    -->Email > leads.sellers1212@gmail.com
    -->Telegram > @leadsupplier
    -->ICQ > 752822040

    *Hope for the long term deal
    *If you buy leads in bulk, I'll definitely negotiate
    *You can ask me for sample of Lead for demo

    US DUMP TRACK 1 & 2 WITH PIN CODES ALSO AVAILABLE

    ReplyDelete
  2. If you are using Hotmail mail and want to enable MFA in outlook then, you will need to go to the Microsoft user management page. Now, sign in with your username and password. After that, select the accounts for which you want MFA. And, look for the “enable” link appears on the right-hand bottom and click on this link and you will see a dialog box. If you are facing any issue then, call on +44-800-368-9064 to get instant help if any required.
    Hotmail Support Number UK

    ReplyDelete
  3. If you want to set your Gmail time zone then, in that case, follow the Settings link Gmail. Now, go to the Accounts Tab and then, follow the Google Account Settings link appears under the Other Google Account settings. Now, follow the edit your personal info link appears under the Email address. Choose the Correct time zone appears under Time Zone. Call on +44-800-368-9067 to get connected with the technical team in case if you are facing any issue.
    Gmail Login UK

    ReplyDelete
  4. SELLING Fresh and valid USA ssn fullz
    99% connectivity with quality
    *If you have any trust issue before any deal you may get few to test
    *Every leads are well checked and available 24 hours
    *Fully cooperate with clients
    *Any invalid info found will be replaced

    *Format of Fullz/leads/profiles
    °First & last Name
    °SSN
    °DOB
    °(DRIVING LICENSE NUMBER)
    °ADDRESS
    (ZIP CODE,STATE,CITY)
    °PHONE NUMBER
    °EMAIL ADDRESS


    ****Contact Me****
    *ICQ :748957107

    *Gmail :taimoorh944@gmail.com

    *Telegram :@James307

    Cost for lead cost $2 for each
    Price can be negotiable if order in bulk

    *Contact soon!
    *Hope for a long term Business
    *Thank You!

    ReplyDelete

  5. This professional hacker is absolutely reliable and I strongly recommend him for any type of hack you require. I know this because I have hired him severally for various hacks and he has never disappointed me nor any of my friends who have hired him too, he can help you with any of the following hacks:

    -Phone hacks (remotely)
    -Credit repair
    -Bitcoin recovery (any cryptocurrency)
    -Make money from home (USA only)
    -Social media hacks
    -Website hacks
    -Erase criminal records (USA & Canada only)
    -Grade change

    Email: cybergoldenhacker at gmail dot com

    ReplyDelete
  6. Very helpful and straightforward blog mate! Well done

    ReplyDelete
  7. We have the fresh and valid USA ssn leads
    99% connectivity with quality
    ====================
    *If you have any trust issue you can buy few to test
    *Every leads are well checked and available 24 hours
    *Fully cooperate with clients
    ====================
    >> SSN+DOB
    >> SSN+DOB+DL
    >> Premium high score fullz (also included relative info)
    ====================
    TUTORIALS AVAILABLE FOR
    SPAMMING
    CARDING
    CASHOUTS
    MOBILE DEPOSITS
    >APPLE PAY & ANDROID TAP CASH
    >BANK TRANSFER
    >HOW TO CASHOUT DUMPS+PINS
    >MOBILE DEPOSIT
    ====================
    >SAFE SOCKS5 (USA)
    >SMTP Linux Root
    -->DUMPS+PINS
    (How to use & create dumps with pins track 1 & 2)
    =====================
    Also SELLING
    >SERVER I.P's & proxies in bulk
    >USA EMAILS Combo
    >Fresh Leads for tax returns & w-2 form filling
    >CC's with CVV's (vbv & non-vbv)
    >USA Photo ID'S (Front & back)
    >Payment mode BTC, ETH, LTC, & USDT

    Telegram : @Cyberz_Phoenix
    ICQ : @1001829652a
    WICKR : @cyberzphoenix

    ReplyDelete
  8. We produce only high-quality Registered Passports, ID Cards, Driver’s License, IELTS Certificate, VISA’s, Resident Permit, Birth Certificate, Diplomas SSN, TOEFL, Exit/Entry Stamps, etc that can be used legally both nationally and internationally. It will be produce with 100% authenticity like the original documents. We also use new biometric technologies for all types of our documents.

    Documents duplicate service:
    Documents duplicates producing means we will clone real existing documents and replace the information's with your provided details to suit your activities, database considering on your age, sex, nationality, etc. It will contain real name of parents of the person, address, some other useful information which can be asked at the airport and customs by immigration, ect.

    Documents registration service:
    For some Countries we can offer to register your new documents in the government database after it will be produced. In fact it will be the official issued documents and you can use it like the original ones. But the price for registered documents will be higher than for the regular documents producing.

    Visa/Stamps Affixion Service:
    We provide a possibility to affix almost all kind of stamps/VISAs into the passports to fill you more confident. We don't provide this kind of service separately from passport producing.

    IELTS Certificates:
    We offer high qualitative English test certificates without exam. Certificates will be original and registered in official database. All certificates we issue carries a band scores level of your choosing (6.5-9.0). IELTS is accepted by more than 10,000 organizations in over 145 countries.

    This includes:
    Universities, Schools, Training Colleges and Tertiary Institutes
    Government departments and agencies
    Professional and industry bodies
    Companies and employers.

    Contact:
    Wickr ID:::::::::: Spidoplug
    Email:::::::::::::: firstclassdocuments20@gmail.com
    Website:::::::::::www.documentsonline.store

    ReplyDelete