RE: Is this exploitable?..
From: Benjamin Livshits (livshits at cs.stanford.edu)
Date: Thu Dec 16 2004 - 14:14:11 CST
What worries me is a scenario in which parts of the HTTP request are
somehow malicious. I.e. as is the case for XSS, if responseString is set
to contain some user-supplied JavaScript, it may lead to problems if
printed back to the browser verbatim.
Coming up with an exploit scenario is the difficulty, though.
-Ben
> -----Original Message-----
> From: Peter Conrad [mailto:conrad at tivano.de]
> Sent: Thursday, December 16, 2004 7:54 AM
> To: webappsec at securityfocus.com
> Cc: Benjamin Livshits
> Subject: Re: Is this exploitable?..
>
>
> Hi,
>
> On Wednesday, 15 December 2004 23:42, Benjamin Livshits wrote:
> >
> > It looks like responseString obtained from req is forgeable and this
> > may conceivably lead to a vulnerability down the line, it seems, when
> > responseString is output with a call to out.print(responseString).
>
> Please explain in what way the responseString is "forgeable".
> Yes, it does include all the original request headers. That's
> the point of a TRACE request.
> out.print() will write the *body* of the response, if that's
> what worries you.
>
> Bye,
> Peter
> --
> Peter Conrad Tel: +49 6102 / 80 99 072
> [ t]ivano Software GmbH Fax: +49 6102 / 80 99 071
> Bahnhofstr. 18 http://www.tivano.de/
> 63263 Neu-Isenburg
>
> Germany
>
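The two points of the thread side by side, as an added illustration that is not code from either poster: a TRACE-style echo writes the request text (responseString) back as the response body, and whether that is a problem depends on how the body is labelled and encoded. The request line, header names and values below are constructed sample data.

```python
import html

# Constructed sample request (not from the thread). The X-Note value carries
# markup so the three ways of writing it back can be compared.
SAMPLE_REQUEST_LINE = "TRACE /echo HTTP/1.1"
SAMPLE_HEADERS = {
    "Host": "example.test",
    "X-Note": "<b>constructed</b>",  # constructed header value containing markup
}


def build_response_string(request_line, headers):
    """Reassemble the request as text, the role responseString plays in the thread."""
    lines = [request_line] + [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n"


def echo_verbatim(request_line, headers):
    """The pattern Ben worries about: request text written unchanged into a
    text/html body, so any markup in the request reaches the HTML parser."""
    body = build_response_string(request_line, headers)
    return {"Content-Type": "text/html; charset=utf-8"}, body


def echo_as_message_http(request_line, headers):
    """Hardened form 1: label the body as message/http, the media type RFC 2616
    specifies for a TRACE response, so a browser does not render it as a page."""
    body = build_response_string(request_line, headers)
    return {"Content-Type": "message/http"}, body


def echo_escaped_html(request_line, headers):
    """Hardened form 2: if the echo must appear inside an HTML page, encode it
    for the HTML context before it is written."""
    body = build_response_string(request_line, headers)
    return {"Content-Type": "text/html; charset=utf-8"}, f"<pre>{html.escape(body)}</pre>"


def reflected_markup_is_live(resp_headers, body, raw_value):
    """Check for a reflected response: True when the body is HTML-typed and a
    request value reached it with its markup intact (the XSS condition)."""
    is_html = resp_headers["Content-Type"].startswith("text/html")
    return is_html and raw_value in body
```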