IPP Injection “vinnu”

Namaste
I'm going to unveil a new technique developed by me to hack webapps and sites.

Internal Parameter Poisoning

You might’ve heard about the HPP injection technique in web apps and websites. Now I'm presenting a technique which can be subcategorized under the tree of HPP injection, the “IPP – Injection”. IPP stands for “Internal Parameter Poisoning” and is helpful in penetration testing.

The IPP injection employs the HPP injection technique: the variable name-value pair is injected directly into the webserver using GET or POST requests. The aftermath of the injection depends upon the use and implementation of the application’s variable under attack.

For example:

Suppose I somehow know the name of one of the variables, internalVar. Then I can inject this variable, for example in the URL:
victimserver[dot]com?param1=value&internalVar=malformedvalue
You can also inject using POST (you can use JavaScript injection to add a custom form to a webpage for this purpose).

Now let us proceed with a live example from Pentagon:

http://www.housing.navy.mil/pages.cfm?pg=hlc&num=2&section_id=2&sort=datUp&nextrow=11&CFID=2699653&CFTOKEN=48909620

But how do we know the names of internal variables?

Well, we can learn them either by brute forcing/hit-and-trial or by causing errors and exceptions in the webapp.

For example, in the above site, when I specify a wrong value for the parameter
section_id=2
change it to:
section_id=2and
Open the following URL:
http://www.housing.navy.mil/pages.cfm?pg=hlc&num=2&section_id=2and&sort=datUp&nextrow=11&CFID=2699653&CFTOKEN=48909620

It returned the error:
Variable SUB_HEAD_TEXT is undefined
(Well, the above example is specially chosen for the sake of simplicity; otherwise, you may get even more robust errors revealing some source code or the line of code that caused the problem. From there, try to harvest the variable names.)

So what are we waiting for? Let us inject this variable in the URL and give it any value.

The test revealed that this variable is used in forming the returned page.

Because this variable’s value is injected into the returned result page, we can try to inject HTML or JavaScript, which leads to an XSS condition. Check the following HTML injection:

http://www.housing.navy.mil/pages.cfm?pg=hlc&num=2&section_id=2and&SUB_HEAD_TEXT=<H1>IPP-Injection</H1><br>vinnu<br><H2>Legion+Of+Xtremers</H2><br>INDIA&sort=datUp&nextrow=11&CFID=2699653&CFTOKEN=48909620

A complete hijack of the application’s logic is possible if the variable value is used as an executing script or database query, though this will depend upon the way variables are initialized and implemented in the webapp.
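
The condition described above from the defender's side, as an added example that is not part of the original post and is not the site's code: a constructed Python model in which an internal template variable left undefined on an error path is resolved from request parameters, next to a hardened handler that allowlists parameters, reads the internal variable only from server-side scope and HTML-encodes it. The functions `load_internal`, `render_vulnerable` and `render_hardened`, the allowlist and the sample queries are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs

# Parameters the page accepts from the client (names taken from the URL in the post).
ALLOWED_PARAMS = {"pg", "num", "section_id", "sort", "nextrow", "CFID", "CFTOKEN"}
# Names the template reads that must only ever be set server-side.
INTERNAL_VARS = {"SUB_HEAD_TEXT"}


def load_internal(params):
    """Hypothetical server-side setup: the heading is set only for a numeric id."""
    scope = {}
    if params.get("section_id", "").isdigit():
        scope["SUB_HEAD_TEXT"] = "Section " + params["section_id"]
    return scope


def render_vulnerable(query):
    params = {k: v[0] for k, v in parse_qs(query).items()}
    internal = load_internal(params)
    # Flaw: one merged namespace, so a name missing from the internal scope
    # falls through to whatever the client sent, and is emitted unencoded.
    merged = {**params, **internal}
    return "<h2>" + merged["SUB_HEAD_TEXT"] + "</h2>"  # KeyError models "is undefined"


def render_hardened(query):
    raw = {k: v[0] for k, v in parse_qs(query).items()}
    # Detection hook: client-supplied names that collide with internal variables.
    collisions = sorted(k for k in raw if k.upper() in INTERNAL_VARS)
    params = {k: v for k, v in raw.items() if k in ALLOWED_PARAMS}
    internal = load_internal(params)
    text = internal.get("SUB_HEAD_TEXT", "")  # explicit scope with a safe default
    return "<h2>" + html.escape(text) + "</h2>", collisions


if __name__ == "__main__":
    # Constructed sample queries: normal, error path, error path plus injected name.
    for q in ("pg=hlc&section_id=2",
              "pg=hlc&section_id=2and&SUB_HEAD_TEXT=<b>x</b>"):
        print(render_vulnerable(q), render_hardened(q))
```

In the model the injected name only takes effect when the server-side value is missing, which matches the post's observation that the error path is what exposes the variable; the `collisions` list is what a handler would log or alert on.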

“vinnu”
