Monday, 29 October 2007

Detecting BroadVision Applications. Are they secure?

Are proprietary applications secure? Well, I guess yes and no. Security researchers are constantly looking for flaws in those applications, and only once a bug is reported does the vendor take action to close the hole. I am currently auditing a BroadVision application, and what a surprise I got from my results. I am not supposed to reveal anything, but let me tell you, for a critical application like this, I am not sure if the customer is using an old version of BroadVision or it was simply not checked for sanitization. I could basically do pretty much anything I wanted with that application and create havoc. Too bad I can't show anything here, but trust me, if you guys get a chance to audit a BroadVision application, you will be surprised by the kind of flaws you find. It's basically like opening a can of worms, waiting for someone to feed on it.

Well, at first I wasn't sure it was a BroadVision application; however, after some research and observation of the HTTP headers, this is what I got:

POST http://example.com/bvsn/bvcom/en/server/whereto.jsp?BV_SessionID=NNNN1809204881.10923774158NNNN&BV_EngineID=nnndaoplghjkiihcfklcfkmdgohdgih.0&BV_UseBVCookie=yes HTTP/1.0

The killer signature here is the parameter names BV_SessionID and BV_EngineID. If you see these anywhere in a URL or in an HTTP header, you have more or less nailed down a BroadVision application. Of course there are other indicators, like checking for the .do extension; however, that wasn't seen during the audit. Google for those two parameter names and you will see what I mean. I am now signing off here and back for another round of audit. I am going to pretty much cripple the whole application this time round.
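To turn the fingerprint above into something a defender can run over their own proxy or web server logs, here is an added example (not code from the post) that parses request lines and raw header lines and reports which BroadVision markers each one carries. It parses the query string properly instead of grepping for a substring, so a marker name that merely appears in a path does not count as a hit. The request line is the one quoted above; the other sample lines are constructed, and the function names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter/cookie names the post singles out as the BroadVision fingerprint.
# The first two are the strong signal; BV_UseBVCookie appears next to them in the quoted URL.
BV_MARKERS = ("BV_SessionID", "BV_EngineID", "BV_UseBVCookie")
STRONG_MARKERS = BV_MARKERS[:2]

# "METHOD target HTTP/x.y" as found at the top of a request or in a proxy log.
_REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")
# A marker as a name=value pair inside a header (Cookie, Set-Cookie, Location, Referer ...).
_HEADER_MARKER = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(BV_MARKERS) + r")=")


def request_line_markers(request_line: str) -> tuple:
    """Markers present as query-string parameter names in one HTTP request line.

    The target URL is parsed, so a marker that only appears in the path or in
    a value is ignored. Malformed lines yield an empty tuple.
    """
    m = _REQUEST_LINE.match(request_line.strip())
    if not m:
        return ()
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    return tuple(name for name in BV_MARKERS if name in params)


def header_markers(header_line: str) -> tuple:
    """Markers present as name=value pairs in a raw header line."""
    found = {hit.group(1) for hit in _HEADER_MARKER.finditer(header_line)}
    return tuple(name for name in BV_MARKERS if name in found)


def line_markers(line: str) -> tuple:
    """Dispatch: request lines get the URL parser, anything else the header matcher."""
    if _REQUEST_LINE.match(line.strip()):
        return request_line_markers(line)
    return header_markers(line)


def is_broadvision(markers) -> bool:
    """True when at least one of the two strong markers is present."""
    return any(name in markers for name in STRONG_MARKERS)


def scan(lines) -> dict:
    """Return {line_index: markers} for every line that carries a strong marker."""
    hits = {}
    for i, line in enumerate(lines):
        markers = line_markers(line)
        if is_broadvision(markers):
            hits[i] = markers
    return hits


# Constructed sample input. The first line is the request line quoted in the post.
SAMPLE_LINES = [
    "POST http://example.com/bvsn/bvcom/en/server/whereto.jsp?BV_SessionID=NNNN1809204881.10923774158NNNN&BV_EngineID=nnndaoplghjkiihcfklcfkmdgohdgih.0&BV_UseBVCookie=yes HTTP/1.0",
    # Constructed: a response header carrying the engine identifier as a cookie.
    "Set-Cookie: BV_EngineID=nnndaoplghjkiihcfklcfkmdgohdgih.0; path=/",
    # Constructed: unrelated request with no markers.
    "GET http://example.com/catalog/list.do?page=2 HTTP/1.1",
    # Constructed: marker text in the path only; a naive substring grep would flag this.
    "GET http://example.com/docs/BV_SessionID.html HTTP/1.1",
]

if __name__ == "__main__":
    for index, markers in scan(SAMPLE_LINES).items():
        print(f"line {index}: BroadVision markers {markers}")
```

Run against a real access log one line at a time, this gives an inventory of which of your own hosts expose the BroadVision markers. A session identifier carried in the query string, as in the quoted request line, is also worth a look in its own right, since URLs end up in logs, browser history and Referer headers.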

The Hacka Man
