lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 24 Sep 2003 23:10:51 +0200
From: RAFAEL SAN MIGUEL CARRASCO <rsmc@....es>
To: bugtraq@...urityfocus.com
Subject: Sanctum AppScan 4 misses potential vulnerabilities in wrapped links


"AppScan 4.0 Audit Edition, the market leading application vulnerability assessment 
tool, accurately detects security vulnerabilities automatically as an integrated 
component of an enterprise security process review."

AppScan 4 have a flaw regarding the way the "Explore stage" is implemented
when the "Automatic Scan" is selected.
When a reference to a URL in a "a href" tag is made using a wrapper function 
instead of directly calling "window.open" or "document.location" javascript 
functions, AppScan will not detect the link and the URL will not be tested 
against any attack.

As this is a common way to reference URLs (it enables the coder to do some 
stuff before the window is actually opened), many pages of a website may not
be analyzed by AppScan, hiding potential vulnerabilities to the user. 
An attacker with this knowledge would scan first pages referenced in the way 
explained above, speeding up the vulnerability discovery process.

Here is an example of a link that will be ignored by AppScan:

<script>
function openBrWindow(theURL,winName,features) 
{ window.open(theURL,winName,features); }
</script>

<a href="#" onClick="openWindow('bla.html','','');">
<img src="bla.jpg"></a>

I contacted SanctumInc, and this was the solution proposed:

"We are aware of this limitation and in case of extensive usage of Java Script 
we recommend the user to choose "Interactive" Scan Type and explore the site 
manually. If you do so, just like a normal user will explore your site, AppScan 
will test the encapsulated links."

More information about this product: www.sanctuminc.com


Rafael San Miguel Carrasco
División de Infraestructura y Seguridad en Redes IP
Telefónica I+D

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ