Help popping a web application

From: Maudite MLRL (maudite.mlrl@gmail.com)
Date: Tue Feb 14 2006 - 21:13:11 EST


Ok,
Working on a Black Box application test and I am looking for a little input on some things to try to get through this application. This is against production deployed code but the test is against the test lab systems so messing up the system is ok. The goal is elevated privilege and/or data manipulation. What I am up against is a 3 tier web application.
Rules/scope are application only, no direct service attacks against the OS/Network/ or server system (IIS 5) itself. So like no metasploit type garbage. Hand jamming all the way and through the web interface only.
Background:
Web tier: Web Server is IIS 5.0, on win 2k
Application server Tier: application server is Websphere 6.0 on Win2k
DB tier is MS SQL on win 2k.
All separate boxes. Code base is Java. Authentication is handled by Active Directory (out of scope). This is an internal app. There are probably firewalls between me and the primary web server, but my area is application only anyway. I have a user level login. Whole connection scheme is SSL (cookies/presentation/ all of it).
Web inspect offered NO vulnerabilities.
What I have done both in the html portion of the application and catching the info at a Burp Suite Proxy so I could bypass any funky filtering:
Standard 1=1 and ' type injections at multiple input locations. Produced no errors just a custom "did not meet criteria message".
Directory traversal – no joy
URL rewrite for bypassing any login type criteria- no joy
Sequential session ID checks to hijack a 1 up system – no joy they are random
Large input (5000 characters) to see if I could force an error.
Bad option to a field sort request – got a custom error message stating call the administrator. No information
No information in the html code. Column headings do not appear to match DB tables when other requests are manipulated with html information.
Cookies and web pages are not cached.
There was other stuff but I am a little drained to remember right now. I have until Sunday to pop this then my window closes.
Anything can help at this point. I hate to lose.
Maudite.


