Lucene search
K

Web Application Potentially Sensitive CGI Parameter Detection

🗓️ 25 Aug 2009 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 495 Views

Web Application Potentially Sensitive CGI Parameter Detection. Detection of sensitive CGI parameters that control data and may pose security risk

Code
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#


include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
 script_id(40773);
 script_version("1.12");
 script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

 script_name(english:"Web Application Potentially Sensitive CGI Parameter Detection");
 script_summary(english: "Common sensitive CGI parameters names");

 script_set_attribute(attribute:"synopsis", value:
"An application was found that may use CGI parameters to control
sensitive information.");

 script_set_attribute(attribute:"description", value:
"According to their names, some CGI parameters may control sensitive
data (e.g., ID, privileges, commands, prices, credit card data, etc.). 
In the course of using an application, these variables may disclose
sensitive data or be prone to tampering that could result in privilege
escalation.  These parameters should be examined to determine what
type of data is controlled and if it poses a security risk.

** This plugin only reports information that may be useful for auditors
** or pen-testers, not a real flaw.");

 script_set_attribute(attribute:"solution", value: 
"Ensure sensitive data is not disclosed by CGI parameters.  In
addition, do not use CGI parameters to control access to resources or
privileges.");

 script_set_attribute(attribute:"risk_factor", value:"None");

 script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/25");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.");
 script_family(english: "CGI abuses");

 script_dependencie("http_version.nasl", "webmirror.nasl");
 script_require_ports("Services/www", 80);
 script_require_keys("Settings/enable_web_app_tests");
 exit(0);
}

#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("torture_cgi.inc");

port = torture_cgi_init();

names = make_array(
"cmd",		"Possibly a command - try 'edit', 'view', 'delete'...",
"command",	"Possibly a command - try 'edit', 'view', 'delete'...",
"id",		"Potential horizontal or vertical privilege escalation",
"price",	"Manipulating this could allow for price modification",
"admin",	"Potential vertical privilege escalation - try '1', 'yes'...",
"role",		"Potential privilege escalation - try 'admin', 'super'...",
"pwd",		"Possibly a clear or hashed password, vulnerable to sniffing or dictionary attack",
"pass",		"Possibly a clear or hashed password, vulnerable to sniffing or dictionary attack",
"passwd",	"Possibly a clear or hashed password, vulnerable to sniffing or dictionary attack",
"password",	"Possibly a clear or hashed password, vulnerable to sniffing or dictionary attack",
"user",		"Potential horizontal privilege escalation - try another user ID",
"userid",	"Potential horizontal or vertical privilege escalation",
"usr",		"Potential horizontal privilege escalation - try another user ID",
"cc",		"Possibly credit card data - please examine it",
"expd",		"Possibly credit card expiration date",
"cvv",		"Possibly a credit card cryptogram" );


t = get_port_transport(port);

cgis = get_cgi_list(port: port);

rep = "";
foreach cgi (cgis)
{
  repcgi = "";
  args_l = get_cgi_arg_list(port: port, cgi: cgi);
  args_l = replace_cgi_args_token(port: port, args_list: args_l, max_tokens: 1);
  foreach arg (args_l)
  {
    name = tolower(arg);
    foreach k (keys(names))
      if (k == name)
      {
	a = names[k];
	if (t > ENCAPS_IP)
          a = str_replace( string: a,
	      		   find: "vulnerable to sniffing or ",
			   replace: "vulnerable to ");
        repcgi = strcat(repcgi, arg, ' : ', a, '\n');
	break;
      }
  }
  if (strlen(repcgi) > 0)
  rep = strcat(rep, 'Potentially sensitive parameters for CGI ', cgi, ' :\n\n', repcgi, '\n');
}

if (strlen(rep) > 0)
{
  security_note(port: port, extra: '\n'+rep);
  if (COMMAND_LINE) display(rep);
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

19 Jan 2021 00:00Current
5.5Medium risk
Vulners AI Score5.5
495