URL Manipulation Hacks in Web Applications
An automated input hack manipulates a URL and sends it back to the server, telling the web application to do various things, such as redirect to third-party sites, load sensitive files off the server, and so on. Local file inclusion is one such vulnerability.
This is when the web application accepts URL-based input and returns the specified file’s contents to the user. For example, in one situation, webInspect sent something similar to the following request and returned the Linux server’s passwd file:
https://www.your_web_app.com/onlineserv/Checkout.cgi?state= detail&language=english&imageSet=/../..//../..//../..//../ ..///etc/passwd
The following links demonstrate another example of URL trickery called URL redirection:
http://www.your_web_app.com/error.aspx?PURL=http://www. bad~site.com&ERROR=Path+’OPTIONS’+is+forbidden. http://www.your_web_app.com/exit.asp?URL=http://www. bad~site.com
In both situations, an attacker can exploit this vulnerability by sending the link to unsuspecting users via e-mail or by posting it on a website. When users click the link, they can be redirected to a malicious third-party site containing malware or inappropriate material.
If you have nothing but time on your hands, you might uncover these types of vulnerabilities manually. However, in the interest of sanity (and accuracy), these attacks are best carried out by running a web vulnerability scanner because they can detect the weakness by sending hundreds and hundreds of URL iterations to the web system very quickly.