NYPHP.org

[nycphp-talk] worm/virus's hammering feedback scripts?

Chris Shiflett shiflett at php.net
Mon Sep 12 10:05:05 EDT 2005


Daniel Krook wrote:
> This is important, I found injections in ALL my fields, not just the
> obvious textarea fields. Hidden and regular text boxes have been used
> as well, since this attack is automated and doesn't function as a
> normal browser would.

Having just written a penetration testing tool, I can say that an 
application's HTML is the perfect blueprint for an attack. It's pretty 
trivial to collect a list of URLs within an application. With that list, 
you simply search for all links and forms that point to each URL (not 
one pass per URL, but you get the idea), and you collect a list of 
variable names that are expected by each script. It doesn't matter what 
the interface to the user is.

With such a list, you can pretty much do whatever you please - you can 
even try injecting content into each variable name as a variety of types 
- GET data, POST data, cookies, etc.

So, as developers, we must necessarily give away a lot of information 
about our applications. This makes our job even harder.

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
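
The point made in the message above, seen from the defending side, as an added example that is not part of the original post: it builds the same per-script list of variable names from an application's own HTML and reports the ones that have no server-side validation rule. The sample markup, the script paths and the VALIDATED table are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample page: one link with a query string and one feedback form.
SAMPLE_HTML = """
<a href="/article.php?id=7&amp;lang=en">Read</a>
<form action="/feedback.php" method="post">
  <input type="hidden" name="recipient" value="staff">
  <input type="text" name="email">
  <select name="topic"><option>general</option></select>
  <textarea name="message"></textarea>
  <input type="submit" value="Send">
</form>
"""
# Hypothetical table: the names each script actually validates on the server.
VALIDATED = {"/feedback.php": {"email", "message"}, "/article.php": {"id"}}

class InputInventory(HTMLParser):
    """Collects, per target script, every variable name the HTML exposes."""
    def __init__(self):
        super().__init__()
        self.fields = {}    # script path -> {variable name: kind of control}
        self._form = None   # path of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            url = urlsplit(a["href"])
            for name, _ in parse_qsl(url.query, keep_blank_values=True):
                self.fields.setdefault(url.path, {})[name] = "link"
        elif tag == "form":
            self._form = urlsplit(a.get("action") or "").path
        elif tag in ("input", "select", "textarea") and a.get("name"):
            if self._form is not None:
                kind = a.get("type", "text") if tag == "input" else tag
                self.fields.setdefault(self._form, {})[a["name"]] = kind

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def inventory(html):
    """Return {script: {name: kind}} for every link and form in the markup."""
    parser = InputInventory()
    parser.feed(html)
    return parser.fields

def unvalidated(html, validated):
    """Return {script: names exposed in the HTML with no validation rule}."""
    gaps = {path: sorted(set(names) - validated.get(path, set()))
            for path, names in inventory(html).items()}
    return {path: names for path, names in gaps.items() if names}
```

On the sample, the hidden `recipient` field and the `topic` select show up in the inventory exactly like the visible text fields, which is why every name needs a rule regardless of how it is presented to the user.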
