4

I am using Acunetix to perform part of a security audit on an incoming website. The application is mainly developed with PHP and MySQL.

All user input is escaped, but some input (URL parameters mainly) remains partially unescaped: I can still send the '*' operator in the string parameter. Acunetix triggers an alert because of it:

Attack details

URL encoded POST input A was set to 417*1*1*1*1*1*1*

Tests performed:

648' => ERROR
648'' => ERROR
883*1*1* => ERROR
545*1*1*1*1 => OK
965*1*1*1*1* => ERROR
880*1*1*1*1*1*1 => OK
417*1*1*1*1*1*1* => ERROR

And I do not understand why it is considered a vulnerability: is the purpose to show that my input is not sufficiently escaped (no matter how exploitable the flaw actually is), or is there a real hazard here? And in case there is: how do you exploit it?

2
  • 2
    * is an operator that takes two operands, one on each side, to perform an arithmetic operation. So if you use * at the end, it will always give you an error... Jan 16, 2018 at 10:03
  • To make your life easier, just use prepared statements. Jan 18, 2018 at 16:20

1 Answer 1

0

By submitting the asterisk operator the test provider just checks whether the sign is evaluated as a string or as an operator. If it throws an error for the syntactically wrong input, it can be concluded that it was not escaped. If some vulnerable code were submitted, it would therefore likely be unescaped as well and therefore harm your infrastructure.

Submitting the asterisk itself is considered harmless. Anyway, it is just a test to see if there are vulnerabilities; the provider does not want to submit values that actually harm or destroy your test environment.

1
  • I understand that the less information you give, the better. I feared there was an actual risk, but I understand Acunetix's alert. Thanks for your explanation
    – Marvin
    Jan 16, 2018 at 10:55
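An added example (not from the question, the answer, or Acunetix) that reproduces the OK/ERROR pattern in the report and shows why the prepared-statement advice from the comments resolves it. It uses Python with an in-memory SQLite database as a stand-in for the PHP/MySQL application; the error messages differ from MySQL's, but the OK/ERROR split for these probes is the same.

```python
import sqlite3

# Constructed sample database standing in for the PHP/MySQL application.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
conn.executemany("INSERT INTO items VALUES (?, ?)",
                 [(545, "widget"), (880, "gadget")])
conn.commit()

# Probes copied from the scanner report. A trailing '*' leaves the
# expression without a right-hand operand, so it only errors when the
# database actually parses the value as SQL instead of treating it as data.
PROBES = ["648'", "648''", "883*1*1*", "545*1*1*1*1",
          "965*1*1*1*1*", "880*1*1*1*1*1*1", "417*1*1*1*1*1*1*"]


def query_unsafe(user_input):
    """Concatenates the raw value into the SQL text: the flaw the scanner
    is probing for. Balanced arithmetic evaluates, unbalanced input errors."""
    try:
        conn.execute(f"SELECT id FROM items WHERE id = {user_input}").fetchall()
        return "OK"
    except sqlite3.OperationalError:
        return "ERROR"


def query_safe(user_input):
    """Bound parameter: the driver sends the value separately from the SQL,
    so '*' and quotes are plain characters in a string compared against id."""
    try:
        conn.execute("SELECT id FROM items WHERE id = ?", (user_input,)).fetchall()
        return "OK"
    except sqlite3.OperationalError:
        return "ERROR"


def run_probes(query_fn):
    """Returns {probe: 'OK' | 'ERROR'} for every scanner probe."""
    return {p: query_fn(p) for p in PROBES}


if __name__ == "__main__":
    for label, fn in (("concatenated", query_unsafe), ("parameterized", query_safe)):
        print(label)
        for probe, result in run_probes(fn).items():
            print(f"  {probe:<20} => {result}")
```

The concatenated variant reproduces the report line for line, which is the signal the scanner keys on; the parameterized variant returns OK for every probe because none of them is ever parsed as SQL.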
