02-25-2014 08:48 AM
We are running WebInspect 10.1.177.0. On our recent scan with a .NET web app, we found "possible format string injection" and "possible parameter based buffer overflow" vulnerabilities. However, under the "Session Info" menu, the "HTTP Response" menu was greyed out. If opening the HTTP editor, we only saw the HTTP Request and the response viewer is blank.
Do the blank responses mean the vulnerabilities are confirmed or something was wrong during the scan?
Thanks for any help.
02-26-2014 12:24 PM
I believe these null Responses are in the nature of these two probes.
From the Execution section of the Possible Format String Injection, it does indicate that the vulnerable response could include crashes, so I would assume a null response could be an option as well.
To test for format string injection vulnerabilities, submit the string value "%n%s%n%s%n%s%n%s" in form input fields and watch to see if the application behaves oddly, such as crashing or returning a response that indicates a memory access exception occurred.
As for the possible Parameter Based Buffer Overflow, there are three of these; #5057 with 2100 bytes, #10254 with 270 bytes, and #10253 with 70 bytes. The BO checks performed by WebInspect are not pure exploits, but more like "pulled punches". They provide most of the payload, but not all of it, and then WebInspect is seeking a timed-out session or other delay in the Response timing that indicates the server is having trouble managing the Request and that providing it the full exploit could push it over the brink. So for any Buffer Overflow check, I would not be surprised to see a null HTTP Response.
-- Habeas Data
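The reasoning in the answer above (a blank, timed-out response is expected for the partial-payload buffer overflow probes, while the format-string probe is only suspicious when the response is missing or shows a crash) can be written down as a small triage helper. This is an added example, not code from the thread or from WebInspect; the `Session` record layout, the 30 s timeout, the `CRASH_MARKERS` phrases and the sample sessions are all assumptions, and the check IDs are the ones quoted in the answer.

```python
from dataclasses import dataclass
from typing import Optional

# Check IDs and payload sizes quoted in the answer above.
BUFFER_OVERFLOW_CHECKS = {"5057": 2100, "10254": 270, "10253": 70}
FORMAT_STRING_CHECK = "format_string"
TIMEOUT_SECONDS = 30.0  # assumed scanner request timeout, not a WebInspect setting from the thread
# Phrases suggesting the format-string probe reached a crash; illustrative list, not a scanner rule.
CRASH_MARKERS = ("access violation", "memory access", "stack trace", "internal server error")


@dataclass
class Session:
    check: str                 # "5057", "10254", "10253" or "format_string"
    elapsed_seconds: float
    status: Optional[int]      # None when no HTTP response was received
    body: str                  # "" when the response viewer is blank


def triage(s: Session) -> str:
    """Return a verdict starting with 'possible', 'inconclusive' or 'not indicated'."""
    blank = s.status is None and not s.body
    if s.check in BUFFER_OVERFLOW_CHECKS:
        # The BO probes send a partial payload and look for a stalled or dropped response.
        if blank and s.elapsed_seconds >= TIMEOUT_SECONDS:
            return "possible: request timed out on the partial overflow payload; verify manually"
        if blank:
            return "inconclusive: blank response without a timeout; rescan this request"
        return "not indicated: server answered the overflow probe normally"
    if s.check == FORMAT_STRING_CHECK:
        if blank:
            return "possible: no response at all, consistent with a crash; check server logs"
        if any(m in s.body.lower() for m in CRASH_MARKERS):
            return "possible: response text indicates a memory or crash condition"
        return "not indicated: format-string probe returned a normal response"
    raise ValueError(f"unknown check {s.check!r}")


def triage_all(sessions):
    """Map each session to its verdict, keyed by check ID."""
    return {s.check: triage(s) for s in sessions}


if __name__ == "__main__":
    # Constructed sample sessions mirroring the blank responses described in the question.
    sample = [
        Session("5057", 31.2, None, ""),
        Session("10253", 0.4, None, ""),
        Session(FORMAT_STRING_CHECK, 0.3, 500, "Access Violation at address (constructed)"),
    ]
    for check, verdict in triage_all(sample).items():
        print(check, "->", verdict)
```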