Sla.ckers.org
Strange customer requirement -- Please advise
Posted by: simamhussain
Date: January 23, 2010 12:55PM

Hi All,

One of our product's customers did a security audit on the product they purchased and raised an incident for us to solve. I solved most of the issues, but the one mentioned below is just eating my head. Please help/suggest how to solve this. The issue is:

They want authenticated users to have restrictions on all xml, xslt and xsd files. I repeat, it is for authenticated users, not unauthenticated ones. After logging into the system, if a user knows the path of an xml file and requests it directly, like http://<system:0000>/vir_dir/core/xxxx.xml, it should be restricted.

I found one workaround for this: in IIS, go to the file properties and remove READ access. This solved the problem for xml files, but when I did the same for XSLT files, I get a JavaScript error on the page where that XSLT is used. I know this can be fixed by changing the design of the page/application, but we do not have that much time.

Any workaround/fix for this?
Technology: ASP, JavaScript and IIS 6.0

I am really relying on you, and I am hoping this forum can solve my problem.

Thanks in advance.

Re: Strange customer requirement -- Please advise
Posted by: rvdh
Date: January 23, 2010 03:39PM

xlsheet.setProperty("AllowXsltScript", true);

Re: Strange customer requirement -- Please advise
Posted by: simamhussain
Date: January 24, 2010 03:57AM

Thanks for the response. But I was looking for blocking access to xsl files for authenticated users. The application should use the xsl scripting, but whenever the end user tries to access the xsl file directly, like http://<machine>/vir_dir/sample.xsl, it should be blocked. Can we block the access programmatically?
Awaiting reply...

Re: Strange customer requirement -- Please advise
Posted by: kuza55
Date: January 24, 2010 06:28PM

If IIS lets you use a custom 404/403/401 (whatever the appropriate error code is) page, you may be able to get away without changing the client-side code by simply having the error page for that directory figure out what they were trying to access and then work out whether they have the appropriate rights.

You could also just create a proxy script, e.g. http://<system:0000>/vir_dir/core/file.asp=xxxx.xml, but that would require rewriting client-side code, and while the above is a bit of a massive hack, it will probably be easier/faster.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Re: Strange customer requirement -- Please advise
Posted by: rvdh
Date: January 24, 2010 09:52PM

I'm no IIS administrator, but I guess it depends on whether it is run from an intranet; you could apply or deny rights to it. Another option is IP (range) restriction, and/or checking for the proper referer through an ISAPI rewrite module like ISAPI_Rewrite (paid module). Or indeed, as kuza55 said, write a small proxy script (not necessarily a real proxy) that does this for you.

Re: Strange customer requirement -- Please advise
Posted by: rvdh
Date: January 24, 2010 10:01PM

Let me clarify the ISAPI rewrite method.

If a call is made to an xslt file without the proper referer (i.e. the script that calls it, like an XML file), you could deny the request. Same with the XML that is called inside another page. This way you can't call the XML/xslt directly, only through an authenticated script that executes/requests it. That's how I would solve it. Yes, you could spoof the referer, but you can solve this partly by checking for a hash or temporary session password in the request URI. Then they need to know two things: the script name and the hash/password. It isn't foolproof, but it works in most cases; they need to go through a lot of hassle for a bunch of xml files. So it's a trade-off you can make.

In Linux/Apache this is easy to solve by changing the permission bits so that only the (authenticated) script owner can read it.

Re: Strange customer requirement -- Please advise
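One way to combine kuza55's proxy-script suggestion with rvdh's per-session token and referer check, as an added example written for this page in classic ASP (VBScript) for IIS 6; it is not code from the thread. Everything named here is an assumption: the script name getfile.asp, the session keys Session("LoggedIn") and Session("FileToken"), the folder D:\app\protected\core\ that the real xml/xsl/xsd files are assumed to have been moved to (or had READ removed on, as the original poster already did), and a login page that sets Session("LoggedIn") and calls NewToken() once.

```vbscript
<%@ Language="VBScript" %>
<%
' getfile.asp -- gate script that serves xml/xsl/xsd files only to an
' authenticated session that also presents the per-session token.
' Added example for this thread; the names below are assumptions:
'   Session("LoggedIn")  - set to True by the (assumed) login page
'   Session("FileToken") - random token issued once per session by NewToken()
'   BASE_DIR             - where the files live; IIS must not serve it directly
' Pages that embed a stylesheet build the URL as
'   "getfile.asp?f=sample.xsl&t=" & Session("FileToken")
' so a user who only knows the old path /vir_dir/sample.xsl is refused.
Option Explicit
Response.Buffer = True

Const BASE_DIR = "D:\app\protected\core\"   ' assumed location, outside the web root

' Issues the token once per session (the login page calls this via #include).
' Randomize/Rnd is not a cryptographic generator; swap in a stronger source.
Function NewToken()
    Dim i, s
    Randomize
    s = ""
    For i = 1 To 32
        s = s & Hex(Int(Rnd * 16))
    Next
    NewToken = s
End Function

Sub Deny(status)
    Response.Clear
    Response.Status = status
    Response.ContentType = "text/plain"
    Response.Write "Access denied"
    Response.End
End Sub

' 1. Authenticated session only (the customer's requirement is about logged-in users).
If Session("LoggedIn") <> True Then Deny "401 Unauthorized"

' 2. The request must carry the token that only our own server-rendered pages know.
If IsEmpty(Session("FileToken")) Then Deny "403 Forbidden"
If Request.QueryString("t") <> Session("FileToken") Then Deny "403 Forbidden"

' 3. Referer check as rvdh suggests. It is spoofable, so it is defence in depth only;
'    an absent Referer is tolerated because the token above is the real check.
Dim referer, ownPrefix
referer = LCase(Request.ServerVariables("HTTP_REFERER"))
ownPrefix = "http://" & LCase(Request.ServerVariables("HTTP_HOST")) & "/"
If referer <> "" And Left(referer, Len(ownPrefix)) <> ownPrefix Then Deny "403 Forbidden"

' 4. Accept only a bare file name with an allowed extension; reject path traversal.
Dim name, ext
name = Request.QueryString("f")
If name = "" Or InStr(name, "/") > 0 Or InStr(name, "\") > 0 _
   Or InStr(name, "..") > 0 Or InStr(name, ":") > 0 Then Deny "400 Bad Request"
ext = LCase(Mid(name, InStrRev(name, ".") + 1))
Select Case ext
    Case "xml", "xsd", "xsl", "xslt"
        Response.ContentType = "text/xml"
    Case Else
        Deny "404 Not Found"
End Select

' 5. Stream the file from the protected folder, uncached, bytes untouched.
Dim fso, path, stream
Set fso = Server.CreateObject("Scripting.FileSystemObject")
path = BASE_DIR & name
If Not fso.FileExists(path) Then Deny "404 Not Found"

Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = 1                 ' adTypeBinary: preserve the file's own encoding
stream.Open
stream.LoadFromFile path
Response.AddHeader "Cache-Control", "private, no-store"
Response.BinaryWrite stream.Read
stream.Close
Set stream = Nothing
Set fso = Nothing
%>
```

The page that previously pointed at /vir_dir/sample.xsl now references getfile.asp?f=sample.xsl&t=<token> instead; that is exactly the client-side change kuza55 warns about, and it only helps if the old direct path is itself unreadable (READ removed, or the files moved out of the web root), since otherwise the gate is simply bypassed. The referer check is the weak link rvdh points out; the per-session token is what actually stops a logged-in user who guesses the file name.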
Posted by: simamhussain
Date: January 25, 2010 05:54AM

Thanks for the timely responses. I am here working for my organization on the entire product's security testing. I am using basic tools like Burp Suite, Stalker, Fiddler and Wireshark for my security testing.
Is there any other tool or website through which I can learn more about security testing, i.e. how to crack application security? I have been very eager since my childhood to work in this area, and I got the opportunity now. Any suggestions?
rvdh, as you said, if a call is made to an xsl file without the proper referer then deny the request. How can we achieve this?
