.

How to test if website is writable

<<

dreams3577

Newbie
Newbie

Posts: 2

Joined: Mon Dec 05, 2011 3:28 am

Post Mon Dec 05, 2011 3:36 am

How to test if website is writable

Morning All

I work for a company who's website has been analysed by a outside company, the outside company did it off there own back and have said that my companies website is 'writable'.
I have checked the permissions and setup and can see nothing wrong, However I would like to check.

The site sits on a windows 2003 server, IIS 6, and is ASP coded.

How would I check to see if it is 'writable' from the web?... IE: Does anyone know of a script or a process to run against the site?

Many Thanks
Steve
<<

lorddicranius

User avatar

Sr. Member
Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Mon Dec 05, 2011 3:54 am

Re: How to test if website is writable

The company ran an assessment on your company's website, yet won't tell you the directory that's vulnerable? ???  I'd do my best to get that from them as this is pretty standard when you have an assessment done.  The whole purpose is to help you secure the website, not just say "yep, it's vulnerable" and turn their backs.  I understand you said that they did it off their own backs, but that's pretty low to not tell you exactly what's vulnerable if they're not going to help you fix it as well.

Check the directories that are publicly facing via the website (could be a large task if a large website :-S).  Any directories that are used to store user uploads, forms that allow users to upload files (e.g. avatars) - could be that the form is accepting all files, not just the filetype the form was developed for.
GSEC, eCPPT, Sec+
<<

dreams3577

Newbie
Newbie

Posts: 2

Joined: Mon Dec 05, 2011 3:28 am

Post Mon Dec 05, 2011 4:23 am

Re: How to test if website is writable

Hi

Thank you for the quick reply... The outside company will tell us, however a few thousand pounds will have to change hands before they do!!.. Hence the asking on here first..

I have checked the dirs, and there are no user upload dirs.

Thanks
Steve
<<

Ignatius

Jr. Member
Jr. Member

Posts: 91

Joined: Sun Mar 22, 2009 9:51 am

Post Mon Dec 05, 2011 1:26 pm

Re: How to test if website is writable

dreams3577 wrote:.... website has been analysed by a outside company, the outside company did it off there own back ....


So they didn't get your company's permission first?  Your company didn't engage them?

Isn't that one of the first thing that is drilled into Pen Testers ... get full written consent in advance, along with exactly what you are, and are not, permitted to do etc.?
<<

rance

User avatar

Full Member
Full Member

Posts: 212

Joined: Thu Jan 03, 2008 5:24 pm

Location: Earth

Post Tue Dec 06, 2011 11:54 am

Re: How to test if website is writable

"Writable" is a pretty generic term and can be interpreted many different ways.  They could be referring to directories, or "writing" to your SQL DB if you have one, it may also be a file injection vuln.

What bothers me most is your comment that they did it "off their own back"... They way you originally wrote that, it seems to me that this "company" did a pen test on your site without your permission, knowledge or consent.  True?

If true, they found an issue, and are now saying "we found something on your site, but we won't tell you until you pay us something."  True again?

If true again, this would be known as extortion (maybe something lesser, but extortion is such a sexy word).  At this point, you might want to get some legal people involved.  If whoever this is had wholesome pure intentions, they'd tell you want the problem was and not demand money.  If they pen tested your site without consent, you should have full legal precedence to go after them.  You might want to start collecting logs ASAFP in case you wind up in the middle of some legal action.  (of course, this doesn't solve your issue of finding out what the flaw is.  you may get that information from legal proceedings, or you may have to hire a legit pen tester to find it for you.  Or, you could just shell out the dough to whoever this is, but they may also be scamming you.  You pay them, then you never hear from them again, or they send you on a goose chase, and they get a nice pay day.)

If this is a company you hired to perform a pen test, a full report, including technical details on any flaws should be part of the package.  If you have to pay extra for data... you need someone that writes better engagement contracts.  ;D
Poking at security since 1986.  +++ATH
<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Tue Dec 06, 2011 4:00 pm

Re: How to test if website is writable

Hi dreams3577,

Welcome to EH-NET! Assuming you do have permission, you could utilize the auxiliary module: auxiliary/scanner/http/writable in Metasploit. Here's a guide from within Metasploit Unleashed:
http://www.offensive-security.com/metasploit-unleashed/HTTP_Writable

I hope this is what your looking for!
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

kowloonboy

Newbie
Newbie

Posts: 4

Joined: Tue Dec 06, 2011 8:13 am

Location: Kowloon

Post Tue Dec 06, 2011 4:16 pm

Re: How to test if website is writable

So another word, they hack your company website without your consent. And blackmail to your company to hand over a big lump sum of money, otherwise they will refuse to disclose to you the finding of the test (hack).

I think your company should call the Police.
"Life itself is your teacher, and you are in a state of constant learning." -- Bruce Lee
#! CrunchBang 10 - 20111125 iso #! CrunchBang Linux
<<

BreakThesec

Newbie
Newbie

Posts: 7

Joined: Mon Dec 12, 2011 1:11 am

Post Fri Dec 16, 2011 12:17 am

Re: How to test if website is writable

I have many questions. You should ask yourself whenever you got these type of message(to protect from spam mails):
----
How they contact you? mail?
Did you check the mail address?
is it legitimate mail?
Did you search about the company in google search with
"company_name review"
or
"Company_Name fraud" or "Company_Name cheat"
...

Attackers also send these type of message and try to get confidential data(Social Engineering).

If you really want to find vulnerabilities, hire any legitimate company.
<<

jsloan1223

User avatar

Newbie
Newbie

Posts: 20

Joined: Tue Apr 24, 2007 3:46 pm

Location: North Dakota, USA

Post Fri Dec 16, 2011 9:50 am

Re: How to test if website is writable

@dreams3577 I realize that your original question is how to tell whether your website is"writable." I agree with the others that the entire situation is phishy (pun fully intended).  Certain versions of IIS are vulnerable to having pages dumped into the root directory. I don't remember all the details, but if your IIS is configured to use index.htm (or index.html or default.htm or default.asp etc) as one of its preferred default pages, BUT any of those pages does not exist on the site, it is vulnerable to having someone dump their "you have been hacked" page into your IIS site. Which means someone goes to www.yoursite.com and sees "you have been hacekd" instead of "welcome to yoursite."

The solution to this is, best I understand, to clean up the default page settings from within IIS. In server 2003, open IIS manager, right click your website name, choose Properties and go to the documents tab.

HTH.
<<

l33t5h@rk

User avatar

Jr. Member
Jr. Member

Posts: 79

Joined: Tue Nov 22, 2011 12:06 am

Post Mon Dec 19, 2011 11:30 am

Re: How to test if website is writable

You need to contact your manager and the management team and have them speak to an attorney. I would imagine that will be a quick way to get a response from them. What they are doing now is more than unethical, it is illegal.
<<

vp75

Jr. Member
Jr. Member

Posts: 78

Joined: Tue May 01, 2007 6:46 am

Post Mon Dec 19, 2011 1:52 pm

Re: How to test if website is writable

I believe and remember, there are different level of service and based on that they provide report, it should be provided in terms & conditions when undertaken the work by outsourced company. But it doesn't look fair not disclosing the information about vulnerability.
Mgmt should take action......
eCPPT
<<

chrisg

Post Tue Dec 20, 2011 10:52 pm

Re: How to test if website is writable

check http allowed options and see if you can HTTP PUT or use webdav to write to a directory.
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Mon Dec 26, 2011 4:41 pm

Re: How to test if website is writable

Word of advice: Try running a Nessus and / or NeXpose scan against your website, you will most likely get exactly the same results as the company that reported the "bug".

Often, it is just because IIS supports the PUT method or perhaps WebDAV, but that doesn't necessarily mean that it's actually exploitable, or something an attacker can use to his advantage. After all, the webserver may support the method, but may not allow it anywhere.

I would ask the target company to place a file on the server as proof of that it is "writeable". If they can't, it's not writeable as they say.  :)
I'm an InterN0T'er
<<

nytfox

User avatar

Newbie
Newbie

Posts: 20

Joined: Mon Nov 28, 2011 1:54 am

Post Tue Jan 31, 2012 3:36 am

Re: How to test if website is writable

Im not sure what are you asking by writable . but if you checked permissions on files and dirs and if they are not viewer writable then I guess your fine . if they meant by hackable . use some vuln scanning tools and see if they gives your exploitable vulns . I prefer nikto ,  Acunetix WVS (spider trows big unwanted traffic but does a good job)
Unlike others I love NULLS
http://treasuresec.com

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software