wstone0011 / hackbar

Automatically exported from code.google.com/p/hackbar

Allow non-URLs in Referrer field #26

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hackbar will be more useful for web application testing if it supports putting 
non-URL strings into the referrer field.

Tested it on Hackbar 1.6.0 on FF 18.0; nothing happens if we put in some injection 
parameters and click on Execute.

Original issue reported on code.google.com by abhimbal...@gmail.com on 26 Jan 2013 at 12:17

GoogleCodeExporter commented 9 years ago
Can you elaborate a bit more, please?

Original comment by pedlag...@gmail.com on 19 Sep 2013 at 12:35

GoogleCodeExporter commented 9 years ago
Picture 1: A string is used as Referrer value [LiveHTTPHeaders] [Works]
Picture 2: A standard URL is used as Referrer value [Hackbar] [Works]
Picture 3: A string is used as Referrer value [Hackbar] [Not working]

Referrer field is a possible injection point as many developers blindly 
believe this value.

Please let me know if you want any further information. Hackbar is a great tool 
and I use it in almost all the demos of OWASP Bricks. I'm planning to make a 
level with Referrer injection and am thus looking forward to seeing Hackbar 
support that feature.

Original comment by abhimbal...@gmail.com on 19 Sep 2013 at 4:50
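
The point made in the comment above, that a Referer value is client-controlled text and need not be a URL, seen from the server side. This is an added example, not part of the original thread or of Hackbar; the `visits` table, the function names and the sample header values are constructed for illustration.

```python
import sqlite3
from urllib.parse import urlsplit

# Constructed sample header values: an ordinary URL and a non-URL string
# containing a quote character.
SAMPLE_REFERERS = ["https://example.test/start", "it's-not-a-url"]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits (referer TEXT, is_url INTEGER)")
    return db

def looks_like_url(value):
    # Classify only; the header is stored either way, never trusted as a URL.
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed IPv6 brackets in the host part
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def log_visit_unsafe(db, referer):
    # Weak form: the header is pasted into the SQL text, so a quote in the
    # value changes the structure of the statement.
    db.execute("INSERT INTO visits VALUES ('" + referer + "', 1)")

def log_visit_safe(db, referer):
    # Hardened form: bound parameters keep the header as opaque data, the
    # length is capped, and "is it a URL?" is recorded instead of assumed.
    db.execute("INSERT INTO visits VALUES (?, ?)",
               (referer[:2048], int(looks_like_url(referer))))

def run_demo():
    # Feed the same sample headers to both handlers and compare outcomes.
    results = {}
    for name, handler in (("unsafe", log_visit_unsafe), ("safe", log_visit_safe)):
        db = open_db()
        errors = 0
        for referer in SAMPLE_REFERERS:
            try:
                handler(db, referer)
            except sqlite3.Error:
                errors += 1  # statement no longer parses as written
        rows = db.execute(
            "SELECT referer, is_url FROM visits ORDER BY rowid").fetchall()
        results[name] = (errors, rows)
    return results

if __name__ == "__main__":
    print(run_demo())
```
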

GoogleCodeExporter commented 9 years ago
Is this feature request accepted? Or should I provide more details?

Original comment by abhimbal...@gmail.com on 15 Nov 2013 at 2:05