RE: Implication of forced http GET request (Web App PT)
- From: "Marvin Simkin" <Marvin.Simkin@xxxxxxx>
- Date: Thu, 28 Sep 2006 15:44:33 -0700
Rick,
GETs are a little easier to work with than POSTs, whether your hat is white or black. So for example suppose Alice has item ID=100 up for auction at vulnerable.com, and Mallory sends Alice an email message expressing interest in Alice's merchandise. Unknown to Alice, Mallory also has an item ID=200 up for auction. Mallory's HTML formatted email includes an IMG SRC=vulnerable.com/bid?item=200&price=999999 (contrived, simplified example). The folks at vulnerable.com thought bids would only ever be POSTed and therefore harder to fake. (Or didn't think about it at all.)
But with a little more work Mallory might find a way to trigger a fake POST too. So GET just makes the job easier.
Other possible information leakage avenues to explore:
* GETs are also typically logged by the webserver while POSTs are not. So could someone be tricked into logging their sensitive info where someone else could view it?
* GET parameters can be passed by a referring URL to another site, depending on your browser choices.
Marvin
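The defensive side of Marvin's auction scenario, as an added example that is not from the thread: a framework-free model of a bid handler (hypothetical names `Request`, `issue_csrf_token`, `process_bid`) that refuses GET for the state-changing bid, reads parameters only from the POST body, and requires a per-session token that an `IMG SRC` forgery cannot supply.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for a framework request object (assumption).
@dataclass
class Request:
    method: str
    query: dict = field(default_factory=dict)    # URL parameters (GET)
    form: dict = field(default_factory=dict)     # request body (POST)
    session: dict = field(default_factory=dict)  # server-side session


def issue_csrf_token(session):
    """Store a fresh per-session token that the bid form must echo back."""
    token = secrets.token_hex(16)
    session["csrf"] = token
    return token


def process_bid(req):
    """Return (status, message) for a bid on an auction item.

    A forged <img src=".../bid?item=200&price=999999"> arrives as a GET
    carrying the victim's cookies but no body and no CSRF token, so it is
    rejected at the first check; a forged POST without the token fails the
    second one.
    """
    if req.method != "POST":
        return 405, "bids must be POSTed"
    expected = req.session.get("csrf", "")
    supplied = req.form.get("csrf", "")
    # Constant-time comparison; both sides encoded so non-ASCII input
    # cannot raise instead of simply failing.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    try:
        item = int(req.form["item"])    # body only; req.query is ignored
        price = int(req.form["price"])
    except (KeyError, ValueError):
        return 400, "item and price required"
    if price <= 0:
        return 400, "price must be positive"
    return 200, f"bid of {price} recorded on item {item}"
```

Because the bid parameters come only from the body, the price never lands in the access log or a Referer header, which also addresses the two leakage avenues listed above.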
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx on behalf of Rick Zhong
Sent: Tue 2006-09-26 11:14
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Implication of forced http GET request (Web App PT)
hi, guys
Just curious to know what are the possible security implications of permitting forced GET requests in a web application? I am pt on this web application where all the form submission POST requests can be replaced with GET requests with all the parameter values appended to the URL.
I remember someone mentioned this in a "session fixation" whitepaper. Are there any other related risks with this implementation?
regards,
Rick
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------