Re: Implication of forced http GET request (Web App PT)



Thanks Marvin. I am also wondering whether there is any practical way
to control this from the developers' perspective, i.e. make sure only
POST or GET requests are allowed? I did a bit of searching on Google, and
it seems that this is quite dependent on the language. And some APIs
by default accept parameters from both POST and GET, which means it
will be quite hard for developers to control this since they need to
change the APIs.


On 9/29/06, Marvin Simkin <Marvin.Simkin@xxxxxxx> wrote:
Rick,

GETs are a little easier to work with than POSTs, whether your hat is white or black. So for example suppose Alice has item ID=100 up for auction at vulnerable.com, and Mallory sends Alice an email message expressing interest in Alice's merchandise. Unknown to Alice, Mallory also has an item ID=200 up for auction. Mallory's HTML formatted email includes an IMG SRC=vulnerable.com/bid?item=200&price=999999 (contrived, simplified example). The folks at vulnerable.com thought bids would only ever be POSTed and therefore harder to fake. (Or didn't think about it at all.)

But with a little more work Mallory might find a way to trigger a fake POST too. So GET just makes the job easier.


Other possible information leakage avenues to explore:

* GETs are also typically logged by the webserver while POSTs are not. So could someone be tricked into logging their sensitive info where someone else could view it?

* GET parameters can be passed by a referring URL to another site, depending on your browser choices.


Marvin



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx on behalf of Rick Zhong
Sent: Tue 2006-09-26 11:14
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Implication of forced http GET request (Web App PT)

hi, guys

Just curious to know what are the possible security implications of
permitting forced GET requests in a web application? I am pen-testing this
web application, where all the form-submission POST requests can be
replaced with GET requests with all the parameter values appended to
the URL.

I remember someone mentioned this in a "session fixation" whitepaper.
Are there any other related risks with this implementation?

regards,
Rick

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------




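
One way to enforce this on the developer side, as an added example that is not code from the thread or from any framework: a plain-WSGI bid handler that refuses anything but POST, reads fields only from the request body (never the query string, so the `bid?item=200&price=999999` IMG trick has nothing to feed on), and requires a per-session CSRF token so that the harder-to-build forged POST is refused as well. The session store, the `sid` cookie, the field names and the token value are constructed for the example.

```python
import hmac
import io
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed in-memory session store (hypothetical): session id -> CSRF token.
SESSIONS = {"sess-abc": "csrf-1234"}

def cookie_session(environ):
    """Session id from the 'sid' cookie, or None if absent."""
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return jar["sid"].value if "sid" in jar else None

def form_fields(environ):
    """Fields from the POST body only; QUERY_STRING is deliberately never read,
    so ?item=200&price=999999 appended to the URL cannot reach the handler."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    raw = environ["wsgi.input"].read(length).decode("utf-8", "replace")
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}

def place_bid(environ):
    """Validate a bid request (WSGI environ); returns (status line, message)."""
    if environ.get("REQUEST_METHOD") != "POST":
        # An <img src=...> or a plain link can only produce a GET: refuse it.
        return "405 Method Not Allowed", "bids must be POSTed"
    fields = form_fields(environ)
    expected = SESSIONS.get(cookie_session(environ))
    # A POST forged from another site carries the cookie but not the token.
    token = fields.get("csrf", "").encode()
    if expected is None or not hmac.compare_digest(token, expected.encode()):
        return "403 Forbidden", "missing or invalid CSRF token"
    try:
        item, price = int(fields["item"]), int(fields["price"])
    except (KeyError, ValueError):
        return "400 Bad Request", "item and price are required in the body"
    return "200 OK", f"bid of {price} on item {item} accepted"

def make_environ(method, query="", body="", cookie="sid=sess-abc"):
    """Build a minimal WSGI environ for a constructed request."""
    data = body.encode()
    return {"REQUEST_METHOD": method, "QUERY_STRING": query, "HTTP_COOKIE": cookie,
            "CONTENT_TYPE": "application/x-www-form-urlencoded",
            "CONTENT_LENGTH": str(len(data)), "wsgi.input": io.BytesIO(data)}

if __name__ == "__main__":
    print(place_bid(make_environ("GET", query="item=200&price=999999")))
    print(place_bid(make_environ("POST", body="item=200&price=999999&csrf=csrf-1234")))
```

Whether a real framework merges query and body parameters into one dictionary is exactly the point raised above, so the handler must be written against the body-only accessor, not the merged one.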


