AttackFlow Findings Dictionary


HTTP Parameter Overloading

The attacker can carry out attacks such as CSRF more easily than expected

Severity: Medium

Fix Cost: Low

Trust Level: Low

ASP.NET lets developers read HTTP request parameter values in a unified way, whether they were sent as URL (query string) parameters or as POST body parameters. For example, to read a parameter "username", most of us use a snippet such as the one below:

                                     
string userName = Request[“username”];
                   
            

or

            
string userName = Request.Params[“username”];
            
            

Either way, it does not matter whether the username parameter was sent as a URL parameter or as a POST body parameter: the developer receives the submitted value as a string.

The same style of coding is also present in the action method parameters of ASP.NET MVC controllers when the HTTP method of the request is not restricted.

However, this style of coding makes the attacker's job easier if the related code has a CSRF vulnerability. The attacker no longer has to prepare a form-posting exploit, which would need JavaScript executed in the application's own domain. Because GET requests are accepted, a simple img HTML element whose src attribute carries the related parameter is enough, and no JavaScript execution is needed. Being able to inject that element into the application's own domain also makes the attack more likely to succeed than launching it from another domain.

JEE lets developers read HTTP request parameter values in a unified way, whether they were sent as URL (query string) parameters or as POST body parameters. For example, to read a parameter "username", most of us use a snippet such as the one below:


String userName = request.getParameter(“username”);
    

Either way, it does not matter whether the username parameter was sent as a URL parameter or as a POST body parameter: the developer receives the submitted value as a string.

The same style of coding is also present in the action method parameters of Spring MVC controllers when the HTTP method of the request is not restricted.

However, this style of coding makes the attacker's job easier if the related code has a CSRF vulnerability. The attacker no longer has to prepare a form-posting exploit, which would need JavaScript executed in the application's own domain. Because GET requests are accepted, a simple img HTML element whose src attribute carries the related parameter is enough, and no JavaScript execution is needed. Being able to inject that element into the application's own domain also makes the attack more likely to succeed than launching it from another domain.
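The following is an added example, written for this entry and not taken from AttackFlow or from any project it describes. It shows the unified-parameter pattern from both the ASP.NET and JEE passages above in servlet form: a weak servlet that serves GET and POST through one handler and reads the value with getParameter(), next to a hardened servlet that accepts only POST, refuses query-string parameters so the value must come from the body, and requires a per-session anti-CSRF token. It assumes the javax.servlet API; AccountService, the "user" session attribute and the "csrfToken" parameter name are hypothetical placeholders.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical business service standing in for the application's own code. */
final class AccountService {
    static void updateEmail(String user, String newEmail) { /* persist the change */ }
}

/**
 * Weak pattern (the one described above): GET and POST share a handler and
 * getParameter() hides where the value came from, so the state change can be
 * triggered by a plain GET such as an img element pointing at this URL.
 */
class WeakChangeEmailServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        handle(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        handle(req, resp);
    }

    private void handle(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String newEmail = req.getParameter("email"); // query string or body: indistinguishable here
        AccountService.updateEmail((String) req.getSession().getAttribute("user"), newEmail);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

/**
 * Hardened version: only doPost is implemented (HttpServlet's inherited doGet
 * answers with an error status), query-string parameters are refused so the
 * value has to travel in the POST body, and a per-session synchronizer token
 * is required and compared in constant time.
 */
class ChangeEmailServlet extends HttpServlet {
    private static final SecureRandom RNG = new SecureRandom();
    static final String TOKEN_ATTR = "csrfToken"; // hypothetical session attribute name

    /** Returns the session's anti-CSRF token, creating it on first use; embed it in the form. */
    static String tokenFor(HttpSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(TOKEN_ATTR);
            if (token == null) {
                byte[] raw = new byte[32];
                RNG.nextBytes(raw);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(TOKEN_ATTR, token);
            }
            return token;
        }
    }

    /** Constant-time comparison so token validation does not leak timing information. */
    static boolean tokenMatches(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (req.getQueryString() != null) { // parameters must come from the body only
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "query parameters not accepted");
            return;
        }
        HttpSession session = req.getSession(false);
        if (session == null
                || !tokenMatches((String) session.getAttribute(TOKEN_ATTR), req.getParameter("csrfToken"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid anti-CSRF token");
            return;
        }
        String newEmail = req.getParameter("email"); // now guaranteed to be a POST body value
        if (newEmail == null || newEmail.isBlank()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "email required");
            return;
        }
        AccountService.updateEmail((String) session.getAttribute("user"), newEmail);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The method restriction is the part that removes the GET-based shortcut: in Spring MVC the equivalent is mapping the action with @PostMapping (or @RequestMapping with method = RequestMethod.POST), since @RequestParam by itself still reads query-string and body values alike; in ASP.NET MVC it is marking the action with [HttpPost], reading the value from Request.Form["username"] instead of Request["username"], and adding [ValidateAntiForgeryToken] for the token check. Restricting the method narrows the attack surface but does not by itself fix a CSRF weakness, which is why the token check stays in.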
