AttackFlow Findings Dictionary


HTTP Parameter Pollution

An attacker can execute privileged operations that would otherwise be denied by adding extra HTTP parameters.

Severity

Critical

Fix Cost

Low

Trust Level

Medium

Backend code usually makes B2B or M2M requests over a trust relationship established by shared secret tokens, IP restrictions, or similar means.

When the server builds a web request from untrusted user input, an attacker may be able to add extra HTTP parameters to it. Because of the trust relationship between the backend systems, these extra parameters might allow the attacker to execute privileged operations.

                                     
string name = Request.Params["name"];
string serverURL = "https://backoffice.myserver.com/?token=" + TOKEN + "&Ops=Update&name=" + name;
Uri uri = new Uri(serverURL);
...
WebClient c = new WebClient(uri);
            
            

The code above forms a URL from the untrusted user input and then opens a trusted HTTP connection to it. An attacker who supplies a value such as

name=john%26Ops=Delete

might be able to trigger a delete operation on another user that would normally be unauthorized. %26 is the URL-encoded form of &, the HTTP parameter delimiter; the .NET framework decodes it automatically when the value is read from Request.Params, so the decoded & is concatenated into the backend URL and acts as a parameter separator there.

The same finding in Java:

String name = request.getParameter("name");
// Untrusted value concatenated straight into a URL that carries the trusted backend token
String serverURL = "https://backoffice.myserver.com/?token=" + TOKEN + "&Ops=Update&name=" + name;
URL url = new URL(serverURL);
...
// Trusted call to the back office
HttpURLConnection connection = (HttpURLConnection) url.openConnection();

The code above forms a URL from the untrusted user input and then opens a trusted HTTP connection to it. An attacker who supplies a value such as

name=john%26Ops=Delete

might be able to trigger a delete operation on another user that would normally be unauthorized. %26 is the URL-encoded form of &, the HTTP parameter delimiter; the servlet container decodes it automatically when the value is read with request.getParameter, so the decoded & is concatenated into the backend URL and acts as a parameter separator there.
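Both the C# and the Java snippets above share one defect: a value the framework has already decoded is concatenated into the backend URL without being re-encoded. The following Python example, added here and not part of the AttackFlow entry, reproduces that flaw beside the fix and shows what the back office actually receives for Ops in each case. The host and token are constructed placeholders.

```python
from urllib.parse import urlencode, unquote, urlsplit, parse_qs

BACKOFFICE = "https://backoffice.myserver.com/"   # host taken from the finding's snippet
TOKEN = "placeholder-backend-token"                # constructed, not a real secret


def build_url_vulnerable(name: str) -> str:
    """Mirrors the page's pattern: the already-decoded user value is
    concatenated into the trusted URL, so an embedded '&' becomes a delimiter."""
    return BACKOFFICE + "?token=" + TOKEN + "&Ops=Update&name=" + name


def build_url_fixed(name: str) -> str:
    """Encode every user-controlled value as exactly one query value;
    '&' and '=' inside it are percent-encoded and cannot add parameters."""
    query = urlencode({"token": TOKEN, "Ops": "Update", "name": name})
    return BACKOFFICE + "?" + query


def params_seen_by_backend(url: str) -> dict:
    """Parse the outgoing URL the way a receiving framework would:
    every value of every parameter, in order of appearance."""
    return parse_qs(urlsplit(url).query)


def ops_seen_by_backend(url: str) -> list:
    """All values the back office sees for the privileged 'Ops' parameter."""
    return params_seen_by_backend(url).get("Ops", [])


def has_polluted_ops(url: str) -> bool:
    """Detection check for a fixed parameter: more than one value means
    something injected a second 'Ops' into the trusted request."""
    return len(ops_seen_by_backend(url)) > 1


# Constructed request value from the finding; the web framework has already
# decoded %26 -> & before the application code sees it.
decoded_name = unquote("john%26Ops=Delete")   # "john&Ops=Delete"

if __name__ == "__main__":
    for label, url in (("vulnerable", build_url_vulnerable(decoded_name)),
                       ("fixed", build_url_fixed(decoded_name))):
        print(label, "->", url)
        print("  Ops values:", ops_seen_by_backend(url),
              "polluted:", has_polluted_ops(url))
```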
