Penetration Testing mailing list archives
RE: Implication of forced http GET request (Web App PT)
From: "Marvin Simkin" <Marvin.Simkin () asu edu>
Date: Thu, 28 Sep 2006 15:44:33 -0700
Rick, GETs are a little easier to work with than POSTs, whether your hat is white or black. So for example suppose Alice has item ID=100 up for auction at vulnerable.com, and Mallory sends Alice an email message expressing interest in Alice's merchandise. Unknown to Alice, Mallory also has an item ID=200 up for auction. Mallory's HTML formatted email includes an IMG SRC=vulnerable.com/bid?item=200&price=999999 (contrived, simplified example). The folks at vulnerable.com thought bids would only ever be POSTed and therefore harder to fake. (Or didn't think about it at all.) But with a little more work Mallory might find a way to trigger a fake POST too. So GET just makes the job easier. Other possible information leakage avenues to explore: * GETs are also typically logged by the webserver while POSTs are not. So could someone be tricked into logging their sensitive info where someone else could view it? * GET parameters can be passed by a referring URL to another site, depending on your browser choices. Marvin -----Original Message----- From: listbounce () securityfocus com on behalf of Rick Zhong Sent: Tue 2006-09-26 11:14 To: pen-test () securityfocus com Subject: Implication of forced http GET request (Web App PT) hi, guys Just curious to know what are the possible security implications of permitting forced GET request in a web application? I am pt on this web application where all the form submission POST request can be replaced with GET request with all the parameter values appended to the url. I remember someone mentioned this in a "session fixation" whitepaper. Is there any other related risks with this implementation? regards, Rick ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------ ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Implication of forced http GET request (Web App PT) Rick Zhong (Sep 26)
- RE: Implication of forced http GET request (Web App PT) Marvin Simkin (Sep 28)