Penetration Testing mailing list archives

RE: Implication of forced http GET request (Web App PT)

From: "Marvin Simkin" <Marvin.Simkin () asu edu>
Date: Thu, 28 Sep 2006 15:44:33 -0700

Rick,

GETs are a little easier to work with than POSTs, whether your hat is white or black. So for example suppose Alice has 
item ID=100 up for auction at vulnerable.com, and Mallory sends Alice an email message expressing interest in Alice's 
merchandise. Unknown to Alice, Mallory also has an item ID=200 up for auction. Mallory's HTML formatted email includes 
an IMG SRC=vulnerable.com/bid?item=200&price=999999 (contrived, simplified example). The folks at vulnerable.com 
thought bids would only ever be POSTed and therefore harder to fake. (Or didn't think about it at all.)

But with a little more work Mallory might find a way to trigger a fake POST too. So GET just makes the job easier.


Other possible information leakage avenues to explore:

* GETs are also typically logged by the webserver while POSTs are not. So could someone be tricked into logging their 
sensitive info where someone else could view it?

* GET parameters can be passed by a referring URL to another site, depending on your browser choices.


Marvin



-----Original Message-----
From: listbounce () securityfocus com on behalf of Rick Zhong
Sent: Tue 2006-09-26 11:14
To: pen-test () securityfocus com
Subject: Implication of forced http GET request (Web App PT)
 
hi, guys

Just curious to know what are the possible security implications of
permitting forced GET request in a web application? I am pt on this
web application where all the form submission POST request can be
replaced with GET request with all the parameter values appended to
the url.

I remember someone mentioned this in a "session fixation" whitepaper.
Is there any other related risks with this implementation?

regards,
Rick

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

Current thread:

Implication of forced http GET request (Web App PT) Rick Zhong (Sep 26)
- RE: Implication of forced http GET request (Web App PT) Marvin Simkin (Sep 28)