RE: Implication of forced http GET request (Web App PT)

From: Marvin Simkin (Marvin.Simkin@asu.edu)
Date: Thu Sep 28 2006 - 18:44:33 EDT

• Next message: killy: "Re: cracking Y2k DC Admin password"
• Previous message: 09sparky@gmail.com: "BlackBoard Academic Suite ?"
• In reply to: Rick Zhong: "Implication of forced http GET request (Web App PT)"
• Next in thread: Rick Zhong: "Re: Implication of forced http GET request (Web App PT)"
• Reply: Rick Zhong: "Re: Implication of forced http GET request (Web App PT)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Rick,

GETs are a little easier to work with than POSTs, whether your hat is white or black. So for example suppose Alice has item ID=100 up for auction at vulnerable.com, and Mallory sends Alice an email message expressing interest in Alice's merchandise. Unknown to Alice, Mallory also has an item ID=200 up for auction. Mallory's HTML formatted email includes an IMG SRC=vulnerable.com/bid?item=200&price=999999 (contrived, simplified example). The folks at vulnerable.com thought bids would only ever be POSTed and therefore harder to fake. (Or didn't think about it at all.)

But with a little more work Mallory might find a way to trigger a fake POST too. So GET just makes the job easier.

Other possible information leakage avenues to explore:

* GETs are also typically logged by the webserver while POSTs are not. So could someone be tricked into logging their sensitive info where someone else could view it?

* GET parameters can be passed by a referring URL to another site, depending on your browser choices.

Marvin

-----Original Message-----
From: listbounce@securityfocus.com on behalf of Rick Zhong
Sent: Tue 2006-09-26 11:14
To: pen-test@securityfocus.com
Subject: Implication of forced http GET request (Web App PT)
 
hi, guys

Just curious to know what are the possible security implications of
permitting forced GET request in a web application? I am pt on this
web application where all the form submission POST request can be
replaced with GET request with all the parameter values appended to
the url.

I remember someone mentioned this in a "session fixation" whitepaper.
Is there any other related risks with this implementation?

regards,
Rick

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

• Next message: killy: "Re: cracking Y2k DC Admin password"
• Previous message: 09sparky@gmail.com: "BlackBoard Academic Suite ?"
• In reply to: Rick Zhong: "Implication of forced http GET request (Web App PT)"
• Next in thread: Rick Zhong: "Re: Implication of forced http GET request (Web App PT)"
• Reply: Rick Zhong: "Re: Implication of forced http GET request (Web App PT)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:02 EDT