This is my personal blog. The views expressed on these pages are mine alone and not those of my employer.

Monday, 24 May 2010

Overlooking the security aspect of the query string

Recently whilst debugging a mission critical, public facing, financial web application I uncovered a very serious security hole.

As one of its features the application contained a content management system so that the relevant departments could upload and change content which appears on carefully selected parts of the site. This meant that certain folders had to be open to those departments so they could be edited through the system. The folder currently being worked on was passed in the query string.

For those that do not know what the query string is, here is an example. When you google something, for example 'blog', the page you are sent to carries your search in its address. The bit after the ? is called the query string (in this case q=blog), and it contains my search. I can do what I want with this string and resubmit it. So if I change the query string to q=blogspot and submit it, I am returned the Google results for 'blogspot'. Anyone can manipulate the query string.

In the web application this meant that anyone could simply change the query string, and that would change the folder currently being worked on. Only a few guesses are needed to view the contents of restricted folders. Doing this I managed to download the full source code for the application, something which would be very valuable to an attacker...

So if in doubt, keep state like this in server side variables rather than in the query string.
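As an added example (not code from the original post; the application's stack is not named), here is the pattern in Python: a lookup that trusts the folder named in the query string, beside one that takes the department from server-side session state, accepts only that department's own folders, and confines the result to the content root. The content root, department names and folder names are constructed.

```python
import posixpath
from urllib.parse import parse_qs

# Constructed layout: editable content lives under this root.
CONTENT_ROOT = "/var/www/site/content"


def folder_from_query(query_string):
    """Return the 'folder' parameter of a query string such as 'folder=news'."""
    return parse_qs(query_string).get("folder", [""])[0]


def resolve_folder_vulnerable(query_string):
    """The flaw described in the post: whatever folder the query string
    names is joined onto the content root, so '..' segments walk out of it."""
    return posixpath.normpath(posixpath.join(CONTENT_ROOT, folder_from_query(query_string)))


# Constructed server-side record of which folders each department may edit.
DEPARTMENT_FOLDERS = {
    "marketing": {"news", "promotions"},
    "hr": {"careers"},
}


def resolve_folder_hardened(query_string, session):
    """The department comes from the server-side session, never from the
    client. The query string may only pick one of that department's own
    folders, and the resolved path must stay inside CONTENT_ROOT."""
    department = session.get("department")
    allowed = DEPARTMENT_FOLDERS.get(department, set())
    folder = folder_from_query(query_string)
    if folder not in allowed:
        return None  # unknown department or a folder it may not edit
    path = posixpath.normpath(posixpath.join(CONTENT_ROOT, folder))
    if not path.startswith(CONTENT_ROOT + "/"):
        return None  # defence in depth: never serve anything outside the root
    return path


if __name__ == "__main__":
    print(resolve_folder_vulnerable("folder=../../app/source"))
    print(resolve_folder_hardened("folder=news", {"department": "marketing"}))
    print(resolve_folder_hardened("folder=../../app/source", {"department": "marketing"}))
```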
