Last post Apr 08, 2019 01:40 PM by Titto Thomas
Mar 19, 2019 07:26 PM|Sam519
I have an asp.net webforms application (.net framework 4.5) running on a client's server. A recent security audit indicates that the application collapses the POST and GET parameters into a single collection and that this is a flawed design pattern from a security
The audit further indicates that using interceptors, it is possible to change the method type to GET which is unsafe as the information is appended to the URL and can be easily tampered.
So, instead of allowing the user to login with the modified request, he/she should have been redirected to the login page/error page.
Mar 19, 2019 07:34 PM|PatriceSc
My understanding is that your code is using Request["name"] (see https://docs.microsoft.com/en-us/dotnet/api/system.web.httprequest.item?view=netframework-4.7.2) rather than telling explicitly from which collection you want to retrieve the value using Request.QueryString["name"] or Request.Form["name"]?
Mar 19, 2019 07:51 PM|Sam519
This vulnerability test was done on the login page where I have a username and password inputs for authentication.
The exploit scenario is as below:
• Open the application and intercept the POST request using Burp Suite, while logging in to the application.
• Modify the request method from POST to GET
• A response 302 status is reflected for the modified POST request
• The application successfully opens in the browser
Hence, POST is accepted as GET.
So instead of allowing the user to login with the modified request, he/she should have been redirected to the login page or any error page should have been displayed.
Mar 19, 2019 08:09 PM|PatriceSc
As I said, my first thought is that it happens when reading form fields using Request["name"] rather than Request.Form["name"].
If this is not your issue, it will likely be easier to show us your code so that we can possibly spot what is wrong and suggest how to fix this, rather than letting us guess what is done to read form fields. AFAIK it should not happen with "standard code".
Apr 08, 2019 01:40 PM|Titto Thomas
You can add this 'if(Request.HttpMethod == "POST")' condition in your action methods to confirm the HTTP request verb before actually processing the business logic.
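The two fixes proposed in this thread (PatriceSc's advice to read from Request.Form instead of the merged Request["name"] indexer, and Titto Thomas's advice to check Request.HttpMethod before running the login logic) combined into one WebForms login code-behind. This is an added example, not code from the thread; the control names (txtUser, txtPass, lblError) and the Login.aspx path are assumptions.

```csharp
// Added example: a WebForms login page that only authenticates from a POST body.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Weak pattern from the audit: Request["name"] searches QueryString, Form,
    // Cookies and ServerVariables in turn, so credentials moved into the URL by
    // a request rewritten from POST to GET are still found and accepted.
    private bool WeakLogin()
    {
        return Membership.ValidateUser(Request["username"], Request["password"]);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // A WebForms page treats a GET whose postback fields (__VIEWSTATE,
        // __EVENTTARGET, ...) arrive in the query string as a postback, so the
        // verb must be checked before any postback handler runs.
        if (IsPostBack &&
            !string.Equals(Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            // Do not process the login; send the user back to the login page.
            Response.Redirect("~/Login.aspx", endResponse: true);
        }
    }

    // Hardened pattern: verb already verified in Page_Load, values read from
    // Request.Form only, so a query-string copy of the fields is ignored.
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (Request.HttpMethod != "POST")
        {
            Response.Redirect("~/Login.aspx", endResponse: true);
            return;
        }

        string user = Request.Form["username"];
        string pass = Request.Form["password"];

        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(pass) ||
            !Membership.ValidateUser(user, pass))
        {
            lblError.Text = "Invalid username or password.";
            return;
        }

        FormsAuthentication.RedirectFromLoginPage(user, false);
    }
}
```

With this in place, the Burp replay from the audit (POST rewritten to GET) gets a redirect back to the login page rather than a 302 into the authenticated area, which is the behaviour the audit asked for.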