Semantic URL attack

In a semantic URL attack, a client manually adjusts the parameters of its request by maintaining the URL's syntax but altering its semantic meaning. This attack is primarily used against CGI driven websites.

A similar attack involving web browser cookies is commonly referred to as cookie poisoning.

Example

Consider a web-based e-mail application where users can reset their password by answering the security question correctly, and allows the users to send the password to the e-mail address of their choosing. After they answer the security question correctly, the web page will arrive to the following web form where the users can enter their alternative e-mail address:

<form action="resetpassword.php" method="GET">
  <input type="hidden" name="username" value="user001" />
  <p>Please enter your alternative e-mail address:</p>
  <input type="text" name="altemail" /><br />
  <input type="submit" value="Submit" />
</form>

The receiving page, resetpassword.php, has all the information it needs to send the password to the new e-mail. The hidden variable username contains the value user001, which is the username of the e-mail account.

Because this web form is using the GET data method, when the user submits [email protected] as the e-mail address where the user wants the password to be sent to, the user then arrives at the following URL:

http://semanticurlattackexample.com/resetpassword.php?username=user001&altemail=alternative%40emailexample.com

This URL appears in the location bar of the browser, so the user can identify the username and the e-mail address through the URL parameters. The user may decide to steal other people's (user002) e-mail address by visiting the following URL as an experiment:

http://semanticurlattackexample.com/resetpassword.php?username=user002&altemail=alternative%40emailexample.com

If the resetpassword.php accepts these values, it is vulnerable to a semantic URL attack. The new password of the user002 e-mail address will be generated and sent to [email protected] which causes user002's e-mail account to be stolen.

One method of avoiding semantic URL attacks is by using session variables.[1] However, session variables can be vulnerable to other types of attacks such as session hijacking and cross-site scripting.

References

  1. Chris Shiflett. Essential PHP Security: Chapter 2, Forms and URLs

See also


This article is issued from Wikipedia - version of the 9/14/2015. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.