Comments on: An Introduction to Web Application Security http://insecureweb.com/web-security/an-introduction-to-web-application-security/ Insight into web application security Wed, 16 Dec 2009 01:02:49 -0800 http://wordpress.org/?v=2.8.5 hourly 1 By: Justin Klein Keane http://insecureweb.com/web-security/an-introduction-to-web-application-security/comment-page-1/#comment-25 Justin Klein Keane Wed, 04 Mar 2009 22:38:37 +0000 http://www.insecureweb.com/?p=8#comment-25 Request parameters actually extend far beyond GET and POST and these other request parameters are often overlooked by developers. For instance, http-referer and browser are user supplied parameters that are often used by logging mechanisms in web applications without developers ever realizing that malicious users can alter these parameters to include SQL injections, Cross Site Scripting (XSS) designed to attack admins viewing log reports, and other nastiness. Cookies are another source of malicious content that developers rarely consider. Every piece of user supplied data can be manipulated quite easily by attackers with tools like WebScarab, Paros, and the Firefox Tamper Data plugin. It's important to sanitize all of this data before processing it. What you describe is also an element of Cross Site Request Forgery (CSRF or Sea-Surf) that can be prevented by injecting pseudo random hidden tokens into forms. This strategy can be used to insure that form POSTs are actually being generated by authenticated users. Web systems record tokens when they generate the forms, and then only process form POSTs if they're accompanied by the relevant token. Making tokens time sensitive is also a good idea (i.e. they time out after an hour). Needless to say a good random generation algorithm is essential so these token's can't be predicted. Request parameters actually extend far beyond GET and POST and these other request parameters are often overlooked by developers. For instance, http-referer and browser are user supplied parameters that are often used by logging mechanisms in web applications without developers ever realizing that malicious users can alter these parameters to include SQL injections, Cross Site Scripting (XSS) designed to attack admins viewing log reports, and other nastiness. Cookies are another source of malicious content that developers rarely consider. Every piece of user supplied data can be manipulated quite easily by attackers with tools like WebScarab, Paros, and the Firefox Tamper Data plugin. It’s important to sanitize all of this data before processing it.

What you describe is also an element of Cross Site Request Forgery (CSRF or Sea-Surf) that can be prevented by injecting pseudo random hidden tokens into forms. This strategy can be used to insure that form POSTs are actually being generated by authenticated users. Web systems record tokens when they generate the forms, and then only process form POSTs if they’re accompanied by the relevant token. Making tokens time sensitive is also a good idea (i.e. they time out after an hour). Needless to say a good random generation algorithm is essential so these token’s can’t be predicted.

]]>