What is HTTP Parameter Injection?
HTTP Parameter Injection is the vulnerability that arises when user-supplied parameters are
used, without validation or encoding, as parameters within a back-end HTTP request.
Suppose a simple HTTP request:
POST /bank/48/Default.aspx HTTP/1.0
Host: mdsec.net
Content-Length: 65
FromAccount=18281008&Amount=1430&ToAccount=08447656&Submit=Submit
This front-end request, sent from the user’s browser, causes the application
to make a further back-end HTTP request to another web server within the
bank’s infrastructure. In this back-end request, the application copies some of
the parameter values from the front-end request:
POST /doTransfer.asp HTTP/1.0
Host: mdsec-mgr.int.mdsec.net
Content-Length: 44
fromacc=18281008&amount=1430&toacc=08447656
This request causes the back-end server to check whether cleared funds are
available to perform the transfer and, if so, to carry it out. However, the front-end
server can optionally specify that cleared funds are available, and therefore
bypass the check, by supplying the following parameter:
clearedfunds=true
If the attacker is aware of this behavior, he can attempt to perform an HPI
attack to inject the clearedfunds parameter into the back-end request. To do
this, he adds the required parameter onto the end of an existing parameter’s
value and URL-encodes the characters & and =, which are used to separate
names and values:
POST /bank/48/Default.aspx HTTP/1.0
Host: mdsec.net
Content-Length: 96
FromAccount=18281008&Amount=1430&ToAccount=08447656%26clearedfunds%3dtrue&Submit=Submit
When the application server processes this request, it URL-decodes the parameter
values in the normal way. So the value of the ToAccount parameter that the
front-end application receives is as follows:
08447656&clearedfunds=true
If the front-end application does not validate this value and passes it through
unsanitized into the back-end request, the following back-end request is made,
which successfully bypasses the check for cleared funds:
POST /doTransfer.asp HTTP/1.0
Host: mdsec-mgr.int.mdsec.net
Content-Length: 62
fromacc=18281008&amount=1430&toacc=08447656&clearedfunds=true
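The following Python model is an added example and not code from the original post or from any real banking application. It reproduces the forwarding step described above with constructed inputs (the two request bodies shown on this page) and contrasts three versions of the front-end's forwarder: the vulnerable one that pastes decoded values straight into the back-end body, one that only URL-encodes the values, and one that also validates each value against its expected shape. The parameter names, the account-number format (eight digits) and the amount format are assumptions made for the example.

```python
"""Model of the front-end -> back-end parameter forwarding described on the page.

Constructed example: parameter names follow the page, value formats are assumed.
"""
import re
from urllib.parse import parse_qs, urlencode

# Constructed inputs: the benign form body and the injected one shown on the page.
BENIGN_FRONT_END_BODY = (
    "FromAccount=18281008&Amount=1430&ToAccount=08447656&Submit=Submit"
)
INJECTED_FRONT_END_BODY = (
    "FromAccount=18281008&Amount=1430"
    "&ToAccount=08447656%26clearedfunds%3dtrue&Submit=Submit"
)

# Assumed allow-list shapes: account numbers are eight digits, amounts are integers.
ACCOUNT_RE = re.compile(r"\d{8}")
AMOUNT_RE = re.compile(r"\d{1,9}")


def _first(params, name):
    """Return the first value of a front-end parameter, or fail if it is absent."""
    values = params.get(name)
    if not values:
        raise ValueError(f"missing parameter {name}")
    return values[0]


def _decode_front_end(front_body):
    """URL-decode the front-end body the way the application server does (parse_qs)."""
    p = parse_qs(front_body, keep_blank_values=True)
    return _first(p, "FromAccount"), _first(p, "Amount"), _first(p, "ToAccount")


def build_backend_body_unsafe(front_body):
    """Vulnerable forwarder: decoded values are concatenated into the back-end body.

    A value containing '&' or '=' therefore becomes extra back-end parameters.
    """
    fromacc, amount, toacc = _decode_front_end(front_body)
    return f"fromacc={fromacc}&amount={amount}&toacc={toacc}"


def build_backend_body_encoded_only(front_body):
    """Encoding-only forwarder: urlencode escapes '&' and '=' inside each value.

    The suspicious value still reaches the back-end, but only as the toacc value;
    it can no longer introduce a clearedfunds parameter.
    """
    fromacc, amount, toacc = _decode_front_end(front_body)
    return urlencode([("fromacc", fromacc), ("amount", amount), ("toacc", toacc)])


def build_backend_body_safe(front_body):
    """Hardened forwarder: allow-list each value's shape, then urlencode it.

    Raises ValueError for any value that is not exactly what the field expects.
    """
    fromacc, amount, toacc = _decode_front_end(front_body)
    checks = (
        ("FromAccount", fromacc, ACCOUNT_RE),
        ("Amount", amount, AMOUNT_RE),
        ("ToAccount", toacc, ACCOUNT_RE),
    )
    for name, value, pattern in checks:
        if not pattern.fullmatch(value):
            raise ValueError(f"rejected {name}: unexpected value {value!r}")
    return urlencode([("fromacc", fromacc), ("amount", amount), ("toacc", toacc)])


def safe_forwarder_rejects(front_body):
    """True if the hardened forwarder refuses to forward this front-end body."""
    try:
        build_backend_body_safe(front_body)
    except ValueError:
        return True
    return False


def backend_parameters(backend_body):
    """Model the back-end's parsing: the {name: value} map doTransfer.asp would see."""
    return {k: v[0] for k, v in parse_qs(backend_body, keep_blank_values=True).items()}


def backend_sees_override(backend_body):
    """True if the back-end would honour a clearedfunds=true override in this body."""
    return backend_parameters(backend_body).get("clearedfunds") == "true"


if __name__ == "__main__":
    for label, builder in (("unsafe", build_backend_body_unsafe),
                           ("encoded", build_backend_body_encoded_only)):
        body = builder(INJECTED_FRONT_END_BODY)
        print(f"{label:8s} {body}  override={backend_sees_override(body)}")
    print(f"safe     rejects injected body: {safe_forwarder_rejects(INJECTED_FRONT_END_BODY)}")
```

Running the module prints the unsafe back-end body exactly as it appears above, with the override honoured, while the encoded body keeps the whole decoded string inside `toacc` (as `%26` and `%3D`) and the validating forwarder refuses the request outright. Encoding alone is enough to stop the parameter from splitting the back-end query; validation is what also gives you a clean rejection to log and alert on.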
Thanks...