Thursday, September 6, 2007

Query String Tampering

Query String Tampering is one of the easiest and most common Internet attacks. Whenever a web application uses the query string to pass sensitive information between pages, there is a risk that a user can tamper with it and reveal information that would otherwise be unavailable.

Suppose that I am allowed to see my own order (567) in my order list, and that clicking the application-generated link is supposed to show me its details.

http://the.address.com/details.aspx?orderid=567

 

What if I try to manually alter the parameter value and see an order from someone else?

http://the.address.com/details.aspx?orderid=568

 

If it works then we can say that the application is vulnerable to QST.

There are two possible solutions to this issue:

  1. Sign the query string parameters with an additional signature. You can read about it here
  2. Encrypt the whole query string so that only a single encrypted parameter is visible on the client side. You can read about it here

Of these two possibilities I prefer the latter, since it seems to be slightly more elegant. A custom implementation is easy and straightforward.
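A sketch of option 1, as an added example that is not code from the original post: the server appends an HMAC over the path, the parameters and the current user, and rejects any request whose signature does not match. It is written in Python for illustration; the key, the `sig` parameter name and the user ids are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed demo key; a real deployment loads a random server-side secret.
SECRET_KEY = b"constructed-demo-key-not-for-production"
SIG_PARAM = "sig"  # hypothetical name for the signature parameter


def _mac(user_id, path, params):
    """HMAC-SHA256 over the user, the path and the sorted parameters."""
    canonical = "\n".join([user_id, path, urlencode(sorted(params))])
    return hmac.new(SECRET_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def sign_url(url, user_id):
    """Return url with a signature parameter appended for this user."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params.append((SIG_PARAM, _mac(user_id, parts.path, params)))
    return urlunsplit(parts._replace(query=urlencode(params)))


def verify_url(url, user_id):
    """True only if the signature matches the path, parameters and user."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in params if k == SIG_PARAM]
    rest = [(k, v) for k, v in params if k != SIG_PARAM]
    if len(sigs) != 1:
        return False  # missing or repeated signature
    expected = _mac(user_id, parts.path, rest)
    # Compare as bytes in constant time so the check leaks no timing detail
    # and a non-ASCII signature value cannot raise an exception.
    return hmac.compare_digest(sigs[0].encode(), expected.encode())


if __name__ == "__main__":
    link = sign_url("http://the.address.com/details.aspx?orderid=567", "alice")
    print(link)
    print(verify_url(link, "alice"))                                   # issued link
    print(verify_url(link.replace("orderid=567", "orderid=568"), "alice"))  # edited
```

Because the user id is part of the signed data, a link issued to one user does not verify for another.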

1 comment:

Dominik Dalek said...

This is security by obscurity and does not protect one from various attacks (e.g. MITM ones). The correct approach is verifying credentials on access (assuming authentication tokens cannot be forged or scooped, which is hopefully true for a given system).