had an incident with an online form.

p0et

Full Member

Posts: 197

Joined: Thu Nov 02, 2006 4:38 pm

Location: Victoria, Canada

Post Fri Jul 24, 2009 12:34 pm

had an incident with an online form.

Can't really divulge many details but here goes.  A company I know of has this website where you can sign in as a user or a guest.  If you sign in as a guest, you fill out some info such as name, phone number, address and birthdate.  At the bottom of the page is a register button.  If the user starts filling out the form but doesn't end up hitting register, he is able to copy the URL and send it to his other friend.  That friend can paste the URL on a different computer and see all the info that the first guy had filled out.

So the company received an email from the guy who found this hole saying that the company should know about it and patch it before he reports it to the papers. Apparently, he was able to see many other users' filled-out forms as well by guessing/changing the numbers at the end of the URL.

The company has been thinking of ways to resolve this.  One idea was to block/hide the address bar so no one can copy the URL.  Even if they do this though, won't the attacker still be able to go into the browser history and retrieve the URL there? 

Any insights would be great!
GCIH, Security+, Network+, A+, MCP, DCSE

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Jul 24, 2009 1:16 pm

Re: had an incident with an online form.

Hiding the URL bar won't deter many people at all.   Without looking at the code it's a bit difficult to see what the issue is.  

However, if I had to guess, they should incorporate session variables for each session. They could incorporate a hidden form field called "SessionID". Dynamically generate this value and make it unique for each visitor. Make sure the number is not predictable. Often md5 hash values of various client data with a salt value are used. Pass this session id to every page that is susceptible to the vulnerability discovered. Make sure the page is not viewable without a valid session id.

http://www.php.net/manual/en/intro.session.php

There could be better ways, but that's the way I would do it.  Again, this is just a guess based on the information I have.

<edit> They should probably audit the remainder of the application to see what else is lurking around </edit>
~~~~~~~~~~~~~~
Ketchup

Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Sat Jul 25, 2009 2:42 am

Re: had an incident with an online form.

Bingo! Ketchup beat me to it.
Make sure they generate a SessionId for each user and it should be "random".

That's one of the best ways to do it.
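
An added example (not written by any poster in this thread, and not the company's code): the numbered-URL lookup described in the first post beside a lookup that requires an unpredictable token and the session that created the draft, so a copied URL opened from another browser returns nothing. `DraftStore`, its method names and the sample form data are hypothetical, and the session ID is assumed to travel in a cookie rather than in the URL.

```python
import hmac
import secrets


class DraftStore:
    """Holds partially completed guest forms (in memory, for illustration)."""

    def __init__(self):
        self._by_number = {}  # weak design: 1, 2, 3 ... exposed in the URL
        self._by_token = {}   # hardened: token -> (owner session ID, form)
        self._next = 1

    # Weak design, as described in the thread.
    def save_weak(self, form):
        number = self._next
        self._next += 1
        self._by_number[number] = form
        return number  # ends up at the end of the URL

    def load_weak(self, number):
        # No ownership check: changing the number returns someone else's form.
        return self._by_number.get(number)

    # Hardened design.
    def new_session(self):
        # 32 bytes from the OS CSPRNG, not a hash of client data.
        return secrets.token_urlsafe(32)

    def save(self, session_id, form):
        token = secrets.token_urlsafe(32)  # unguessable draft reference
        self._by_token[token] = (session_id, form)
        return token

    def load(self, session_id, token):
        record = self._by_token.get(token)
        if record is None:
            return None  # unknown or guessed token
        owner, form = record
        # The draft is served only to the session that created it.
        if not hmac.compare_digest(owner, session_id):
            return None
        return form


if __name__ == "__main__":
    store = DraftStore()
    alice, bob = store.new_session(), store.new_session()
    token = store.save(alice, {"name": "Constructed User"})  # constructed data
    print(store.load(alice, token))  # owner sees the draft
    print(store.load(bob, token))    # copied URL, other session: None
```

A random reference alone stops guessing, but the session check is what stops a forwarded URL from showing the first visitor's data.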
