Semantic URL attack

From Wikipedia, the free encyclopedia
Jump to: navigation, search
This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. (December 2009)
Wiki letter w.svg
 This article is an orphan, as few or no other articles link to it. Please introduce links to this page from related articles; suggestions may be available. (February 2009)

In a semantic URL attack, a client manually adjusts the parameters of its request by maintaining the URL's syntax but altering its semantic meaning. This attack is primarily used against CGI driven websites.

A similar attack involving web browser cookies is commonly referred to as cookie poisoning.

[edit] Example

Consider a web-based e-mail application where users can reset their password by answering the security question correctly, and allows the users to send the password to the e-mail address of their choosing. After they answer the security question correctly, the web page will arrive to the following web form where the users can enter their alternative e-mail address:

<form action="resetpassword.php" method="GET">
  <input type="hidden" name="username" value="user001" />
  <p>Please enter your alternative e-mail address:</p>
  <input type="text" name="altemail" /><br />
  <input type="submit" value="Submit" />
</form>

The receiving page, resetpassword.php, has all the information it needs to send the password to the new e-mail. The hidden variable username contains the value user001, which is the username of the e-mail account.

Because this web form is using the GET data method, when the user submits alternative@emailexample.com as the e-mail address where the user wants the password to be sent to, the user then arrives at the following URL:

http://semanticurlattackexample.com/resetpassword.php?username=user001&altemail=alternative%40emailexample.com

This URL appears in the location bar of the browser, so the user can identify the username and the e-mail address through the URL parameters. The user may decide to steal other people's (user002) e-mail address by visiting the following URL as an experiment:

http://semanticurlattackexample.com/resetpassword.php?username=user002&altemail=alternative%40emailexample.com

If the resetpassword.php accepts these values, it is vulnerable to a semantic URL attack. The new password of the user002 e-mail address will be generated and sent to alternative@emailexmaple.com which causes user002's e-mail account to be stolen.

This semantic URL attack can be avoided easily by using Session.[1] It can keep track of the name of the user and make sure the current user has already answered the security question correctly. The best way to prevent security exploits is to disallow URL manipulation and use the POST method instead of the GET method.

[edit] References

  1. ^ Chris Shiflett. Essential PHP Security: Chapter 2, Forms and URLs

[edit] See also


Stub icon This computer science article is a stub. You can help Wikipedia by expanding it.
Retrieved from "http://en.wikipedia.org/w/index.php?title=Semantic_URL_attack&oldid=456877610"
Personal tools
Namespaces
Variants
Actions
Navigation
Interaction
Toolbox
Print/export