Re: View and edit hidden HTML form fields (fwd)

From: George W. Capehart <gwc(at)capehassoc.com>
Date: Sat Jun 14 2003 - 10:14:49 EDT

On Thursday 12 June 2003 03:02 pm, sirkus wrote:
> On Thu, 2003-06-12 at 12:22, Tim Greer wrote:

<snip>

> >
> > I actually don't see how this reveals any weaknesses. Just seeing
> > the fields or arguments/values passed to a script/program doesn't

<snip>

> full explanation... Yes, tools like this can be used to test for

Indeed. A real-world example follows:

Context: an on-line banking application which allows the user to do account balance inquiry and transfer funds between accounts. The application was poorly designed and naively trusted data from the browser. When the user logged in, the application looked up all of the accounts to which the user had legitimate access and sent the account numbers out to the browser. The user could then choose which account he/she wanted to access. In the case of transferring funds, the user selected the "from" and "to" accounts. Problem was, upon receipt of the form, the application did not validate that the accounts were owned by the user. This meant that if the user could directly manipulate the contents of the POST, he/she could inquire about *anyone's* balance, and transfer funds from *anyone's* account to *anyone else's* account. This was tested and exploited using a tool such as is being discussed here during the Information Security audit before the application was actually put into production.

</gwc>

-- 
George W. Capehart

"With sufficient thrust, pigs fly just fine . . ."
 -- RFC 1925
Received on Sat Jun 14 20:09:31 2003
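The flaw George describes is a missing server-side ownership check on the "from" and "to" account fields (what is now usually called an insecure direct object reference). The following is an added example, written for this archive page and not the code of the bank's application or of anyone on the thread: a toy model of the transfer handler with the naive version beside a checked one, so the tampered POST from the audit can be replayed against both. Account numbers, balances, user names and the user-to-account mapping are constructed sample data, and the function names are the example's own.

```python
"""Insecure direct object reference in a funds-transfer handler.

Added example modelling the application described in the post; it is
not the bank's code.  Account numbers, balances and the user->account
mapping below are constructed sample data.
"""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs


class AuthorizationError(Exception):
    """Raised when a request references an account the user does not own."""


# Constructed sample data: balances keyed by account number, and the
# accounts each authenticated user legitimately owns.
BALANCES = {"100001": Decimal("500.00"),
            "100002": Decimal("1200.00"),
            "200001": Decimal("50.00")}
OWNERS = {"alice": {"100001", "100002"},
          "mallory": {"200001"}}


def accounts_for_form(user):
    """What the login step sends to the browser: the user's own accounts.

    In the naive design this is the only place ownership is enforced, and it
    happens in the browser, so editing the form bypasses it."""
    return sorted(OWNERS.get(user, set()))


def parse_post(body):
    """Parse a urlencoded POST body into a flat dict (last value wins)."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def _amount(fields):
    """Validate the amount field: must be a positive decimal number."""
    try:
        amount = Decimal(fields.get("amount", ""))
    except InvalidOperation:
        raise ValueError("amount is not a number")
    if amount <= 0:
        raise ValueError("amount must be positive")
    return amount


def transfer_naive(balances, user, body):
    """The pattern the post describes: 'from' and 'to' are taken straight
    from the POST; the session user is not consulted at all."""
    fields = parse_post(body)
    src, dst = fields["from"], fields["to"]
    amount = _amount(fields)
    if balances[src] < amount:
        raise ValueError("insufficient funds")
    balances[src] -= amount
    balances[dst] += amount
    return f"{user} moved {amount} from {src} to {dst}"


def transfer_checked(balances, user, body):
    """Hardened version: the server re-derives which accounts the session
    user may debit and refuses anything else, whatever the browser sent."""
    fields = parse_post(body)
    src, dst = fields["from"], fields["to"]
    amount = _amount(fields)
    if src not in OWNERS.get(user, set()):
        raise AuthorizationError(f"{user} does not own account {src}")
    if dst not in balances:
        raise ValueError("unknown destination account")
    if balances[src] < amount:
        raise ValueError("insufficient funds")
    balances[src] -= amount
    balances[dst] += amount
    return f"{user} moved {amount} from {src} to {dst}"


def balance_checked(user, account):
    """Balance inquiry with the same ownership check applied server-side."""
    if account not in OWNERS.get(user, set()):
        raise AuthorizationError(f"{user} does not own account {account}")
    return BALANCES[account]


def demo():
    """Replay the audit finding: mallory edits the hidden 'from' field to
    alice's account number.  Returns both ledgers and whether the checked
    handler refused the request."""
    tampered = "from=100001&to=200001&amount=400.00"   # 100001 belongs to alice
    naive = dict(BALANCES)
    transfer_naive(naive, "mallory", tampered)          # succeeds: alice loses 400
    checked = dict(BALANCES)
    try:
        transfer_checked(checked, "mallory", tampered)
        blocked = False
    except AuthorizationError:
        blocked = True
    return naive, checked, blocked


if __name__ == "__main__":
    naive, checked, blocked = demo()
    print("naive ledger after tampered POST:  ", naive)
    print("checked ledger after tampered POST:", checked, "blocked:", blocked)
```

The point of the checked version is that the browser's form is treated as a hint, not as authorization: the set of accounts a user may debit is recomputed from the session on every request, exactly as it was at login. The "to" account only needs to exist, since depositing into someone else's account is permitted, but the "from" account must be the caller's own.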

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:52 EDT
