GET/POST Variable Manipulation

Author: Wojjie     Posted: 2004-05-13     Viewed: 12,882

What is it?

When a visitor is able to cheat the website by modifying GET/POST variables that carry sensitive information, and thereby change things that he or she should not be able to change.

Common Causes

When sensitive variables are handed to the browser and are then assumed to be correct on every subsequent page hit.

Examples and their exploits

Example 1 (code):
...
$username=$_GET["username"];
echo "Welcome $username:";
...
Example 1 (exploit):

URL:
page.php?username=admin
Example 1 (explanation):

Everyone reading this must know this is the worst thing you can possibly do, and no one in their right mind would make an application like this, but I had to pick a simple example that hopefully gets the point across. I would rather save you time with a simple example than have you analyze a long explanation or 50 lines of code.

In this example, the application assumes that the visitor is the user named in the $username variable, and in the exploit we simply tell the application that we are the administrator of the site. With this we can do anything that an administrator would be able to do.

Another example could have been a shopping cart that passes the amount owed to a third-party merchant and never checks the total of the final payment against the receipt stored in the SQL database before shipping the goods. I actually found a good article on common e-commerce vulnerabilities while looking for the next common vulnerability to write about. I will post a link to the article at the end of this article.

Example 1 (solution):

Unlike the other vulnerabilities I wrote about, this one does not have a single fix that covers every case. For this example, it should be obvious that you need some sort of session manager. Most websites use session IDs for their login system.

Using a simple session manager:
...
$session=intval($_GET["session"]); //casting to an integer prevents SQL injection here
//note: the session ID itself must be random and unguessable, or a visitor can
//simply pick another user's ID; a small sequential number is not enough
$result=mysql_query("SELECT username FROM sessions
	WHERE sessionID=$session;");
//mysql_query returns a result resource even when no row matched, so the
//row count must be checked before fetching (the mysql_* functions were
//removed in PHP 7; use mysqli or PDO on current versions)
if ($result && mysql_num_rows($result) == 1) {
	$data=mysql_fetch_object($result);
	$username=$data->username;
} else {
	$username="Guest";
}
...
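The same idea written out in full, added here as an example that is not part of the original article: the browser only ever holds a random token, the username is resolved from the database on every request, and naming a user in the request buys nothing. It assumes PHP 7.3 or newer with PDO and the SQLite driver; the table layout, cookie name and sample user are constructed for the example.

```php
<?php
// Added example (not from the original article): a minimal server-side session
// manager. Identity is looked up from the token on every page hit, so editing
// GET/POST variables cannot change who the visitor is.
// Uses an in-memory SQLite database so it runs stand-alone (php example.php).

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (token TEXT PRIMARY KEY, '
            . 'username TEXT NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}

// Called once after the password check succeeds: mint an unguessable token,
// store it server-side and hand only the token to the browser as a cookie.
function create_session(PDO $db, string $username, int $ttl = 3600): string {
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, 64 hex chars
    $stmt = $db->prepare('INSERT INTO sessions (token, username, expires) VALUES (?, ?, ?)');
    $stmt->execute([$token, $username, time() + $ttl]);
    if (PHP_SAPI !== 'cli') {             // no HTTP headers when run from the shell
        setcookie('session', $token, [
            'httponly' => true, 'secure' => true, 'samesite' => 'Strict', 'path' => '/',
        ]);
    }
    return $token;
}

// Called on every page hit: the username comes from the database row, never
// from a request parameter. Malformed, unknown or expired tokens become "Guest".
function current_user(PDO $db, ?string $token): string {
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return 'Guest';
    }
    $stmt = $db->prepare('SELECT username FROM sessions WHERE token = ? AND expires > ?');
    $stmt->execute([$token, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // false when no row matched
    return $row ? $row['username'] : 'Guest';
}

$db = open_db();
$token = create_session($db, 'alice');                 // constructed sample user
echo current_user($db, $token), "\n";                  // the real session
echo current_user($db, 'admin'), "\n";                 // naming a user is not proof
echo current_user($db, str_repeat('0', 64)), "\n";     // a guessed token is not in the table
```

In a real page the token would come from $_COOKIE['session'] rather than a local variable; the lookup is identical.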

Link to the article:
  Common Security Vulnerabilities in e-commerce systems

Article Sections:
Common Mistakes and their Solutions (2004-05-11)
About various common vulnerabilities found in PHP sites, and solutions on how to prevent them.
SQL Injection (2004-05-11)
SQL Injection is when a visitor injects SQL code that manages to get processed by the SQL server.
Cross-Site Scripting (2004-05-12)
Cross-Site Scripting is when a visitor is able to input HTML/JavaScript code into a website and have it display this code.

Copyright © 2004-2015: TheServerPages.com