Vulnerabilities in forms and URL parameter data


One of the most commonly overlooked areas in web design is the transfer of information via forms and URL parameters. I see it quite often, and it can open a website to dangerous vulnerabilities. There are many practices that should be carried out to keep a website secure, but this article focuses purely on the passing of data between pages via form and URL parameters. It assumes you have some knowledge of HTML and server-side scripting.

So what is the problem?

The problem is that the content of forms and parameters can easily be changed. It is one of the easiest ways to hack a website. Anyone can view the code and edit an input value without too much fuss. A URL parameter can be edited right within the browser's address bar. Both of these changes can be made by anyone viewing your website, without any special software or extensive experience.

Let's try an example. Say we have a form that updates the caption of an image.

<form action="images.php">
<input type="text" name="caption" value="Insert your caption here" />
<input type="hidden" name="id" value="34562" />
<input type="hidden" name="command" value="edit-caption" />
<input type="submit" value="Save"/>
</form>

Now this code is nice and makes logical sense. You can easily determine what the function of this form is. In addition, you can see the data and what it will reference. This is great for debugging, but at the same time anyone who views this code can see the same information and determine the same facts.

So one could, for example, edit the form in the following fashion (the values of the id and command fields have been changed).

<form action="images.php">
<input type="text" name="caption" value="Insert your caption here" />
<input type="hidden" name="id" value="2324" />
<input type="hidden" name="command" value="delete" />
<input type="submit" value="Save"/>
</form>

You should be able to tell that this hack is deleting the image with id 2324. However, a few things need to be true for this hack to succeed.

  • "delete" needs to be a valid command that the page will recognize
  • The ID needs to correspond to a valid image ID that exists in the system
  • There must be no other server-side security that will detect the hack

If it passes all of these, then ultimately the image "2324" will be deleted. For example, I may have viewed a user account and noticed that the ID associated with the account's avatar image was "2324". Then, using this hack, it may be possible to delete that image. This may not be a terminal or serious issue, but it demonstrates the behavior that is required to make the website carry out a task it is not supposed to. Similar hacks can be made in the URL, e.g. www.yousite.com/account.php?command=delete&userid=53, which could potentially delete an account.

This lack of security becomes a bigger issue if more sensitive data is in the forms, such as a user's phone number or email address. I have seen forms with the price in a hidden field, e.g.

<input type="hidden" name="price" value="35.00" />

As you can tell, this could be a significant issue if hacked.
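The three conditions listed earlier for the tampered caption form, and the hidden price field above, both come down to the server trusting what the form sends. The following is an added example, not code from this article: a sketch of how images.php could treat the posted fields, where the sample data, the user ids and the handle_image_request() helper are hypothetical.

```php
<?php
// Added example, not the article's code. The data, the user ids and the
// handle_image_request() helper are hypothetical and constructed.

// Constructed sample data standing in for a database: image id => record.
$images = [
    34562 => ['owner' => 7,  'caption' => 'Insert your caption here'],
    2324  => ['owner' => 12, 'caption' => 'Avatar'],
];

// Commands this form may trigger. "delete" is deliberately absent.
const ALLOWED_COMMANDS = ['edit-caption'];

function handle_image_request(array $post, int $sessionUserId, array &$images): string
{
    // Condition 1: the command must be on the server's own allow-list.
    $command = $post['command'] ?? '';
    if (!in_array($command, ALLOWED_COMMANDS, true)) {
        return 'rejected: unknown command';
    }

    // Condition 2: a hidden field is user input, so validate its type and existence.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !isset($images[$id])) {
        return 'rejected: no such image';
    }

    // Condition 3: authorization comes from the server-side session, never the form.
    if ($images[$id]['owner'] !== $sessionUserId) {
        return 'rejected: not your image';
    }

    $caption = is_string($post['caption'] ?? null) ? $post['caption'] : '';
    $images[$id]['caption'] = substr($caption, 0, 200);
    return 'ok: caption updated';
}

// The original form, submitted by the image's owner (user 7).
echo handle_image_request(
    ['caption' => 'Sunset', 'id' => '34562', 'command' => 'edit-caption'], 7, $images), "\n";
// The tampered form from the article: id and command both changed.
echo handle_image_request(
    ['caption' => 'x', 'id' => '2324', 'command' => 'delete'], 7, $images), "\n";
// Only the id tampered: the command is valid, but the image belongs to user 12.
echo handle_image_request(
    ['caption' => 'x', 'id' => '2324', 'command' => 'edit-caption'], 7, $images), "\n";
```

The same rule covers the hidden price field: the handler should look the price up on the server from the product being bought and ignore any price value in the request.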

So what is the solution?

There is a series of processes that can be put in place to secure the transfer of data on your site. Please see my article Securing form and URL data submissions.
