Benign Unexpected URLs - Part 3 - Additional/Missing Parameters
Parts 1 and 2 provided information on some unexpected URLs that may also be valid entry points for an application. But are there also additional parameters and missing mandatory parameters which are possibly benign requests, and not an attack?
Yes, some parameter errors are not intentionally malicious. Like any other user input, however, they should be subject to the same validation checks, encoding and escaping as every other user-provided value. Some examples of additional/missing parameters are shown below.
| Category | Comments and examples |
|---|---|
| All POST Parameters Missing | If all mandatory parameters of a request using the HTTP method "POST" are missing, this may be the case of a linked, bookmarked or indexed URL being requested at a later date. |
| Tracking | Extra tracking parameters added by email marketing links, web adverts, RSS feeds, news readers, content syndication, etc., which may be sent as cookies or URL parameters, e.g. `?utm_source=feedburner&utm_medium=feed&utm_campaign=...&utm_content=...` and names such as `__utma`, `__utmb`, `__utmc`, `__utmk`, `__utmv`, `__utmx`, `__utmz`. Tracking parameters of any conceivable name may also be added directly into links within the site, or from other sites, by internal staff or external service providers, e.g. `?callback=...`, `?click=...`, `?promotion_code=GN6JW...`, etc. |
| Network Devices | Parameters (often HTTP headers) added by trusted upstream network devices (e.g. proxy servers), e.g. `notified-SplashPage`, `notified-Splash_Page_Minimal`, `notified-SplashPages`, `notified-TermsAndAgreement`, `notified-VCN_Strict`. Parameters added by untrusted network devices should not be assumed to be benign. |
| Cookies | Additional cookies may be submitted in requests as a result of other applications on the same domain, marketing tracking, etc. Some web crawlers might not handle a site's cookies correctly and you may receive cookie names that are fragmented parts of the intended real cookies, e.g. with names like 'path', 'secure' and 'httponly'. |
| APIs | If you expose a service using a third party's API and their API definition changes, you may receive requests with parameter names and values that you do not expect, or without ones you do expect. This might also occur where you use APIs elsewhere (e.g. in a payment authentication web service) and there are callbacks to your application (e.g. on successful payment). |
| Malformed Query String | Some web crawlers may request URLs with parameters that have encoded ampersand characters, or parts of them, as parameter names, e.g. `?...amp=...` or `?...&=...`. |
| URL Truncation | Truncation of the URL may mean some query string parameters and/or path parameters are lost. |
| New Functionality | Change control processes should ensure that any definition of parameters is kept up-to-date as changes are made to an application. Problems in this area should be discovered during testing processes. |
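As an added example (not part of the original post), the following Python classifier applies the distinctions in the table above: a POST with every mandatory parameter missing and extra parameters with recognised tracking or crawler-fragment names are reported as benign anomalies, while every name and value, expected or not, still passes a whitelist check. The endpoint policy, regular expressions and category labels are constructed for illustration.

```python
import re

# Constructed example policy: mandatory parameters per endpoint (not from the post)
MANDATORY = {"POST /checkout": {"order_id", "amount"}}

# Extra names the post describes as commonly benign: UTM/Urchin tracking, marketing
# links and a crawler's fragment of an encoded '&' (including an empty name).
BENIGN_EXTRA = re.compile(r"^(utm_[a-z]+|__utm[a-z]|callback|click|promotion_code|amp|)$")
# Generic whitelists applied to every parameter, known or unknown
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{0,64}$")
SAFE_VALUE = re.compile(r"^[A-Za-z0-9 ._,:/=-]{0,256}$")


def classify_request(method, path, params):
    """Return (verdict, findings) for a parsed parameter dict.

    verdict is 'ok', 'benign' (only known-benign anomalies), 'review'
    (unknown extras or a partially missing set) or 'reject' (bad input).
    """
    required = MANDATORY.get(f"{method} {path}", set())
    findings = []
    for name, value in params.items():
        if not (SAFE_NAME.match(name) and SAFE_VALUE.match(value)):
            findings.append(("invalid", name))  # bad input, whatever its origin
        elif name not in required:
            kind = "tracking_extra" if BENIGN_EXTRA.match(name) else "unknown_extra"
            findings.append((kind, name))
    missing = required - set(params)
    if missing and missing == required and method == "POST":
        # All mandatory POST fields absent: typical of a bookmarked/indexed URL
        findings.append(("all_post_missing", ",".join(sorted(missing))))
    elif missing:
        findings.append(("missing", ",".join(sorted(missing))))
    kinds = {kind for kind, _ in findings}
    if "invalid" in kinds:
        return "reject", findings
    if kinds & {"unknown_extra", "missing"}:
        return "review", findings
    return ("benign" if kinds else "ok"), findings
```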
Please let me know additional items and I will add them to these posts.
Posted on: 28 October 2010 at 10:04 hrs