From: Sverre H. Huseby (shh@thathost.com)
Date: Mon Oct 29 2001 - 11:02:51 CST
| Parameter Manipulation can be done with URL Query Strings, Form
| Fields and Cookies.
Don't forget the HTTP headers. They can be forged just as easily.
| There are several ways you can prevent this sort of attack, but
| all essentially work by coupling the parameters being passed to
| the application with the user's account via some form of "session
| token".
Why make it this hard? It's easier to use what could be called a
"session indirection". Instead of passing "real" data, you pass
pointers to data in the user's session. The solution to your account
number example would be to store a "ValidAccounts" array in each
user's session. When the user logs in, this array is filled with
valid accounts for this user, thus testing authorization once and for
all. All subsequent requests pass indexes into this array instead of
passing real data.
Sverre.
--
shh@thathost.com               http://shh.thathost.com/
Play my free Nerd Quiz at http://nerdquiz.thathost.com/
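The "session indirection" scheme from the reply above, as an added example that is not part of the original post: the users, account numbers and function names (`login`, `resolve_account`, `account_choices`) are constructed for illustration.

```python
"""Session indirection: the client passes an index into a per-session list
of authorized account numbers, never the account number itself."""
from dataclasses import dataclass, field

# Constructed sample data (hypothetical users and accounts).
ACCOUNTS_BY_USER = {
    "alice": ["1001-22", "1001-23"],
    "bob": ["2002-55"],
}


@dataclass
class Session:
    user: str
    valid_accounts: list = field(default_factory=list)


def login(user: str) -> Session:
    """Authorization is decided once, at login: the session is filled with
    the account numbers this user is allowed to touch ("ValidAccounts")."""
    if user not in ACCOUNTS_BY_USER:
        raise PermissionError("unknown user")
    return Session(user=user, valid_accounts=list(ACCOUNTS_BY_USER[user]))


def resolve_account(session: Session, index_param):
    """Map an untrusted request parameter (query string, form field, cookie
    or header value) back to a real account number.  Returns None for
    anything that is not a valid index into the session's own list, so a
    forged value can only ever select among accounts already authorized."""
    try:
        idx = int(index_param)
    except (TypeError, ValueError):
        return None
    # Explicit bounds check: Python would silently wrap a negative index.
    if idx < 0 or idx >= len(session.valid_accounts):
        return None
    return session.valid_accounts[idx]


def account_choices(session: Session):
    """What the server renders into forms or links: indexes only, never the
    underlying account numbers."""
    return [str(i) for i in range(len(session.valid_accounts))]
```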