Web application security - the fast guide 1.1 | Page 108
Chapter 5 - Attack Execution the client
This attack tries to gain authorized access to a functionality by forging the
Referer header.
Attack requirement:
The application developer wrongly relies on the Referer header to check the page
from which the request originated.
Attack process:
A. Using a proxy, capture a request heading to a restricted page.
B. Alter the Referer header to match a page with the same or higher authority level.
C. Release the altered request.
Example:
GET /Restrict/32/CreateUser.php HTTP/1.1
Host: testlocalhost.com
Referer: https://testlocalhost.com/Restrict/32/adminAct.php
In the previous example, the Referer header is forged to show that the request was
sent by the adminAct.php page, which has high privilege.
If the application developer uses $_SERVER['HTTP_REFERER'] to check whether
the request is coming from an authorized page, the forged request will be able to
reach the page, and the CreateUser page will actually be shown.
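The flawed Referer check described above, next to a server-side session check and a log line for mismatches, as an added example that is not code from the book. The function names, the 'user_id' and 'role' session keys, and the sample requests are assumptions made for illustration.

```php
<?php
// Added example. Function names, the 'role'/'user_id' session keys and the
// sample values are assumptions made for illustration.

const ADMIN_REFERER = 'https://testlocalhost.com/Restrict/32/adminAct.php';

// Flawed: the Referer header is sent by the client and can hold any value.
function allow_by_referer(array $server): bool
{
    return ($server['HTTP_REFERER'] ?? '') === ADMIN_REFERER;
}

// Corrected: the decision uses only session state the server set at login.
function allow_by_session(array $session): bool
{
    return isset($session['user_id']) && ($session['role'] ?? '') === 'admin';
}

// Guard for CreateUser.php: enforce the session check, and record requests
// whose Referer names the admin page while the session is not an admin one.
function guard_create_user(array $server, array $session): array
{
    $allowed = allow_by_session($session);
    $suspect = !$allowed && allow_by_referer($server);
    if ($suspect) {
        error_log(sprintf('admin Referer without admin session: user=%s uri=%s',
            $session['user_id'] ?? 'anonymous', $server['REQUEST_URI'] ?? '?'));
    }
    return ['status' => $allowed ? 200 : 403, 'suspect' => $suspect];
}

// Constructed requests: same Referer value, different server-side sessions.
$server = ['REQUEST_URI' => '/Restrict/32/CreateUser.php', 'HTTP_REFERER' => ADMIN_REFERER];
$cases  = [
    'ordinary user' => ['user_id' => 1007, 'role' => 'user'],
    'administrator' => ['user_id' => 1,    'role' => 'admin'],
    'no session'    => [],
];
foreach ($cases as $label => $session) {
    $r = guard_create_user($server, $session);
    printf("%-14s referer-check=%s session-check=%d suspect=%s\n", $label,
        allow_by_referer($server) ? 'allow' : 'deny', $r['status'],
        $r['suspect'] ? 'yes' : 'no');
}
```

The Referer check allows all three constructed requests, while the session check returns 200 only for the administrator session and flags the other two for review.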
5.19 Attack Execute - Direct Change to URL Parameters
This attack alters data by changing parameter values directly in the URL.
Attack requirement:
A. Information is passed through parameters embedded in the URL.
B. Wrong inputs are not well validated.
Attack process:
This attack is considered one of the easiest attacks. It can mostly be done without
the need for any tool, but in the worst scenario all that is needed is:
A. Using a proxy, capture the request.
B. Alter the parameters as required directly in the URL.