How to make sure that GET and POST request parameters are not modified (validate GET for POST vulnerability)

  • Question

  • User706407582 posted

    Hi

    I have an ASP.NET (3.5 framework) website that is getting scanned by a tool called "Hailstorm" for checking vulnerabilities.
    This tool is able to inject parameters from the POST request into a GET request, which I want to restrict.

    I have 2 queries ->
    Query 1. How to restrict an attacker from sending POST parameters as GET parameters?
    What I am looking for is: when the parameters from the POST request are submitted as a GET request (through the URL), and when a form submission via a method other than POST is detected, the application should respond with an error from the 4xx status code family. I want to throw a 400 error in this case.

    For example, the page below, as per its regular behavior, does not accept a query string. But the attacker is trying to manipulate the GET request by copying all POST request parameters plus a few additional parameters into the query string. How to validate this and throw a 400 error?

    The attacked GET request becomes:
    GET /<app_path>/Co_Gl.aspx?ctl00$ScriptManager1=ctl00$ContentPlaceHolder2$pnlMain|ctl00$ContentPlaceHolder2$btnSaveChange&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=&__VIEWSTATEGENERATOR=&__PREVIOUSPAGE=&__EVENTVALIDATION=&ctl00$ContentPlaceHolder2$txtComments=&__ASYNCPOST=&ctl00$ContentPlaceHolder2$btnSaveChange=

    To fix this, I put the code below in global.asax, but it looks like it's not working. I put checks for all __ parameters ->

    public void Application_PreRequestHandlerExecute(Object sender, EventArgs e)
    {
        // only inspect GET requests
        if (Request.HttpMethod != "GET")
            return;

        // true if any of the WebForms hidden-field names is present in the query string
        var hasPostParams = (Request.QueryString["__EVENTTARGET"] ?? Request.QueryString["__VIEWSTATE"] ??
                             Request.QueryString["__EVENTARGUMENT"] ?? Request.QueryString["__EVENTVALIDATION"] ??
                             Request.QueryString["__VIEWSTATEGENERATOR"] ?? Request.QueryString["__VIEWSTATEENCRYPTED"] ??
                             Request.QueryString["__LASTFOCUS"] ?? Request.QueryString["__ASYNCPOST"] ??
                             Request.QueryString["__PREVIOUSPAGE"]) != null;

        try
        {
            if (hasPostParams)
                throw new HttpException(400, "Bad Request");
        }
        catch (Exception ex)
        {
            // the exception thrown above is caught here and answered with a redirect
            Response.Redirect("Error.aspx");
        }
    }

    Can you please guide me on how to fix this issue?

    Query 2 -> How to stop the POST request from getting modified?

    The attacker was able to modify the POST request by adding an extra query string called "__PREVIOUSPAGE", as you can see below.
    Attacked request ->
    POST /<app_path>/DashboardStats.aspx HTTP/1.1
    __EVENTTARGET=ctl00%24lbTermsandConditions&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJNDI5ODM0ODQwDxYEHglDb3VudExpc3QywwgAAQAAAP%2F%2F%2F%2F8BAAA
    N0Q291bnQAAAAAAAAAAADwPwAAAAAA2BFwPnhiQ%3D%3D&__VIEWSTATEGENERATOR=018364EC&__PREVIOUSPAGE=4&__EVENTVALIDATION=%2FwEWEwKs9JzzCALHjcXDCgK2t4q3AQKvm9%2FeBgKi3MW%2FBALrrN2sBAKfpaifCgKUsrmvCAKfpYzvBwKUst2sBwKEvIL6CwKNpNwOAoDlAomqq88MIj7DhyEH39wLW63R34kiPbygJoU%3D

    How to avoid this?

    As per my understanding, for any ASP.NET form submitted by the POST method, the data below is sent (correct me if I am wrong), and it looks like this attacker tool is trying to manipulate these fields, especially "VIEWSTATE". How to stop it, or how to throw a 400 error in this case? Any idea?

    <form name="aspnetForm" method="post" action="page_name.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm">
        <input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
        <input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
        <input type="hidden" name="__LASTFOCUS" id="__LASTFOCUS" value="" />
        <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="<encrypted_control_data>" />
    </form>

    Quick help will be highly appreciated.

    Regards

    Sarang

    Thank you.

    Thursday, March 7, 2019 11:05 PM
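An added example (not the poster's code and not an official ASP.NET sample) covering both queries in one Global.asax. For query 1 it rejects any non-POST request whose query string carries WebForms postback fields (the reserved "__" prefix, or a "$"-separated UniqueID such as ctl00$ContentPlaceHolder2$btnSaveChange) and answers with a real 400, without a try/catch, because catching the HttpException and calling Response.Redirect turns the 400 into a 302 followed by a 200, which is what the scanner then sees. This matters because WebForms reads its postback fields from the query string when the request is not a POST, so those GET requests are processed as postbacks rather than ignored. For query 2 there is nothing to add on the request side: a modified __VIEWSTATE already fails MAC verification (enableViewStateMac="true" is the default), and an unexpected __EVENTTARGET fails event validation; the example maps those exceptions to 400 in Application_Error instead of the default 500 error page. The assumption that legitimate query keys on this site never contain "$" is the example's own.

```csharp
// Global.asax.cs (added example, not the poster's code). Assumes a WebForms site
// whose forms all use method="post" and whose legitimate query-string keys never
// contain the "$" UniqueID separator or the reserved "__" prefix.
using System;
using System.Collections.Specialized;
using System.Web;
using System.Web.UI;

public class Global : HttpApplication
{
    // True when a non-POST request carries WebForms postback fields in its query
    // string, i.e. the request Hailstorm built by copying the form body into the URL.
    // "__" is the prefix ASP.NET uses for its own hidden fields (__VIEWSTATE,
    // __EVENTTARGET, __EVENTVALIDATION, ...); "$" separates naming containers in
    // control UniqueIDs (ctl00$ContentPlaceHolder2$txtComments).
    internal static bool HasPostbackFieldsInQuery(string httpMethod, NameValueCollection query)
    {
        if (string.Equals(httpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return false;

        foreach (string key in query.AllKeys)
        {
            if (key == null)
                continue;                              // bare "?value" arrives with a null key
            if (key.StartsWith("__", StringComparison.Ordinal))
                return true;
            if (key.IndexOf('$') >= 0)
                return true;
        }
        return false;
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (HasPostbackFieldsInQuery(Request.HttpMethod, Request.QueryString))
            Reject(400, "Bad Request");
    }

    // A POST whose __VIEWSTATE was altered fails MAC verification and ASP.NET throws
    // an HttpException wrapping a ViewStateException; a __EVENTTARGET/__EVENTARGUMENT
    // that was not registered fails event validation with an ArgumentException.
    // Both mean the client tampered with the form, so answer 400 rather than 500.
    protected void Application_Error(object sender, EventArgs e)
    {
        if (!IsTamperedPostback(Server.GetLastError()))
            return;
        Server.ClearError();
        Reject(400, "Bad Request");
    }

    internal static bool IsTamperedPostback(Exception ex)
    {
        // Walk the chain: Application_Error usually sees an HttpUnhandledException
        // whose InnerException is the real one.
        for (Exception cur = ex; cur != null; cur = cur.InnerException)
        {
            if (cur is ViewStateException)
                return true;
            // The resource text is culture-dependent; this matches the English string.
            if (cur is ArgumentException &&
                cur.Message.StartsWith("Invalid postback or callback argument", StringComparison.Ordinal))
                return true;
        }
        return false;
    }

    // Write the status directly and end the pipeline. No try/catch around the check:
    // catching the exception and redirecting would send 302 + 200 instead of 400.
    private void Reject(int status, string description)
    {
        Response.Clear();
        Response.StatusCode = status;
        Response.StatusDescription = description;
        Response.ContentType = "text/plain";
        Response.Write(description);
        CompleteRequest();
    }
}
```

Two configuration points go with this. Keep the protections that make the Application_Error branch fire: in web.config, `<pages enableViewStateMac="true" viewStateEncryptionMode="Always" enableEventValidation="true" />`, with an explicit `<machineKey>` if the site runs on more than one server, since the MAC is what detects a modified __VIEWSTATE; encryption only hides its contents. And on IIS 7 in integrated mode, if the server's own error page replaces the plain-text body of the 400, set `Response.TrySkipIisCustomErrors = true` before writing it.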

All replies

  • User-1811426859 posted

    Hi,

    If you are using POST, the code below will return, and your check will not fire:

    if (Request.HttpMethod != "GET")
    
    return;

    Friday, March 8, 2019 9:15 AM
  • User706407582 posted

    Hi

    I am using this code block for GET verification. But as per my query 2, I need to validate POST also.

    If I have a POST request and __VIEWSTATE is modified by the attacker after the form is posted... how should I check that this variable was modified maliciously and throw a 400 error?

    Friday, March 8, 2019 11:07 AM
  • User1724605321 posted

    Hi sarang ,

    You may check whether the request URI has any parameters:

    Request.QueryString != null && Request.QueryString.Count > 0;

    Best Regards,

    Nan Yu

    Monday, March 11, 2019 2:59 AM
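Rejecting every request that has a query string works for Co_Gl.aspx, which takes none, but it breaks any page on the site that legitimately reads Request.QueryString. The added example below (not Nan Yu's code) keeps the same idea but makes it per page: each application-relative path lists the query keys it accepts, pages not in the table accept none, and anything else gets a 400. It is written as an IHttpModule so it can be registered once in web.config rather than pasted into Global.asax; the paths and the keys for DashboardStats.aspx are assumed for illustration.

```csharp
// QueryStringAllowlistModule.cs (added example, not the thread's code). Assumed
// table: Co_Gl.aspx accepts no query string, DashboardStats.aspx accepts id and period.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Web;

public class QueryStringAllowlistModule : IHttpModule
{
    // Application-relative path -> query keys that page is allowed to receive.
    private static readonly Dictionary<string, HashSet<string>> Allowed =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "~/Co_Gl.aspx", new HashSet<string>(StringComparer.OrdinalIgnoreCase) },
            { "~/DashboardStats.aspx",
              new HashSet<string>(new[] { "id", "period" }, StringComparer.OrdinalIgnoreCase) }
        };

    // Returns null when every query key is permitted for the page, otherwise the
    // first offending key ("" for a bare "?value" that has no name). Applies to all
    // HTTP methods: a POST with extra keys in the URL is just as unexpected as a GET.
    internal static string FirstDisallowedKey(string appRelativePath, NameValueCollection query)
    {
        HashSet<string> permitted;
        if (!Allowed.TryGetValue(appRelativePath, out permitted))
            permitted = new HashSet<string>();        // unknown page: nothing is allowed

        foreach (string key in query.AllKeys)
        {
            if (key == null || !permitted.Contains(key))
                return key ?? string.Empty;
        }
        return null;
    }

    public void Init(HttpApplication app)
    {
        app.BeginRequest += delegate
        {
            HttpContext ctx = app.Context;
            string path = ctx.Request.AppRelativeCurrentExecutionFilePath;

            // Only police pages. In IIS integrated mode this module also sees static
            // files, and "style.css?v=3" style cache-busting must keep working.
            if (!path.EndsWith(".aspx", StringComparison.OrdinalIgnoreCase))
                return;

            if (FirstDisallowedKey(path, ctx.Request.QueryString) == null)
                return;

            ctx.Response.Clear();
            ctx.Response.StatusCode = 400;
            ctx.Response.StatusDescription = "Bad Request";
            ctx.Response.ContentType = "text/plain";
            ctx.Response.Write("Bad Request");
            app.CompleteRequest();                    // stop the pipeline without an exception
        };
    }

    public void Dispose() { }
}
```

Register it under `<system.web><httpModules>` for the classic pipeline, or `<system.webServer><modules>` for IIS 7 integrated mode, as `<add name="QueryStringAllowlist" type="QueryStringAllowlistModule" />`. The check runs at BeginRequest, before the page handler, so the request never reaches the page's postback processing.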