Assessing Vulnerability from URL parameters

I am in the process of helping secure a .NET website against URL hacking. So I have spent some time adding a whitelist of valid domains and sub-domains. But what about query parameters?

My instincts are to add a second whitelist of valid query string parameters, but does that do anything to protect me?

I suppose a determined hacker could, with time and experimentation, find a query string param that has some exploitation value.

What do you think?

My worry is that a whitelist of query string params may be difficult to generate, as this website is quite large. And there is always a risk of rejecting a legitimate request. The query string exposure is about revealing key data in the URL, but I am asking whether there is value in asserting that each query string param is in a whitelist of such params.

So, this is a customer-service-versus-hack-risk threat assessment. And if there is little or no measurable reduction in threat, then this parameter whitelist could cause more harm than good.

Asked by newbieweb (Sr. Software Engineer)

noci (Software Engineer) commented:
What you are looking for is an application level firewall.
One that actually sits between your webserver and the application.
(Mostly it is a module bolted onto the webserver.)
Or it is part of a reverse proxy tool.
In such a firewall you tell what is allowable and what combination of fields (and values) is allowable.

In the application you obviously have checks so that if you expect a name you don't accept ?, !, ;, /* etc.
You check that an integer field containing a number in range 0-100 actually is a number in that range, etc. etc.
All this before even handling the data to process it.
btan (Exec Consultant) commented:
The best practice is to make sure input validation code is included for the parameters when they get processed by the application. To nip web parameter tampering in the bud, go and correct the code. Conduct penetration tests and code reviews on the application once the code changes. Identify any findings and rectify them.

Whitelisting parameters is not sustainable and prone to human error. The WAF is good, but eventually that extra layer of checks it gives you is there to give you time to correct the code. All input is evil and defensive coding is needed.
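As an added illustration (not code from this thread or from the asker's site) of the in-application check that noci and btan describe, the following stand-alone C# shows one way an ASP.NET-style action can treat its view model as the allowlist of accepted query parameters and use DataAnnotations for the per-parameter value rules. The `SearchQuery` model, its parameter names and the ranges are hypothetical; `System.Web.HttpUtility` is used only to parse the raw query string.

```csharp
// Added example: a strict allowlist of query parameters with per-value rules.
// Parameter names and limits are hypothetical, chosen for illustration only.
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Web;

// The properties ARE the allowlist for this action; the attributes are the
// value constraints (type, range, character set, length).
public class SearchQuery
{
    [Required, Range(1, 1000000)]
    public int? CustomerId { get; set; }

    // Letters, digits and spaces only, bounded length: rejects ?, !, ;, /* etc.
    [RegularExpression(@"^[A-Za-z0-9 ]{1,40}$")]
    public string Name { get; set; }

    [Range(0, 100)]
    public int Percent { get; set; }
}

public static class QueryGuard
{
    // Returns the list of problems found; an empty list means the request is acceptable.
    public static List<string> Check(string queryString)
    {
        var problems = new List<string>();
        var args = HttpUtility.ParseQueryString(queryString);
        var model = new SearchQuery();

        foreach (string key in args.AllKeys)
        {
            switch (key?.ToLowerInvariant())
            {
                case "customerid":
                    if (int.TryParse(args[key], out int id)) model.CustomerId = id;
                    else problems.Add("customerId is not an integer");
                    break;
                case "name": model.Name = args[key]; break;
                case "percent":
                    if (int.TryParse(args[key], out int p)) model.Percent = p;
                    else problems.Add("percent is not an integer");
                    break;
                default: problems.Add($"unexpected parameter '{key}'"); break; // not on the allowlist
            }
        }

        // Validate every bound value against its attributes in one pass.
        var results = new List<ValidationResult>();
        if (!Validator.TryValidateObject(model, new ValidationContext(model), results, true))
            foreach (var r in results) problems.Add(r.ErrorMessage);
        return problems;
    }

    public static void Main()
    {
        Console.WriteLine(Check("customerId=42&name=Alice").Count == 0 ? "accepted" : "rejected");
        Console.WriteLine(string.Join("; ", Check("customerId=42&name=x';--&debug=1&percent=200")));
    }
}
```

The second call in `Main` is rejected three times over (an unexpected `debug` parameter, a `name` outside the allowed character set, and `percent` out of range), which is the behaviour the asker wants from a parameter whitelist without maintaining a separate list in a WAF.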
newbieweb (Sr. Software Engineer), author, commented:
> Whitelisting parameters are not sustainable and prone to human error.

But, in order to inspect a param's value, I need not only a white list of each, but some Max/Min or more complex algorithm that validates that param's input. This seems like a large undertaking.

But, aside from the obvious value of protecting our core application from a DDoS attack, what is the primary benefit of handling param checking in a WAF? If the application needs to "protect itself," wouldn't that mean I need to code these params in two distinct white lists?

And when I do decide to protect the MVC application from errant URLs, should I use the LogIn() Controller Action?

> (mostly it is a module bolted onto the webserver.)

What language is this normally written in? Are there downloadable source projects I could use as a starting point?

btan (Exec Consultant) commented:
The WAF is to perform the validation of the parameters, especially for obvious tampering with injection of XSS or SQLi scripts. You are just bringing the check into a control before the web traffic passes through to the web server.
The main aim in using a WAF is therefore securing the existing, often productive web applications, where the required changes within the application can no longer be implemented or can only be implemented with a disproportionately large amount of work. This applies to vulnerabilities in particular which have been revealed via a penetration test or even via analysis of the source code, and, especially in the short term, cannot be fixed within the application.

Besides the basic protection via blacklisting - in other words the description of known attack patterns - the basic feature of the WAF is the option of whitelisting which can be configured appropriately. With active whitelisting, the rule set of the WAF describes the exact behaviour of the application; the configuration of suitable whitelists is often supported via a learning mode.
Open redirection to an external URL should still be inspected. If you deem the login function necessary and it redirects to some other URL due to user input, then the WAF, if it exists, should inspect that. Nevertheless, the WAF is there to reduce the attack surface of the server.
As a central service point, the WAF can implement tasks which can be solved in the same way for every application. A good example of this is secure session management for all applications based on cookie stores.

Many WAFs also provide proactive security mechanisms such as URL encryption or site usage enforcement, in order to minimise the area of attack.
ModSecurity is an embedded WAF.
See for use in IIS and directives.
There are libraries to aid secure coding, like ESAPI.
But I suggest you see this example with regard to how the code is secured against the OWASP Top vulnerabilities.
