sunhux
asked on
Parameter Tampering : workaround mitigations (instead of fixing the application)
We have a Parameter Tampering weakness in our app which we do not have time to fix at the
application level, so we are exploring alternative mitigations, namely WAF & IPS.
The Parameter Tampering weakness is:
a Web-based attack in which certain parameters in the Uniform Resource Locator (URL) or Web page form field data entered by a user can
be changed without the required authorization. After changing, it points the browser to a link, page or site other than the one the user was
authorized (from his original authentication) to access.
E.g.:
https://www.abcdefghijklmnop.com/PPabcde/action/xx.com.pp.pubeform.action.PubEformFileAction?method=openFile&file_id=60001
Changing the input 60001, which the user entered under the parameter "file_id" in the URL, is a valid request, & thus the user could see
other contents (which he was not meant to see) by changing it to different values.
Is it possible to customize rules/policies in WAF/IPS such that the rules whitelist the download form (there's only 1 form in which we're
vulnerable) to only the 3 URLs (exactly the same URLs as above except for the value after file_id=) and block off the rest? The 3 values
are 80001, 80002, 80003.
We use WebLogic to serve as the web service.
ASKER
So IPS won't have this feature; most likely it's WAF
Meaning, there's no way for the WAF layer to differentiate between authentic + forged/munged requests.
Likely this type of checking must be done at your application layer (code rewriting) to ensure all requests arriving are authenticated/valid.
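As an added illustration that is not part of the original thread and not code from the asker's application, the Python below models both pieces discussed here: the static WAF allowlist the question asks for (on the download action path, only file_id 80001, 80002 or 80003 passes and everything else on that path is blocked) and the per-user ownership check that the last reply says has to live in the application layer. The path and the file_id values are taken from the question; the user names and the FILE_OWNERS table are constructed sample data standing in for the application's own authorization records, and a real deployment would look those up in its own store.

```python
from urllib.parse import urlsplit, parse_qs

# Path of the single vulnerable download action, copied from the question's example URL.
DOWNLOAD_PATH = "/PPabcde/action/xx.com.pp.pubeform.action.PubEformFileAction"

# The three file_id values the asker wants the WAF to let through (from the question).
ALLOWED_FILE_IDS = {"80001", "80002", "80003"}

# Constructed sample ownership data (not from the page): which authenticated
# user is authorized to open which file_id. Stands in for the app's own records.
FILE_OWNERS = {
    "80001": "alice",
    "80002": "alice",
    "80003": "bob",
    "60001": "carol",
}


def _path_and_query(url: str):
    # urlsplit (not urlparse) is used so a ";params" suffix stays part of the path
    # and cannot make the path comparison silently skip the rule.
    parts = urlsplit(url)
    return parts.path, parse_qs(parts.query, keep_blank_values=True)


def waf_allowlist_decision(url: str) -> str:
    """Static WAF-style rule with no notion of who the user is.

    Returns "allow" only when the request targets the download action with
    method=openFile and exactly one file_id drawn from ALLOWED_FILE_IDS,
    "block" for any other request on that path, and "not-applicable" for
    other paths (the rule is scoped to the one vulnerable form).
    """
    path, qs = _path_and_query(url)
    if path != DOWNLOAD_PATH:
        return "not-applicable"
    method = qs.get("method", [])
    file_ids = qs.get("file_id", [])
    # Exactly one method and one file_id: a repeated parameter is blocked rather
    # than letting the backend pick whichever copy it prefers.
    if method != ["openFile"] or len(file_ids) != 1:
        return "block"
    return "allow" if file_ids[0] in ALLOWED_FILE_IDS else "block"


def app_layer_decision(url: str, authenticated_user: str) -> str:
    """Application-layer authorization the WAF cannot perform.

    The server resolves the requested file_id to its owner and compares that
    with the authenticated session user, so a request for a file_id that is on
    the allowlist but belongs to someone else is still denied.
    """
    path, qs = _path_and_query(url)
    if path != DOWNLOAD_PATH:
        return "not-applicable"
    file_ids = qs.get("file_id", [])
    if len(file_ids) != 1:
        return "deny"
    owner = FILE_OWNERS.get(file_ids[0])
    return "allow" if owner is not None and owner == authenticated_user else "deny"


if __name__ == "__main__":
    base = "https://www.abcdefghijklmnop.com" + DOWNLOAD_PATH
    for query, user in [
        ("?method=openFile&file_id=80001", "alice"),  # allowed by both layers
        ("?method=openFile&file_id=60001", "alice"),  # WAF blocks: not on the allowlist
        ("?method=openFile&file_id=80003", "alice"),  # WAF allows, app denies: not alice's file
        ("?method=openFile&file_id=80003", "bob"),    # allowed by both layers
    ]:
        print(query, user,
              "WAF:", waf_allowlist_decision(base + query),
              "APP:", app_layer_decision(base + query, user))
```

The third case is the point of the last reply: file_id 80003 passes the WAF allowlist whether Alice or Bob sends it, because the WAF only sees the URL, not who is entitled to that file. The allowlist still reduces exposure (every file_id outside the three is blocked), but ownership of the three allowed ids can only be enforced where the session user is known. The path comparison also assumes the WAF normalizes the path the same way WebLogic does; if they differ, the rule should be written against the server's normalized view.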