Forum Discussion
Parameter Tampering
Dear all,
I want to know how I can prevent users from manipulating the URL and circumventing a security permission.
Example, user clicks a link: http://myweb.com/student_data/academic_data.jsp?studentID=AAA12345
In this example the parameter will be for user ID XXX12345, but what if the end user manipulates the URL and puts studentID=CCC56789 (someone else)?
I tried adding parameter studentID as a global parameter, but it did not solve my issue.
This web server is on a productive environment, and my client does not want to invest in a programmer to code a new application in order to solve this problem.
I hope somebody can help me.
Thanks in advance!
7 Replies
- Mike_Maher
Nimbostratus
How is the studentID parameter value populated?
- nathe
Cirrocumulus
Dependent on the answer to Mike's question, could a flow policy work for you?
- pcastagnaro_709
Nimbostratus
Posted By Mike Maher on 03/12/2013 02:06 PM
What does "parameter value populated" mean?
Anyway, thank you very much for your attention and your help!
- pcastagnaro_709
Nimbostratus
I think a flow policy introduces a vulnerability, because if an attacker wants to access /student_data/academic_data.jsp?studentID=AAA12345 he could make the request, tamper with it by adding a Referer header, and the application will show him the requested page.
Is that correct?
- Mike_Maher
Nimbostratus
How does the parameter studentID get its value? My assumption would be that this parameter gets populated at the login page, so I would set up studentID to be a Dynamic parameter value and set the extraction point to be the page at which the parameter value should be populated. That way the value can only be set or changed by information gathered and passed during the login process, which I would assume is password protected and therefore should resolve your concern about being able to tamper with the value in other parts of the site.
- pcastagnaro_709
Nimbostratus
Dear Mike Maher,
- SunHuHwang_1815
Nimbostratus
Please refer to the steps below (v12.0.0).
Parameter
- Add to parameter list: studentID
- Object change - Parameter Value Type: dynamic content value
- Extraction > Extract From URLs: /student_data/academic_data.jsp
- Blocking setting: Illegal dynamic parameter value - check
- Apply policy
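The dynamic parameter check that Mike Maher and SunHuHwang_1815 describe, modelled as an added example (not F5 code and not anything posted in this thread): the only studentID values a session may send are the ones the server itself emitted in a response from the extraction URL, and any other value is blocked as an illegal dynamic parameter value. The Referer header is ignored by design, which is why this differs from the flow policy pcastagnaro_709 was worried about. The session ids, the sample HTML and the extraction regex are assumptions made for the demo.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Values taken from the thread; in ASM these are set in the parameter object.
EXTRACTION_URL = "/student_data/academic_data.jsp"
PARAM = "studentID"


class DynamicParamPolicy:
    """Simplified model of an ASM 'dynamic content value' parameter: a
    session may only send PARAM values the server issued to that session."""

    def __init__(self):
        self.allowed = {}  # session id -> set of server-issued values

    def observe_response(self, session, url, body):
        # Extraction point: learn values from links/fields the server generated.
        if urlsplit(url).path != EXTRACTION_URL:
            return
        pattern = rf'(?:{PARAM}=|name="{PARAM}"\s+value=")([A-Za-z0-9]+)'
        self.allowed.setdefault(session, set()).update(re.findall(pattern, body))

    def check_request(self, session, url, headers=None):
        # Enforcement: headers (including Referer) are client-controlled and
        # deliberately play no part in the decision.
        query = parse_qs(urlsplit(url).query)
        if PARAM not in query:
            return "pass"
        allowed = self.allowed.get(session, set())
        if all(v in allowed for v in query[PARAM]):
            return "pass"
        return "block: Illegal dynamic parameter value"


def demo():
    policy = DynamicParamPolicy()
    # Constructed server response for session "s1": the page links only to AAA12345.
    body = '<a href="/student_data/academic_data.jsp?studentID=AAA12345">My grades</a>'
    policy.observe_response("s1", "/student_data/academic_data.jsp", body)
    own = policy.check_request("s1", "/student_data/academic_data.jsp?studentID=AAA12345")
    # Tampered value plus a forged Referer, as in the flow-policy concern above.
    other = policy.check_request(
        "s1", "/student_data/academic_data.jsp?studentID=CCC56789",
        headers={"Referer": "http://myweb.com/student_data/academic_data.jsp"})
    return own, other


if __name__ == "__main__":
    print(demo())
```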