Not setting the action field of a FORM tag may lead to parameter pollution if an attacker embeds the page inside an IFRAME

Let us take the case of a simple primary Email ID update form. Such forms are common in many web applications; they are simple but extremely important. If an attacker manages to force a victim to replace his primary Email ID with the attacker’s, the attacker can then perform a password reset and compromise the victim’s account.
A sample Email ID update form is given below which contains a ‘csrf-token’ parameter for CSRF protection:
Let’s say this form is available at 'www.example.com/updateEmail.jsp'.
Since this form does not contain an ‘action’ attribute, on submission the form will be submitted to the current URL in the address bar, which will be ‘www.example.com/updateEmail.jsp’.
The source code of 'updateEmail.jsp' would typically look like this:
The application checks if the request contains a valid CSRF token. If not, it displays the form to the user.
Now, to submit our sample form using ClickJacking, the attacker can include an iframe like this:
When this request goes to the server, the application would display the update form. When this form is submitted by the victim using ClickJacking, the request that is sent to the server is like this:
Since the form was not filled in by the victim, the email parameter in the POST body is blank. However, since the form has no action attribute, it is submitted to the URL the page was loaded from, www.example.com/updateEmail.firstname.lastname@example.org. The QueryString of that URL now carries the value the attacker supplied for the ‘email’ parameter.
This request contains two values for the ‘email’ parameter, one in the POST body and one in the QueryString. This is where HTTP Parameter Pollution comes in: when the server-side JSP code calls request.getParameter("email"), the value that is returned is the one in the QueryString and not the one in the POST body. Since this value can be controlled by the attacker, he can trick the victim into updating his account with the attacker’s mail ID.
How to solve it
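Always include the ACTION attribute in FORM tags, so that the form is submitted to a fixed URL rather than to whatever URL (and QueryString) the page was loaded with. This reduces parameter pollution problems.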
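
A server-side check to pair with the explicit action attribute, as an added example that is not code from the original page: a servlet filter that rejects an update POST carrying a QueryString or a duplicated parameter, so request.getParameter("email") can only ever see the body value. The class name, the guarded parameter list, the javax.servlet API level and the anti-framing headers are assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class name). Map it to updateEmail.jsp only,
// since other pages may legitimately POST to a URL with a query string.
public class SingleValueParamFilter implements Filter {
    // Assumption: parameters that must arrive exactly once, in the POST body.
    private static final String[] GUARDED = { "email", "csrf-token" };

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Not mentioned on the page: tell browsers not to render this page in a
        // frame, which removes the ClickJacking step the scenario depends on.
        res.setHeader("X-Frame-Options", "DENY");
        res.setHeader("Content-Security-Policy", "frame-ancestors 'none'");

        if ("POST".equalsIgnoreCase(req.getMethod())) {
            // A form with a fixed action="updateEmail.jsp" never posts a query
            // string, so one on this request means the page URL was tampered with.
            if (req.getQueryString() != null) {
                res.sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "Query string not allowed on this POST");
                return;
            }
            // The container merges query-string and body values into one array
            // (query string first); more than one value means pollution.
            for (String name : GUARDED) {
                String[] values = req.getParameterValues(name);
                if (values != null && values.length > 1) {
                    res.sendError(HttpServletResponse.SC_BAD_REQUEST,
                            "Duplicate parameter: " + name);
                    return;
                }
            }
        }
        chain.doFilter(rq, rs);
    }
}
```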