PARAMETER POLLUTION

Feature            Value
Type               Detection
Risk               -
Covered by Agent

Not setting the action attribute of a FORM tag may lead to HTTP parameter pollution if an attacker embeds the page inside an IFRAME whose URL carries attacker-chosen query parameters.

Let us take the case of a simple primary Email ID update form. Such forms are common in many web applications; they are simple but extremely important. If an attacker manages to force a victim to update his primary Email ID to the attacker's address, the attacker can then perform a password reset and compromise the victim's account.

A sample Email ID update form is given below which contains a 'csrf-token' parameter for CSRF protection (input is a void element, so it takes no closing tag):

<form method="POST">
    <input type="text" name="email" value="">
    <input type="hidden" name="csrf-token" value="a0a0a0a0a0a">
</form>

Let's say this form is available at 'www.example.com/updateEmail.jsp'.
Since this form does not contain an 'action' attribute, on submission the browser submits the form to the document's own URL, i.e. whatever is in the address bar, query string included. Normally that is just 'www.example.com/updateEmail.jsp'.

The server-side code of 'updateEmail.jsp' would typically look like this (Java servlet API; isValidCsrfToken() is a placeholder for whatever token check the application uses):

String email = request.getParameter("email");
String token = request.getParameter("csrf-token");

if ( email != null && !email.isEmpty() && isValidCsrfToken(session, token) )
{
    //process the form and update the email ID
}
else
{
    //display an empty form to the user (CSRF token included)
}

The application checks whether the request contains a non-empty email and a valid CSRF token. If not, it displays the form to the user.

Now, to get the victim to submit our sample form using ClickJacking, the attacker frames the page with an iframe like this:
<iframe src="http://www.example.com/updateEmail.jsp?email=evil@attackermail.com"></iframe>


When this request reaches the server, the request carries no CSRF token, so the application renders the empty update form, and the framed document's URL still contains the attacker's 'email=' query parameter. When the victim is tricked into submitting this form through ClickJacking, the request that is sent to the server looks like this:

POST /updateEmail.jsp?email=evil@attackermail.com HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded

email=&csrf-token=a0a0a0a0a0a

Since the form was not filled in by the victim, the 'email' parameter in the POST body is blank. However, because the form has no action attribute, it is submitted to www.example.com/updateEmail.jsp?email=evil@attackermail.com, so the query string carries the attacker's chosen value for the 'email' parameter.

The request therefore contains two values for 'email', one in the query string and one in the POST body: this is HTTP Parameter Pollution. Which value the application sees depends on the web container. Apache Tomcat, the usual JSP container, parses the query string before the body and getParameter() returns the first value found, so request.getParameter("email") yields "evil@attackermail.com" rather than the blank body value, and the "email is set" check passes while the CSRF token from the body is perfectly valid. Since that value is controlled by the attacker, he can trick the victim into updating the account with the attacker's mail ID.
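The following is an added example, not code from the original page: a small Node.js model of how a servlet container resolves getParameter() when the same name appears in both the query string and the POST body. The raw request is the constructed submission shown above; the vulnerable lookup assumes Tomcat's order (query string parsed first, first value returned), and the hardened lookup (getBodyParameterStrict, a name chosen here) reads the body only and rejects the request when the name is also present in the query string.

```javascript
// Added example (not from the original page): model of servlet parameter
// resolution under HTTP Parameter Pollution. Runs with Node.js >= 10, no imports.

// Constructed sample: the clickjacked submission the page shows.
const RAW_REQUEST =
  "POST /updateEmail.jsp?email=evil@attackermail.com HTTP/1.1\r\n" +
  "Host: www.example.com\r\n" +
  "Content-Type: application/x-www-form-urlencoded\r\n" +
  "\r\n" +
  "email=&csrf-token=a0a0a0a0a0a";

// Split a raw request into its query-string and body parameter lists.
function parseRequest(raw) {
  const [head, body = ""] = raw.split("\r\n\r\n");
  const requestLine = head.split("\r\n")[0];
  const target = requestLine.split(" ")[1];            // "/updateEmail.jsp?email=..."
  const qIndex = target.indexOf("?");
  const query = qIndex === -1 ? "" : target.slice(qIndex + 1);
  return {
    queryParams: new URLSearchParams(query),
    bodyParams: new URLSearchParams(body),
  };
}

// Vulnerable lookup, Tomcat-style (assumption stated in the lead-in): query-string
// values are collected first, then body values, and the first one wins.
function getParameterTomcatStyle(req, name) {
  const all = [...req.queryParams.getAll(name), ...req.bodyParams.getAll(name)];
  return all.length ? all[0] : null;
}

// Hardened lookup for a POST form handler: read the body only, and refuse the
// request outright if the same name also arrived in the query string, so a
// polluted request can never silently pick up the attacker's copy.
function getBodyParameterStrict(req, name) {
  if (req.queryParams.has(name)) {
    throw new Error(`parameter pollution: '${name}' present in query string and body`);
  }
  return req.bodyParams.has(name) ? req.bodyParams.get(name) : null;
}

// Mirrors the page's handler: the "email is set" check before the update.
// Returns the address that would be stored, or null if the empty form is shown.
function emailToUpdate(req, lookup) {
  const email = lookup(req, "email");
  return email !== null && email !== "" ? email : null;
}

const req = parseRequest(RAW_REQUEST);
const vulnerableResult = emailToUpdate(req, getParameterTomcatStyle); // "evil@attackermail.com"
let hardenedResult;
try {
  hardenedResult = emailToUpdate(req, getBodyParameterStrict);
} catch (e) {
  hardenedResult = "rejected: " + e.message;
}
console.log("vulnerable handler would update email to:", vulnerableResult);
console.log("hardened handler:", hardenedResult);
```

Note that the CSRF token check is untouched by the pollution: the token lives only in the body, so even the strict lookup accepts it. The protection fails not because the token is wrong but because the field it was meant to protect was read from the wrong place.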

This attack also works where the form is submitted with JavaScript like this, because document.location carries the full URL of the framed document, query string included:

<form id="emailForm" onsubmit="return process(event)">
<input type="text" name="email" value="">
<input type="hidden" name="csrf-token" value="a0a0a0a0a0a">
</form>

<script>
function process(event)
{
    var form = document.getElementById("emailForm");
    //check if email is set
    //document.location.href is the entire URL with parameters, so the
    //attacker's ?email=... from the address bar travels with the submission
    form.action = document.location.href;
    form.method = "post";
    form.submit();
    //the explicit submit() above already sent the request; stop the
    //default submission so the form is not posted twice
    event.preventDefault();
    return false;
}
</script>

More information

How to solve it

Always give every FORM an explicit action attribute that points to a fixed path with no query string (for example action="/updateEmail.jsp"), so the submission URL cannot inherit attacker-supplied query parameters from the address bar; assigning document.location to the action from JavaScript reintroduces the same problem. On the server side, read POST form fields from the request body only and reject requests in which the same parameter name appears in both the query string and the body. Since the attack also depends on framing the page, serving X-Frame-Options: DENY or a Content-Security-Policy frame-ancestors directive removes the ClickJacking step.
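The following is an added example, not code from the original page: a check of how the browser resolves the submission URL for each form variant discussed on this page, following the HTML rules that a missing or empty action means the document's own URL and any other action is resolved relative to the document. The document URL is the constructed one the attacker's iframe loads; resolveFormAction(), submissionPollutes() and assessVariants() are names chosen here.

```javascript
// Added example (not from the original page): which form action values let the
// attacker's query string reach the server. Runs with Node.js >= 10, no imports.

// Constructed sample: the URL the attacker's iframe loaded the form at.
const DOCUMENT_URL = "http://www.example.com/updateEmail.jsp?email=evil@attackermail.com";

// Resolve a form's action attribute the way the browser does on submit.
// `action === null` models a form with no action attribute at all.
function resolveFormAction(action, documentUrl) {
  if (action === null || action === "") {
    return documentUrl;                       // document URL, query string included
  }
  return new URL(action, documentUrl).href;   // relative actions resolve against the document
}

// Does the resolved submission URL still carry a query-string copy of a form
// field name that the attacker could have pre-set?
function submissionPollutes(action, documentUrl, fieldName) {
  const url = new URL(resolveFormAction(action, documentUrl));
  return url.searchParams.has(fieldName);
}

// The variants from this page, assessed for the 'email' field.
const VARIANTS = {
  "no action attribute": null,
  "action=\"\"": "",
  "action = document.location.href (JS variant)": DOCUMENT_URL,
  "action=\"/updateEmail.jsp\" (fix)": "/updateEmail.jsp",
};

function assessVariants() {
  const report = {};
  for (const [label, action] of Object.entries(VARIANTS)) {
    report[label] = {
      submitsTo: resolveFormAction(action, DOCUMENT_URL),
      pollutesEmail: submissionPollutes(action, DOCUMENT_URL, "email"),
    };
  }
  return report;
}

for (const [label, result] of Object.entries(assessVariants())) {
  console.log(`${label}: submits to ${result.submitsTo} -> carries 'email': ${result.pollutesEmail}`);
}
```

Only the fixed-path action drops the query string; the first three variants all submit to the attacker-chosen URL. The explicit action closes the browser-side half of the problem, which is why the server-side rule of reading form fields from the body alone still matters for handlers that accept GET and POST interchangeably.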