0

Assume that a user logged in to a webpage with their own account, then makes a POST request and captures it. With some modification to the captured request, it is being executed. Sure. It goes through without any problems.

Is this a security issue on the development side? Because the modified POST request contains data, which is not on the database/server side. The user changes their name and address then to bypass some restrictions.

What should I look into to prevent this happening again? I do capture the IP of this user. But it seems to me, that we can do better to prevent it with our technical skill.

skooog
  • 1,008
  • 7
  • 17
Dmomo
  • 1
  • 1
  • 1
    The rules here are *never trust what comes from the outside*, and *always considere that a request could have been forged* for malicious or innocent reasons. And please add more context if you want a more in-depth answer ... – Serge Ballesta Sep 27 '17 at 07:57

1 Answers1

1

In an insecure serverside application this would be a problem. But it is most likely to not work against most applications. This is web application security 101.

A properly coded application will take these names/values and sanitize the data server side. Once the data is verified as what it is looking for it will then make them part of the query. So likely any name and value you submit the applications code doesn't recognized will simply be ignored. Basic error handling might even stop the request.

Additionally they may have security tokens in place. This is to prevent someone from making a POST request with fraudulent data and tricking someone else into submitting it and to stop spam submission. So simply submitting a POST request might not allow it to go through at all.

Overall it is a pretty broad subject. But you can read more on how serverside data is securely handled at OWASP if you wish to familiarize yourself better.

Bacon Brad
  • 3,340
  • 19
  • 26