I want to know what the best approach is for preventing URL Jumping / URL Tampering attacks.

Example

updateprofile.php?uid=1 

I can change to

updateprofile.php?uid=2

I can update the second user's profile without logging in to his or her account.

So how can I prevent this type of attack? By using Session variables? Encrypting the data through the URL?

I am sure sessions are vulnerable to XSS or Session Hijacking Attacks.

So what is the best approach for this? Coding approach etc.

Cash-

1 Answer

> updateprofile.php?uid=1
>
> I can change to
>
> updateprofile.php?uid=2

If you can change the uid parameter and then tweak another person's profile, that would mean the backend application has no checks to determine if a user is eligible to perform an action.

This attack can be a combination or any of the following: bad session management, URL tampering, indirect object reference, parameter tampering.

> So how can I prevent this type of attack? By using Session variables? Encrypting the data through the URL?

Yes, SESSIONS combined with logical checks are the way to solve such attacks.

> I am sure sessions are vulnerable to XSS or Session Hijacking Attacks.

SESSIONS have nothing to do with XSS.

> So what is the best approach for this? Coding approach etc.

The coding approach is to use a SESSION token to uniquely identify a user. Then perform server-side checks to determine if a user is authorised to perform an action such as editing a profile. If he isn't, simply don't allow him.

yeah_well
  • Thank you for responding. Is it possible for you to give some brief code examples so that I can have a bigger picture about it? – Cash- Jun 01 '19 at 18:26
  • There is no bigger picture here. Download any book on web development and go through the chapter on session management. I am sure you will understand it. – yeah_well Jun 01 '19 at 19:17
  • I do not know the correct approach, but before I knew about session management, I always stored the username in **SESSION["Username"]**; that's how I authorized users before visiting a page or performing actions. I do not use any token IDs or persistent cookies. So, is this also considered a way to do it? – Cash- Jun 02 '19 at 02:07
  • @Cash- Yes, it's the same logic, but two people can have the same username, so instead you use a unique token. If you read the chapter on session management you would understand it. – yeah_well Jun 02 '19 at 05:47
  • Thank you, but I used my username as a primary key instead and have client-side validation for the same username, so I assume the logic here is fine? – Cash- Jun 02 '19 at 05:52
  • Usernames are not unique. – yeah_well Jun 02 '19 at 05:55
  • But for this approach, if you are talking about the session ID, people are still able to steal your ID via XSS, right? Considering if my session ID is passed via the GET method. – Cash- Jun 02 '19 at 05:56
  • What does XSS have to do with this? – yeah_well Jun 02 '19 at 05:58
  • Never mind, I was actually saying there is another approach to exploit this: even if we are using session tokens, they can still be stolen and hence do whatever we want later. Might be off topic since this is about URL tampering instead. If that's the case, should I encrypt session tokens to be on the safe side? – Cash- Jun 02 '19 at 06:10
  • @Cash- I think there are a lot of things that you do not understand at all. Things like XSS and SESSION or even web development. You should first study them. No, encrypting session tokens serves no purpose at all. – yeah_well Jun 02 '19 at 06:14
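
The server-side check described in the answer, as an added example that is not code from the original thread: a sketch of `updateprofile.php` where identity comes from the session and the `uid` parameter is only a request that must pass an ownership check. The session keys `user_id` and `role`, the `profiles` table, the `display_name` field and the PDO connection details are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// updateprofile.php: added example, not code from the thread.
// Assumed (hypothetical): login stored $_SESSION['user_id'] and
// $_SESSION['role']; table `profiles`(user_id, display_name); the PDO
// DSN and credentials are placeholders.
// Vulnerable pattern from the question: the UPDATE uses the uid taken from
// the URL with no check, so uid=2 edits someone else's row.

session_start();

/** True only if the logged-in account may edit the target profile. */
function can_edit_profile(array $session, int $targetUid): bool
{
    if (!isset($session['user_id'])) {
        return false;                              // not logged in
    }
    if ((int) $session['user_id'] === $targetUid) {
        return true;                               // owner edits own profile
    }
    return ($session['role'] ?? '') === 'admin';   // only explicit exception
}

// The uid in the URL is a request, never proof of identity.
$targetUid = filter_input(INPUT_GET, 'uid', FILTER_VALIDATE_INT);
if ($targetUid === false) {                        // present but not an integer
    http_response_code(400);
    exit('Bad request');
}
if ($targetUid === null) {                         // absent: default to own profile
    $targetUid = (int) ($_SESSION['user_id'] ?? 0);
}

if (!can_edit_profile($_SESSION, $targetUid)) {
    http_response_code(403);                       // uid=2 requested by user 1 ends here
    exit('Forbidden');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'placeholder',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $stmt = $pdo->prepare(
        'UPDATE profiles SET display_name = :name WHERE user_id = :uid');
    $stmt->execute([
        ':name' => (string) ($_POST['display_name'] ?? ''),
        ':uid'  => $targetUid,
    ]);
    echo 'Profile updated';
}
```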