What is it?
A visitor cheats the website by modifying GET/POST variables that carry sensitive information, and in doing so changes things they should not be able to change.
Common Causes
Sensitive variables are handed to the browser and then assumed to be correct on every subsequent page hit.
Examples and their exploits
Example 1 (code):
...
$username=$_GET["username"]; // identity taken straight from the query string, nothing checks it
echo "Welcome $username:";
...
Example 1 (exploit):
URL:
page.php?username=admin
Example 1 (explanation):
Everyone reading this must know this is the worst thing you can possibly do, and no one in their right mind would make an application like this, but I had to pick a simple example that hopefully gets the point across. I would rather save you time by giving you a simple example than have you analyze a big explanation or 50 lines of code.
In this example, the application assumes that the visitor is the user named in the $username variable, and in the exploit we tell the application that we are the administrator of that site. With this we can do anything that an administrator would be able to do.
Another example would be a shopping cart that passes the amount owed to a third-party merchant and never checks the total of the final payment against the receipt stored in the SQL database before shipping the goods out. I actually found a good article on common e-commerce vulnerabilities while looking for the next common vulnerability to write about. I will post a link to the article at the end of this article.
Example 1 (solution):
Unlike the other vulnerabilities I wrote about, this one does not have a single fix that covers every case. For this example, it should be fairly obvious that you need some sort of session manager. Most webpages use session IDs for their login system.
Using a simple session manager:
...
$session = intval($_GET["session"]); // cast to an integer so the value cannot carry SQL
// $db is assumed to be an already-open mysqli connection; the prepared statement
// keeps the lookup safe even if the ID were not cast first
$stmt = $db->prepare("SELECT username FROM sessions WHERE sessionID = ?");
$stmt->bind_param("i", $session);
$stmt->execute();
$row = $stmt->get_result()->fetch_object();
if ($row) {              // a row came back: the session ID is known to the server
    $username = $row->username;
} else {                 // unknown or expired session: the visitor is only a guest
    $username = "Guest";
}
...
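As an added example that is not the article's own code, the same principle applied to both the login case and the shopping-cart case above: identity and price are taken from server-side state, and a value the browser sends back is at most cross-checked, never honoured. It uses PHP's built-in session handling instead of a hand-written session table; the catalog, the cart and the logged-in user are constructed stand-ins for rows that would come from the database.

```php
<?php
// Added example (not the article's code). Authoritative state lives on the server;
// anything the browser sends back is at most compared against it, never trusted.
// Uses PHP's built-in session handling. $catalog, the cart and the logged-in user
// are constructed stand-ins for rows that would normally come from the database.

// Vulnerable pattern from the article: identity and amount read straight from the request.
function checkoutVulnerable(array $request): string
{
    $user  = $request['username'];        // ?username=admin is accepted as-is
    $total = (float) $request['total'];   // ?total=0.01 is accepted as-is
    return sprintf('charging %s %.2f', $user, $total);
}

// Hardened pattern: identity from the server-side session, amount recomputed from the
// server-side cart; a client-supplied total is only cross-checked and logged on mismatch.
function checkoutHardened(array $request, array $catalog): string
{
    if (empty($_SESSION['user_id'])) {
        return 'login required';
    }
    $expected = 0.0;
    foreach ($_SESSION['cart'] as $sku => $qty) {
        if (!isset($catalog[$sku]) || (int) $qty < 1) {
            return 'invalid cart';
        }
        $expected += $catalog[$sku] * (int) $qty;
    }
    if (isset($request['total']) && abs((float) $request['total'] - $expected) > 0.005) {
        error_log(sprintf('total mismatch for user %d: sent %s, expected %.2f',
            $_SESSION['user_id'], $request['total'], $expected));
        return 'total mismatch';
    }
    return sprintf('charging %s %.2f', $_SESSION['username'], $expected);
}

session_start();
// Constructed session state, as the login handler would have set it after a real login.
$_SESSION['user_id']  = 42;
$_SESSION['username'] = 'alice';
$_SESSION['cart']     = ['book' => 2];
$catalog = ['book' => 19.99];

// Constructed tampered request: the visitor claims to be admin and to owe one cent.
$tampered = ['username' => 'admin', 'total' => '0.01'];
echo checkoutVulnerable($tampered), "\n";
echo checkoutHardened($tampered, $catalog), "\n";
echo checkoutHardened(['total' => '39.98'], $catalog), "\n";
```

The mismatch branch is also the detection point: a client-supplied total that disagrees with the server's figure is worth logging, since a legitimate browser never produces one.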
Link to the article:
Common Security Vulnerabilities in e-commerce systems