HOME

TheInfoList



Click Here for Items Related To - semantic URL attack
OR:
semantic URL attack on:   [Wikipedia]   [Google]   [Amazon]

In a semantic URL attack, a
client Client(s) or The Client may refer to: * Client (business) * Client (computing), hardware or software that accesses a remote service on another computer * Customer or client, a recipient of goods or services in return for monetary or other valuable ...
manually adjusts the
parameter A parameter (), generally, is any characteristic that can help in defining or classifying a particular system (meaning an event, project, object, situation, etc.). That is, a parameter is an element of a system that is useful, or critical, when ...
s of its request by maintaining the
URL A uniform resource locator (URL), colloquially known as an address on the Web, is a reference to a resource that specifies its location on a computer network and a mechanism for retrieving it. A URL is a specific type of Uniform Resource Identi ...
's
syntax In linguistics, syntax ( ) is the study of how words and morphemes combine to form larger units such as phrases and sentences. Central concerns of syntax include word order, grammatical relations, hierarchical sentence structure (constituenc ...
but altering its
semantic Semantics is the study of linguistic Meaning (philosophy), meaning. It examines what meaning is, how words get their meaning, and how the meaning of a complex expression depends on its parts. Part of this process involves the distinction betwee ...
meaning. This attack is primarily used against CGI driven websites. A similar attack involving web browser
cookies A cookie is a sweet biscuit with high sugar and fat content. Cookie dough is softer than that used for other types of biscuit, and they are cooked longer at lower temperatures. The dough typically contains flour, sugar, egg, and some type of ...
is commonly referred to as ''cookie poisoning''.


Example

Consider a web-based e-mail application where users can reset their password by answering the
security question A security question is a form of shared secret used as an authenticator. It is commonly used by banks, cable companies and wireless providers as an extra security layer. History Financial institutions have used questions to authenticate custo ...
correctly, and allows the users to send the password to the e-mail address of their choosing. After they answer the security question correctly, the web page will arrive to the following
web form A webform, web form or HTML form on a web page allows a user to enter data that is sent to a server for processing. Forms can resemble paper or database forms because web users fill out the forms using checkboxes, radio buttons, or text fields. ...
where the users can enter their alternative e-mail address:

Please enter your alternative e-mail address:


 The receiving page, resetpassword.php, has all the information it needs to send the password to the new e-mail. The hidden variable username contains the value user001, which is the username of the e-mail account. Because this web form is using the GET data method, when the user submits [email protected] as the e-mail address where the user wants the password to be sent to, the user then arrives at the following URL: :http://semanticurlattackexample.com/resetpassword.php?username=user001&altemail=alternative%40emailexample.com This URL appears in the location bar of the browser, so the user can identify the username and the e-mail address through the URL parameters. The user may decide to steal other people's (user002) e-mail address by visiting the following URL as an experiment: :http://semanticurlattackexample.com/resetpassword.php?username=user002&altemail=alternative%40emailexample.com If the resetpassword.php accepts these values, it is vulnerable to a semantic URL attack. The new password of the user002 e-mail address will be generated and sent to [email protected] which causes user002's e-mail account to be stolen. One method of avoiding semantic URL attacks is by using session variables.Chris Shiflett. Essential PHP Security: Chapter 2, Forms and URLs
However, session variables can be vulnerable to other types of attacks such as
session hijacking In computer science, session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session—sometimes also called a ''session key''—to gain unauthorized access to information or services in a computer s ...
and
cross-site scripting Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be ...
.


References


See also

*
Query string A query string is a part of a uniform resource locator ( URL) that assigns values to specified parameters. A query string commonly includes fields added to a base URL by a Web browser or other client application, for example as part of an HTML doc ...
Internet security URL {{Comp-sci-stub