D'Arcy from Winnipeg
Solution Architecture, Business & Entrepreneurship, Microsoft, and Adoption

Why You Shouldn't Use Query Strings to Determine Viewed Data

Tuesday, December 4, 2007 9:22 AM

So apparently the Canadian Online Passport application site had quite the bug discovered in it...one that left thousands open to identity theft!

Another reason, kids, why Session isn't always a bad thing.

D




Feedback

# re: Why You Shouldn't Use Query Strings to Determine Viewed Data

I love this quote: "The online passport system is still a very highly secure application."

Not sure how he can make this statement with confidence if he didn't know about the programming error to begin with. Time to fill out an application of my own under the pseudonym, Mr. ;DELETE FROM USERS;
12/4/2007 9:44 AM | Kyle Baley

# re: Why You Shouldn't Use Query Strings to Determine Viewed Data

heheh @Kyle: your reply reminds me of an old entry of mine: http://www.keithrull.com/2007/10/29/A+Lesson+In+SQL+Injection.aspx

I think all government sites should be analyzed thoroughly. Even the Philippine US consulate site has some bugs that are really eye-popping. I can't even imagine how they got the guts to deploy such a buggy application to a pretty high-traffic website.
12/4/2007 10:07 AM | Keith Rull

# re: Why You Shouldn't Use Query Strings to Determine Viewed Data

Nothing wrong with the query string, the issue is with the backend code not asking who you are and can I view this data/page based on my credentials given. Can the average user see another person's data? Probably not.

12/5/2007 6:13 AM | William

# re: Why You Shouldn't Use Query Strings to Determine Viewed Data

I agree Will.

This type of attack is probably more widespread than people realize.

Authenticating a user on login is only the first step. From that point forward, all submitted data must be checked to ensure that the user has authorization to view the data requested by the IDs they submit.

In other words, a login only specifies whether a person is allowed to view any given page. The data presented on that page is another matter entirely.

12/5/2007 7:08 AM | Shaneo

# re: Why You Shouldn't Use Query Strings to Determine Viewed Data

Sorry, I should have pointed this out too. Not only just data presented on a page, but the actions a user requests must also be checked for authorization.

12/5/2007 7:17 AM | Shaneo
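
The per-request check discussed in the comments above, sketched as an added example that is not part of the original post or its comments. The record store, the handler names and the `id` parameter are hypothetical; the session is assumed to be a server-side dictionary populated at login.

```python
from urllib.parse import parse_qs

# Constructed sample data: application records keyed by ID, each with an owner.
APPLICATIONS = {
    "1001": {"owner": "alice", "name": "Alice Example", "status": "submitted"},
    "1002": {"owner": "bob", "name": "Bob Example", "status": "draft"},
}


def view_vulnerable(query_string, session):
    """Login check only: any authenticated user can read any record."""
    if "user" not in session:
        return 401, None
    app_id = parse_qs(query_string).get("id", [""])[0]
    record = APPLICATIONS.get(app_id)
    return (200, record) if record else (404, None)


def authorize(session, app_id):
    """Return the record only if the session's user owns it, else None."""
    record = APPLICATIONS.get(app_id)
    if record is None or record["owner"] != session.get("user"):
        return None
    return record


def view_checked(query_string, session):
    """Same page, but the submitted ID is checked against the session user."""
    if "user" not in session:
        return 401, None
    app_id = parse_qs(query_string).get("id", [""])[0]
    record = authorize(session, app_id)
    # Missing and not-owned look identical, so responses do not confirm valid IDs.
    return (200, record) if record else (404, None)


def withdraw_checked(query_string, session):
    """Actions get the same ownership check as views."""
    if "user" not in session:
        return 401, None
    app_id = parse_qs(query_string).get("id", [""])[0]
    record = authorize(session, app_id)
    if record is None:
        return 404, None
    record["status"] = "withdrawn"
    return 200, record
```
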
