The program accesses a server variable in an ambiguous way, which can leave it open to attack.
The HttpRequest
class provides programatic access to variables from the QueryString
, Form
, Cookies
or ServerVariables
collections in the form of an array access (e.g. Request["myParam"]
). When more than one variable exists with the same name, the .NET framwork returns the value of the variable that appears first when the collections are searched in the following order: QueryString
, Form
, Cookies
then ServerVariables
. Because QueryString
comes first in the search order, it is possible for QueryString
parameters to supersede values from forms, cookies and server variables. Similarly, form values can supersede variables in the Cookies
and ServerVariables
collections and variables from the Cookies
collection can supersede those from ServerVariables
.
Example 1: The following code checks the HTTP Referer header server variable to see if the request came from www.example.com
before serving content.
...
if (Request["HTTP_REFERER"].StartsWith("http://www.example.com"))
ServeContent();
else
Response.Redirect("http://www.example.com/");
...
http://www.example.com/ProtectedImages.aspx
. If an attacker makes a direct request to the URL, the appropriate referer header will not be set and the request will fail. However, if the attacker submits an artificial HTTP_REFERER
parameter with the necessary value, such as http://www.example.com/ProtectedImages.aspx?HTTP_REFERER=http%3a%2f%2fwww.example.com
, then the lookup will return the value from QueryString
instead of ServerVariables
and the check will succeed.[1] Microsoft IIS Server Variables