ABSTRACT

The program accesses a variable in an ambiguous way, which can leave it open to attack.

EXPLANATION

The HttpRequest class provides programatic access to variables from the QueryString, Form, Cookies or ServerVariables collections in the form of an array access (e.g. Request["myParam"]). When more than one variable exists with the same name, the .NET framwork returns the value of the variable that appears first when the collections are searched in the following order: QueryString, Form, Cookies then ServerVariables. Because QueryString comes first in the search order, it is possible for QueryString parameters to supersede values from forms, cookies and server variables. Similarly, form values can supersede variables in the Cookies and ServerVariables collections and variables from the Cookies collection can supersede those from ServerVariables.


Example 1: Imagine a banking application temporarily stores a user's e-mail address in a cookie and reads this value when it wants to contact the user. The following code reads the cookie value and sends an account balance to the specified e-mail address.


...
String toAddress = Request["email"]; //Expects cookie value
Double balance = GetBalance(userID);
SendAccountBalance(toAddress, balance);
...

Assume the code above is executed when visiting http://www.example.com/GetBalance.aspx. If an attacker can cause an authenticated user to click a link that requests http://www.example.com/GetBalance.aspx?email=evil%40evil.com, an e-mail with the user's account balance will be sent to evil@evil.com.