Forum Discussion

Nimbostratus

Feb 15, 2016

Solved

Parameter tampring of the parameter

Hi; Why would the passing of parameter "nick" to the user_menu.php yield disclosing the details of user1's CC details? http://10.10.200.10/user_menu.php?nick=student1 This may yield th...

ASM Advanced WAF

security

Ido_Breger_3805
Feb 15, 2016
Hi Wasfi, 'nick' is a valid parameter of the user_menu.php page and it does exist (the page is expecting this parameter). When the user_menu.php page is requested with the the 'nick' parameter and a value ('student1' in this case), the page displays the user menu of the username submitted as a value to the nick parameter. Within the user menu page, one can see his personal details like address, phone etc.

Ido_Breger_3805

Historic F5 Account

Hi Wasfi, 'nick' is a valid parameter of the user_menu.php page and it does exist (the page is expecting this parameter). When the user_menu.php page is requested with the the 'nick' parameter and a value ('student1' in this case), the page displays the user menu of the username submitted as a value to the nick parameter. Within the user menu page, one can see his personal details like address, phone etc.

Wasfi_182818

Nimbostratus

Feb 15, 2016

Thank you Ido.

Forum Discussion

Parameter tampring of the parameter

Recent Discussions

URL

service profile HTTP in LTM v16.1?

iRule resulting in too many redirects

Azure SAML - F5 APM

Converting config to DO

Related Content

Brute Force protection for single parameter like OTP

Wildcard Parameter signature attack

HTTP auth - Calling external API with parameters

AWAF Path Parameters with OPENAPI json file

Parameter Value - Regular Expression