TransWikia.com

Client side HTTP parameter pollution (reflected)

WordPress Development Asked by divided on October 30, 2021

Some of my sites have been flagged by a security scanner as being vulnerable to client-side HTTP parameter pollution. The security department says that this must be fixed. How can I protect against this in WordPress? Any help is greatly appreciated!

Issue detail

The name of an arbitrarily supplied URL parameter is copied into the response within the query string of a URL.

The payload wzx&sfy=1 was submitted in the name of an arbitrarily supplied URL parameter. This input was echoed as wzx&sfy=1 within the "action" attribute of a "form" tag.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary query string parameters into URLs in the application’s response.

Request

GET [removed]?wzx%26sfy%3d1=1 HTTP/1.1

Host: [removed]

Accept-Encoding: gzip, deflate

Accept: /

Accept-Language: en-US,en-GB;q=0.9,en;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Connection: close

Referer: [removed]

Response

HTTP/1.1 200 OK

Date: Thu, 09 Jul 2020 00:44:05 GMT

Server: Apache

Link: <[removed]?p=35>; rel=shortlink

Strict-Transport-Security: max-age=31557600; preload

Vary: Accept-Encoding,User-Agent

X-Frame-Options: SAMEORIGIN

Content-Length: 28294

Connection: close

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<hea
...[SNIP]...
<form method='post' enctype='multipart/form-data' id='gform_1' action='[removed]?wzx&sfy=1=1'>
...[SNIP]...

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP