3

During a penetration test I noticed that changing some of the HTTP GET parameters from expected strings to arrays using ?test[]=1 instead of ?test=1. In PHP this results either way in an error or in an unwanted Array to String conversion. Which (when errors are suppressed) results in the string "Array".

Does this introduce any security risk? Other than the tiny "risk" that it might give insight in used technology (PHP). Which is also detectable in a lot of different ways.

I once saw a similar case wherein the injection of a deep multidimensional array ?test[][][][][]=1 (times 100), resulted in a rapid exhaustion of resources (denial of service) since a recursive function started to process all that.

Improve this question

1 Answer 1

Reset to default
4

Being able to provoce a PHP error is always a bad sign, and it is worth looking into it in more detail or at least report it. How bad this is in practice can range from completely benign to absolutely catastrophic. It all depends on what the code does with the array it expects to be a string.

Lets take a look at a real world example from the bad end of that scale - Drupal security advisory SA-CORE-2014-005, or Drupalgeddon as it is more commonly known.

It was an SQL injection attack that worked because the programmeras had not expected that a query parameter would be an array. When it was, for some reason I do not fully understand the keys of that array were concatenated into an SQL query. You can see some example of payloads here.

So does this introduce risk? Potentially, yes.

Improve this answer
1
  • Thanks, that example/payload is very interesting. I was already expecting a "context matters" answer. But the additional examples are quite helpful. Commented Jun 21, 2017 at 13:13

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.