Difference between revisions of "Repudiation Attack"

From OWASP
Jump to: navigation, search
Line 11: Line 11:
 
Consider a web application that makes access control and authorization based on user SessionId, but register its actions based on user parameter defined on request header, as follows:
 
Consider a web application that makes access control and authorization based on user SessionId, but register its actions based on user parameter defined on request header, as follows:
  
<pre>
+
 
POST https://tequila:8443/atualiza/atualizaUploads.jsp HTTP/1.1
+
POST https://tequila:8443/atualiza/atualizaUploads.jsp HTTP/1.1
Host: tequila:8443
+
Host: tequila:8443
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
+
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
+
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
+
Keep-Alive: 300
Connection: keep-alive
+
Connection: keep-alive
Referer: https://tequila:8443/uploads.jsp
+
Referer: https://tequila:8443/uploads.jsp
Cookie: JSESSIONID=EE3BD1E764CD6EED280426128201131C; user=leonardo
+
'''Cookie: JSESSIONID=EE3BD1E764CD6EED280426128201131C; user=leonardo'''
Content-Type: multipart/form-data; boundary=---------------------------263152394310685
+
Content-Type: multipart/form-data; boundary=---------------------------263152394310685
Content-Length: 321
+
Content-Length: 321
</pre>
+
 
  
  

Revision as of 12:06, 4 July 2007

This is an Attack. To view all attacks, please see the Attack Category page.


Description

Repudiation is the act of refuse authoring of something that happened. A repudiation attack happens when an application or system do not adopt controls to properly track and log users actions, thus permitting malicious manipulation or forging the identification of an action. This attack can be used to change the authoring information of malicious actions that are stored on application log files and its usage can be extended to general data manipulation in name of others. If this attack takes place, the data stored on log files can be considered invalid or misleading.


Examples

Example 1

Consider a web application that makes access control and authorization based on user SessionId, but register its actions based on user parameter defined on request header, as follows:


POST https://tequila:8443/atualiza/atualizaUploads.jsp HTTP/1.1
Host: tequila:8443
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://tequila:8443/uploads.jsp
Cookie: JSESSIONID=EE3BD1E764CD6EED280426128201131C; user=leonardo
Content-Type: multipart/form-data; boundary=---------------------------263152394310685
Content-Length: 321



Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures