
I am new to security testing and I need to exploit the issue reported by the HP Fortify tool. It says a String.Format() call in a .cs file is insecure. How do I exploit that and show it can be subjected to hacking?

How is the following code exposed to hacking?

```csharp
String.Format(CultureInfo.InvariantCulture,
    "s_objectID='{5}';window.location='{0}?BasketAction=Add&PriceID={1}&cid={2}&PkgQty={3}&LicPriceID={4}&pk={6}';return false;",
    m_LegacyUrlName.ShoppingCart, PriceId, CampaignId, 1, LicensePriceId, m_sObjectId,
    StringOperations.EncodeHtml(HttpContext.Current.Request.QueryString["pk"]));
```
  • Here is a thread related to this http://stackoverflow.com/a/7459758/1305119 – Suresh Kumar Veluswamy Mar 21 '14 at 07:20
  • Where is that string used? What are the types of the parameters/properties? Are they strings? You could then get a string `PriceId=1&BasketAction=Delete` which will override the previous value of BasketAction. – knittl Mar 21 '14 at 07:20
  • Your question should have the title: "Why is it a bad idea to construct URLs with string concatenation of user-provided strings?" – Alexei Levenkov Mar 21 '14 at 07:24
  • Is that "StringOperations.EncodeHtml" a custom function to encode? If yes, then it might not be encoding the query-string param correctly. – Senthil Mar 21 '14 at 07:26

1 Answer


You seem to be putting user generated content into your string without doing ANY check on it. Although that's not exactly highly sophisticated hacking, what happens if the user calls your URL with the following value for pk:

```
42'; return true; //
```

Your formatted string would suddenly read:

```
...&pk=42'; return true; //';return false;
```

Although I may have missed the syntax, I hope you know what I mean. Never format user input into a technical string. Never ever use user input without proper sanitation.

nvoigt
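As an added illustration (not code from the question or the answer), the following program builds the same onclick handler two ways from the value the answer describes and prints both, so you can see why the original encoder does not help: inside an `onclick="..."` attribute the HTML parser decodes `&#39;` back to `'` before the JavaScript engine sees the string, so HTML-encoding `pk` leaves the string literal breakable. The hardened variant encodes for each context the value passes through (URL query parameter, then JavaScript string, then HTML attribute). Assumptions: `HttpUtility.HtmlEncode` stands in for the custom `StringOperations.EncodeHtml`, the ids and the cart path are constructed sample values, and `System.Web` (System.Web.dll on .NET Framework, the System.Web.HttpUtility package on .NET Core) is referenced.

```csharp
using System;
using System.Globalization;
using System.Web; // HttpUtility.HtmlEncode / UrlEncode / JavaScriptStringEncode / HtmlAttributeEncode

// Added example, not the asker's code. Shows the onclick handler from the question built
// with the original (HTML-only) encoding and with context-appropriate encoding.
static class PkEncodingDemo
{
    // Constructed input in the shape the answer describes: it ends the JS string literal.
    const string HostilePk = "42'; return true; //";

    const string HandlerFormat =
        "s_objectID='{5}';window.location='{0}?BasketAction=Add&PriceID={1}&cid={2}&PkgQty={3}&LicPriceID={4}&pk={6}';return false;";

    // Mirrors the original: only HTML-encodes pk. The ' becomes &#39;, but an attribute value is
    // entity-decoded by the HTML parser before the script runs, so the quote still terminates
    // the JavaScript string literal and the rest of the value executes as code.
    public static string BuildHandlerOriginal(string pk) =>
        String.Format(CultureInfo.InvariantCulture, HandlerFormat,
            "/Cart.aspx", 10, 20, 1, 30, "obj1",
            HttpUtility.HtmlEncode(pk)); // assumption: stands in for StringOperations.EncodeHtml

    // Hardened: pk is a query-string parameter inside a JS string inside an HTML attribute, so
    // encode innermost context first. UrlEncode turns ' ; / and spaces into %xx / + sequences,
    // JavaScriptStringEncode escapes anything that could still end the literal (' " \ newlines),
    // and HtmlAttributeEncode makes the whole handler safe to emit into onclick="...".
    public static string BuildHandlerHardened(string pk)
    {
        string urlSafePk = HttpUtility.UrlEncode(pk);
        string jsSafePk = HttpUtility.JavaScriptStringEncode(urlSafePk);
        string handler = String.Format(CultureInfo.InvariantCulture, HandlerFormat,
            "/Cart.aspx", 10, 20, 1, 30, "obj1", jsSafePk);
        return HttpUtility.HtmlAttributeEncode(handler);
    }

    static void Main()
    {
        // Compare the two attribute values: in the first, the decoded ' closes the literal early;
        // in the second, pk survives only as %xx-encoded text inside the URL.
        Console.WriteLine("original: onclick=\"" + BuildHandlerOriginal(HostilePk) + "\"");
        Console.WriteLine("hardened: onclick=\"" + BuildHandlerHardened(HostilePk) + "\"");
    }
}
```

The practical check when reviewing a Fortify finding like this one is to ask which context the value finally lands in (here a JavaScript string, not HTML text) and whether the encoder used matches that context; if the page instead rendered the link as a plain `href` with the parameter built server-side, only the URL-encoding step would be needed.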