Then, fire off the request and analyze the response. If the response mirrors that of the original request, then the application is vulnerable to Method Interchange.
Exploitation: The Great Assist
So where does the assist analogy fit in to all of this? And so what if parameters can be sent in the URI query string or request payload interchangeably? Well, have you ever tried to conduct a Cross-Site Request Forgery (CSRF) attack that leveraged parameters sent in the request payload? How about a Cross-Site Scripting (XSS) attack? Or how about exploiting a Session Fixation vulnerability where the session variable was sent in the request payload? If Method Interchange exists, then the CSRF and XSS attacks become much simpler, and Session Fixation vulnerabilities may become exploitable. Exploiting XSS in a
POST parameter requires a GET-to-POST script on a 3rd party server, resulting in an attack consisting of a suspicious looking link. Exploiting CSRF in a
POST parameter. Method Interchange allows an attacker to fixate a session via a simple URL that appears as a link to a trusted resource.
Preventing Method Interchange is as simple as discovering it. Use methods, objects, etc. that explicitly provide values from the URI query string (
GET) and request payload (
POST). All popular frameworks are capable of preventing Method Interchange. Below are a few resources that address acquiring parameters from requests for an explicitly defined method.
Parameter binding is the recommended approach for accessing parameter values of an explicitly defined method. However, .NET MVC is only vulnerable to Method Interchange when using parameter binding. Binding parameters in .NET MVC without an
AcceptVerbsAttribute decorator cause the framework to search all parameter sources (query string, request payload, route data, etc.) for a matching parameter name. .NET MVC is otherwise immune.
So as you see, Method Interchange alone is rather harmless. But when combined with other vulnerabilities, Method Interchange provides the needed assist to drastically elevate the risk exposure of the vulnerabilities.