JRACLOUD-32076 (Jira Platform Cloud)

Security enhancement: do not allow POST parameters to be used in GETs



      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      My company's security team ran a vulnerability scan against our JIRA and found this issue. They advised me to bring it to your attention as an opportunity to improve security.

      Summary:

      Some web frameworks collapse the POST and GET parameters into a single collection. This is a flawed design pattern from a security standpoint. If a page accepts POST parameters as GET parameters, an attacker would be able to effect change on websites through Cross-Site Request Forgery or leverage this design flaw with other vulnerabilities to attack the system hosting the web application. POST variables and GET variables should be distinct, and no attempt to collapse the two collections should occur.

      An example showing how to demonstrate the issue:
      Input:

      GET /login.jsp?atl_token&os_username=12345&os_password=foo&os_cookie=true&os_destination=%2fsecure%2fDashboard.jspa&login=Log%20In HTTP/1.1
      Referer: https://ourJira.local:443/login.jsp
      Accept: */*
      Pragma: no-cache
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
      Host: ft-jira.mattersight.net
      X-Scan-Memo: Category="Audit"; Function="createStateRequestFromAttackDefinition"; SID="FBF9E4FEE5C7BA725AF21068F08BDAF6"; PSID="280981CE8E66BF997A623A77CC318FFD"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Other"; OriginatingEngineID="8ca14a29-1566-423d-b9f8-f46aa279ec29"; AttackSequence="0"; AttackParamDesc=""; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10655"; Engine="Form+Accepts+GET+Variables"; Retry="False"; SmartMode="NonServerSpecificOnly"; ThreadId="55"; ThreadType="AuditDBReaderSessionDrivenAudit";
      Connection: Keep-Alive
      Cookie: CustomCookie=WebInspect78498ZX4A2C8EB0ABD54C51AC87E7A4AB6BBC75Y3A46;atlassian.xsrf.token=BOKD-JKJB-95MZ-P5IW|b6c98b43b2686e19d437215c8d0bdc6d5054a134|lout;JSESSIONID=072444395FA06364137381BBBF290A43

      Response:

      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      X-AREQUESTID: 1310x84951x8
      X-ASESSIONID: 13aee16
      Cache-Control: no-cache, no-store, must-revalidate
      Pragma: no-cache
      Expires: Thu, 01 Jan 1970 00:00:00 GMT
      X-Seraph-LoginReason: AUTHENTICATED_FAILED
      X-AUSERNAME: anonymous
      Content-Type: text/html;charset=UTF-8
      Date: Thu, 19 Apr 2012 20:50:29 GMT
      Content-Length: 7751

      <!DOCTYPE html>
      ...
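The collapsed-collection behaviour the summary describes, shown as an added example that is not Jira's code and not part of the reporter's submission. Go's net/http exposes exactly this distinction: r.Form merges query-string and body parameters, while r.PostForm holds body parameters only. The handler names, the fixed demo credentials and the reuse of the X-Seraph-LoginReason header from the ticket's response are assumptions made for the example; the requests are constructed in memory with httptest rather than sent to a server.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed fixture for the example only; a real application would consult
// its user store. Not Jira's code.
const demoUser, demoPass = "alice", "s3cret"

func authenticate(user, pass string) bool {
	return user == demoUser && pass == demoPass
}

// loginMerged reads credentials from r.Form. net/http fills r.Form from the
// URL query string AND the POST body, so GET /login.jsp?os_username=...&os_password=...
// reaches the same authentication path as a genuine form submission. This is
// the collapsed-collection pattern the ticket describes: the login can be
// triggered by a link or <img src> the victim never intended to submit.
func loginMerged(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		http.Error(w, "bad form", http.StatusBadRequest)
		return
	}
	respond(w, authenticate(r.Form.Get("os_username"), r.Form.Get("os_password")))
}

// loginStrict accepts POST only and reads credentials from r.PostForm, which
// net/http fills from the request body alone. Parameters placed in the query
// string are ignored even on a POST, so the two collections stay distinct.
func loginStrict(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		w.Header().Set("Allow", http.MethodPost)
		http.Error(w, "login requires POST", http.StatusMethodNotAllowed)
		return
	}
	if err := r.ParseForm(); err != nil {
		http.Error(w, "bad form", http.StatusBadRequest)
		return
	}
	respond(w, authenticate(r.PostForm.Get("os_username"), r.PostForm.Get("os_password")))
}

// respond mirrors the X-Seraph-LoginReason header seen in the ticket's
// response so the outcome of each probe is visible without a body.
func respond(w http.ResponseWriter, ok bool) {
	if ok {
		w.Header().Set("X-Seraph-LoginReason", "OK")
		w.WriteHeader(http.StatusOK)
		return
	}
	w.Header().Set("X-Seraph-LoginReason", "AUTHENTICATED_FAILED")
	w.WriteHeader(http.StatusUnauthorized)
}

// probe sends one in-memory request to a handler and returns the status code
// and login reason, so the two handlers can be compared side by side.
func probe(h http.HandlerFunc, method, target, body string) (int, string) {
	req := httptest.NewRequest(method, target, strings.NewReader(body))
	if body != "" {
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Header().Get("X-Seraph-LoginReason")
}

const creds = "os_username=alice&os_password=s3cret"

func main() {
	cases := []struct {
		name, method, target, body string
		h                          http.HandlerFunc
	}{
		{"merged, creds in GET query", http.MethodGet, "/login.jsp?" + creds, "", loginMerged},
		{"strict, creds in GET query", http.MethodGet, "/login.jsp?" + creds, "", loginStrict},
		{"strict, creds in POST body", http.MethodPost, "/login.jsp", creds, loginStrict},
		{"strict, creds in query of a POST", http.MethodPost, "/login.jsp?" + creds, "", loginStrict},
	}
	for _, c := range cases {
		code, reason := probe(c.h, c.method, c.target, c.body)
		fmt.Printf("%-34s -> %d %s\n", c.name, code, reason)
	}
}
```

The first probe is the scanner's finding reproduced: the merged handler authenticates from a bare GET. The strict handler answers 405 to the same URL and, on a POST, ignores anything in the query string. Enforcing the method does not replace the anti-CSRF token (the atl_token parameter and atlassian.xsrf.token cookie visible in the captured request); it removes the link-and-image delivery channel that makes a token-less POST endpoint trivially forgeable.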

Assignee: Unassigned
Reporter: Brian Louks
Votes: 0
Watchers: 5