2 Replies Latest reply on Jan 23, 2017 11:43 AM by WolfShade

    GET a POST form - possible hack??? (urgent)

    WolfShade Level 4

      Hello, all,

       

      This has created some major concern among the upper echelons.  In the web logs, we are seeing something very strange, and we need to know if this is an attack on some sort of CF weakness.

       

      Someone is manually accessing a certain section of the website (this is not a script), filling out a form (all our forms are POST) and submitting it as a POST, but all of the form variables are also being appended to the URL as if it were a GET request.

       

      Sometimes, the POST is submitted to a CFFUNCTION within a CFC (ie, '/components/action.cfc?method=processForm&phone=555-555-1234'), sometimes it is submitted to the components folder, but no CFC is named (ie, '/components/?phone=555-555-1234'), sometimes it is submitted to the index.cfm file that contains the form (ie, submitting to itself.)

       

      The higher-ups are concerned that this might be some sort of new attack.  I must admit, it has me wondering, myself.

       

      Has anyone seen/heard of anything like this, before?

       

      V/r,

       

      ^_^

        • 1. Re: GET a POST form - possible hack??? (urgent)
          Steve Sommers Level 4

          If your form use AJAX to post the data, depending on the library and browser version, the POST could come across as a GET request. If you are not using AJAX and instead rely on the native HTML form post, then there are a few causes which may or may not point to hacking - but that is a possibility. Search engine provide some strange data when crawling sites, security scanners (both good guys and bad guys use scanners), even stray forms you didn't realize existed or were mis-coded because the default post method is GET for some unknown reason.

          • 2. Re: GET a POST form - possible hack??? (urgent)
            WolfShade Level 4

            Hi, Steve Sommers,

             

            Thank you for your response.  I am using AJaX to submit the form, jQuery 1.11.  But this is intentional, switching back and forth between GET and POST; every other is a GET, every other from that is a POST, and the POSTs are duplicating form entries (the form is filled out, for these) and tacking them on as URL parameters.  And the AJaX is setting the type to "POST", so there's no native HTML form submission that could default to GET.

             

            What I suspect is going on is the user copied the DOM containing the form and pasted into a local file, and is using that to submit the form.  The reason why I think this is because I have a CAPTCHA that doesn't load until ten seconds after the page loads, and the CAPTCHA value is NOT included in the form submit.

             

            This is not a user that is using the form as intended - rather this is someone intentionally screwing around, trying to find a vulnerability.  I just have never seen this, before, and was curious if anyone else ran across something like this.

             

            V/r,

             

            ^_^