With the message board I'm using SpringMVC which...
Tue Apr 06, 2021 2:42pm

I have to specify which query params I want to accept (if any) in the method's parameters. So, if a user enters "?howdy=yall" and I'm not set up to look for a query param named "howdy", it gets completely ignored which is nice.

Example for the RSS controller's mapping to get the RSS feed of a message board which accepts a query param of "id":

@RequestMapping(value = DISCUSSION_RSS_URL, method = RequestMethod.GET, produces = "application/rss+xml") public ModelAndView getRssDiscussionFeed(@RequestParam(name="id")long appId, RssViewModel rssViewModel, HttpServletRequest request) {
.... then code starts here.. yadda yadda yadda....

Thankfully the bored hacker was just messing with the Help board on index #1 and not the other people's board.

The COBOL guestbook stuff, it all gets passed as a raw string into a buffer variable. Variables in COBOL are all fixed in length, so the buffer will only contain up to as many characters the buffer has in it. I built a little helper function that pulls the value for a requested parameter from the post buffer or query string buffer which causes the program to ignore anything that's unexpected in the request.

It's called like so:
                   move function
                       get-param-value(f-chunk-of-post, "name")
                       to ws-guest-name

I'm guessing you could push enough stuff in the first part of the query string or post data to push the meaningful fields past the end of the buffer which would cause the application to not find the fields it's looking for when it goes to process the request. In the guestbook, only the correct answer and comment are needed to post and they're checked for values. If they were pushed out of the buffer string, the message wouldn't get posted. I wonder if that's what all these "A=0&A=0&.." requests I see in the message board logs are trying to do? Find some undefined behavior if they push fields out of where they're expected to be? hmm....

    • I wonder if banning form/query strings that don't return - Puckdropper, Sat Apr 03 2021 2:27am
      anything you want (like A=whatever) would be a good start. I remember seeing a technique published years ago where a form element was hidden (and thus the user would never see it) and its presence or absence was looked for when the form submitted. That only worked so long, though, as bots learned ... more
      • With the message board I'm using SpringMVC which...- Erik_, Tue Apr 06 2021 2:42pm
  • Click here to receive daily updates
    "Forces act when not restrained" - Puckdropper