ZABBIX FEATURE REQUESTS / ZBXNEXT-8267

Body Parameters Accepted in Query


    • Type: New Feature Request
    • Resolution: Unresolved
    • Priority: Minor
    • Fix Version/s: None
    • Affects Version/s: 4.0.44, 5.0.31, 6.0.13, 6.4.0rc1
    • Component/s: Frontend (F)

      Hi,
      Zabbix web is designed to accept body parameters in the query. That is insecure and automatic vulnerability scanners react to it.

      Risk:
      It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations.
      It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.
      GET requests are designed to query the server, while POST requests are for submitting data.
      However, aside from the technical purpose, attacking query parameters is easier than body parameters, because sending a link to the original site, or posting it in a blog or comment, is easier and has better results than the alternative - in order to attack a request with body parameters, an attacker would need to create a page containing a form that will be submitted when visited by the victim. It is a lot harder to convince the victim to visit a page that he doesn't know than letting him visit the original site. It is therefore not recommended to support body parameters that arrive in the query string.
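
The difference the report describes, as an added example that is not Zabbix code and not part of the original issue: a minimal HTTP request parser, a permissive parameter lookup that merges query string and body the way PHP's `$_REQUEST` does, and a strict lookup that refuses body-only fields arriving in the URL and requires state-changing actions to be POSTed. The path `/app.php`, the field names `name` and `password`, the action names and the sample requests are all constructed for the illustration.

```python
# Added example, not Zabbix code. Shows why merging query-string and body
# parameters turns a plain link into a form submission, and how a handler can
# refuse body-only fields that arrive in the URL. Path, field names, action
# names and sample requests below are hypothetical.
from urllib.parse import parse_qs, urlsplit

# Fields a form is expected to submit in a POST body and never in the URL (hypothetical).
BODY_ONLY = {"name", "password"}
# Actions that change server state and must therefore arrive as a POST (hypothetical).
STATE_CHANGING = {"user.update"}


def parse_request(raw: bytes) -> dict:
    """Split one raw HTTP/1.1 request into method, path, query and body parameters.

    Deliberately minimal: no chunked bodies, latin-1 decoding, last value wins
    for repeated keys.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    body_params = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        decoded = body.decode("latin-1")
        body_params = {k: v[-1] for k, v in parse_qs(decoded, keep_blank_values=True).items()}
    return {"method": method, "path": parts.path, "query": query, "body": body_params}


def params_permissive(req: dict) -> dict:
    """Insecure lookup: like PHP's $_REQUEST, a field is taken from wherever it appears.

    A GET link carrying name=...&password=... in its query string becomes
    indistinguishable from a submitted form.
    """
    merged = dict(req["query"])
    merged.update(req["body"])
    return merged


def params_strict(req: dict) -> dict:
    """Hardened lookup: body-only fields are read from a POST body and nowhere else.

    Raises ValueError if any of them shows up in the query string (whatever the
    method), or if a state-changing action is requested with anything but POST.
    """
    leaked = BODY_ONLY & set(req["query"])
    if leaked:
        raise ValueError(f"body parameters not accepted in query string: {sorted(leaked)}")
    if req["method"] != "POST":
        if req["query"].get("action") in STATE_CHANGING:
            raise ValueError("state-changing action must be submitted as POST")
        return dict(req["query"])  # GET carries only view/filter parameters
    return dict(req["body"])


# Constructed sample traffic: a crafted link, the equivalent real form post,
# and a harmless read-only view request.
LINK = (b"GET /app.php?action=user.update&name=admin&password=x HTTP/1.1\r\n"
        b"Host: zabbix.example\r\n\r\n")
FORM = (b"POST /app.php HTTP/1.1\r\n"
        b"Host: zabbix.example\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: 40\r\n\r\n"
        b"action=user.update&name=admin&password=x")
VIEW = (b"GET /app.php?action=user.list&page=2 HTTP/1.1\r\n"
        b"Host: zabbix.example\r\n\r\n")


def classify(raw: bytes) -> str:
    """Return 'accepted' or 'rejected' according to the strict lookup."""
    try:
        params_strict(parse_request(raw))
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for label, raw in (("link", LINK), ("form", FORM), ("view", VIEW)):
        req = parse_request(raw)
        print(f"{label}: permissive={params_permissive(req)} strict={classify(raw)}")
```

The permissive lookup returns the same dictionary for `LINK` and `FORM`, which is exactly what lets an attacker replace a hidden auto-submitting form with a URL pasted into a comment or e-mail. The strict lookup accepts the form and the view request and rejects the link, and also rejects a POST whose secret fields were smuggled into the query string. In real frameworks the same distinction is made by reading `$_GET` and `$_POST` (or their equivalents) separately instead of a merged view such as `$_REQUEST`.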
      

            Assignee: zabbix.dev Zabbix Development Team
            Reporter: elina.kuzyutkina Elina Kuzyutkina (Inactive)
            Votes: 0
            Watchers: 1
