In James Kettle’s post *Web Cache Entanglement: Novel Pathways to Poisoning* he says that:

> On every cacheable page, I could use a fat GET to poison the cache and change any parameter to a value of my choice.
>
> ```http
> GET /contact/report-abuse?report=albinowax HTTP/1.1
> Host: github.com
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 22
>
> report=innocent-victim
> ```
>
> Using the same technique it was also possible to persistently apply and change issue filters, deny access to topic pages, disable the ‘raw’ button on most repos, etc.
From my understanding Rails merges both query and body params in the `ActionDispatch::Http::Parameters` module. Seems like the body parameters are being prioritized over the `query_parameters`?
It would be nice to have the option to ignore any body params for GET based requests to mitigate this style of attack. The alternative seems to be to use `query_parameters` rather than just plain `params` for GET requests.
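To make the merge behaviour and the `query_parameters` mitigation concrete, here is an added plain-Ruby illustration (not Rails' code and not part of the original post). It assumes the body-wins merge order described above and a cache that keys only on method, path and query string; the request itself is a constructed copy of the fat GET from the quote.

```ruby
require 'uri'

# Constructed request modelled on the fat GET in the post: the query string
# says one thing, the form-encoded body says another.
FAT_GET = {
  method: 'GET',
  path: '/contact/report-abuse',
  query_string: 'report=albinowax',
  content_type: 'application/x-www-form-urlencoded',
  body: 'report=innocent-victim'
}.freeze

def parse_form(str)
  return {} if str.nil? || str.empty?
  URI.decode_www_form(str).to_h
end

# Assumed merge order from the post: query params and body params are
# combined and body params win on collision. This stands in for what the
# post attributes to ActionDispatch; it is not Rails' implementation.
def merged_params(req)
  body = if req[:content_type] == 'application/x-www-form-urlencoded'
           parse_form(req[:body])
         else
           {}
         end
  parse_form(req[:query_string]).merge(body)
end

# Mitigation the post proposes: for GET, only the query string is consulted,
# so a body smuggled into a GET cannot change what the handler sees.
def safe_params(req)
  req[:method] == 'GET' ? parse_form(req[:query_string]) : merged_params(req)
end

# A typical cache key ignores the body, which is why the two views diverge.
def cache_key(req)
  "#{req[:method]} #{req[:path]}?#{req[:query_string]}"
end

# True when the cache would store a response generated from parameters that
# differ from the ones its key advertises (the poisoning condition).
def cache_poisonable?(req)
  merged_params(req) != parse_form(req[:query_string])
end
```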