raksha-life / rescuekerala

Website for coordinating rehabilitation of people affected in the Kerala Floods
https://keralarescue.in
MIT License

HTTP Parameter Override #983

Closed bobinson closed 6 years ago

bobinson commented 6 years ago

Subject of the issue

HTTP Parameter Override

https://www.keralarescue.in/find_people/?address__icontains&camped_at&district&gender&name__icontains&notes__icontains&page=396&phone__icontains

Unspecified form action: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be

Steps to reproduce

https://www.acunetix.com/blog/whitepaper-http-parameter-pollution/


Tested with OWASP Zap

vigneshhari commented 6 years ago

The forms are created by Django dynamically and are not hardcoded. In this case the same URL endpoint is used for the form as well as for rendering the initial page, which is why the action is left unspecified.
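
The scanner finding behind this ticket is HTTP parameter pollution: when the same name appears more than once in a query string, different frameworks resolve it differently (first value, last value, or a list), so a value the page author did not intend can win. The following is an added illustration, not code from the rescuekerala project or from either commenter. It uses only the Python standard library; `ISSUE_QUERY` is the query string from the URL in the report above, `POLLUTED_QUERY` is a constructed example, and the function names are my own. As a point of comparison, `dict(parse_qsl(...))` and Django's `QueryDict.get()` both hand back the last value for a repeated key.

```python
from urllib.parse import parse_qsl

# Query string copied from the URL in the issue report (the find_people page).
ISSUE_QUERY = (
    "address__icontains&camped_at&district&gender&name__icontains"
    "&notes__icontains&page=396&phone__icontains"
)

# Constructed example of a polluted query: 'page' is supplied twice.
POLLUTED_QUERY = "page=396&page=1&district=Ernakulam"


def parse_params(query):
    """Split a query string into (name, value) pairs.

    keep_blank_values=True keeps keys such as 'district' that arrive with no
    '=' at all, which is exactly what the issue's URL looks like.
    """
    return parse_qsl(query, keep_blank_values=True)


def first_wins(query):
    """Resolve repeated names the way some frameworks do: first value wins."""
    params = {}
    for name, value in parse_params(query):
        params.setdefault(name, value)
    return params


def last_wins(query):
    """Resolve repeated names the other common way: last value wins.

    This matches dict(parse_qsl(...)) and Django's QueryDict.get().
    """
    return dict(parse_params(query))


def find_duplicates(query):
    """Names that occur more than once, sorted, for logging or rejection."""
    seen = {}
    for name, _ in parse_params(query):
        seen[name] = seen.get(name, 0) + 1
    return sorted(name for name, count in seen.items() if count > 1)


def strict_single_valued(query, allow_multi=()):
    """Return a name->value dict, refusing any repeated name that is not
    explicitly allowed to be multi-valued (e.g. a checkbox group).

    Rejecting ambiguity up front removes the first-wins/last-wins question
    entirely, which is the simplest defence against parameter pollution.
    """
    duplicates = [n for n in find_duplicates(query) if n not in allow_multi]
    if duplicates:
        raise ValueError("repeated query parameter(s): " + ", ".join(duplicates))
    return last_wins(query)


if __name__ == "__main__":
    print("issue URL params:", last_wins(ISSUE_QUERY))
    print("first wins:", first_wins(POLLUTED_QUERY)["page"])
    print("last wins: ", last_wins(POLLUTED_QUERY)["page"])
    print("duplicates:", find_duplicates(POLLUTED_QUERY))
    try:
        strict_single_valued(POLLUTED_QUERY)
    except ValueError as err:
        print("rejected:", err)
```

Run as a script it shows that the issue's own URL contains no repeated names (so nothing is being overridden there), while the constructed query resolves to `page=396` under first-wins and `page=1` under last-wins, and is refused outright by the strict variant. A view that only ever reads single-valued filters can apply the strict check before handing the parameters to the form.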

bobinson commented 6 years ago

ok, understood.

closing as false positive.