Burp Suite User Forum


Form action hijacking

Kelley | Last updated: Jun 20, 2017 09:40PM UTC

Hola. Working on a site that is reporting the new Burp finding for Form Action Hijacking (Reflective). The application has a POST parameter that is placed in the form action HTML tag. Would you consider this finding in the same category as an arbitrary URL redirection finding, obviously without the 302 redirect?

PortSwigger Agent | Last updated: Jun 21, 2017 07:32AM UTC

Yes, they are similar vulnerabilities. One of the main risks of an open redirect is that an attacker would direct a victim to a form asking for personal information. Form action hijacking has a couple of subtle differences: 1) The URL will show the victim site instead of the attacker's site. This is more persuasive for the user. 2) The attacker can't modify the form. They can only capture the information the form asks for, and not add their own fields. Please let us know if you need any further assistance.
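The pattern described above, as an added example that is not code from the thread, from Burp, or from the application being tested: a login form whose action is built from a reflected request parameter (the parameter name `returnUrl`, the origin `https://victim.example`, and the allowed paths are assumptions), the hardened version that only accepts known same-origin paths, and the check a scanner effectively performs, namely whether the resolved form action points at a different origin than the page that serves it.

```python
import html
import re
from urllib.parse import urljoin, urlsplit

# Added example. "returnUrl", SITE_ORIGIN and ALLOWED_ACTIONS are assumed
# names, not taken from the thread.
SITE_ORIGIN = "https://victim.example"
ALLOWED_ACTIONS = {"/login", "/logout"}

LOGIN_FIELDS = ('<input name="username">'
                '<input name="password" type="password">'
                '<button>Login</button>')


def render_login_vulnerable(return_url: str) -> str:
    """Reflects the request parameter straight into the form action.

    HTML-escaping stops XSS but not form action hijacking: an absolute URL
    to another origin is still a perfectly valid action attribute, and the
    address bar keeps showing the victim site while the credentials are
    POSTed elsewhere.
    """
    action = html.escape(return_url, quote=True)
    return f'<form method="POST" action="{action}">{LOGIN_FIELDS}</form>'


def safe_action(return_url: str, default: str = "/login") -> str:
    """Allow only known same-origin paths; anything else falls back to default.

    Backslashes are rejected because browsers treat them like '/' in URLs,
    so '/\\evil.example' would resolve to https://evil.example/.
    """
    if "\\" in return_url or any(ord(c) < 0x20 for c in return_url):
        return default
    parts = urlsplit(return_url)
    if parts.scheme or parts.netloc:        # absolute or protocol-relative URL
        return default
    if parts.path not in ALLOWED_ACTIONS:   # unknown path: not a legitimate target
        return default
    return parts.path                       # query string deliberately dropped


def render_login_safe(return_url: str) -> str:
    """Same form, but the action is validated before it is rendered."""
    action = html.escape(safe_action(return_url), quote=True)
    return f'<form method="POST" action="{action}">{LOGIN_FIELDS}</form>'


_ACTION_RE = re.compile(r'<form\b[^>]*\baction="([^"]*)"', re.IGNORECASE)


def form_posts_cross_origin(page_html: str, page_url: str) -> bool:
    """Does the form's resolved action point at an origin other than the page's?

    The action is resolved the way a browser would: relative to the page URL,
    with backslashes folded to slashes (Python's urljoin does not do that on
    its own, so the normalisation is done here explicitly).
    """
    m = _ACTION_RE.search(page_html)
    if not m:
        return False
    action = html.unescape(m.group(1)).replace("\\", "/")
    resolved = urlsplit(urljoin(page_url, action))
    page = urlsplit(page_url)
    return (resolved.scheme, resolved.netloc) != (page.scheme, page.netloc)


if __name__ == "__main__":
    # Constructed request: the attacker's link carries a hostile returnUrl.
    page_url = SITE_ORIGIN + "/login?returnUrl=https://attacker.example/capture"
    hostile = "https://attacker.example/capture"
    print("vulnerable form hijacked:",
          form_posts_cross_origin(render_login_vulnerable(hostile), page_url))
    print("hardened form hijacked:  ",
          form_posts_cross_origin(render_login_safe(hostile), page_url))
```

The allowlist is deliberately stricter than "reject absolute URLs": protocol-relative (`//attacker.example`), `javascript:` and backslash variants are all caught by the same rule, and a path the application never posts to is rejected as well.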

Burp User | Last updated: Jun 21, 2017 03:04PM UTC

Thank you. A couple of things to add. Burp flagged the login page (username, password) and the logout page, which uses the form action to direct them back to the login page. Do you see any issues with these being false positives based on the information I provided? Burp has them rated as firm. Thank you.

PortSwigger Agent | Last updated: Jun 21, 2017 03:05PM UTC

The login page sounds like a valid issue. I suspect logout doesn't have a significant impact. I'd have to see more information to be sure. If you'd like us to investigate further, email support@portswigger.net with screenshots of the request and response.

Burp User | Last updated: Jun 21, 2017 03:31PM UTC

Thanks... Will send those over.
