authorized. If a low-privileged user proceeds directly to a later stage, she may

The authors encountered this logic flaw in a web application deployed by a

financial services company.

The Functionality

The application enabled users to obtain quotations for insurance, and if desired,

complete and submit an insurance application online. The process was spread

across a dozen stages, as follows:

■■

At the first stage, the applicant submits some basic information, and

wishes insurance for. The application offers a quotation, computing

whichever value the applicant did not specify.

■■

Across several stages, the applicant supplies various other personal

■■

Finally, the application is transmitted to an underwriter working for the

reviews the details and decides whether to accept the application as is,

or modify the initial quotation to reflect any additional risks.

Through each of the stages described, the application employed a shared

component to process each parameter of user data submitted to it. This com-

ponent parsed out all of the data in each 

POST

request into name/value pairs,

The component which processed user-supplied data assumed that each

request would contain only the parameters that had been requested from the