The HttpRequest class provides programmatic access to variables from the QueryString, Form, Cookies or ServerVariables collections in the form of an array access (e.g. Request["myParam"]). When more than one variable exists with the same name, the .NET framework returns the value of the variable that appears first when the collections are searched in the following order: QueryString, Form, Cookies, then ServerVariables. Since QueryString comes first in the search order, it is possible for QueryString parameters to supersede values from forms, cookies, and server variables. Similarly, form values can supersede variables in the Cookies and ServerVariables collections, and variables from the Cookies collection can supersede those from ServerVariables. Because the query string is the easiest of the four for an attacker to control, any lookup through the indexer can be satisfied by an attacker-supplied value even when the code intends to read a cookie or a server variable.
Example 1: The following code checks the HTTP Referer header server variable to see if the request came from www.example.com before serving content.

...
// Request[] searches QueryString, Form and Cookies before ServerVariables,
// so this lookup is not guaranteed to return the Referer header.
if (Request["HTTP_REFERER"].StartsWith("http://www.example.com"))
    ServeContent();
else
    Response.Redirect("http://www.example.com/");
...
Assume the code in Example 1 is executed when visiting http://www.example.com/ProtectedImages.aspx. If an attacker makes a direct request to the URL, the appropriate Referer header will not be set and the check will fail. However, if the attacker submits an artificial HTTP_REFERER parameter with the necessary value, such as http://www.example.com/ProtectedImages.aspx?HTTP_REFERER=http%3a%2f%2fwww.example.com, then the lookup will return the value from QueryString instead of ServerVariables and the check will succeed, regardless of what the real Referer header contains.