I am developing a web application that should be open to all attacks of owasp list. Most of the attacks are using url to get information but in my web application nothing is showed in url except name of file. Although i have set session variable. Anyone knows how can I show these values in url?
You can see variables in URL only when you use a GET protocol:
Your url will be :
site.com/file.php?param1=value1¶m2=value2
Else, you can use POST protocol, and your url will be
site.com/file.php
It's not a secure way to send datas, but it just hide them.
It's more simple to change a variable with GET than POST, but you can change/add every variables with POST protocol too.
Related
Please I am designing a website and passed two IDs to through URL and got it using GET .But I noticed that anyone could change the value of ID in the URL and it alters the page content. Is there anyway to prevent this ...
A code like
www. site.com/main.php?user1_id=4&user2_id=7
If changed by anybody to
www.site.com/main.php?user1_id=6&user2_id=10
It shows another detail not meant to be seen.
Implement control at server side and check if the user requesting the resource has access to it or not. Anyone can change anything at client side easily. This should be controlled from server.
this is my first post, i'd like to ask you how can i avoid a direct call of a php page passing POST parameters in the browser?Because I have an iOS application and this should send data to a php page with POST method and then the php page will store data on a database but i don't want that someone, which somehow find the page address, type directly in the browser the address of php page followed by post parameters. I've searched and find that creating a .htaccess file could prevent the php call but, being a newbie, i would like to ask if this prevent the direct passage of parameters on browser.
Thanks in advance for your answer.
NO.
You can't control the user-side operations. anybody that can call your php page - can send any parameter as he like to.
What you can do is this:
1) block all IP addresses without your own (if your IP is static).
2) add a secret parameter to all of your requests. and in php file add condition like
if($_POST["secret"]!="some secret string")
exit("No permissions");
Make the parameter name (or value...) - hard to guessing!
I think the best way is to pass a secret code, work on https website and make some coditions for the variables that passed to your ftp like it must not be Null , if you are passing an email for example you have to validate it's format... so you make it hard for the hacker to get control :)
i've a jquery script which post/get data to .php script. but i wanna prevent direct access to the php script. for example if the user look at the html source code,they will be able to access the php script directly by copying the url from the js file and i dont want that. how do i prevent users from doing that?? i want the user to use it via the html UI. i've google but found no link on this. however, i did notice that some popular websites are able to do that. how should i go about doing this??
It seems like a simple redirect is what you're looking for here.
Add something like this to the top of your php file. This will prevent the page from being accessed if the proper post has not been made. Of course you'll have to change the post and redirect to content more relevant to your project.
if (!isset($_POST['data'])) {
header('Location: your-redirect-location');
}
You may also be able to redirect based on the $_SERVER['HTTP_REFERER'] variable.
EDIT: I was going to explain this in a comment but it's too long. I should note that this is a simple solution. It will keep people from accidentally accessing your script. It's really difficult to create a 100% secure solution for your issue, and if somebody really wants to access it, they will be able to. If you don't have anything secure in the script in question, this will be fine. Otherwise, you'll have to look for an alternative.
Here is one solution:
<?php
if(isset($_POST["post_var]))
{
//to the code you want to do when the post is made
}
else
{
//do what you want to do when the user views the post page
}
?>
how do i prevent users from doing that?
You can't - all you can do is mitigate the risk people can fiddle with your script. Making sure you have the right HTTP_REFERER and/or POST data are both useful in that regard: a "malicious" user would need more than pointing her browser to the URL.
More techniques can be used here:
using session variables: you might not want users that are not logged in - if applicable - to use the URL.
using a one-time challenge (token): you can place a value in the HTML page and have the JS code send this value along with the POST request. You store this value in the session when it is generated. Checking the POSTed token against the session token guarantees the user has at least "seen" the HTML page before submitting data - this can also be useful to prevent duplicate submissions.
However, remember that anything a browser can do, people can do it as well. All these techniques can prevent the curious from doing harm, but not the malicious.
All you can do is making sure nobody can really harm you, and in this regard, your Ajax URL is no different than any other URL of your site: if it's publicly reachable, it has to be secured using whatever technique you already use elsewhere - sessions, user rights, etc.
After all, why should you care that users use this URL not using a browser ? You might want to think of it in terms of an API call that, incidentally, your page happens to use.
Your problem is similar to and has the same problems as a cross site request forgery.
To reduce your risk, you can check the request method, check the referrer, and check the origin if set. The best way is to have a secret token that was generated on the server that the client transmits back in every request. Since you're dealing with friendly users who have access to your live code, they may be able to debug the script and find the value, but it would only be for one session and would be a real hassle.
I am working on "Email this page" Popup page. I want to send url of base page as an email, but it should be a popup window.
I have used HTTP_REFERER, it is working fine on Firefox, but not working on Internet Explorer.
I am getting the url of current page but I want that url in new popup window page.
Is there any alternative than HTTP_REFERER.
On the page you wish to grab the URL of, you can use $_SERVER['REQUEST_URI'] to get the requested URI (except the scheme & hostname; in other words, you get the path and query string). Pass this to your other page either using a query string or sessions. The former is preferable, as the latter isn't RESTful. There may be times when it's OK to break REST's rule against server side state, but this probably isn't it.
There is no way unless you store it or send it yourself. This page has one example of how to do it, but only really if you set it beforehand. If the site is your own then you should be ok. If not then you will struggle.
That happens because the HTTP_REFERER is sent by the client browser, which means that it's value can be totally manipulated or can even be null. This means that this variable isn't very reliable. But if the site is yours, there are other solutions.
You can send the url or any other identification like an ID by QueryStrings. So you'll have the link URL like this the_send_page_name.php?ref=index.php
Be aware that this method only works if you're opening the Pop-up in a site that's yours.
I have a site that is using frames. Is it still possible from the browser for someone to craft post data for one of the frames using the address bar? 2 of the frames are static and the other frame has php pages that communicate using post. And it doesn't appear to be possible but I wanted to be sure.
No, it is not possible to POST data from the address bar. You can only initiate GET requests from there by adding params to the URL. The POST Body cannot be attached this way.
Regardless of this, it is very much possible to send POST requests to your webserver for the pages in a frame. HTTP is just the protocol with which your browser and webserver talk to each other. HTTP knows nothing about frames or HTML. The page in the frame has a URI, just like any other page. When you click a link, your browser asks the server if it has something for that URI. The server will check if it has something for that URI and respond accordingly. It does not know what it will return though.
With tools like TamperData for Firefox or Fiddler for IE anyone can tinker with HTTP Requests send to your server easily.
Any data in the $_REQUEST array should be considered equally armed and dangerous regardless of the source and/or environment. This includes $_GET, $_POST, and $_COOKIE.
POST data can not be added in the address bar.
You should always check & sanitize all data you get in your PHP code, because anyone could post data to all of your pages.
Don't trust data from outside of your page. Clean it & check it.
Maybe not from the browser, but they can still catch the request (tinker with it) and forward it to the provided destination, with a tool like burp proxy.
To answer your question: No, it is not possible to send post data using the addressbar.
BUT it is possible to send post data to any url in a snap. For example using cURL, or a Firefox extension. So be sure to verify and sanitize all the data you receive no matter if POST or GET or UPDATE or whatever.
This is not iFrame or php specific, so it should be considered in every webapplication. Never ever rely on data send by anyone being correct, valid or secure - especially when send by users.
Yes, they absolutely can, with tools like Firebug, and apparently more specialized tools like the ones listed by Gordon. Additionally, even if they couldn't do it in the browser from your site, they could always create their own form, or submit the post data through scripting or commandline tools.
You absolutely cannot rely on the client for security.