Please I am designing a website and passed two IDs to through URL and got it using GET .But I noticed that anyone could change the value of ID in the URL and it alters the page content. Is there anyway to prevent this ...
A code like
www. site.com/main.php?user1_id=4&user2_id=7
If changed by anybody to
www.site.com/main.php?user1_id=6&user2_id=10
It shows another detail not meant to be seen.
Implement control at server side and check if the user requesting the resource has access to it or not. Anyone can change anything at client side easily. This should be controlled from server.
Related
I am developing a web application that should be open to all attacks of owasp list. Most of the attacks are using url to get information but in my web application nothing is showed in url except name of file. Although i have set session variable. Anyone knows how can I show these values in url?
You can see variables in URL only when you use a GET protocol:
Your url will be :
site.com/file.php?param1=value1¶m2=value2
Else, you can use POST protocol, and your url will be
site.com/file.php
It's not a secure way to send datas, but it just hide them.
It's more simple to change a variable with GET than POST, but you can change/add every variables with POST protocol too.
this is my first post, i'd like to ask you how can i avoid a direct call of a php page passing POST parameters in the browser?Because I have an iOS application and this should send data to a php page with POST method and then the php page will store data on a database but i don't want that someone, which somehow find the page address, type directly in the browser the address of php page followed by post parameters. I've searched and find that creating a .htaccess file could prevent the php call but, being a newbie, i would like to ask if this prevent the direct passage of parameters on browser.
Thanks in advance for your answer.
NO.
You can't control the user-side operations. anybody that can call your php page - can send any parameter as he like to.
What you can do is this:
1) block all IP addresses without your own (if your IP is static).
2) add a secret parameter to all of your requests. and in php file add condition like
if($_POST["secret"]!="some secret string")
exit("No permissions");
Make the parameter name (or value...) - hard to guessing!
I think the best way is to pass a secret code, work on https website and make some coditions for the variables that passed to your ftp like it must not be Null , if you are passing an email for example you have to validate it's format... so you make it hard for the hacker to get control :)
i've a jquery script which post/get data to .php script. but i wanna prevent direct access to the php script. for example if the user look at the html source code,they will be able to access the php script directly by copying the url from the js file and i dont want that. how do i prevent users from doing that?? i want the user to use it via the html UI. i've google but found no link on this. however, i did notice that some popular websites are able to do that. how should i go about doing this??
It seems like a simple redirect is what you're looking for here.
Add something like this to the top of your php file. This will prevent the page from being accessed if the proper post has not been made. Of course you'll have to change the post and redirect to content more relevant to your project.
if (!isset($_POST['data'])) {
header('Location: your-redirect-location');
}
You may also be able to redirect based on the $_SERVER['HTTP_REFERER'] variable.
EDIT: I was going to explain this in a comment but it's too long. I should note that this is a simple solution. It will keep people from accidentally accessing your script. It's really difficult to create a 100% secure solution for your issue, and if somebody really wants to access it, they will be able to. If you don't have anything secure in the script in question, this will be fine. Otherwise, you'll have to look for an alternative.
Here is one solution:
<?php
if(isset($_POST["post_var]))
{
//to the code you want to do when the post is made
}
else
{
//do what you want to do when the user views the post page
}
?>
how do i prevent users from doing that?
You can't - all you can do is mitigate the risk people can fiddle with your script. Making sure you have the right HTTP_REFERER and/or POST data are both useful in that regard: a "malicious" user would need more than pointing her browser to the URL.
More techniques can be used here:
using session variables: you might not want users that are not logged in - if applicable - to use the URL.
using a one-time challenge (token): you can place a value in the HTML page and have the JS code send this value along with the POST request. You store this value in the session when it is generated. Checking the POSTed token against the session token guarantees the user has at least "seen" the HTML page before submitting data - this can also be useful to prevent duplicate submissions.
However, remember that anything a browser can do, people can do it as well. All these techniques can prevent the curious from doing harm, but not the malicious.
All you can do is making sure nobody can really harm you, and in this regard, your Ajax URL is no different than any other URL of your site: if it's publicly reachable, it has to be secured using whatever technique you already use elsewhere - sessions, user rights, etc.
After all, why should you care that users use this URL not using a browser ? You might want to think of it in terms of an API call that, incidentally, your page happens to use.
Your problem is similar to and has the same problems as a cross site request forgery.
To reduce your risk, you can check the request method, check the referrer, and check the origin if set. The best way is to have a secret token that was generated on the server that the client transmits back in every request. Since you're dealing with friendly users who have access to your live code, they may be able to debug the script and find the value, but it would only be for one session and would be a real hassle.
i am trying to access a webpage. I manage to get the redirect webpage session id as shown:
http://www.sbstransit.com.sg/mobileiris/(tqkjtlnqkh2lw5v4rz4yurzf)/mobresult_svclist.aspx?stopcode=16101
I added mobresult_svclist.aspx?stopcode=16101 after the session id to retrieve the information.
However, i could not access the page and keep been redirected to the root url: http://www.sbstransit.com.sg/mobileiris/(tqkjtlnqkh2lw5v4rz4yurzf)/index_nextbus.aspx?__redir=1.
Do anyone know how to prevent that redirection to the root url using php or any other codes? Thanks.
You cannot. If the server sends a redirect header, you can of course choose not to follow it, but the page body would still be empty if the server side doesn't generate it.
You would like to have access to data the webmaster doesn't want you to have. Just contact the webmaster and ask for it to achieve this in a proper way.
I am working on "Email this page" Popup page. I want to send url of base page as an email, but it should be a popup window.
I have used HTTP_REFERER, it is working fine on Firefox, but not working on Internet Explorer.
I am getting the url of current page but I want that url in new popup window page.
Is there any alternative than HTTP_REFERER.
On the page you wish to grab the URL of, you can use $_SERVER['REQUEST_URI'] to get the requested URI (except the scheme & hostname; in other words, you get the path and query string). Pass this to your other page either using a query string or sessions. The former is preferable, as the latter isn't RESTful. There may be times when it's OK to break REST's rule against server side state, but this probably isn't it.
There is no way unless you store it or send it yourself. This page has one example of how to do it, but only really if you set it beforehand. If the site is your own then you should be ok. If not then you will struggle.
That happens because the HTTP_REFERER is sent by the client browser, which means that it's value can be totally manipulated or can even be null. This means that this variable isn't very reliable. But if the site is yours, there are other solutions.
You can send the url or any other identification like an ID by QueryStrings. So you'll have the link URL like this the_send_page_name.php?ref=index.php
Be aware that this method only works if you're opening the Pop-up in a site that's yours.