Cross site scripting issue by adding new parameter in the request - php

Below is my url with request
http://test.com?leavingfrom=BOM&goingto=DEL&travel=DOM&_token=gclligMoBzOHW4wwruDShklxbOh3SjsKTWRvWFK0&Default=O&leavingfrom1=Mumbai+%28BOM%29&goingto1=New+Delhi+%28DEL%29&depart=16-02-2017&arrive=&class=E&adults=1&child=0&infants=0
Cross site scripting is happening for this URL as below. New parameter is added in the URL as '-alert-'=1 and passed to nextpage
http://test.com?leavingfrom=BOM&goingto=DEL&travel=DOM&_token=gclligMoBzOHW4wwruDShklxbOh3SjsKTWRvWFK0&Default=O&leavingfrom1=Mumbai+%28BOM%29&goingto1=New+Delhi+%28DEL%29&depart=16-02-2017&arrive=&class=E&adults=1&child=0&infants=0&'-alert-'=1
How can i stop the cross site scripting if new parameter is added


You can use this class as middleware
class XSSProtection
{
/**
* The following method loops through all request input and strips out all tags from
* the request. This to ensure that users are unable to set ANY HTML within the form
* submissions, but also cleans up input.
*
* #param Request $request
* #param callable $next
* #return mixed
*/
public function handle(Request $request, \Closure $next)
{
if (!in_array(strtolower($request->method()), ['put', 'post'])) {
return $next($request);
}
$input = $request->all();
array_walk_recursive($input, function(&$input) {
$input = strip_tags($input);
});
$request->merge($input);
return $next($request);
}
}
REF : https://gist.github.com/kirkbushell/5d40fdd7f7b364716742

Related

Call authenticate manually in router middleware

I created a CustomAuth middleware to use in routes to authenticate by "user_id" in request body or "Authentication" in request header.
I need call Authenticate class case "user_id" isn't passed.
class CustomAuth
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next, $guards)
{
if ($request->get('user_id')) {
Auth::loginUsingId($request->get('user_id'));
} else {
<-- here -->
}
return $next($request);
}
}
Obs: I use whitelist ip middleware as well.

Do you want to authenticate user in login form by user_id?
if yes you should change login form and make change in this file:
vendor/laravel/framework/src/Illuminate/Foundation/Auth/AuthenticatesUsers.php
public function username()
{
return 'email'; // default is email but you can change it to id or user_id if you have this column in your users table
}

TypeError from throttle requests when doesn't pass the middleware

I didn't know how to describe the subject but here's my problem:
I have a model/table named users, and it has a field called type. I made a middleware to give controller access to the specific types. when it passes the middleware, there's no problem. but when the type is not the same, it gives an error like this:
Argument 1 passed to Illuminate\\Routing\\Middleware\\ThrottleRequests::addHeaders() must be an instance of Symfony\\Component\\HttpFoundation\\Response, string given, called in C:\\xampp\\htdocs\\app\\Http\\Middleware\\ThrottleRequests.php on line 3
the thing is, this is giving me a typeError, and it's not the type field I have in my table. I tried to change the field name in case you think this is about my field name.
ps: I didn't do anything else, it's just the default class I didn't try to modify the throttle middleware.
ps: the middlewares I'm using are:
'support' => [
'auth:api',
'customMiddleware',
]
UPDATE:
customeMiddleware:
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
$user = Auth::user();
$AccessLevel = 2;
if($user->type >= $AccessLevel){
return $next($request);
}
return "UnAuthorized";
}

You probaly automatically imported the wrong response class.
In ThrottleRequests.php
You probably have:
use Symfony\Component\HttpFoundation\Response;
replace it with:
use Illuminate\Http\Response;
Sharing your code will help, people answer indeed.
Don't return a string, that is not mathing the expected return type:
throw new UnauthorizedHttpException('Some message')

Your issue is that you are simply returning a string from the middleware. I can't remember if abort() works in middleware, but try this:
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
$user = Auth::user();
$AccessLevel = 2;
if($user->type >= $AccessLevel){
return $next($request);
}
return abort(403);
}

Ajax Auth redirect on Laravel 5.6

I have a Like button that fires an Ajax Post, this route is protected by auth:api middleware:
myproject/routes/api.php
Route::group(['middleware' => ['auth:api']], function () {
Route::post('/v1/like', 'APIController#set_like');
});
When an authenticated user clicks the like button, no problem at all, everything works smoothly. But when guests click the button, I redirected them to login page via Javascript and after authentication they are redirected to the page specified in RedirectIfAuthenticated middleware, so usually to /home.
I modified that middleware as follows:
myproject/app/Http/Middleware/RedirectIfAuthenticated.php
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Support\Facades\Auth;
class RedirectIfAuthenticated
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #param string|null $guard
* #return mixed
*/
public function handle($request, Closure $next, $guard = null)
{
if (Auth::guard($guard)->check()) {
return redirect()->intended('/home');
}
return $next($request);
}
}
My Ajax call is this:
var toggleLike = function(){
var token = USER_TOKEN; //javascript variable
var current_type = $(thisLikeable).attr("data-type");
var current_id = $(thisLikeable).attr("data-id");
var jqxhr = $.post( APP_URL + "/api/v1/like", {api_token: token, type: current_type, id: current_id}, function(data) {
setLikeAppearance(data.message);
})
.fail(function(xhr, status, error){
if (xhr.status == 401) {
window.location = APP_URL + "/login" ;
}
});
};
The problem here's the intended() function, which for Ajax calls is not storing the correct session variable and I am not figuring out how to set it properly.
I am clearly missing something obvious, can anyone help?
Cheers!
EDIT
What I want to achieve is this:
GUEST is in //mysite/blabla
clicks Like button
gets redirected to login
logs in (or register)
gets redirected to //mysite/blabla with the Like already triggered on

What's happening is that in APIs sessions are not managed or in other words it's stateless. So the session middleware is not implemented on Laravel framework for API requests. Though you can manually add, it's not idle to use. So if the API does not use sessions and uses the redirect, fronted does not know about it, as API and frontend work as two separate apps. SO you need to send the frontend the status of the response and let the frontend handle the redirect as you have done with ajax. Just remove the redirect if unauthenticated and let the API throw unauthorized exception. Then, from the handler, handle the unauthorized exception.
Here is how to do it.
Add this to app/Exceptions/Handler.php
/**
* Convert an authentication exception into an unauthenticated response.
*
* #param \Illuminate\Http\Request $request
* #param \Illuminate\Auth\AuthenticationException $exception
* #return \Illuminate\Http\Response
*/
protected function unauthenticated($request, AuthenticationException $exception)
{
if ($request->expectsJson()) {
return response()->json(['error' => 'Unauthenticated.'], 401);
}
return redirect()->guest('login');
}
this will send the user a 401 with message Unauthenticated if the request was json(api request), else(if web request) will redirect to login
check the render method below or check it from source to understand what's happening. when an unauthorized exception is thrown we are telling to check the request type and if it's from an API request, we are sending a json response with 401 status code. So know from frontend we could redirect the user to login page after seeing the 401 status code.
From source
/**
* Render an exception into a response.
*
* #param \Illuminate\Http\Request $request
* #param \Exception $e
* #return \Symfony\Component\HttpFoundation\Response
*/
public function render($request, Exception $e)
{
if (method_exists($e, 'render') && $response = $e->render($request)) {
return Router::toResponse($request, $response);
} elseif ($e instanceof Responsable) {
return $e->toResponse($request);
}
$e = $this->prepareException($e);
if ($e instanceof HttpResponseException) {
return $e->getResponse();
} elseif ($e instanceof AuthenticationException) {
return $this->unauthenticated($request, $e);
} elseif ($e instanceof ValidationException) {
return $this->convertValidationExceptionToResponse($e, $request);
}
return $request->expectsJson()
? $this->prepareJsonResponse($request, $e)
: $this->prepareResponse($request, $e);
}
AFTER EDIT
The intended method() is only for web routes as it uses session to extract the intended route or manually passed value. Here is the intended() method.
/**
* Create a new redirect response to the previously intended location.
*
* #param string $default
* #param int $status
* #param array $headers
* #param bool $secure
* #return \Illuminate\Http\RedirectResponse
*/
public function intended($default = '/', $status = 302, $headers = [], $secure = null)
{
$path = $this->session->pull('url.intended', $default);
return $this->to($path, $status, $headers, $secure);
}
To achive the redirect to the page the user is comming from you can
1 - Manually pass some queries with url like
/login?redirect=like(not the url, just a mapping for /comments/like url)&value=true(true is liked, false is unliked)
and handle it manually.
2 - Get and check the query parameters from url
3 - Use to() method to pass the intended url instead of using intended(). here is the to() method. (see 4 to see the recommended way)
/**
* Create a new redirect response to the given path.
*
* #param string $path
* #param int $status
* #param array $headers
* #param bool $secure
* #return \Illuminate\Http\RedirectResponse
*/
public function to($path, $status = 302, $headers = [], $secure = null)
{
return $this->createRedirect($this->generator->to($path, [], $secure), $status, $headers);
}
4 - But, I would recommend sending redirect url (I mean the mapping ex: like) as a response to frontend and let the frontend handle the redirecting. As API redirecting will work if the API is used by websites only. Suppose if you are using this same api for a mobile app, wonder how API redirect will work. It's not a work of API to redirect, unless if it's for things like OAuth Authentication, which would have a redirect url specified.
Remember to sanitize the url params to block XSS like stuff. Better
Send some values and map it to the urls. Like
[
//like is mapping
//comments/like is the actual url
'like' => 'comments/like'
]
Then, get the mapping url from array or use frontend mappings.

You can make changes in your RedirectIfAuthenticated.php to distinguish between Ajax call & normal login like this:
namespace App\Http\Middleware;
use Closure;
use Illuminate\Support\Facades\Auth;
class RedirectIfAuthenticated
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #param string|null $guard
* #return mixed
*/
public function handle($request, Closure $next, $guard = null)
{
if (Auth::guard($guard)->check()) {
if ($request->has('api_token')) {
// do whatever you want
return response()->json('some response');
}
return redirect()->intended('/home');
}
return $next($request);
}
}
Update:
Another solution is to remove Auth middleware from your route. In APIController#set_like function manually login user, trigger like & return json response.

If a button is not for a guest, then you shouldn't render it on page.
Instead, you should render a link to login, then if the user logs in you will redirect him back to where he was before. Now, user can see and click the button.

How to store into database on page Refresh with Laravel?

I want to check if users are using the system.
I know have a last_login, with the standard laravel class UpdateLastLoggedInAt.
public function handle(Login $event)
{
$event->user->last_login = Carbon::now();
$event->user->save();
}
This doesn't work if users let their browser window stay open.
Is there a way to have it so that on every page refresh or route change (users navigates through the website), change the last_login to that time?
Thanks in advance.

I created a middleware for this and wrapper it around all routes.
class LogLastSeen
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
$user = User::find(Auth()->user()->id);
$user->last_login = Carbon::now();
$user->save();
return $next($request);
}

Multiple dynamic url redirect in Laravel

I have looked at many similar questions bu they don't approach the real problem. I would like to redirect a user to a certain url just after login depending on a condition about the user.
I know this can be archieved with a middleware so I have tried this in app\Http\Middleware\RedirectIfAuthenticated.php
class RedirectIfAuthenticated
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #param string|null $guard
* #return mixed
*/
public function handle($request, Closure $next, $guard = null)
{
if (Auth::User()->check()) {
$redirect = '/client';
if (Auth::user()->hasRole('admin')){
$redirect = '/admin';
}
return redirect($redirect);
}
return $next($request);
}
}
I realise now this will not work just after login. I'd like to redirect a user depending whether he/she is an admin or a client. I know I could use: protected $redirectPath = '/url/to/redirect'; but I have multiple pages to redirect to.
What is the best way to do this?

You could over-write the redirect method offered up by the trait in app/Http/Controllers/Auth/AuthController.php
public function redirectPath()
{
if (Auth::user()->hasRole('admin')){
return '/admin';
}
return '/client';
}
Put that in your AuthController.php.

Categories