I'm working through a security assessment report on a php app generated by Accunetix.
The report is claiming a SQL Injection vulnerability. The app is PHP with MySQL. Here's the headers it says are making the attack (specifically the accept-language header):
GET /user_login.php HTTP/1.1
user-agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
accept-language: 1;select pg_sleep(1); --
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=35kno6h8kmkbin973q02gojp82; uniqueuser=1382404387
Host: xxx.xxx.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
I haven't found "accept-language" or "accept_language" anywhere in the app. Also, pg_sleep() isn't a MySQL function.
I searched for a known vulnerability in PHP and didn't find anything. Is this a false positive, or am I missing something?
Accept-Language is the request header sent by client's browser.
Accunetix were trying to manipulate these headers by injecting malicious code to find security wholes (imitating hackers) to test if you application is vulnerable to them.
If you haven't used accept-language header, or request headers in your DB queries, then probably it is a false positive. To make sure, see the response of that request, if the response is normal, then it is all OK.
The code will probably treat that header as a source for selecting the language, an that is done via a database query. And when generating the query, the contents of the HTTP header are improperly parsed.
The reason for you not seeing this might be because the fetching of the HTTP headers is done indirectly (like in $_SERVER[$language_header]).
Related
Sending the following form ends with a single character # shown in the MS Edge browser(Microsoft Edge 42.17134.1.0, Microsoft EdgeHTML 17.17134) and we can expect the final result should be OK!. The expected result is shown in other popular browsers. Wrapping the form with the correct HTML5 skeleton with Doctype etc. does not help. Why can some particular text not be sent via the form? Well, to be strict it can as long as I do not touch $_POST or I do not want to include this meta tag on my webpage where the form is sent. I can access the post data via php://input and everything is there in a raw but this is not a solution.
The issue was found in my own content management framework where some tags(including meta tags) are sent via the form to the PHP script.
<?php
if(isset($_POST['test'])){
echo "OK!";
} else{
echo '
<form action="/" name="template" method="post" accept-charset="UTF-8">
<textarea name="test"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></textarea>
<input type="submit" />
</form>
';
}
?>
Naturally, the source code is saved with UTF-8 as well. Please, drag me away from this path in case I am doing something prohibited or potentially wrong. Eventually, I want to send the complete HTML head section via POST method.
Here are my questions:
Why text including <meta charset="UTF-8" /> cannot be properly sent using post method? Here, there is no question about the processing of the data via PHP script.
Is there any reason to search for the issue not in the source code but in web server installation? But, if yes why then it works with other browsers?
Can the HTTP requests be for some reason significantly different what might cause the described issue?
From where comes # can it be from the web server or the edge browser?
I am using XAMPP 7.2.4 on Windows 10.
Not everything should be allowed to send with the form by a user, but any tag is not a reason to be refused by a browser or httpd server.
The web server could reject some request, especially along the loaded mod_rewrite module with not a proper configuration,
...but what is the point of writing the # instead of an error message.
The main fear is that the HTTP requests might be different, maybe some mechanism against XSS incidentally will catch something? But as the life shown the issue here was somehow connected to cache, default content language and saved cookies.
The original issue from the question is related only to XAMPP <=> MS Edge and it has nothing to do with PHP scripts or UTF-8 encoding. It is established in the community that the meta tag with charset should be used as a safety mechanism, but what is not to be expected is that this meta tag might potentially have the influence on showing the website's content or just #. It should be strongly stressed that a similar issue is not appearing with other tags. The simplest case in which the scenario could be repeated is with the GET method by sending form data even to the HTML file.
http://127.0.0.1/?data=%3Cmeta+http-equiv%3D%22%22+%2F%3E
The other decent installations of Apache server have no such issues(I have tried apachelounge on Windows and Apache installations on different linux distributions). Therefore, I claim that reproducing the issue might be difficult and potentially can be the installation specific.
The simplest solution is to use a different version of XAMPP or other implementation of the httpd server.
For those, curious as I am, still, it is not explained why the XAMPP server has the issue with requests only from MS Edge. The typical HTTP request
GET /?data=%3Cmeta+http-equiv%3D%22%22+%2F%3E HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
seems not to has any unconventional stuff. There is an obvious User-Agent difference with MS Edge
GET /?data=%3Cmeta+http-equiv%3D%22%22+%2F%3E HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
Accept-Language: pl-PL
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Host: 127.0.0.1
Connection: Keep-Alive
Cookie: PHPSESSID=*********
and the Cookie, and the Accept-Language: pl-PL only. To my surprise, it turned out that cleaning of the browser data solved my issue.
My organization is testing my laravel app with IBM AppScan and it reveled the following issue. I'm not sure the best way I should be verifying the referer. Details of the scan
The following changes were applied to the original request:
- Set header to 'http://bogus.referer.ibm.com'
Reasoning:
The test result seems to indicate a vulnerability because the Test
Response is identical to the Original Response, indicating that the
Cross-Site Request Forgery attempt was successful, even
though it included a fictive 'Referer' header.
Request/Response:
GET /data/1?page=3 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Win32) Referer:
http://bogus.referer.ibm.com
Host: xxxx.xxx.xxx.xxx
Accept: text/html,application/
Laravel relies on CSRF token to prevent the application from CSRF. Validating the header only adds an extra layer of security, however, this can be forged.
How is it possible for client browser data to be saved in an array in PHP?
PHP runs on the server side, so I don't understand how it has access to information about the client's browser.
User agent data is usually sent with every HTTP requests, in the User-Agent HTTP header field. You might want to read up on HTTP message formats in general. For example, this is part of the HTTP request that my browser sent to load jQuery on this very page:
GET http://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min.js HTTP/1.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Connection: keep-alive
If-Modified-Since: Fri, 01 Apr 2011 21:23:55 GMT
Accept-Charset: UTF-8,*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
PHP reads the client browser data that you're asking about from the User-Agent header field.
The client sends data to the server which the server uses to build the array (I'm assuming you're talking about $_GET, $_POST, $_SERVER, etc.)
You will find it here
$_SERVER['HTTP_USER_AGENT']
You may need to parse this by regex to get the browser name and version separately.
$_REQUEST
An associative array that by default contains the contents of $_GET, $_POST and $_COOKIE.
The data is submited by the browser when a new page is requested, PHP just puts it into an array for your convenience.
You should start by reading a bit about HTTP (GET and POST to begin with), and HTTP headers.
Im using a script from this guy
A. Valums http://valums.com/ajax-upload/
Everything is fine until the file has finished uploading and i get a 406 error on the firebug(ONLY). when i right click the link on firebug and open in new window, the file does exist and does what i expect it to do.
the page on firebug says
Not Acceptable
An appropriate representation of the requested resource upload.php could not be found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
but when i see the page on a new tab it works fine and returns the right thing, that script on A. Valums has ajax requests btw
UPDATE
Host www.example.com
User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language en-gb,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive 115
Connection keep-alive
Content-Type application/octet-stream
Referer http://www.example.com
Content-Length 192378
Cookie
Look at the HTTP headers. Your JavaScript is likely adding an Accept header that the server thinks it doesn't have a suitable type of data to respond with.
It was a server error.something called "mod_security" which needs to be disabled and I have no clue what it is but ask your hosting provider they should know about it if you experience the problem :)
This is a two part question.
Q1: Can cURL based request 100% imitate a browser based request?
Q2: If yes, what all options should be set. If not what extra does the browser do that cannot bee imitated by cURL?
I have a website and I see thousands of request being made from a single IP in a very short time. These requests harvest all my data. When looked at the log to identify the agent used, it looks like a request from browser. So was curious to know if its a bot and not a user.
Thanks in advance
This page has all the answers to your questions. You can imitate the things mostly.
R1 : I suppose, if you set all the correct headers, that, yes, a curl-based request can imitate a browser-based one : after all, both send an HTTP request, which is just a couple of lines of text following a specific convention (namely, the HTTP RFC)
R2 : The best way to answer that question is to take a look at what your browser is sending ; with Firefox, for instance, you can use either Firebug or LiveHTTPHeaders to get that.
For instance, to get this page, Firefox sent those request headers :
GET /questions/1926876/can-a-curl-based-http-request-imitate-a-browser-based-request-completely HTTP/1.1
Host: stackoverflow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2b4) Gecko/20091124 Firefox/3.6b4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://stackoverflow.com/questions/1926876/can-a-curl-based-http-request-imitate-a-browser-based-request-completely/1926889
Cookie: .......
Cache-Control: max-age=0
(I Just removed a couple of informations -- but you get the idea ;-) )
Using curl, you can work with curl_setopt to set the HTTP headers ; here, you'd probably have to use a combination of CURLOPT_HTTPHEADER, CURLOPT_COOKIE, CURLOPT_USERAGENT, ...