Insecure Php coding

While testing a web application today, I noticed an unusual 302 HTTP response. Normally a 302 response has only headers and no HTML body, because it is meant to redirect you to the page cited in the 'Location' field of the HTTP header. This 302 response carried the HTML that is meant to be presented to the authenticated admin user, but we did not have the admin credentials. So how were we seeing this code? After analyzing the 302 redirect response, we concluded that it was the result of insecure coding. The following example explains the issue in PHP.

Insecure code:

<?php
session_start();
include("../config.php");
echo $loggedin;

if ($loggedin != "1") {
    header("Location: http://www.google.com"); /* Redirect browser: sets a header, does not stop the script */
}

{
    /* This bare block is not attached to the if above, so it runs unconditionally */
    echo "Will this code Get executed?";
}
?>

In this example the statement echo "Will this code Get executed?"; will indeed be executed irrespective of the value of $loggedin: header() only adds a Location header to the response and does not stop the script, and the block in braces is not attached to the if, so its output is sent as the body of the 302 response. This is a characteristic of PHP, and you won't see this behaviour in ASP.NET. To secure this code, follow this:

<?php
session_start();
include("../config.php");
echo $loggedin;

if ($loggedin != "1") {
    header("Location: http://www.google.com"); /* Redirect browser */
}
else
{
    /* Only reached when $loggedin is "1" */
    echo "Will this code Get executed?";
}
?>

Alternatively, this code can be secured by:

<?php
session_start();
include("../config.php");
echo $loggedin;

if ($loggedin != "1") {
    header("Location: http://www.google.com"); /* Redirect browser */
    die; /* Stop the script so nothing below is sent with the redirect */
}

{
    echo "Will this code Get executed?";
}
?>

It is very easy for a pentester to miss this issue, because in most cases you get redirected so fast that the page is never rendered by your browser. Unless you go through each 302 response manually, I don't think you will be able to spot it. In this case, even WebInspect wasn't able to spot it. :)
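One way to catch this without reading every 302 by hand is to scan the raw responses a proxy has logged and flag any redirect whose body contains real page content. This is an added example, not code from the original post; the sample responses are constructed, and the length threshold and tag list are assumptions to tune for the application under test.

```python
"""Flag redirect responses that carry an HTML body (the symptom described above)."""
import re

# Constructed sample responses, as an intercepting proxy would log them.
SAMPLES = {
    "clean_redirect": (
        "HTTP/1.1 302 Found\r\n"
        "Location: http://www.google.com\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "leaky_redirect": (
        "HTTP/1.1 302 Found\r\n"
        "Location: http://www.google.com\r\n"
        "Content-Type: text/html\r\n\r\n"
        "<html><body><h1>Admin panel</h1>"
        "<form action='/admin/adduser'>...</form></body></html>"
    ),
    "normal_page": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n\r\n"
        "<html><body>Hello</body></html>"
    ),
}

def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

# Short "Moved" boilerplate after a redirect is normal; forms, inputs, scripts
# or tables behind a redirect are not. Both criteria are assumed heuristics.
SUSPICIOUS = re.compile(r"<(form|input|script|table|a\s)", re.I)

def leaks_body(raw, min_len=200):
    """True when a 3xx response with a Location header carries page content."""
    status, headers, body = parse_response(raw)
    if not (300 <= status < 400) or "location" not in headers:
        return False
    return len(body) >= min_len or bool(SUSPICIOUS.search(body))

def scan(samples):
    """Return the names of all logged responses that leak a body on redirect."""
    return sorted(name for name, raw in samples.items() if leaks_body(raw))

if __name__ == "__main__":
    print(scan(SAMPLES))  # ['leaky_redirect']
```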

Cookie Analysis

WebScarab is perhaps the only tool I can think of for this. I use this tool to figure out whether the session IDs are predictable or not. The 'visualisation' feature is just great. The interface is not very well designed, and as a new user you will have difficulties operating this tool, but once you learn it, it's very handy. Other great features include the compare feature, which is a bit like the 'diff' command in Unix.

Another reason I like this tool is the built-in fuzzing module. Just specify the parameter in the request which you want to fuzz and point to the file containing the values which you would like the parameter to take. Then use the 'compare' section to compare the different responses, which should indicate whether the fuzzing was successful or not. Although it also has a built-in proxy feature, I still prefer Burp for the proxy, maybe because of the better GUI.

For basic cookie analysis I use a Firefox plugin. This plugin allows you to view all the cookies for a particular domain currently set in your browser, and also allows you to edit them.

Man In The Middle Tools

This weekend, as I have nothing better to do, let me talk about my experiences with proxy tools:

  1. Proxy Tool: Parameter manipulation is a very important stage of web app testing, and without it the test will be incomplete. I was using tools like Paros and Achilles for achieving this, but the problem with both of them was that they were highly unstable and would crash every now and then. Thus, if the customer has asked you to provide all the logs of testing, it would be difficult to provide them if the tools were to crash. I currently use Burp Suite. I find it highly stable, and it comes with the feature of viewing request/response as text, as parameters, and as hex. Viewing request and response as 'param' helps me particularly when dealing with ASP.NET applications, because of the long value of ViewState and other .NET stuff. Another interesting feature of Burp is the Repeater module, which can be used to send modified requests to the server multiple times. I use this feature mostly to figure out the 'non-essential' parameters of the unmodified request and then to focus on the essential parameters. The best way to learn the capabilities of this tool is to download it and then play with it. :)

SQL Injection Cheat Sheet

cheat sheet. Although there are so many articles on the internet which talk about SQL injection, this is the only document I know which is 'complete'.

WordPress: MD5 hash in Cookie

I realised WordPress uses a static cookie, even when you have not enabled the remember-me option. This static value holds the MD5 of your password (md5(md5 of password)), which remains static. Thus an XSS exploit in WordPress could be really handy, as the cookie remains the same unless the password for the user is changed.