Insecure PHP coding
While testing a web application today, I noticed an unusual 302 HTTP response. Normally a 302 response carries only headers and no HTML body, because it is meant to send you on to the page named in the 'Location' field of the HTTP header. This 302 response, however, contained the HTML that is presented to the authenticated admin user, but we did not have the admin credentials. So how were we seeing this code? After analyzing the 302 redirect response, we concluded that it was the result of insecure coding. The following example explains the issue in PHP.
Insecure code:
<?php
session_start();
include("../config.php");
echo $loggedin;
if ($loggedin != "1") {
    header("Location: http://www.google.com"); /* Redirect browser */
}
/* Bare block: not attached to the if above, so it runs whatever $loggedin is */
{
    echo "Will this code Get executed?";
}
?>
In this example the statement echo "Will this code Get executed?"; will indeed be executed irrespective of the value of $loggedin. This is a characteristic of PHP: header() only queues the Location header, and the script keeps running until it ends or exit is called, so everything after the redirect is still executed and sent as the 302 body. You will not see this behaviour in ASP.NET, whose Response.Redirect ends the response. To secure this code, attach the protected block to the condition with else:
<?php
session_start();
include("../config.php");
echo $loggedin;
if ($loggedin != "1") {
    header("Location: http://www.google.com"); /* Redirect browser */
}
else
{
    /* Only reached when $loggedin is "1" */
    echo "Will this code Get executed?";
}
?>
Alternatively, the code can be secured by stopping the script right after the redirect header:
<?php
session_start();
include("../config.php");
echo $loggedin;
if ($loggedin != "1") {
    header("Location: http://www.google.com"); /* Redirect browser */
    die(); /* Stop here: nothing below is executed or sent for an unauthenticated user */
}
{
    echo "Will this code Get executed?";
}
?>
It is very easy for a pentester to miss this issue, because in most cases you are redirected so fast that the page is never rendered by your browser. Unless you go through each 302 response manually, I don't think you will be able to spot it. In this case, even WebInspect was not able to spot it.
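The manual review of 302 responses described above can be automated. The following check is an added example, not code from the original post: it parses raw HTTP responses and flags redirects whose body carries real page markup (forms, inputs, scripts, tables, or several links), while tolerating the one-link "document has moved" stub some servers attach to every redirect. The sample responses are constructed for the demonstration.

```python
import re

# Constructed samples, not real captures. The leaky one mirrors the PHP above:
# the stray "1" is the output of echo $loggedin, followed by the admin page.
LEAKY_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.google.com\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "1<h1>Admin panel</h1>"
    "<form action=\"/admin/users.php\" method=\"post\">"
    "<input type=\"text\" name=\"user\"><input type=\"submit\"></form>"
)
STUB_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.google.com\r\n"
    "\r\n"
    "The document has moved <a href=\"http://www.google.com\">here</a>."
)
CLEAN_302 = "HTTP/1.1 302 Found\r\nLocation: http://www.google.com\r\n\r\n"

TELLTALE = re.compile(r"<(form|input|select|textarea|script|table)\b", re.I)
ANCHOR = re.compile(r"<a\b", re.I)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def redirect_leaks_body(raw):
    """True when a 3xx redirect with a Location header also ships page content."""
    status, headers, body = parse_response(raw)
    if not (300 <= status < 400) or "location" not in headers:
        return False
    # Interactive markup or more than one link is a page, not a redirect stub.
    return bool(TELLTALE.search(body)) or len(ANCHOR.findall(body)) > 1


def flag_leaky_redirects(responses):
    """Indices of the responses that should be reviewed by hand."""
    return [i for i, raw in enumerate(responses) if redirect_leaks_body(raw)]
```

Feed it the raw responses saved from a proxy and review only the flagged ones instead of every 302.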
Another post on this topic:
http://yaisb.blogspot.com/2006/08/authentication-bypass_07.html
Thanks for the information.
Comment by Yns :: March 24, 2007 @ 2:26 pm

Hi,
Just checking out your blog.
Comment by Tejaswy :: March 27, 2007 @ 9:58 am

I don't really think that this is a very big issue: bad coding and bad PHP knowledge, nothing special about this. It is logical to use else, but anyway, using die(); or exit(); after the redirect is indeed a good way of coding; the PHP manual even has examples of it.
Comment by Kestas :: April 7, 2007 @ 3:27 pm

I have to disagree with Kestas. If you forget the "else" then it is your own fault, yes, but it is very interesting that the code doesn't error, and I believe that is a PHP bug.
It would be a major pain not to spot this in a script and keep wondering why your script is messing up, only to find it's a missing else.
Comment by Andrew Fenn :: July 23, 2007 @ 7:24 am