hacking by url rewriting

Posted: Fri Aug 22, 2014 8:16 am
by Irmoz
Hi all,

I have a security problem with my website, which is a social network (like Facebook).
Let me explain:

You can execute this page on my website.
http://www.SocialNetWork.com/ChangeStat ... aram=Hello
So your status becomes "Hello".

On your profile, you can create a link to a picture on the web, for example: <img src='http://www.hacking.com/pic.jpg'>

The problem is that a "hacker" created several Russian girl profiles and made links to pic.jpg on his server, and this .jpg file rewrites the URL to: http://www.SocialNetWork.com/ChangeStat ... param=Suck.
So when you visit his profile, the PHP code is launched, and the status OF THE VISITOR is changed!

I have no idea how to stop this.
If I check the variable $_SERVER['HTTP_REFERER'], the value is empty or http://www.SocialNetWork.com, but never http://www.hacking.com ...

How can I stop a foreign picture from launching a PHP page on my website?

Thanks for the help!
PS: sorry for my English.

Re: hacking by url rewriting

Posted: Fri Aug 22, 2014 8:21 am
by Celauran
Require some sort of verifiable token with every submission. If the token is missing or incorrect, discard the request.

Re: hacking by url rewriting

Posted: Fri Aug 22, 2014 8:22 am
by Irmoz
Nice!
Could you give me an example?

Re: hacking by url rewriting

Posted: Fri Aug 22, 2014 8:30 am
by Celauran
Generate a random token -- hash microtime() and use the user's email as a salt, for instance -- and store that somewhere on the server. Sessions are a good option. Also insert the value in a hidden field in your form. When the form is submitted, compare the value contained in the hidden field with the value contained in session data. If they match, allow the request. If not, dump it.

Re: hacking by url rewriting

Posted: Sat Sep 13, 2014 8:37 pm
by cap2cap10
Hi, hope this code helps:


<?php
// Whitelist of allowed page names mapped to the files they include.
$page_files = array(
    'about'   => 'about.html',
    'photos'  => 'photos.html',
    'contact' => 'contact.html',
    'home'    => 'home.html'
);

// Only include a file whose key is in the whitelist; fall back to home
// when the parameter is missing or not a known key.
if (isset($_GET['page']) && array_key_exists($_GET['page'], $page_files)) {
    include $page_files[$_GET['page']];
} else {
    include $page_files['home'];
}
?>
Regards,


Batoe

Re: hacking by url rewriting

Posted: Sun Sep 14, 2014 12:37 am
by requinix
The token Celauran speaks of is how you deal with "cross-site request forgery", that being the name for the vulnerability, in case you want to learn more about it.

Note that you can make the form use POST instead of GET, and in fact you should do that anyway, but it alone will not protect you. (It makes the problem more awkward to trigger maliciously, but still possible.)
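Putting Celauran's token procedure and requinix's POST advice together, here is an added example of a CSRF-protected status form (not code from anyone in this thread). It swaps the hashed-microtime() token for random_bytes(), which is unpredictable; the file name ChangeStatus.php, the field names and the function names are assumptions.

```php
<?php
// Added example, not from the thread. Assumes this file is ChangeStatus.php.
session_start();

function csrf_token(): string {
    // Issue one token per session from the CSPRNG (random_bytes replaces
    // the hashed microtime() idea, which an attacker could guess).
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post): bool {
    // Reject when either side is missing; compare in constant time.
    if (empty($_SESSION['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A forged request from another site (an <img> tag, a hidden form) cannot
    // read this session's token, so it fails here before anything changes.
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    $status = $_POST['status'] ?? '';
    // Update the logged-in user's status with $status here (DB code is
    // application-specific and omitted).
    echo 'Status updated to ' . htmlspecialchars($status, ENT_QUOTES, 'UTF-8');
    exit;
}
?>
<form method="post" action="ChangeStatus.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="status">
  <button type="submit">Change status</button>
</form>
```

A plain GET to ChangeStatus.php now only renders the form, and a POST without the session's token is refused with 403, which is exactly the case the profile-picture trick relied on.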