Sunday, 17 March 2013

(PHP) Protecting Against Simple Path Disclosure

Now more than ever the internet is being used as a way to share your political thoughts and demonstrate your skill via hacking. Groups such as Anonymous and LulzSec (known as hacktivists) share their feelings by attacking high profile websites, be it through a simple Distributed Denial of Service or more high-tech approaches such as SQL injection and exploits.

The main way websites are hacked is through incorrectly sanitized user input; this can come via URL variables, search fields, comments and much more.

In recent years the makers of PHP have been trying to improve security, an example of this being the introduction of MySQL libraries such as MySQLi and PDO, whose prepared statements help prevent SQL injection attacks.

But removing SQL injection vulnerabilities is not nearly enough; issues such as Cross Site Scripting, File Inclusion and Path Disclosure are still extremely common and must be dealt with.

In this post I will demonstrate Path Disclosure, a common issue that's easily fixed. It occurs when the PHP code generates a warning or error which discloses the current file's full location, e.g. /home/website/scripts/currentscript.php.

The easiest way for me to demonstrate this is with a simple search parameter: when you search, the website will often use a GET request. This GET data must be sanitized to protect against the more harmful Cross Site Scripting vulnerability, but this is where Path Disclosure occurs. The URL will look something like this - search.php?query=Path+Disclosure

When programmers try to sanitize user input they wrap the GET variable in functions like htmlentities() and htmlspecialchars(), but this is where the problem occurs: if the attacker adds [] after the variable name (query in our case), PHP parses query as an array, and passing an array to these functions produces a warning that includes the script's full path and line number, hence the name "Path Disclosure".

Now, how do we secure it? We can protect against this by turning off error reporting: simply use error_reporting(0); and no errors will be displayed. Alternatively we can sanitize the database output, but that takes more time and still doesn't sanitize any queries.
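Here is a hardened search.php, added as an example and not taken from the original post. It assumes the page reads its search term from $_GET['query'] and that PHP would otherwise echo warnings to the browser. Rather than silencing everything with error_reporting(0), it keeps errors in the log but off the screen, and it rejects a query that is not a plain string, which is exactly what the query[] trick sends.

```php
<?php
// Added example (not from the original post): search.php hardened against the
// ?query[]= path-disclosure trick. Assumptions: the search term is read from
// $_GET['query'] and warnings would otherwise be displayed to the visitor.

// 1. Never echo errors to the browser; keep them in the server log instead.
//    error_reporting(0) as in the post also hides them, but silences the log too.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

/**
 * Return the search term as a string, or null if it is missing, empty, or not
 * a string. ?query[]=x arrives as an array; handing that array to htmlentities()
 * is what produces the warning that contains the script's full path.
 */
function read_query_param(array $get): ?string
{
    if (!isset($get['query']) || !is_string($get['query'])) {
        return null;
    }
    $q = trim($get['query']);
    return $q === '' ? null : $q;
}

$query = read_query_param($_GET);
if ($query === null) {
    // Reject the request without touching the value, so no warning is raised.
    http_response_code(400);
    echo 'Bad request: query must be a single text value.';
    exit;
}

// 2. Encode on output before the term goes back into the page.
$safe = htmlspecialchars($query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<p>Results for: {$safe}</p>";
```

With display_errors off, a request such as search.php?query[]=x gets a plain 400 response and the warning (if any were raised) would only reach the log. The is_string() check is the real fix; the ini settings are the safety net for every other warning the script might emit.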

Anyway, that's how simple path disclosure works; hope this helped some people see how it can be prevented. So feel free to comment and have a nice day.

Saturday, 16 March 2013

A few XSS vectors (No Quotes)

So I see a number of vulnerability programs where companies are offering rewards for reported XSS (Cross Site Scripting) vulnerabilities. Here are some simple HTML/JavaScript codes you can use to test for XSS in web applications.

http://jsfiddle.net/Z5nHD/
<button/onclick=alert(0) >I Found XSS</button>


http://jsfiddle.net/Jt7qx/1/
<a onmouseover=(alert(1337))>Another XSS Parameter</a>


http://jsfiddle.net/yJ5Hm/
<p/onmouseover=javascript:alert(/XSS/); >hello</p>


These are just a few basic codes, but as you can see none of them use quotes of any kind. Hope you like this little share.
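The point of these vectors is that they survive filters which only strip quotes. The following PHP, added here as an example and not part of the original post, shows the output-encoding side: the three vectors above are passed through htmlspecialchars() with ENT_QUOTES and placed into a text node and into a double-quoted attribute. The function names encode_html() and search_box() are my own.

```php
<?php
// Added example, not from the original post: output encoding that neutralises
// the quote-less vectors listed above when untrusted text is echoed into HTML.

// Encode for an HTML text node or a *quoted* attribute value.
// ENT_QUOTES encodes both ' and ", so a value cannot close the attribute it sits in.
function encode_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Build an element whose attribute is always double-quoted. Quoting matters:
// htmlspecialchars() leaves spaces and '/' alone, and the vectors above rely
// on exactly those characters to attach an event handler without any quotes,
// so an unquoted attribute would still be unsafe even after encoding.
function search_box(string $previous_query): string
{
    return '<input type="text" name="query" value="' . encode_html($previous_query) . '">';
}

// Constructed inputs: the three vectors from the post.
$vectors = [
    '<button/onclick=alert(0) >I Found XSS</button>',
    '<a onmouseover=(alert(1337))>Another XSS Parameter</a>',
    '<p/onmouseover=javascript:alert(/XSS/); >hello</p>',
];

foreach ($vectors as $v) {
    // Every '<' becomes '&lt;' and '>' becomes '&gt;', so the browser renders
    // the vector as literal text instead of creating an element.
    echo encode_html($v), "\n";
    echo search_box($v), "\n";
}
```

Run it from the command line and compare each pair of lines: no tag survives in the text node, and inside search_box() the value stays within its double quotes because the only characters that could end the attribute are encoded.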

Friday, 15 March 2013

Excellent Tutorials for beginner programmers

Like many people who are new to learning a programming language, I go browsing Google etc. for the right tutorials and resources that will help me learn super fast and make me an "awesome" coder (obviously I know it's not that easy).

Programming takes years of practice and devotion, but there is no harm in getting off to a good start. Here are some excellent places to find top quality programming resources.


Firstly, YouTube. Although there are some kids who think they can make programming tutorials and it looks like they have been recorded with a potato, nevertheless here are some good channels where you can find some good tutorials.

http://www.youtube.com/user/iTzAdam5X?feature=watch (Great C tutorial list).

http://www.youtube.com/user/thenewboston (Many good series e.g. Java, PHP...).

http://www.youtube.com/user/phpacademy (Best PHP tutorials around).

http://www.youtube.com/user/prosenjitk (Some cool Perl tutorials).


Next, although this might seem a bit obvious, check the documentation on the official website; many newcomers skip this part because it's just a long bit of boring text. So here are just a few examples. If your chosen language is not in the list then just Google it.

http://php.net

http://cplusplus.com

http://python.org


And finally, if you're willing to pay you might want to check out http://lynda.com. This website has hundreds of high quality video tutorials that you can work through. I've currently got the C/C++ and PHP OOP series and they are brilliant.

Anyway let me know what resources you like.

Learning C Programming...

So today I got the news that I lost my job, kind of depressing although I've been trying to look on the bright side. The bright side being I have more time to learn C programming. Now I've been looking for a second programming language for a while now and I've attempted a number, ranging from Python and Ruby to ASM, but to be honest, although I kind of liked the weirdness of ASM, I've always been a lover of the traditional C syntax.

Not too long ago I said to myself "I'm going to master Ruby" but I just couldn't get used to the structure and syntax, an example being loops. Here are a few examples.

I'm a PHP programmer; this is what I'm used to...

<?php
for($i = 0;$i <= 10;$i++)
{
echo "hello World";
}
?>

Here is a C example (note: I'm not going to include all the headers etc., just the actual loop)...

for(int i = 0;i <= 10;i++)
{
printf("Hello World");
}

And finally the Ruby loop (one I just couldn't get used to).

for i in 0..10
puts "Hello World"
end

As you can see the Ruby example is a little different, and although a number of Ruby enthusiasts will say it's not that different, it just wasn't for me.

Anyway long story cut short, I'm learning C.