2

While reading an article I encounter an interesting thing I did not know about:

if(!isset($_SESSION['usr_id']) || !isset($_SESSION['usr_name']))
{
    header('Location: index.php');
}

...Which is all well and good if the client respects the Location header. The crawler apparently doesn't, because it doesn't really have to. The bad thing is that any crawler, bot, or browser that can ignore headers could bypass all security on their site.

I do believe that it is true, but I was wondering how I can replicate the results. Basically how can I test that the browser, crawler or something else is ignoring header?

I am not sure whether this question belongs here or to stackoverflow, but I think that due to the nature of this site, there is higher probability that people know how to bypass this.

Improve this question
3
  • 1
    I can't help but notice that you're missing a die() or an exit() call after sending the location header. You should stop execution after the client gets redirected. Commented Mar 2, 2013 at 19:52
  • this is not my code, this is a part of the article, and yes, this should be written in the if statement. Commented Mar 2, 2013 at 20:17
  • @Maerlyn that is part of the problem in the article. Commented Mar 2, 2013 at 20:38

2 Answers 2

Reset to default
4

First to clarify, the proper description is that the header was "ignored" not "bypassed". A header is a piece of data that is transmitted as a part of an HTTP response, it is not in and of itself a gateway that controls access.

At least one of the comments on the article notes that the the actual issue here is not that that the header was ignored, per se, but that the application failed to exit at the point authentication was denied and send only the header. They continued to build and send the entire response as if the user was properly authenticated, and trust that the client would redirect based on the header without reading the contents of the body. This Is Bad.

The correct behaviour would have been to send only the header (and the corresponding HTTP response code) so that even if a client did chose to ignore it, they would receive no privileged content with the response.

Once the data goes outside of your firewall, it's no longer yours, so you don't send data you wouldn't want someone to have until you've verified who they are.

Improve this answer
1

You can test it with cURL extension in PHP or more effective way is to use software that scanning your script and see what action you got.

http://php.net/manual/en/book.curl.php

More than that, you can check it with web server assessment tool: http://www.cirt.net/nikto2

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.