header(Location:)

I'm testing someone else's code that hey have put in my site.  I know that as part of their security suite, they used header (Location:) to redirect to a login page, but I need to make sure that after it's redirected it stops executing.

For those who don't know why... if a page does not stop executing, all a hacker needs to do is to find a browser that will not honor the header(Location:) and they can get in.

What I'm looking for us such a browser, or other method for testing the site.  Yeah, I know I could go dig through the code myself, but it's going to take forever.  I just want a method to test a handful of sensitive pages (user accounts, etc) to make sure that we're secure.

So here's the question.  Anyone know of such a browser or method for testing?  I know  a hacker would just have to download the firefox source, find the place where it redirects because of header(location) and comment it out.  I'm no coder, so that's beyond me.

Thanks
LVL 1
bennybutlerAsked:
Who is Participating?
 
ozanhazerConnect With a Mentor Commented:
Well, If you can't hack a browser act like a browser:)
Open a command prompt window or shell...

telnet www.poorsite.com 80
GET /somepage.php HTTP/1.1
Host: www.google.com
<press enter twice>

0
 
ollyatstithiansCommented:
Just break the line that has the header or comment it out so it won't redirect.

The code in the login page should set a session variable to identify the user to each page. The presence of a valid session variable should lead to the redirect being circumvented.

Olly.
0
 
bennybutlerAuthor Commented:
The code is currently running on their server, I don't have the resources to set up a mirror environment.  I'm trying to pen test it from the outside.
0
The eGuide to Automating Firewall Change Control

Today’s IT environment is constantly changing, which affects security policies and firewall rules. Discover tips to help you embrace this change through process improvement & identify areas where automation & actionable intelligence can enhance both security and business agility.

 
nplibCommented:
add exit(); after header();
0
 
bennybutlerAuthor Commented:
Yes, I put exit() after header in all of my stuff, but I'm trying to test from the outside without access to the code.

0
 
nplibCommented:
to test, comment out the header() line, unless you happen to have a browser that ignores such line. If nothing is happening that's because nothing is happening, plus if you setup your conditional statements correctly, if a hacker was to use a browser that ignored the header line, then they should get a blank page regardless if you used exit or not, exit should be an assurance not a life line.
0
 
ollyatstithiansCommented:
I've had an investigate, but can't find a way. Sorry.

Olly.
0
 
bennybutlerAuthor Commented:
not really what I was looking for, but I hate asking for refunded points ;)
0
All Courses

From novice to tech pro — start learning today.