Solved

header(Location:)

Posted on 2009-04-08
9
345 Views
Last Modified: 2012-05-06
I'm testing someone else's code that they have put in my site.  I know that as part of their security suite, they used header (Location:) to redirect to a login page, but I need to make sure that after it's redirected it stops executing.

For those who don't know why... if a page does not stop executing, all a hacker needs to do is to find a browser that will not honor the header(Location:) and they can get in.

What I'm looking for is such a browser, or another method for testing the site.  Yeah, I know I could go dig through the code myself, but it's going to take forever.  I just want a method to test a handful of sensitive pages (user accounts, etc.) to make sure that we're secure.

So here's the question.  Anyone know of such a browser or method for testing?  I know a hacker would just have to download the Firefox source, find the place where it redirects because of header(Location:) and comment it out.  I'm no coder, so that's beyond me.

Thanks
0
Comment
Question by:bennybutler
9 Comments
 
LVL 10

Expert Comment

by:ollyatstithians
ID: 24097023
Just break the line that has the header or comment it out so it won't redirect.

The code in the login page should set a session variable to identify the user to each page. The presence of a valid session variable should lead to the redirect being circumvented.

Olly.
0
 
LVL 1

Author Comment

by:bennybutler
ID: 24097240
The code is currently running on their server, I don't have the resources to set up a mirror environment.  I'm trying to pen test it from the outside.
0
 
LVL 17

Expert Comment

by:nplib
ID: 24101159
add exit(); after header();
0
 
LVL 1

Author Comment

by:bennybutler
ID: 24101188
Yes, I put exit() after header in all of my stuff, but I'm trying to test from the outside without access to the code.

0
 
LVL 17

Expert Comment

by:nplib
ID: 24101299
To test, comment out the header() line, unless you happen to have a browser that ignores such a line. If nothing is happening, that's because nothing is happening. Plus, if you set up your conditional statements correctly, then even if a hacker were to use a browser that ignored the header line, they should get a blank page regardless of whether you used exit or not. exit should be an assurance, not a lifeline.
0
 
LVL 10

Expert Comment

by:ollyatstithians
ID: 24105044
I've investigated, but can't find a way. Sorry.

Olly.
0
 
LVL 2

Accepted Solution

by:
ozanhazer earned 125 total points
ID: 24106924
Well, if you can't hack a browser, act like a browser :)
Open a command prompt window or shell...

telnet www.poorsite.com 80
GET /somepage.php HTTP/1.1
Host: www.poorsite.com
<press enter twice>

0
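The same check scripted, as an added example that is not part of the original thread: it fetches a page without following the redirect (like the telnet session above) and flags a redirect whose body is non-empty, which means the script kept running after header(Location:). Host and path are placeholders; the sample responses are constructed, not real captures.

```python
"""Probe a page for 'redirect but keep executing' leaks (added example)."""
import http.client
from typing import NamedTuple, Optional


class RedirectProbe(NamedTuple):
    status: int
    location: Optional[str]
    body_bytes: int
    leaks: bool


def judge(status: int, location: Optional[str], body: bytes,
          expected_body: bytes = b"") -> RedirectProbe:
    """A 3xx answer with a Location header whose body is more than an
    expected stub means the protected page's output was still sent.
    expected_body lets you ignore a short 'Moved' notice some servers add."""
    stripped = body.strip()
    leaks = (300 <= status < 400 and location is not None
             and len(stripped) > 0 and stripped != expected_body.strip())
    return RedirectProbe(status, location, len(body), leaks)


def probe(host: str, path: str, port: int = 80,
          timeout: float = 10.0) -> RedirectProbe:
    """Fetch path with http.client, which never follows redirects, so the
    body that arrives with the 3xx is exactly what a non-honouring client
    would see. Host/path are placeholders supplied by the caller."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host,
                                           "Connection": "close"})
        resp = conn.getresponse()
        body = resp.read()
        return judge(resp.status, resp.getheader("Location"), body)
    finally:
        conn.close()


# Constructed sample responses (not real captures) for an offline check:
# LEAKY is what a page that forgot exit() after header() returns,
# CLEAN is what the same page returns once it exits right after the header.
LEAKY = (302, "/login.php", b"<html><body><h1>Account: alice</h1></body></html>")
CLEAN = (302, "/login.php", b"")

if __name__ == "__main__":
    for sample in (LEAKY, CLEAN):
        print(judge(*sample))
```

Run probe("www.example.invalid", "/somepage.php") against each sensitive page; a result with leaks=True is a page that needs exit() after its header() call.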
 
LVL 1

Author Closing Comment

by:bennybutler
ID: 31568012
Not really what I was looking for, but I hate asking for refunded points ;)
0
