?
Solved

header(Location:)

Posted on 2009-04-08
9
Medium Priority
?
353 Views
Last Modified: 2012-05-06
I'm testing someone else's code that hey have put in my site.  I know that as part of their security suite, they used header (Location:) to redirect to a login page, but I need to make sure that after it's redirected it stops executing.

For those who don't know why... if a page does not stop executing, all a hacker needs to do is to find a browser that will not honor the header(Location:) and they can get in.

What I'm looking for us such a browser, or other method for testing the site.  Yeah, I know I could go dig through the code myself, but it's going to take forever.  I just want a method to test a handful of sensitive pages (user accounts, etc) to make sure that we're secure.

So here's the question.  Anyone know of such a browser or method for testing?  I know  a hacker would just have to download the firefox source, find the place where it redirects because of header(location) and comment it out.  I'm no coder, so that's beyond me.

Thanks
0
Comment
Question by:bennybutler
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 10

Expert Comment

by:ollyatstithians
ID: 24097023
Just break the line that has the header or comment it out so it won't redirect.

The code in the login page should set a session variable to identify the user to each page. The presence of a valid session variable should lead to the redirect being circumvented.

Olly.
0
 
LVL 1

Author Comment

by:bennybutler
ID: 24097240
The code is currently running on their server, I don't have the resources to set up a mirror environment.  I'm trying to pen test it from the outside.
0
 
LVL 17

Expert Comment

by:nplib
ID: 24101159
add exit(); after header();
0
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

 
LVL 1

Author Comment

by:bennybutler
ID: 24101188
Yes, I put exit() after header in all of my stuff, but I'm trying to test from the outside without access to the code.

0
 
LVL 17

Expert Comment

by:nplib
ID: 24101299
to test, comment out the header() line, unless you happen to have a browser that ignores such line. If nothing is happening that's because nothing is happening, plus if you setup your conditional statements correctly, if a hacker was to use a browser that ignored the header line, then they should get a blank page regardless if you used exit or not, exit should be an assurance not a life line.
0
 
LVL 10

Expert Comment

by:ollyatstithians
ID: 24105044
I've had an investigate, but can't find a way. Sorry.

Olly.
0
 
LVL 2

Accepted Solution

by:
ozanhazer earned 500 total points
ID: 24106924
Well, If you can't hack a browser act like a browser:)
Open a command prompt window or shell...

telnet www.poorsite.com 80
GET /somepage.php HTTP/1.1
Host: www.google.com
<press enter twice>

0
 
LVL 1

Author Closing Comment

by:bennybutler
ID: 31568012
not really what I was looking for, but I hate asking for refunded points ;)
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
If you're a modern-day technology professional, you may be wondering if certifications are really necessary. They are. Here's why.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question