Developers Archive for March, 2008

Semantic URL Attacks

Friday, March 28th, 2008

Curiosity is the motivation behind many attacks, and semantic URL attacks are a perfect example. This type of attack involves the user modifying the URL in order to discover what interesting things can be done. For example, if the user chris clicks a link in your application and arrives at http://example.org/private.php?user=chris, it is reasonable to assume that he will try to see what happens when the value for user is changed. For example, he might visit http://example.org/private.php?user=rasmus to see if he can access someone else’s information. While GET data is only slightly more convenient to manipulate than POST data, its increased exposure makes it a more frequent target, particularly for novice attackers.

Most vulnerabilities exist because of oversight, not because of any particular complexity associated with the exploits. Any experienced developer can easily recognize the danger in trusting a URL in the way just described, but this isn’t always clear until someone points it out.

To better illustrate a semantic URL attack and how a vulnerability can go unnoticed, consider a web-based email application where users can log in and check their example.org email accounts. Any application that requires its users to log in needs to provide a password reminder mechanism. A common technique for this is to ask the user a question that a random attacker is unlikely to know (the mother’s maiden name is a common query, but allowing the user to specify a unique question and its answer is better) and email a new password to the email address already stored in the user’s account.

With a web-based email application, an email address may not already be stored, so a user who answers the verification question may be asked to provide one (the purpose being not only to send the new password to this address, but also to collect an alternative address for future use). The following form asks a user for an alternative email address, and the account name is identified in a hidden form variable:

<form action="reset.php" method="GET">
<!-- the account name travels in a hidden field; only the address is typed by the user -->
<input type="hidden" name="user" value="chris" />
<p>Please specify the email address where you want your new password sent:</p>
<input type="text" name="email" /><br />
<input type="submit" value="Send Password" />
</form>

The receiving script, reset.php, has all of the information it needs to reset the password and send the email: the name of the account that needs to have its password reset and the email address where the new password is to be sent.

If a user arrives at this form (after answering the verification question correctly), you are reasonably assured that the user is not an imposter but rather the legitimate owner of the chris account. If this user then provides chris@example.org as the alternative email address, he arrives at the following URL after submitting the form:

http://example.org/reset.php?user=chris&email=chris%40example.org

This URL is what appears in the location bar of the browser, so a user who goes through this process can easily identify the purpose of the variables user and email. After recognizing this, the user may decide that php@example.org would be a really cool email address to have, so this same user might visit the following URL as an experiment:

http://example.org/reset.php?user=php&email=chris%40example.org

If reset.php trusts these values provided by the user, it is vulnerable to a semantic URL attack. A new password will be generated for the php account, and it will be sent to chris@example.org, effectively allowing chris to steal the php account.

If sessions are being used to keep track of things, this can be avoided easily:

<?php

session_start();

$clean = array();
$email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';

/* Only an address that matches the pattern is copied into $clean; note that the
   corrected script reads it from the POST body rather than from the query string. */
if (preg_match($email_pattern, $_POST['email']))
{
    $clean['email'] = $_POST['email'];

    /* The account name comes from the session, never from the request. */
    $user = $_SESSION['user'];

    $new_password = md5(uniqid(rand(), TRUE));

    /* Act only once the verification question has been answered correctly. */
    if ($_SESSION['verified'])
    {
        /* Update Password */

        mail($clean['email'], 'Your New Password', $new_password);
    }
}

?>

Although this example omits some realistic details (such as a more complete email message or a more reasonable password), it demonstrates a lack of trust given to the email address provided by the user and, more importantly, session variables that keep track of whether the current user has already answered the verification question correctly ($_SESSION['verified']) and the name of the account for which the verification question was answered ($_SESSION['user']). It is this lack of trust given to input that is the key to preventing such gaping holes in your applications.
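As an added illustration (not code from the original post), the following Python script models the two versions of reset.php discussed above: a handler that trusts user= and email= straight from the URL, and the session-bound handler just shown. The email pattern is the page's own regular expression ported to Python; the in-memory account store, the session dictionary and the attack query are constructed for the demonstration, and the password generator stands in for md5(uniqid(rand(), TRUE)).

```python
import copy
import re
import secrets

# The page's PHP pattern ported to Python; the character class refuses @, whitespace, <, & and >.
EMAIL_PATTERN = re.compile(r"^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$", re.IGNORECASE)

# Constructed in-memory account store standing in for the application's database.
ACCOUNTS = {
    "chris": {"password": "old-chris-password"},
    "php": {"password": "old-php-password"},
}


def generate_password():
    """Stand-in for md5(uniqid(rand(), TRUE)) in the text; a CSPRNG token is the safer choice."""
    return secrets.token_urlsafe(12)


def reset_vulnerable(query, accounts, outbox):
    """reset.php as the text first describes it: user= and email= are taken from the URL,
    so whoever edits the URL chooses both the account and the destination address."""
    user = query.get("user")
    email = query.get("email")
    if user not in accounts or not email:
        return None
    new_password = generate_password()
    accounts[user]["password"] = new_password
    outbox.append((email, "Your New Password", new_password))
    return user  # the account whose password was reset


def reset_hardened(query, session, accounts, outbox):
    """The session-bound version: the account name comes from the server-side session,
    the reset only happens when the session is marked verified, and the address must
    match the pattern. The user= parameter in the query is ignored entirely."""
    email = query.get("email", "")
    if not EMAIL_PATTERN.match(email):
        return None  # malformed address: do nothing
    if not session.get("verified"):
        return None  # verification question not yet answered
    user = session.get("user")
    if user not in accounts:
        return None
    new_password = generate_password()
    accounts[user]["password"] = new_password
    outbox.append((email, "Your New Password", new_password))
    return user


def replay_attack():
    """Run the URL from the text, user=php&email=chris%40example.org, against both handlers.
    The session belongs to chris, who answered his own verification question."""
    session = {"user": "chris", "verified": True}
    attack_query = {"user": "php", "email": "chris@example.org"}

    v_accounts, v_outbox = copy.deepcopy(ACCOUNTS), []
    h_accounts, h_outbox = copy.deepcopy(ACCOUNTS), []
    return {
        "vulnerable_reset": reset_vulnerable(attack_query, v_accounts, v_outbox),
        "hardened_reset": reset_hardened(attack_query, session, h_accounts, h_outbox),
        "php_untouched_when_hardened": h_accounts["php"] == ACCOUNTS["php"],
        "mailed_to": [m[0] for m in v_outbox + h_outbox],
    }


if __name__ == "__main__":
    for key, value in replay_attack().items():
        print(key, "=", value)
```

Running the script shows the vulnerable handler resetting the php account while the session-bound one resets only chris, the account the session was verified for; the same mail goes to chris@example.org in both cases, which is exactly why the account name must not come from the request.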

7 things to look for in a URL snipping Service

Friday, March 28th, 2008

By Charles H Smith

URL snipping services are becoming commonplace today. Surfers use them to mask affiliate URLs, shorten very long URLs, and even hide email addresses from spammers and automatic email harvesters. Several URL snipping services are no longer active, including shortlink.us, quickones.org, smlnk.com, and smurl.it. Hopefully you didn't lose any carefully crafted and well-planned email link campaigns when these services closed.

As you look to snip your URLs using a free service, there are several items to investigate.

First, do the links expire? If they expire, you may want to look to another service.

Second, is there a direct redirect? If, upon selecting the short URL, you are sent to a transition or interstitial page, this page may change in the future to display an advertisement for the free service. The preferable redirection is a direct link from your short URL to the target.

Third, the service should check the URL and determine that it is valid. Everyone makes typos; this is simply a check for valid URL format.

Fourth, how long has the service been in business? Longevity and reliability are crucial when you are snipping hundreds of affiliate links.

Fifth, are there any Terms of Service that you do not agree with? If there are, look for another service.

Sixth, can you use the URL snipping service to hide email addresses from spammers? Try to snip mailto:youremailaddress@yourdomain.com. If the resulting snipped URL opens your default email program, then you may hide your email address from spammers.

Seventh, are your links available only to the site administrators or are they available to the general public?

An alternative to the free services is your own snipping service, running from your server. This ensures your links are available until you decide to delete them.

Generally speaking, the short URL generators are PHP/MySQL driven scripts. You would need PHP installed on your server; your site administrator can tell you if it is. You would also need a MySQL database; again, your site administrator can tell you if this is available to you.

Another item to check is the control panel page. It should be a php template that can be edited for color, position etc.

If you are on shared hosting, you may not be able to run a script that requires Mod Rewrites to be on, because the host may not allow it. This should be a webmaster-settable configuration option in the script.

What's the difference between Mod Rewrites on and off? Compare the resulting snipped URLs: if there is a ? in the URL, such as http://snippedurl.com/?a, then the script is set for Mod Rewrites off. This is probably not the preferable URL format. If there is no ? in the snipped URL, then the script may only run with Mod Rewrites on.
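As an added example, not code from the article or from any of the services it names, here is the core of a minimal in-house snipping service in Python that covers the points above: it checks that a target is a well-formed http(s) or mailto: URL before accepting it (point three), stores links without any expiry (point one), answers with a direct 302 redirect rather than an interstitial page (point two), and produces the two short-URL shapes you get with Mod Rewrites on and off. The base address http://snippedurl.com is the article's own placeholder; the in-memory dictionary stands in for the MySQL table and the short-code length is an arbitrary choice.

```python
import secrets
from urllib.parse import urlsplit

# Schemes a snipped link may point at. mailto is included so the article's "hide your
# email address" test works; anything else (javascript:, data:, a typo like htp:) is refused.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def is_valid_target(url):
    """Point three: a plain format check that catches typos before a link is stored."""
    if not url or any(ch.isspace() for ch in url):
        return False
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if parts.scheme == "mailto":
        return "@" in parts.path
    return bool(parts.netloc)


class Snipper:
    """Core of a self-hosted snipping service; the dict stands in for the MySQL table."""

    def __init__(self, base="http://snippedurl.com", mod_rewrite=True):
        self.base = base
        self.mod_rewrite = mod_rewrite
        self.links = {}  # short code -> target URL; nothing stored here ever expires (point one)

    def snip(self, target):
        if not is_valid_target(target):
            raise ValueError("refusing to snip malformed URL: %r" % target)
        code = secrets.token_urlsafe(4)
        while code in self.links:  # collisions are very unlikely but cheap to handle
            code = secrets.token_urlsafe(4)
        self.links[code] = target
        return code

    def short_url(self, code):
        """Mod Rewrites off: the code rides in the query string (/?a).
        Mod Rewrites on: a rewrite rule maps the clean path (/a) to the same script."""
        if self.mod_rewrite:
            return "%s/%s" % (self.base, code)
        return "%s/?%s" % (self.base, code)

    def resolve(self, code):
        """Point two: answer with a direct 302 to the target, never an interstitial page."""
        target = self.links.get(code)
        if target is None:
            return 404, None
        return 302, target


def code_from_request(path, query):
    """Server side of the two URL shapes: with Mod Rewrites off the code is the bare
    query string ('/?a' -> 'a'); with it on, the rewritten path carries it ('/a' -> 'a')."""
    return query if query else path.strip("/")


if __name__ == "__main__":
    for rewrite in (False, True):
        service = Snipper(mod_rewrite=rewrite)
        code = service.snip("http://example.org/some/very/long/path?with=params")
        print(service.short_url(code), "->", service.resolve(code))
```

The scheme allow-list is the part worth keeping even if you adopt someone else's script: a redirector that forwards to anything it is given becomes a convenient disguise for links you would not want served from your own domain.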

As you look into snipping your URLs, you may want to bring the service in-house to your own server. This will give your site added stickiness as your customers return time and time again to snip their URLs.

Visitor IP Banning

Friday, March 28th, 2008

The .htaccess code below bans a visitor (or several) from your site based on their IP address.

Add the code below to your .htaccess file and upload it to the root directory of your site:

## USER IP BANNING
## (61.11.74.206 is our own IP address; replace it with the one you want to block.
## Apache comments start with #, so keep notes on their own lines like these.)

order allow,deny
deny from 61.11.74.206
allow from all
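The directives above are the Apache 2.2 access-control form (Order, Deny, Allow); on Apache 2.4 they only keep working when mod_access_compat is loaded. The native 2.4 equivalent, added here and not part of the original post, expresses the same rule with Require:

```apache
## USER IP BANNING (Apache 2.4 form; same address as above, substitute your own)
<RequireAll>
    Require all granted
    Require not ip 61.11.74.206
</RequireAll>
```

Whichever form you use, the rule only sees the address of the peer that connected to Apache. Behind a reverse proxy or CDN that is the proxy's address unless the real client address is restored (mod_remoteip), and a visitor who simply changes address is no longer matched, so treat IP banning as a nuisance filter rather than an access control.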


All material is copyrighted by chrisranjana.com. If you want to link to this article you are welcome to do so. Unauthorized publication is strictly prohibited. This developer tutorial website contains articles by PHP programmers, software developers, MySQL programmers and ASP/C# programmers. This website also contains AJAX tutorials and advanced MySQL SQL stored procedures and functions tutorials and sample code.