Spotting the Sin During Code Review
| | ||
To spot Magic URLs, review all your web server code and itemize all input points into the application that come from the network. Scan the code for the following constructs:
| Language | Key Words to Look For |
|---|---|
| ASP.NET | Request and label manipulation such as *.text or *.value |
| ASP | Request |
| PHP | $_REQUEST, $_GET, $_POST, or $_SERVER |
| PHP 3.0 and earlier | $HTTP_ |
| CGI/Perl | Calling param() in a CGI object |
| mod_perl | Apache::Request |
| ISAPI (C/C++) | Reading from a data element in EXTENSION_CONTROL_BLOCK, such as lpszQueryString; or from a method, such as GetServerVariable or ReadClient |
| ISAPI (Microsoft Foundation Classes) | CHttpServer or CHttpServerFilter, and then reading from a CHttpServerContext object |
| Java Server Pages (JSP) | getRequest and request.GetParameter |
For hidden form fields, the task is a little easier. Scan all your web server code, and check for any HTML sent back to the client containing the following text:
type=HIDDEN
Remember, there may be single or double quotes around the word hidden . The following regular expression, written in C#, but easily transportable to other languages, finds this text:
Regex r = new Regex("type\s*=\s*['\"]?hidden['\"]?",RegexOptions.IgnoreCase); bool isHidden = r.IsMatch(stringToTest); Or in Perl:
my $isHidden = /type\s*=\s*['\"]?hidden['\"]?/i;
For each hidden element you find, ask yourself why it is hidden, and what would happen if a malicious user changed the value in the hidden field to some other value.
EAN: 2147483647
Pages: 239
- ERP Systems Impact on Organizations
- Challenging the Unpredictable: Changeable Order Management Systems
- The Effects of an Enterprise Resource Planning System (ERP) Implementation on Job Characteristics – A Study using the Hackman and Oldham Job Characteristics Model
- Context Management of ERP Processes in Virtual Communities
- Intrinsic and Contextual Data Quality: The Effect of Media and Personal Involvement