To spot Magic URLs, review all your web server code and itemize all input points into the application that come from the network. Scan the code for the following constructs:
| Language | Key Words to Look For |
|---|---|
| ASP.NET | `Request`, and label manipulation such as `*.text` or `*.value` |
| ASP | `Request` |
| PHP | `$_REQUEST`, `$_GET`, `$_POST`, or `$_SERVER` |
| PHP 3.0 and earlier | `$HTTP_` |
| CGI/Perl | Calling `param()` on a `CGI` object |
| mod_perl | `Apache::Request` |
| ISAPI (C/C++) | Reading from a data element in `EXTENSION_CONTROL_BLOCK`, such as `lpszQueryString`; or from a method, such as `GetServerVariable` or `ReadClient` |
| ISAPI (Microsoft Foundation Classes) | `CHttpServer` or `CHttpServerFilter`, and then reading from a `CHttpServerContext` object |
| Java Server Pages (JSP) | `getRequest` and `request.getParameter` |
For hidden form fields, the task is a little easier. Scan all your web server code, and check for any HTML sent back to the client containing the following text:
`type=HIDDEN`

Remember, there may be single or double quotes around the word `hidden`, and the case may vary. The following regular expression, written in C# but easily ported to other languages, finds this text (note the verbatim `@"..."` string, which is needed so the `\s` escapes reach the regex engine rather than being rejected by the C# compiler; inside a verbatim string a double quote is written as `""`):

```csharp
using System.Text.RegularExpressions;

// Matches type=hidden, type = "hidden", TYPE='HIDDEN', and so on.
Regex r = new Regex(@"type\s*=\s*['""]?hidden['""]?", RegexOptions.IgnoreCase);
bool isHidden = r.IsMatch(stringToTest);
```
Or in Perl, matched explicitly against the string under test rather than `$_`:

```perl
# Same pattern; /i makes the match case-insensitive.
my $isHidden = ($stringToTest =~ /type\s*=\s*['"]?hidden['"]?/i);
```
For each hidden element you find, ask yourself why it is hidden, and what would happen if a malicious user changed the value in the hidden field to some other value.
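As an added example (not code from the book), the following Python review helper applies the hidden-field regex above, widened to capture each field's name and value so the findings can be itemized, and greps source lines for the input-point keywords from the table. The extension-to-language mapping and the sample HTML and PHP are constructed assumptions, not taken from any real application.

```python
import re

# Hidden-field pattern from the text, widened to capture the whole <input> tag
# so the field's name and value can be itemized for review.
HIDDEN_RE = re.compile(r"<input\b[^>]*?\btype\s*=\s*['\"]?hidden['\"]?[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"\b(name|value)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))", re.IGNORECASE)

# Network input points from the table, keyed by file extension.
# Assumption: this extension-to-language mapping is ours, not the book's.
INPUT_POINTS = {
    ".php": [r"\$_REQUEST\b", r"\$_GET\b", r"\$_POST\b", r"\$_SERVER\b", r"\$HTTP_"],
    ".asp": [r"\bRequest\b"],
    ".aspx": [r"\bRequest\b", r"\.Text\b", r"\.Value\b"],
    ".jsp": [r"\brequest\.getParameter\b"],
    ".pl": [r"\bparam\(", r"Apache::Request"],
}

def find_hidden_fields(html):
    """Return (name, value) for every hidden <input>, in document order."""
    found = []
    for tag in HIDDEN_RE.finditer(html):
        attrs = {}
        for m in ATTR_RE.finditer(tag.group(0)):
            attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
        found.append((attrs.get("name"), attrs.get("value")))
    return found

def find_input_points(source, extension):
    """Return sorted (line_no, line) pairs where the code reads network input."""
    hits = set()
    for pattern in INPUT_POINTS.get(extension, []):
        for line_no, line in enumerate(source.splitlines(), 1):
            if re.search(pattern, line):
                hits.add((line_no, line.strip()))
    return sorted(hits)

# Constructed sample markup and PHP, not taken from any real application.
SAMPLE_HTML = ('<form action="/checkout" method="post">\n'
               '<input type="text" name="qty" value="1">\n'
               "<INPUT TYPE=HIDDEN NAME='price' VALUE='19.99'>\n"
               '<input name="sku" type = "hidden" value="A-100">\n</form>')
SAMPLE_PHP = "<?php\n$price = $_POST['price'];\n$total = $price * $_GET['qty'];\n"

if __name__ == "__main__":
    print(find_hidden_fields(SAMPLE_HTML))      # each one is a "why is this hidden?" question
    print(find_input_points(SAMPLE_PHP, ".php"))  # each one is a Magic URL input point
```

A hidden `price` field feeding a server-side total, as in the sample, is exactly the case where a client-side change to the value must be assumed and the value recomputed or validated on the server.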