Open GoogleCodeExporter opened 8 years ago
This isn't a defect, but I'm not sure how to change the "Type" to
"Enhancement"...
Original comment by boonebyt...@gmail.com
on 17 Sep 2008 at 6:27
Hmm, many servers return 30x messages with bodies to assist navigation in case
automatic redirection is not supported or fails, for example Apache does:
HTTP/1.1 301 Moved Permanently
...
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>301 Moved Permanently</TITLE>
</HEAD><BODY>
<H1>Moved Permanently</H1>
The document has moved <A HREF="...">here</A>.<P>
<HR>
We could still replay the request without cookies to see if the response
changes, but
I'm curious as to how likely this would be?
Original comment by lcam...@gmail.com
on 29 Sep 2008 at 5:28
Original comment by lcam...@gmail.com
on 29 Sep 2008 at 5:28
[deleted comment]
Hi,
Thanks, sounds like we're on the same page :) I was thinking about just
checking to
make sure that authenticated content doesn't exist.
Some pages may be different per authenticated user. For example, if User Role A
cannot see all the fields that User Role B sees, then this might be a change in
content. What I would like to test for is to make sure that User Role A cannot
access the administration pages AND that if a user comes in uninvited, they
also do
not get to see any pages. I would also like to catch the response, ignoring
the HTML
status code, to make sure that authenticated content is not replayed, and that
the
programmer is not depending that just because a redirect has been issued that no
other page content will be sent.
We use the PHP code header('Location: loginpage.php'); to redirect our users
who are
either not authenticated or in a timed-out session. The applications I deal
with
contain personal data, protected by legislation. If someone forgets a "die();"
command, then the page may be able to serve some personal information. Granted,
there are some cases where the above snippet is sent when a status code is
sent, but
if there could be some way to determine that it's not just a generic message, I
think
that would work :)
Some possible checks (perhaps some can be combined to prevent false negatives or
false positives):
-Content is above the maximum length, predefined in code or specified on
command line
-Content contains form elements
-Content does not contain a list of words (such as "move*", "redirect*", etc.)
Thanks again!
Original comment by boonebyt...@gmail.com
on 29 Sep 2008 at 9:16
Original issue reported on code.google.com by
boonebyt...@gmail.com
on 17 Sep 2008 at 6:26