kkovar / ratproxy

Automatically exported from code.google.com/p/ratproxy
0 stars 0 forks source link

Add notifications for redirections with content #21

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
When navigating a site, a site can potentially send the headers for a
redirect, but yet display content.  I would like to see ratproxy report on
this, as the information exposed may not be authorized information.

Sample output from a redirect page using Telnet (this page should only be
available to authenticated users):

HTTP/1.1 302 Found
Date: Wed, 17 Sep 2008 18:25:40 GMT
Server: Apache/2.0.55 (Win32)
Status: 302
Set-Cookie: PHPSESSID=fna4oub597j7teu7klg4s3j5u3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: Zend Core/1.5.0 PHP/5.1.6
Location: http://www.google.ca/
Transfer-Encoding: chunked
Content-Type: text/html

42
<html>
<body>
Authenticated content goes here!
</body>
</html>
0

Original issue reported on code.google.com by boonebyt...@gmail.com on 17 Sep 2008 at 6:26

GoogleCodeExporter commented 9 years ago
This isn't a defect, but I'm not sure how to change the "Type" to 
"Enhancement"...

Original comment by boonebyt...@gmail.com on 17 Sep 2008 at 6:27

GoogleCodeExporter commented 9 years ago
Hmm, many servers return 30x messages with bodies to assist navigation in case
automatic redirection is not supported or fails, for example Apache does:

HTTP/1.1 301 Moved Permanently
...

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>301 Moved Permanently</TITLE>
</HEAD><BODY>
<H1>Moved Permanently</H1>
The document has moved <A HREF="...">here</A>.<P>
<HR>

We could still replay the request without cookies to see if the response 
changes, but
I'm curious as to how likely this would be?

Original comment by lcam...@gmail.com on 29 Sep 2008 at 5:28

GoogleCodeExporter commented 9 years ago

Original comment by lcam...@gmail.com on 29 Sep 2008 at 5:28

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Hi,

Thanks, sounds like we're on the same page :)  I was thinking about just 
checking to
make sure that authenticated content doesn't exist.

Some pages may be different per authenticated user.  For example, if User Role A
cannot see all the fields that User Role B sees, then this might be a change in
content.  What I would like to test for is to make sure that User Role A cannot
access the administration pages AND that if a user comes in uninvited, they 
also do
not get to see any pages.  I would also like to catch the response, ignoring 
the HTML
status code, to make sure that authenticated content is not replayed, and that 
the
programmer is not depending that just because a redirect has been issued that no
other page content will be sent.

We use the PHP code header('Location: loginpage.php'); to redirect our users 
who are
either not authenticated or in a timed-out session.  The applications I deal 
with
contain personal data, protected by legislation.  If someone forgets a "die();"
command, then the page may be able to serve some personal information.  Granted,
there are some cases where the above snippet is sent when a status code is 
sent, but
if there could be some way to determine that it's not just a generic message, I 
think
that would work :)

Some possible checks (perhaps some can be combined to prevent false negatives or
false positives):
-Content is above the maximum length, predefined in code or specified on 
command line
-Content contains form elements
-Content does not contain a list of words (such as "move*", "redirect*", etc.)

Thanks again!

Original comment by boonebyt...@gmail.com on 29 Sep 2008 at 9:16