Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How are input keys exploitable by malicious users?

Tags:

In the CodeIgniter PHP framework, there is a function that automatically runs on each request that, among other things, filters the GET/POST/COOKIE array keys, and kills the application if it encounters characters it deems unsafe.

To prevent malicious users from trying to exploit keys we make sure that keys are only named with alpha-numeric text and a few other items.

Something like:

// foreach GET/POST/COOKIE keys as $str... if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str)) {     exit('Disallowed Key Characters.'); } 

For example, this will trigger if you accidentally post something like <input name="TE$T"> or have a query string like ?name|first=1.

I can see this being a good way to enforce common sense key names, or catch mistakes while developing an application, but I don't understand: How can a malicious user possibly "exploit keys" in $_POST data for instance? Especially since (I would assume) input values are just as exploitable, what is this actually preventing?

like image 683
Wesley Murch Avatar asked May 11 '12 22:05

Wesley Murch


People also ask

What is malicious input?

This occurs when a hacker is able to inject the malicious script into the application and have it be available to all visiting users. It may be placed in a database that is used to populate a webpage or in a user forum that displays messages or any other mechanism that stores input.

Which one of the following is most likely caused by user input being included in output without being validated and encoded?

Cross-Site Scripting (XSS) Whenever an application allows user input within the output it generates, it allows an attacker to send malicious code to a different end-user without validating or encoding it.


1 Answers

You see this junk often in noob code:

$_SESSION = $_POST; 

A seldom known secret is that $_SESSION is "special" and can't handle the pipe character, |, as a top level array key. php fails to save the session variables during shutdown/session_write_close, instead wiping the entire array.

session_start();  if (!isset($_SESSION['cnt'])) {     $_SESSION['cnt'] = 0; }  $_SESSION['cnt']++;  /* prior to php 5.4, it will never increment, because it never successfuly saves unless you comment line below */ $_SESSION['a|b'] = 1;  print_r($_SESSION); 

I'm not saying that's why CodeIgniter scrubs the keys, but it's one of many "ways input keys are exploitable".

Maybe a more likely reason though is because people certainly do stuff like this:

if ($formPostDidntValidate) {     echo "Please fix the form submission errors and try again\n";     foreach ($_POST as $key => $value) {         echo "<p>$key<br>               <input name='$key' value='$value'></p>";     } } 

Outputting request variables without doing proper context-specific escaping, such as escaping for html contexts, html attribute contexts, or even sql contexts:

$sql = "select * from myTable where 1=1"; foreach ($_POST as $key => $value) {     $sql .= " and $key = '$value'"; } 

I've seen plenty of people escape the value, but not the key when building sql and/or html.

If you don't escape everything, you are easily hacked. Scrubbing values isn't as good as escaping, but it's much better than nothing, and considering how many developers aren't yet sophisticated enough to understand when and how to escape, I can see the attraction to adding automatic request variable scrubbing.

like image 89
goat Avatar answered Nov 24 '22 13:11

goat