rfresh (Just Arrived)
Joined: 10 Jun 2010 Posts: 0
Posted: Thu Jun 10, 2010 7:05 am Post subject: User-Agent - GET HTTP
My site failed its PCI scan with the following information. The scanning vendor said the problem is the User-Agent single quote. I don't know how to fix this. Can someone tell me what the vulnerability is here? This file doesn't call the user agent so I don't understand what the single quote means.
Thanks
The following resources may be vulnerable to SQL injection (on HTTP headers):
/index_dispatcher.php
---- request ----
GET /index_dispatcher.php HTTP/1.1
Host: www.mydomain.com
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
User-Agent: '
Accept-Charset: iso-8859-1
Praqma: no-cache
Fire Ant (Trusted SF Member)
Joined: 27 Jun 2008 Posts: 3 Location: London
Posted: Thu Jun 10, 2010 11:15 am
First of all, the scanning company should be helping you. You paid them money, I assume? They should always give you remediation advice. I suspect that this noddy company has just run a Nessus scan which you could have done yourself.
The suspected vulnerability is that the PHP file in question might be vulnerable to a SQL injection, e.g.
GET /index_dispatcher.php?user=admin&pw=guess' or 1=1--
rfresh (Just Arrived)
Joined: 10 Jun 2010 Posts: 0
Posted: Thu Jun 10, 2010 5:54 pm
They were not much help to me as I can't understand (from them or from the failure) what is wrong.
I've added sanitizing code on all the form fields. Is that enough?
Thanks
Fire Ant (Trusted SF Member)
Joined: 27 Jun 2008 Posts: 3 Location: London
Posted: Fri Jun 11, 2010 12:20 pm
> I've added sanitizing code on all the form fields. Is that enough?
No, you have only implemented client side validation and this can be bypassed easily.
You paid for this 'pen test', right? Then speak to the company which provided this service and get them to explain what exactly needs to be done to fix it. If they don't, then don't pay them.
Fire Ant
rfresh (Just Arrived)
Joined: 10 Jun 2010 Posts: 0
Posted: Fri Jun 11, 2010 7:34 pm
When I said
>I've added sanitizing code on all the form fields. Is that enough?
I meant on the server-side via PHP.
I've requested another scan and I'm going to change vendors.
Thanks
Fire Ant (Trusted SF Member)
Joined: 27 Jun 2008 Posts: 3 Location: London
Posted: Fri Jun 11, 2010 7:46 pm
Sounds like you have it all in hand now.
CoreDefend (Forum Fanatic)
Joined: 25 May 2010 Posts: 16777215 Location: USA
Posted: Sun Jun 13, 2010 6:29 am Post subject: Re: User-Agent - GET HTTP
rfresh wrote:
> ...This file doesn't call the user agent so I don't understand what the single quote means...
The User-Agent field in the HTTP Request (depending on the application code) might be submitted to the database along with the other input. If not properly sanitized, then its contents can be manipulated to execute SQL injection.
Some advice on PCI scanning vendors (ASVs): they permit the use of "compensatory controls" and false positives. This happens when they detect a vulnerability but you have some other security measure that either mitigates or minimizes the vulnerability, or when they mistakenly identify an item as a vulnerability.
In this specific example, if the contents of the User-Agent field are never submitted to the database, you can mark it as a false positive. This, by no means, is to indicate that you should not fix the vulnerability; but I am at 150 false positives and counting with my ASV.
Thank you,
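As an added example (not code from the thread, from rfresh's site or from the scanner), here is the pattern CoreDefend describes in PHP: a page that records the request in a database, the scanner's bare single quote breaking the string-built INSERT, and a prepared statement as the fix. It assumes PHP 7 or later with the PDO SQLite driver; the table name, path and header values are constructed for the demo.

```php
<?php
// Added example, not from the thread. Shows why "User-Agent: '" is a useful probe
// and how a prepared statement removes the problem regardless of header content.
// Assumes PHP 7+ with the PDO SQLite extension; everything below is constructed.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE visits (id INTEGER PRIMARY KEY, path TEXT, user_agent TEXT)');
    return $db;
}

// Vulnerable: the header is pasted into the SQL text, so a quote inside it changes
// the statement. A lone quote produces a syntax error, which is what the ASV detects.
function logVisitUnsafe(PDO $db, string $path, string $userAgent): void {
    $sql = "INSERT INTO visits (path, user_agent) VALUES ('$path', '$userAgent')";
    $db->exec($sql);
}

// Fixed: the header is bound as a parameter and is never parsed as SQL.
function logVisitSafe(PDO $db, string $path, string $userAgent): void {
    $stmt = $db->prepare('INSERT INTO visits (path, user_agent) VALUES (:path, :ua)');
    $stmt->execute([':path' => $path, ':ua' => $userAgent]);
}

// Constructed request values; a real handler would read $_SERVER['HTTP_USER_AGENT'].
$path  = '/index_dispatcher.php';
$probe = "'";   // the scanner's payload: a single quote and nothing else

$db = makeDb();
try {
    logVisitUnsafe($db, $path, $probe);
    echo "unsafe: no error (header did not reach SQL, or quoting masked it)\n";
} catch (PDOException $e) {
    // A database syntax error triggered by a header is the signal the scan reports.
    echo "unsafe: SQL error, header content reached the parser: " . $e->getMessage() . "\n";
}

logVisitSafe($db, $path, $probe);
$row = $db->query('SELECT user_agent FROM visits')->fetch(PDO::FETCH_ASSOC);
echo "safe: stored verbatim: " . var_export($row['user_agent'], true) . "\n";
```

Sanitising form fields does not cover headers, cookies or any other request value that ends up in a query; binding parameters on every statement does, which is why it is the fix rather than escaping each input by hand.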
rfresh (Just Arrived)
Joined: 10 Jun 2010 Posts: 0
Posted: Sun Jun 13, 2010 6:36 am
Thanks Core.
I am not using the User-Agent field at all so therefore it is not being submitted to the database. I am still waiting for my re-scan results. I guess they don't work on the weekends, so will have to wait until Monday.
blackandwhitebg (Just Arrived)
Joined: 18 Oct 2010 Posts: 0
Posted: Mon Oct 18, 2010 3:06 pm
Old topic, but just to share some experience:
You should use Nikto for identifying such vulnerabilities. It provides detailed information which can be useful.
lineae0211 (Just Arrived)
Joined: 02 Mar 2011 Posts: 0
Posted: Mon Mar 14, 2011 10:43 am Post subject: single quotes
When you declare and manipulate strings in JavaScript, always write them with single quotes ' or double quotes " around them. This tells the browser that it is dealing with a string. Do not mix up your quotes: if you start a string with a single quote and complete it with a double quote, JavaScript does not understand what you mean. Usually I use single quotes, as I have decided to use double quotes for HTML and single quotes for JavaScript. You can of course do this the other way around, but I advise you to make some rule for yourself and try to follow it.