Security Forums

User-Agent - GET HTTP

rfresh
Just Arrived
Joined: 10 Jun 2010
Posted: Thu Jun 10, 2010 7:05 am    Post subject: User-Agent - GET HTTP

My site failed its PCI scan with the following information. The scanning vendor said the problem is the User-Agent single quote. I don't know how to fix this. Can someone tell me what the vulnerability is here? This file doesn't call the user agent so I don't understand what the single quote means.

Thanks

The following resources may be vulnerable to SQL injection (on HTTP headers):
/index_dispatcher.php
---- request ----
GET /index_dispatcher.php HTTP/1.1
Host: www.mydomain.com
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
User-Agent: '
Accept-Charset: iso-8859-1
Pragma: no-cache
Fire Ant
Trusted SF Member
Joined: 27 Jun 2008
Location: London
Posted: Thu Jun 10, 2010 11:15 am

First of all, the scanning company should be helping you. You paid them money, I assume? They should always give you remediation advice. I suspect that this noddy company has just run a Nessus scan, which you could have done yourself.

The suspected vulnerability is that the PHP file in question might be vulnerable to a SQL injection e.g.

GET /index_dispatcher.php?user=admin&pw=guess' or 1=1--
rfresh
Just Arrived
Joined: 10 Jun 2010
Posted: Thu Jun 10, 2010 5:54 pm

They were not much help to me as I can't understand (from them or from the failure) what is wrong.

I've added sanitizing code on all the form fields. Is that enough?

Thanks
Fire Ant
Trusted SF Member
Joined: 27 Jun 2008
Location: London
Posted: Fri Jun 11, 2010 12:20 pm

Quote:
I've added sanitizing code on all the form fields. Is that enough?
No, you have only implemented client-side validation, and this can be bypassed easily.

You paid for this 'pen test' right? Then speak to the company which provided this service and get them to explain what exactly needs to be done to fix it. If they don't then don't pay them.

Fire Ant
rfresh
Just Arrived
Joined: 10 Jun 2010
Posted: Fri Jun 11, 2010 7:34 pm

When I said

>I've added sanitizing code on all the form fields. Is that enough?

I meant on the server-side via PHP.

I've requested another scan and I'm going to change vendors.

Thanks
Fire Ant
Trusted SF Member
Joined: 27 Jun 2008
Location: London
Posted: Fri Jun 11, 2010 7:46 pm

Sounds like you have it all in hand now.
CoreDefend
Forum Fanatic
Joined: 25 May 2010
Location: USA
Posted: Sun Jun 13, 2010 6:29 am    Post subject: Re: User-Agent - GET HTTP

rfresh wrote:
...This file doesn't call the user agent so I don't understand what the single quote means...


The User-Agent field in the HTTP request (depending on the application code) might be submitted to the database along with the other input. If it is not properly sanitized, its contents can be manipulated to execute SQL injection.

Some advice on PCI scanning vendors (ASVs): they permit the use of "compensatory controls" and false positives. This happens when they detect a vulnerability but you have some other security measure that either mitigates or minimizes the vulnerability, or when they mistakenly identify an item as a vulnerability.

In this specific example, if the contents of the User-Agent field are never submitted to the database, you can mark it as a false positive. This by no means indicates that you should not fix the vulnerability; but I am at 150 false positives and counting with my ASV.

Thank you,
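To make the point above concrete, here is an added example that is not part of the original thread or of the poster's site. PHP exposes the header as $_SERVER['HTTP_USER_AGENT']; if an application writes that value into a query by string concatenation (a visitor log is the usual case), a User-Agent of just a single quote breaks the SQL and produces an error, which is typically what a scanner sending "User-Agent: '" is looking for, and a crafted value rewrites the statement. The example runs offline against an in-memory SQLite database through PDO; the visits table, the log_visit_unsafe/log_visit_safe/attempt functions, the 203.0.113.5 client address and the three sample header values are assumptions constructed for illustration, not anything from the page. The hardened version uses a prepared statement with bound parameters, which is the fix regardless of whether the value came from a form field or a header.

```php
<?php
// Added example (not from the original thread): why a bare ' in User-Agent is
// a meaningful SQL injection probe when the header reaches a query, and what
// the fix looks like. Runs offline against an in-memory SQLite database via
// PDO. The visits table, the log_visit_* functions and the sample header
// values are assumptions made for illustration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE visits (id INTEGER PRIMARY KEY, user_agent TEXT, ip TEXT)');

// Vulnerable version: the raw header is concatenated into the SQL string.
// In a real application $ua would come from $_SERVER['HTTP_USER_AGENT'],
// which is attacker-controlled exactly like any form field.
function log_visit_unsafe(PDO $pdo, string $ua, string $ip): void
{
    $sql = "INSERT INTO visits (user_agent, ip) VALUES ('$ua', '$ip')";
    $pdo->exec($sql);
}

// Hardened version: a prepared statement with bound parameters, so the
// header value is always treated as data, never as part of the SQL text.
function log_visit_safe(PDO $pdo, string $ua, string $ip): void
{
    $stmt = $pdo->prepare('INSERT INTO visits (user_agent, ip) VALUES (:ua, :ip)');
    $stmt->execute([':ua' => $ua, ':ip' => $ip]);
}

// Runs one logger with one header value and reports the outcome instead of
// letting the exception escape, so the cases can be compared side by side.
function attempt(PDO $pdo, callable $logger, string $ua): string
{
    try {
        $logger($pdo, $ua, '203.0.113.5');   // assumed real client address
        return 'ok';
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

// Constructed inputs: a normal browser, the scanner's bare quote (which the
// unsafe query turns into a syntax error), and a payload that closes the
// VALUES list early and forges the recorded ip, commenting out the rest.
$samples = [
    'Mozilla/5.0 (compatible; example)',
    "'",
    "x', '127.0.0.1') -- ",
];

foreach ($samples as $ua) {
    printf("unsafe %-30s => %s\n", json_encode($ua), attempt($pdo, 'log_visit_unsafe', $ua));
    printf("safe   %-30s => %s\n", json_encode($ua), attempt($pdo, 'log_visit_safe', $ua));
}

// Rows written by the unsafe path show the forged ip; rows written by the
// safe path keep the payload as a literal string with the real ip beside it.
foreach ($pdo->query('SELECT user_agent, ip FROM visits ORDER BY id') as $row) {
    printf("stored ua=%-30s ip=%s\n", json_encode($row['user_agent']), $row['ip']);
}
```

Run it with `php example.php` (the pdo_sqlite extension is needed). Against a live site, the scanner's probe can be reproduced with `curl -A "'" http://www.mydomain.com/index_dispatcher.php` and comparing the response with a normal request; a different status code, an error page or a database error message in the body is the signal. Note that "sanitizing the form fields" on the server does not help here unless the same treatment is applied to every value that reaches a query, headers included, which is why parameterised queries are the recommended fix rather than escaping.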
rfresh
Just Arrived
Joined: 10 Jun 2010
Posted: Sun Jun 13, 2010 6:36 am

Thanks Core.

I am not using the User-Agent field at all so therefore it is not being submitted to the database. I am still waiting for my re-scan results. I guess they don't work on the weekends, so will have to wait until Monday.
blackandwhitebg
Just Arrived
Joined: 18 Oct 2010
Posted: Mon Oct 18, 2010 3:06 pm

Old topic, but just to share some experience -

You should use Nikto for identifying such vulnerabilities. It provides detailed information which can be useful.
lineae0211
Just Arrived
Joined: 02 Mar 2011
Posted: Mon Mar 14, 2011 10:43 am    Post subject: single quotes

When you declare and manipulate strings in JavaScript, always write them with single quotes ' or double quotes " around them. This tells the browser that it is dealing with a string. Do not mix up your quotes: if you open a string with a single quote and close it with a double quote, JavaScript does not understand what you mean. Usually I use single quotes, as I have decided to use double quotes for HTML and single quotes for JavaScript. You can of course do this the other way around, but I advise you to make a rule for yourself and try to follow it.