HTML Form Found in Redirect Page Web Vulnerability

When creating a password-protected section of a website, such as the admin portal of a CMS, developers typically check whether the user's session is authenticated and, if it is not, redirect the user to the login page. Perhaps because of a lack of development experience, developers often use code like the sample below to decide whether a session already exists:

<?php
session_start();
// check if the session is authenticated
if (!isset($_SESSION["isAdmin"])) {
    header("Location: ../login.php");
    // BUG: nothing stops the script here, so the page below is still sent
}
?>
<title>Admin Dashboard</title>
<h3>List of Users</h3>
<title>Admin Dashboard</title>
<h3>List of Users</h3>

This code checks whether the isAdmin session variable is set; if it is not, the user is redirected to the login page. The problem with the sample above is that the script is not terminated after the redirect header is sent: header() only adds a header to the response, PHP keeps executing, and everything that follows is sent to the client together with the 302. I have repeatedly seen this mistake in different applications written by different developers. It is not obvious to notice because, when the application is accessed with a normal web browser, everything appears to work as it should.

As seen in the above screenshot, when using a web browser, a user who tries to access a password-protected page without a valid session (i.e. without ever having authenticated) is shown the login page. However, if you request the same page with a tool such as the Acunetix HTTP Editor, you will notice something interesting.

In the above screenshot we can see the HTTP response headers. The status code is HTTP/1.1 302 Found, which tells the web browser to redirect the user to the page specified by the Location header (../login.php).

However, when you look at the body of the same response in that tool, you will notice that the administrative page is there: for example, the list of registered users with their password hashes, and even an HTML form to add new users. We can see this page because the HTTP Editor does not automatically follow redirects the way a normal web browser does; it shows the response exactly as the server sent it.

In the latest version of Acunetix Web Vulnerability Scanner we have added a web security check that looks for an HTML form inside a redirect page. Using heuristic analysis, the scanner also tries to determine whether the page is an administrative page or leads to pages with administrative access. If such a page is discovered an alert is generated, and if the page is administrative the alert is tagged as a 'high risk alert'. When we scanned the test website used in the above example with Acunetix WVS, the scanner generated the following alert:
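The check described above, as an added example that is not Acunetix's own code: a small Python script that parses a raw HTTP response (or fetches one with http.client, which never follows redirects, so it sees the body exactly as the HTTP Editor does) and flags a 3xx response with a Location header whose body still contains an HTML form. The "looks administrative" keyword list is our own assumption, not the scanner's heuristic, and the three sample responses are constructed for illustration, not captured from a real site.

```python
"""Added example: flag a redirect response whose body still carries a protected page.

A client that does not follow redirects (http.client never does) receives the
body the server sent together with the 3xx status; a browser would discard it.
"""
import re
from http.client import HTTPConnection, HTTPSConnection

REDIRECT_CODES = {301, 302, 303, 307, 308}
FORM_RE = re.compile(r"<form\b", re.IGNORECASE)
# Assumption: our own keyword list for the "looks administrative" heuristic;
# the scanner's real heuristics are not published on the page.
ADMIN_HINTS = ("admin", "dashboard", "list of users", "password", "add user")


def parse_raw_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def check_redirect_leak(status, headers, body, path="/"):
    """Return a finding dict; severity is 'none', 'medium' or 'high'."""
    finding = {
        "status": status,
        "location": headers.get("location"),
        "leaks_form": False,
        "looks_admin": False,
        "severity": "none",
    }
    # Only a redirect with a Location header matters: that is the response a
    # browser would never render, so any form in its body is a leak.
    if status not in REDIRECT_CODES or not finding["location"]:
        return finding
    if not FORM_RE.search(body):
        return finding
    finding["leaks_form"] = True
    haystack = (path + " " + body).lower()
    finding["looks_admin"] = any(hint in haystack for hint in ADMIN_HINTS)
    finding["severity"] = "high" if finding["looks_admin"] else "medium"
    return finding


def probe(host, path, https=False):
    """Fetch one URL without following redirects and check it (needs network)."""
    conn = (HTTPSConnection if https else HTTPConnection)(host, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    body = resp.read().decode("utf-8", "replace")
    return check_redirect_leak(resp.status, headers, body, path)


# Constructed sample responses (not captured from a real site) modelling the
# page's cases: the vulnerable script, the fixed script, and a normal login
# page that legitimately contains a form.
VULNERABLE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: ../login.php\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<title>Admin Dashboard</title>\n<h3>List of Users</h3>\n"
    b"<table><tr><td>alice</td><td>5f4dcc3b5aa765d61d8327deb882cf99</td></tr></table>\n"
    b'<form method="post" action="adduser.php"><input name="user"></form>\n'
)
FIXED = b"HTTP/1.1 302 Found\r\nLocation: ../login.php\r\nContent-Type: text/html\r\n\r\n"
LOGIN_PAGE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b'<form method="post" action="login.php"><input name="pw" type="password"></form>\n'
)


if __name__ == "__main__":
    for name, raw in (("vulnerable", VULNERABLE), ("fixed", FIXED), ("login", LOGIN_PAGE)):
        print(name, check_redirect_leak(*parse_raw_response(raw), path="/admin/users.php"))
```

Run against a real target with probe("www.example.com", "/admin/users.php"); the vulnerable sample is rated high because both the path and the body look administrative, the fixed sample has the same 302 but an empty body, and the login page carries a form but is a 200, which a browser would render anyway.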

How to fix such problem?

The fix is very simple: the script that checks whether a user is authenticated must be terminated immediately after the redirect header is sent. Below is the corrected code sample. Notice the exit() call right after header(), which terminates the script so that nothing after the check is sent to the client.

<?php
session_start();
// check if the session is authenticated
if (!isset($_SESSION["isAdmin"])) {
    header("Location: ../login.php");
    exit(); // stop here so the protected page below is never sent
}
?>
<title>Admin Dashboard</title>
<h3>List of Users</h3>

  • Glad to see that feature integrated into Acunetix. I personally have seen these types of issues in many places ranging from content management systems to popular websites. Exploiting such a vulnerability can give access to restricted contents or areas of the website.

    (I have responsibly disclosed such a vulnerability by the way: http://www.exploit-db.com/exploits/18632/).

    All the best Acunetix, keep up the good work!

  • Hi there,

    I see a fault in your last example, session has to contain 2 s(es) lol.

    Nice article btw.

  • Sir, when I scanned my website with Acunetix, I found XSS saying that it affects http://www.xxxxx.com/ajax/vote. I got this:

    XSS(Verified)

    Affected Items:
    /ajax/vote
    Details
    URL encoded POST input oid was set to ‘”()&%1prompt(937172)

    Request headers
    POST /ajax/vote HTTP/1.1
    Content-Length: 77
    Content-Type: application/x-www-form-urlencoded
    Cookie: PHPSESSID=8gdnkrml3on73daub1csfels73
    Host: http://www.xxxxxxx.org
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    Accept: */*

    oid=%27%22%28%29%26%251%3cScRiPt%20%3eprompt%28937172%29%3c%2fScRiPt%3e&pid=1

    Response headers
    HTTP/1.1 500 Internal Server Error
    Date: Thu, 27 Sep 2012 15:56:05 GMT
    Server: Apache
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Connection: close
    Content-Type: text/html
    Content-Length: 906

    Now when I go to the HTTP Editor in Acunetix I get a prompt alert box, but I didn't get it when I typed the same URL in the address bar of the browser. I want to get the same prompt box when I type this in the browser. I used Live HTTP Headers to replay the POST request but still am not getting the prompt box. Also I can't understand, when putting these variables in the URL bar, what should be used to join these inputs, i.e. http://www.xxxx.org/ajax/vote (then use &, or, ? to join them)oid=%27%22%28%29%26%251%3cScRiPt%20%3eprompt%28937172%29%3c%2fScRiPt%3e&pid=1

    Sir, please reply as soon as possible because I have to submit the report today itself. Please sir, reply soon :):)

  • Hello,

    Instead of exit(), else would have also worked, isn't it?

  • Nice article

    For ASP.NET, I added the below code to the Global.asax:

    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        if ((Utility.CurrentPagePath.EndsWith(".aspx")) && (Utility.CurrentPagePath != "~/LoginPage.aspx"))
        {
            if ((HttpContext.Current.Session == null) || HttpContext.Current.Session["userID"] == null)
                Response.Redirect("~/LoginPage.aspx", true);
        }
    }

    where Utility.CurrentPagePath returns HttpContext.Current.Request.AppRelativeCurrentExecutionFilePath

  • Why is it that most of the examples and resolutions for Acunetix seem to be hovering around PHP? Is it since PHP is simple to understand, since I have seen plugins related to PHP integrated in Acunetix? Would love to see examples of fixes and source code related to ASP.NET / JSP, as most corporate websites are hosted on these platforms.

    Thanks – Abhilash
