Security, what threats besides an SQL Injection do I have to worry about a search field?


I’m getting deeper into web programming (with PHP) and I have this question. I’ve seen some similar things in some places, but going straight to the point, I wanted you to tell me what the main security threats are and their solutions (in PHP).

1 answer

SQL Injection, as cited, would be the most severe from the perspective of data integrity; such an error could allow editing, erasing and reading information improperly.

However, there is also Blind SQL Injection, which, unlike the first, just "asks" whether something exists or not, thus allowing you to discover other content, which can be just as dangerous.

But there are other sides besides just erasing your data. It depends on what YOU understand by the word "Security", i.e., what I list here may (or may not) be a security issue.

CSRF

Third parties using/collecting your data:

Search data can be extremely detailed. This may allow other people to have access to search information, including being able to monitor it if there is no limit.

For demonstration I will use the website saraiva.com.br.

Its search API is this:

http://busca.saraiva.com.br/autocomplete?q={PESQUISA (ENCODE HTML)}&apikey=saraiva-v5

This link was obtained by monitoring network traffic; it is not documented or publicly documented!

Where is the error?

You can make as many requests as you want, even without ever accessing the site; there is no monitoring of IP, cookies or sessions. Fully open and exposed to all.

So I can monitor a desired book, like Atlas Shrugged (A Revolta de Atlas), on:

http://busca.saraiva.com.br/autocomplete?q=a%20revolta%20atlas&apikey=saraiva-v5

It returns, TODAY, this:

{
  "history": [],
  "products": [
    {
      "url": "//busca.saraiva.com.br/click?apikey=saraiva-v5&search_id=4322cd5c-5a89-4ee8-84cc-0dd8b501e647&pid=3093154&page=1&prodIdx=0&q=a+revolta+atlas&feature=autocomplete",
      "price": "71,90",
      "type": "product",
      "name": "A Revolta de Atlas - 03 Volumes",
      "image": "//dnsdprunamxb9.cloudfront.net/54x54/http%3A%2F%2Fimages.livrariasaraiva.com.br%2Fimagem%2Fimagem.dll%3FA%3D100%26PIM_Id%3D%26L%3D-1%26pro_id%3D3093154"
    },
    {
      "url": "//busca.saraiva.com.br/click?apikey=saraiva-v5&search_id=4322cd5c-5a89-4ee8-84cc-0dd8b501e647&pid=4294739&page=1&prodIdx=1&q=a+revolta+atlas&feature=autocomplete",
      "price": "37,99",
      "type": "product",
      "name": "A revolta de Atlas",
      "image": "//dnsdprunamxb9.cloudfront.net/54x54/http%3A%2F%2Fimages.livrariasaraiva.com.br%2Fimagem%2Fimagem.dll%3FA%3D100%26PIM_Id%3D%26L%3D-1%26pro_id%3D4294739"
    }
  ],
  "queries": []
}

So I can take the "price" to monitor the price of this book and be alerted when it drops, for example.

A silly example, and let no one worry about it.

Now shall we go the other way?

Example: the shop kinguin.net.

Its search API is this:

http://www.kinguin.net/catalogsearch/ajax/suggest/?q={PESQUISA}

This link was obtained by monitoring network traffic; it is not documented or publicly documented!

However, this one has several limitations that hinder its use.

Search for "Siege", in reference to the game "Rainbow Six Siege", at:

http://www.kinguin.net/catalogsearch/ajax/suggest/?q=siege

You should get the result:

<ul class="ajax-result-list">
    <li class="ajax-result-item">
        <img src="http://cdn.kinguin.net/media/catalog/category/cache/1/image/95x66/9df78eab33525d08d6e5fb8d27136e95/rainbow_1.jpg" alt="Tom Clancy's Rainbow Six Siege Uplay CD Key" title="Tom Clancy's Rainbow Six Siege Uplay CD Key" width="95" height="66" />
        <span class="ajax-result"><a href="http://www.kinguin.net/category/22529/tom-clancy-s-rainbow-six-siege-uplay-cd-key/">Tom Clancy's Rainbow Six Siege Uplay CD Key</a></span>
        <span><span class="price " data-no-tax-price="120.76">R$120<span class="super">.76</span></span></span>
    </li>
    <li class="ajax-result-item">
        <img src="http://cdn.kinguin.net/media/catalog/category/cache/1/image/95x66/9df78eab33525d08d6e5fb8d27136e95/rainbow-six-siege_1.jpg" alt="Tom Clancy's Rainbow Six Siege Season Pass Uplay CD Key" title="Tom Clancy's Rainbow Six Siege Season Pass Uplay CD Key" width="95" height="66" />
        <span class="ajax-result"><a href="http://www.kinguin.net/category/22307/tom-clancy-s-rainbow-six-siege-season-pass-uplay-cd-key/">Tom Clancy's Rainbow Six Siege Season Pass Uplay CD Key</a></span>
        <span><span class="price " data-no-tax-price="87.78">R$87<span class="super">.78</span></span></span>
    </li>
    <li class="ajax-result-item">
        <img src="http://cdn.kinguin.net/media/catalog/category/cache/1/image/95x66/9df78eab33525d08d6e5fb8d27136e95/header_2298_4.jpg" alt="Tom Clancy's Rainbow Six Siege TR Uplay CD Key" title="Tom Clancy's Rainbow Six Siege TR Uplay CD Key" width="95" height="66" />
        <span class="ajax-result"><a href="http://www.kinguin.net/category/23140/tom-clancy-s-rainbow-six-siege-tr-uplay-cd-key/">Tom Clancy's Rainbow Six Siege TR Uplay CD Key</a></span>
        <span><span class="price " data-no-tax-price="62.66">R$62<span class="super">.66</span></span></span>
    </li>
    <li class="ajax-result-item">
        <img src="http://cdn.kinguin.net/media/catalog/category/cache/1/image/95x66/9df78eab33525d08d6e5fb8d27136e95/header_2298.jpg" alt="Tom Clancy's Rainbow Six Siege + Exclusive Gold Weapons Skin Pack Uplay CD Key" title="Tom Clancy's Rainbow Six Siege + Exclusive Gold Weapons Skin Pack Uplay CD Key" width="95" height="66" />
        <span class="ajax-result"><a href="http://www.kinguin.net/category/22630/tom-clancy-s-rainbow-six-siege-uplay-cd-key/">Tom Clancy's Rainbow Six Siege + Exclusive Gold Weapons Skin Pack Uplay CD Key</a></span>
        <span><span class="price " data-no-tax-price="125.36">R$125<span class="super">.36</span></span></span>
    </li>
    <li class="ajax-result-item">
        <img src="http://cdn.kinguin.net/media/catalog/category/cache/1/image/95x66/9df78eab33525d08d6e5fb8d27136e95/header_292x136_496.jpg" alt="Hero Siege Steam Gift" title="Hero Siege Steam Gift" width="95" height="66" />
        <span class="ajax-result"><a href="http://www.kinguin.net/category/10152/hero-siege-steam-gift/">Hero Siege Steam Gift</a></span>
        <span><span class="price " data-no-tax-price="8.95">R$8<span class="super">.95</span></span></span>
    </li>
    <li id="show-more-search" class="show-more"><span class="show-more-result">SHOW MORE</span></li>
</ul>

Now try accessing that API URL. You will probably get a page with no information. But believe me, this is the URL; it is just minimally protected, not as easy as the previous site. :)

In addition, some APIs may expose data not shown to the user, for example a promotion start, a promotional code, or values in other currencies in other countries. So use common sense about what you return in your searches, and limit access to users who are actually on the site, by session, cookies, IPs and even a limit on attempts. Now, in some cases doing so will be an exaggeration, so it DEPENDS ON EACH SITUATION!

Same problem, other examples:

Imagine that your search also keeps traces of the last searches made by the user; problems with CSRF allow another site to get that information, as in the previous case.

If you allow other sites to connect, or authorize JSONP, and do not correctly validate the data, you may expose a user’s preferences/recommendations, since such search filters will be ordered based on the visitor.

Another case: imagine that on a social network users may know that you searched for and viewed their profile. Just by focusing on the people who looked you up, you could create something like:

<img src="https://meusite.com/buscar?amigo=Inkeliz">

This would cause me (Inkeliz) to receive a notification when such content is loaded, for example. So if I have a website and add such code, it would be possible to discover the account on that social network of each visitor to the site.

A way out in this case would be to add a "random" code.

For example:

<?php session_start(); $_SESSION['token'] = (string) rand(); /* stored as a string so it compares with $_GET; rand() is only an illustration */ ?>
<input type="hidden" name="token" value="<?= htmlspecialchars($_SESSION['token']) ?>">

Then on the search page:

<?php session_start(); /* $_GET values are strings, so a strict === against an int would never match; compare strings in constant time */
if (isset($_GET['token'], $_SESSION['token']) && is_string($_GET['token']) && hash_equals($_SESSION['token'], $_GET['token'])) { /* token matches: run the search */ } ?>

Again, it depends on what kind of search you have.

Sounds like a bizarre example? Yes, but just so you realize that your site can end up with the same mistake. How? Imagine you want to include a list in order of "most searched", or reward the most searched posts; without such a token this can be easily manipulated.

I could not find any site to cite as a real, unprotected example; if I find one I will edit again!

Another thing is to allow other people to know whether or not the user is logged in through any link, including or not their search field, if it displays or has a specific parameter for a logged-in user.

For example Google: it is possible to know whether or not you are logged in using this link:

<script>
// Runs when the logo loads: CheckCookie accepted the request, so a Google session exists
function logado(){
    alert('Você está CONECTADO no Google');
}

// Runs when the image fails to load: CheckCookie refused it, so there is no Google session
function deslogado(){
    alert('Você está DESconectado do Google :(');
}
</script>
<img style="display: none;" onerror="deslogado()" onload="logado()" alt="" src="https://accounts.google.com/CheckCookie?continue=https://www.google.com/intl/en/images/logos/accounts_logo.png" />

Try accessing this post in an incognito window to see the magic happen. :)

The same process may occur with a script tag, in your case, for example.

Fixing this is complicated, so much so that even Google itself has this problem; Twitter had something similar and fixed it. Twitter’s solution was to take all the images and JS/CSS off the twitter.com domain, creating another site/subdomain for that. Thus the https://twitter.com/login?redirect_after_login= link, responsible for redirecting the user automatically if connected, does not work for files external to twitter.com. This same link only allows a redirect_after_login that does not contain http://img.twitter.com, for example.

There is no such treatment at Google, which made it possible to include a Google Accounts logo from outside accounts.google.com. CheckCookie returns an error if the user is not logged in, so everything works.

Don’t get hung up on the examples cited!
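The two controls the answer recommends for a search endpoint, a per-session random token and a limit on attempts per session, put together in one runnable page. This is an added example, not code from the answer above or from any of the sites it names; the function names (csrf_token, search_allowed, run_search), the limits, and the in-memory sample table are assumptions made for the illustration.

```php
<?php
// Added example (not from the original answer): a search endpoint that
// 1) issues a per-session token from a CSPRNG instead of rand(),
// 2) answers only requests that carry that token (compared in constant time),
// 3) caps how many searches one session may run per window,
// 4) runs the query through a prepared statement.
// Function names, limits and the sample table are assumptions for this example.
declare(strict_types=1);

session_start();

const MAX_SEARCHES_PER_WINDOW = 30; // assumed limit per session per window
const WINDOW_SECONDS          = 60;

/** Create the token once per session; 32 random bytes, hex encoded. */
function csrf_token(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

/** Hidden field for the search form; the value is escaped for HTML. */
function search_form_field(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/** Constant-time comparison; rejects missing, non-string or wrong tokens. */
function csrf_token_valid(mixed $sent): bool
{
    if (!is_string($sent) || empty($_SESSION['token'])) {
        return false;
    }
    return hash_equals($_SESSION['token'], $sent);
}

/** Fixed-window counter kept in the session; false once the limit is reached. */
function search_allowed(int $now): bool
{
    $win = $_SESSION['search_window'] ?? ['start' => $now, 'count' => 0];
    if ($now - $win['start'] >= WINDOW_SECONDS) {
        $win = ['start' => $now, 'count' => 0]; // new window
    }
    $allowed = $win['count'] < MAX_SEARCHES_PER_WINDOW;
    if ($allowed) {
        $win['count']++;
    }
    $_SESSION['search_window'] = $win;
    return $allowed;
}

/** Search with a prepared statement; LIKE wildcards typed by the user are escaped. */
function run_search(PDO $pdo, string $q): array
{
    $pattern = '%' . addcslashes($q, '\\%_') . '%';
    $stmt = $pdo->prepare(
        "SELECT id, name, price FROM products WHERE name LIKE ? ESCAPE '\\' LIMIT 20"
    );
    $stmt->execute([$pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ---- request handling: this file is the search endpoint ----
header('Content-Type: application/json; charset=utf-8');

if (!csrf_token_valid($_GET['token'] ?? null)) {
    http_response_code(403); // not sent from our own form/session
    exit(json_encode(['error' => 'missing or invalid token']));
}
if (!search_allowed(time())) {
    http_response_code(429); // too many searches in this window
    exit(json_encode(['error' => 'too many searches']));
}
$q = trim((string) ($_GET['q'] ?? ''));
if ($q === '' || mb_strlen($q) > 100) {
    http_response_code(400);
    exit(json_encode(['error' => 'bad query']));
}

// Constructed in-memory sample data so the example runs without a real store DB.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE products (id INTEGER, name TEXT, price TEXT)');
$pdo->exec("INSERT INTO products VALUES (1, 'A Revolta de Atlas', '37,99'), (2, 'Outro livro', '10,00')");

echo json_encode(run_search($pdo, $q), JSON_UNESCAPED_UNICODE);
```

The form page calls search_form_field() inside its `<form>`; a request from another site, or from a script that never loaded the form, has no valid token and gets a 403, while a session that hammers the endpoint gets a 429 after MAX_SEARCHES_PER_WINDOW calls. Whether a per-session limit is enough, or whether you also need a per-IP one, is the "depends on each situation" judgement the answer makes.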

  • Inkeliz, I understood much of what you said, but I did not understand the part about the "way out in this case"; could you reinforce that part?

  • It depends on each case and whether it is worth the effort. In the case of the "random code" you need to create a token. This token will always be checked against the current session. There are more elaborate articles at https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_cheat_sheet, to really understand it. The idea is that another site will not be able to perform the action instead of the user. How does the token prevent this? Simple: the site will not be able to obtain the valid "token" (random code), so without the token nothing is done. Of course rand() is not much, but it is an example. I will edit soon.

  • I’ve added other examples that I could think of, but none of them actually expose your code or compromise (directly) your site. I even hope that other users will add problems that really affect the "site system" directly.

  • Could I say that this is how websites like Zoom access and compare the prices of various products?

  • Yes and no. Maybe when they started the site they used these hidden "APIs". But... many store sites have an API for advertisers, or their own API, specific for this purpose. But when you are a small site (or are afraid to invest) you can use these "problems" to monitor product prices and keep them up to date easily. An alternative is to use Buscapé; they have an API for this. But I think, personally, it is very outdated; better to go snooping on the seller’s own website directly, then contact them for something "official".
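The answer's Google/Twitter discussion describes a login oracle: an endpoint whose success or failure depends on the session, loaded cross-site through an `<img>`. The block below is an added example, not code from the answer, Google or Twitter, showing two defender-side checks for such an endpoint: a redirect-after-login parameter that accepts only a path on the site's own origin (the idea behind the Twitter fix the answer describes), and a refusal to serve a session-dependent response when the browser reports the request as a cross-site embed. The function names, the hypothetical /login handler and the sample requests are assumptions for the illustration.

```php
<?php
// Added example, not from the original answer or from any site it names.
// Two checks against the <img onload/onerror> login oracle:
//  1. safe_redirect_target(): only a local path on this origin may be used
//     as the post-login redirect, so the endpoint never forwards to a
//     resource on another host (or an asset subdomain);
//  2. is_cross_site_embed(): a session-dependent endpoint answers the same
//     way, regardless of login state, when the browser says the request is
//     a cross-site <img>/<script>/<iframe> load (Sec-Fetch-* headers).
// Names and sample values are assumptions made for this illustration.
declare(strict_types=1);

/**
 * Return $candidate only if it is a path on this origin, otherwise $fallback.
 * Rejects absolute URLs, protocol-relative "//host" forms, backslashes and
 * control characters, all of which a browser may resolve to another host.
 */
function safe_redirect_target(string $candidate, string $fallback = '/'): string
{
    if ($candidate === '' || $candidate[0] !== '/' || ($candidate[1] ?? '') === '/') {
        return $fallback;
    }
    if (preg_match('/[\\\\\x00-\x1f]/', $candidate)) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $candidate;
}

/**
 * True when the request looks like a cross-site embed. Modern browsers send
 * Sec-Fetch-Site/Sec-Fetch-Dest; older ones send nothing, which is why this
 * supplements, rather than replaces, serving static assets from a separate
 * cookieless domain as the answer describes for Twitter.
 */
function is_cross_site_embed(array $headers): bool
{
    $site = strtolower($headers['Sec-Fetch-Site'] ?? '');
    $dest = strtolower($headers['Sec-Fetch-Dest'] ?? '');
    $embedDests = ['image', 'script', 'style', 'iframe', 'frame', 'object', 'embed', 'font', 'audio', 'video'];
    return $site === 'cross-site' && in_array($dest, $embedDests, true);
}

/** Hypothetical /login handler using both checks; returns status and Location. */
function handle_login_redirect(array $get, array $headers, bool $loggedIn): array
{
    if (is_cross_site_embed($headers)) {
        // Same answer whether or not a session exists, so nothing to observe.
        return ['status' => 403, 'location' => null];
    }
    $target = safe_redirect_target((string) ($get['redirect_after_login'] ?? ''));
    return $loggedIn
        ? ['status' => 302, 'location' => $target]
        : ['status' => 200, 'location' => null]; // render the login form
}

// Constructed sample requests (not captured traffic).
$samples = [
    ['/settings', [], true],
    ['//img.twitter.com/logo.png', [], true],
    ['http://other.example/', [], true],
    ['/home', ['Sec-Fetch-Site' => 'cross-site', 'Sec-Fetch-Dest' => 'image'], true],
    ['/home', ['Sec-Fetch-Site' => 'cross-site', 'Sec-Fetch-Dest' => 'image'], false],
];
foreach ($samples as [$redirect, $headers, $loggedIn]) {
    $result = handle_login_redirect(['redirect_after_login' => $redirect], $headers, $loggedIn);
    printf("%-30s logged_in=%d -> %d %s\n", $redirect, (int) $loggedIn, $result['status'], $result['location'] ?? '-');
}
```

The last two sample rows are the point: with the cross-site image headers present, the logged-in and logged-out cases produce the same status, so an `onload`/`onerror` pair on another site learns nothing. The redirect check covers the other half of the answer: even a logged-in user is only ever sent to a local path, never to an image host.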
