User-Agent - GET HTTP

Networking/Security Forums -> Exploits // System Weaknesses

Author: rfresh    Posted: Thu Jun 10, 2010 7:05 am    Post subject: User-Agent - GET HTTP
    ----
My site failed its PCI scan with the following information. The scanning vendor said the problem is the User-Agent single quote. I don't know how to fix this. Can someone tell me what the vulnerability is here? This file doesn't call the user agent so I don't understand what the single quote means.

Thanks

The following resources may be vulnerable to SQL injection (on HTTP headers):
/index_dispatcher.php
---- request ----
GET /index_dispatcher.php HTTP/1.1
Host: www.mydomain.com
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
User-Agent: '
Accept-Charset: iso-8859-1
Pragma: no-cache

Author: Fire Ant    Location: London    Posted: Thu Jun 10, 2010 11:15 am    Post subject:
    ----
First of all, the scanning company should be helping you. You paid them money, I assume? They should always give you remediation advice. I suspect that this noddy company has just run a Nessus scan which you could have done yourself.

The suspected vulnerability is that the PHP file in question might be vulnerable to SQL injection, e.g.

GET /index_dispatcher.php?user=admin&pw=guess' or 1=1--

Author: rfresh    Posted: Thu Jun 10, 2010 5:54 pm    Post subject:
    ----
They were not much help to me as I can't understand (from them or from the failure) what is wrong.

I've added sanitizing code on all the form fields. Is that enough?

Thanks

Author: Fire Ant    Location: London    Posted: Fri Jun 11, 2010 12:20 pm    Post subject:
    ----
Quote:
I've added sanitizing code on all the form fields. Is that enough?
No, you have only implemented client side validation and this can be bypassed easily.

You paid for this 'pen test' right? Then speak to the company which provided this service and get them to explain what exactly needs to be done to fix it. If they don't then don't pay them.

Fire Ant

Author: rfresh    Posted: Fri Jun 11, 2010 7:34 pm    Post subject:
    ----
When I said

>I've added sanitizing code on all the form fields. Is that enough?

I meant on the server-side via PHP.

I've requested another scan and I'm going to change vendors.

Thanks

Author: Fire Ant    Location: London    Posted: Fri Jun 11, 2010 7:46 pm    Post subject:
    ----
Sounds like you have it all in hand now.

Author: CoreDefend    Location: USA    Posted: Sun Jun 13, 2010 6:29 am    Post subject: Re: User-Agent - GET HTTP
    ----
rfresh wrote:
...This file doesn't call the user agent so I don't understand what the single quote means...


The User-Agent field in the HTTP Request (depending on the application code) might be submitted to the database along with the other input. If not properly sanitized, then its contents can be manipulated to execute SQL injection.

Some advice on PCI scanning vendors (ASVs): they permit the use of "compensatory controls" and false positives. This happens when they detect a vulnerability, but you have some other security measure that either mitigates or minimizes the vulnerability, or they mistakenly identify an item as a vulnerability.

In this specific example, if the contents of the User-Agent field are never submitted to the database, you can mark it as a false positive. This is by no means to indicate that you should not fix the vulnerability; but I am at 150 false positives and counting with my ASV.

Thank you,
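To make the two explanations above concrete (Fire Ant's pw=guess' or 1=1-- login query and CoreDefend's point that a header can be written to the database), here is an added example that is not code from this thread or from rfresh's site. Python's sqlite3 module stands in for the site's PHP/MySQL; the users and visits tables, their rows and the page path are constructed for the demonstration. It reproduces what the ASV did (send User-Agent: ' and look for a database error), shows what an attacker can do with the same hole, and shows the fix: parameterised queries rather than stripping quotes.

```python
"""How a User-Agent header can end up inside a SQL statement, and how to stop it.

Added example; sqlite3 stands in for PHP/MySQL and all table names and rows
are constructed for the demonstration.
"""
import sqlite3


def fresh_db():
    """In-memory database with a login table and a visitor log (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users(name TEXT, pw TEXT);"
        "INSERT INTO users VALUES ('admin', 's3cret');"
        "CREATE TABLE visits(path TEXT, user_agent TEXT);"
    )
    return db


def log_visit_unsafe(db, path, user_agent):
    """The pattern the scanner hunts for: the header is spliced into the SQL
    text, the equivalent of PHP's "... VALUES ('$_SERVER[HTTP_USER_AGENT]')"."""
    sql = "INSERT INTO visits VALUES ('%s', '%s')" % (path, user_agent)
    db.execute(sql)


def log_visit_safe(db, path, user_agent):
    """Parameterised insert: the value travels separately from the SQL text,
    so a quote inside it is data, never syntax."""
    db.execute("INSERT INTO visits VALUES (?, ?)", (path, user_agent))


def login_unsafe(db, user, pw):
    """String-built login query, the shape behind pw=guess' or 1=1-- above."""
    sql = "SELECT COUNT(*) FROM users WHERE name='%s' AND pw='%s'" % (user, pw)
    return db.execute(sql).fetchone()[0] > 0


def login_safe(db, user, pw):
    """Same check with bound parameters; the injected text is just a wrong password."""
    sql = "SELECT COUNT(*) FROM users WHERE name=? AND pw=?"
    return db.execute(sql, (user, pw)).fetchone()[0] > 0


def scanner_probe(logger):
    """Reproduce the ASV check: send User-Agent: ' and see whether the database
    chokes. A syntax error here is what the scanner reports as 'vulnerable'."""
    try:
        logger(fresh_db(), "/index_dispatcher.php", "'")
    except sqlite3.Error as err:
        return "db error: %s" % err
    return "ok"


def stored_agent(logger, user_agent):
    """Log one visit with the given header and return what landed in the table."""
    db = fresh_db()
    logger(db, "/index_dispatcher.php", user_agent)
    return db.execute("SELECT user_agent FROM visits").fetchone()[0]


# A header value that pulls the admin password into the visitor log:
# the quotes close the string literal and the subquery runs inside the INSERT.
PAYLOAD = "' || (SELECT pw FROM users WHERE name='admin') || '"

if __name__ == "__main__":
    print(scanner_probe(log_visit_unsafe))   # db error: ... (this is the scan finding)
    print(scanner_probe(log_visit_safe))     # ok
    print(stored_agent(log_visit_unsafe, PAYLOAD))   # s3cret
    print(stored_agent(log_visit_safe, PAYLOAD))     # the payload text, stored literally
    print(login_unsafe(fresh_db(), "admin", "guess' or 1=1--"))   # True
    print(login_safe(fresh_db(), "admin", "guess' or 1=1--"))     # False
```

The probe only fires when the header actually reaches a query, which is the test rfresh wanted: run the equivalent against the real page and if a lone quote in User-Agent never produces a database error, the finding is a false positive for that resource. Where the header is stored, for a hit counter or visitor log, the parameterised form is the fix; escaping or stripping characters in "sanitizing" code is a weaker substitute because every place that builds SQL from text must get it right.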

Author: rfresh    Posted: Sun Jun 13, 2010 6:36 am    Post subject:
    ----
Thanks Core.

I am not using the User-Agent field at all so therefore it is not being submitted to the database. I am still waiting for my re-scan results. I guess they don't work on the weekends, so will have to wait until Monday.

Author: blackandwhitebg    Posted: Mon Oct 18, 2010 3:06 pm    Post subject:
    ----
Old topic, but just to share some experience -

You should use Nikto for identifying such vulnerabilities. It provides detailed information which can be useful.

Author: lineae0211    Posted: Mon Mar 14, 2011 10:43 am    Post subject: single quotes
    ----
When you declare and manipulate strings in JavaScript, always write them with single quotes ' or double quotes " around them. This tells the browser that it is dealing with a string. Do not mix up your quotes: if you start a string with a single quote and close it with a double quote, JavaScript does not understand what you mean. Usually I use single quotes, as I have decided to use double quotes for HTML and single quotes for JavaScript. You can of course do this the other way around, but I advise you to make a rule for yourself and try to follow it.

All times are GMT + 2 Hours