Security and paginate |
11-02-2021, 03:57 AM
(This post was last modified: 11-02-2021, 04:01 AM by captain-sensible. Edit Reason: inform web down )
I have a web site i'm working on set up in Apache local host, with virtual host etc so that the url to serve the landing page is:127.0.0.2
now there is a useful program from owasp called zap. You can use that program to attack webs even on local host, to see what issues are brought up. now I got this output: Code: SQL Injection The route I set up is : Code: $routes->get('displayGallery','Gallery::displayGallery'); The relevant section of that controller class is: Code: $handle = new GalleryModel(); and the section of GalleryModel is: Code: class GalleryModel extends Model So in summary i'm think i'm following reasonable coding in that I use CI4 model and what it provides to paginate results. The pagination by the way works perfectly. Now I always thought that SQL injection was a problem , where there was an input field and that whats entered would find its way to a database. Now i think i also read. Probably its a good idea to avoid GET requests as much as possible since , it involves a url , and somebody can play with that. My overall thinking is that since the pagination simply retrieves data and there is no input field , this is a false posative. I thought it prudent to find out what other people think ? ps 11.01 am Uk time : Code: Internal Server Error
I think it was reported as an SQL injection because it succeeded in crashing the application. A crash can display sensible information if the application is not correctly configured. Inputs should always be validated for what you expect to receive. In this case you expect the page number to be a number greater than 0. Not a random string with invalid characters.
So I think the best practice would be to type cast the page number to "int" and if the number is <= 0 set the page number to 1. In this particular case, I would blame the framework for not sanitizing the page number since it's a built-in feature of the Pagination library.
Do you mean the request `http://127.0.0.2/displayGallery?page=1+AND+1%3D1+--+` caused Internal Server Error?
I don't know where 500 error occurs. > Probably its a good idea to avoid GET requests as much as possible since , it involves a url , and somebody can play with that. It is the way of CodeIgniter v1. The principle is to validate all user input.
salain Ah! Thanks.
(11-02-2021, 03:57 AM)captain-sensible Wrote: So in summary i'm think i'm following reasonable coding in that I use CI4 model and what it provides to paginate results. The pagination by the way works perfectly. It seems this is just false positive of OWASP Zap. page=1+AND+1%3D1+--+ does nothing to CodeIgniter.
11-04-2021, 09:28 AM
(This post was last modified: 11-04-2021, 09:30 AM by captain-sensible. Edit Reason: edited tags manually )
[quote pid="391196" dateline="1635912699"]
> Probably its a good idea to avoid GET requests as much as possible since , it involves a url , and somebody can play with that. [/quote] i agree but it seems to be the way that CI4 paginate system works. I once did write a way of doing pagination with POST requests but forgot how i did it cheers all zap didn't crash the app ; it was simply the point about it saying there was a ssecurity issue . I will have a look at includebeer sugestion. i'm going to mark this solved (11-02-2021, 04:38 PM)includebeer Wrote: So I think the best practice would be to type cast the page number to "int" and if the number is <= 0 set the page number to 1. In this particular case, I would blame the framework for not sanitizing the page number since it's a built-in feature of the Pagination library. CI4 does what you say. See https://github.com/codeigniter4/CodeIgni...#L415-L417
(11-05-2021, 06:10 AM)kenjis Wrote:Ha ok! I thought it was odd that CI4 didn't do that already. Thanks for the confirmation that it already do it! It seams the 500 error has nothing to do with this false positive problem...(11-02-2021, 04:38 PM)includebeer Wrote: So I think the best practice would be to type cast the page number to "int" and if the number is <= 0 set the page number to 1. In this particular case, I would blame the framework for not sanitizing the page number since it's a built-in feature of the Pagination library. (11-04-2021, 09:28 AM)captain-sensible Wrote: Probably its a good idea to avoid GET requests as much as possible since , it involves a url , and somebody can play with that. FYI, POST is no more secure than GET. It's just a different way of sending data. |
Welcome Guest, Not a member yet? Register Sign In |