In the last bit of code I wrote, I designed the CMS to intentionally 404 if the end user adds a bogus query string variable. I am wondering whether this is a bad idea, since other sites allow it for some reason, and I remember once seeing in my Apache logs some search engine bots adding bogus query strings to the URL when crawling my site.
For example, an authorized query:
test.com?id=1&a=b
Bad query (user added the f variable):
test.com?id=1&a=b&f=http://www.webmasterworld.com
^^ I would normally drop this, but I see other sites do not.
if (isset($_GET['WhatImInterestedIn']) && $_GET['WhatImInterestedIn'] == "validString") {
    // render page one
    echo 'Page';
} elseif (isset($_GET['WhatImInterestedIn']) && $_GET['WhatImInterestedIn'] == "validStringTwo") {
    // render page two
    echo 'Page two';
} else {
    // anything else, extra keys included, falls through to the generic home page
    echo 'Generic home page';
}
They can specify all the extra values they like and it'll make no difference - so why 404 it?
I was concerned they could use the URL for some nefarious purpose I am not familiar with. So as long as my app is ignoring it I am OK then, and something like this is not a concern?
test.com?id=233&f=http://www.someothersite.com/dosomething
But something like this I still have to 404 and strip <script>bad code</script>, I assume?
test.com?id=233&f=http://www.othersite.com/dosomething<script>bad code</script>
If you do not validate URLs and query strings, you're allowing *anyone* to create a duplicate-content issue for your site -- whether accidentally or intentionally.
Jim
I did, however, test sending a bogus query string key to a valid page on a few of the most popular web sites on the internet, and they still accept the request with HTTP 200.
I am therefore thinking maybe I need to be less restrictive -- allow bogus keys in the URL and not redirect, like they do. This is because if the top websites are handling it that way, maybe there is some good reason I am not aware of (maybe some search engines that I see sending bogus keys in my logs).
Maybe I am just overthinking security measures and this is a non-issue. I always worry that I am not doing enough, or that I am doing too much, when it comes to security.
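One way to combine the whitelist approach from the reply above with Jim's point about duplicate content, as an added example that is not code from anyone in this thread: known keys are pattern-checked, a malformed value gets a 404, and an unknown key gets a 301 to a single canonical URL with the junk stripped. The allowed keys (id, a), their patterns and the function names are assumptions for illustration.

```php
<?php
// Added example, not from the thread: whitelist the query string, 404 malformed
// values, 301 unknown keys to a canonical URL. Keys, patterns, names are assumed.
// Accepted keys and the pattern each value must match; anything else is rejected.
const ALLOWED_PARAMS = [
    'id' => '/^[1-9][0-9]{0,9}\z/',
    'a'  => '/^[a-z0-9_-]{1,32}\z/i',
];

/** Split $query into accepted pairs, unknown key names and keys with bad values. */
function filterQuery(array $query): array
{
    $clean = $unknown = $invalid = [];
    foreach ($query as $key => $value) {
        if (!isset(ALLOWED_PARAMS[$key])) {
            $unknown[] = $key;          // e.g. the f=http://... key from the thread
        } elseif (!is_string($value) || !preg_match(ALLOWED_PARAMS[$key], $value)) {
            $invalid[] = $key;          // arrays (id[]=1) or <script> in a value
        } else {
            $clean[$key] = $value;
        }
    }
    return [$clean, $unknown, $invalid];
}

/** Returns [status, location, params]; 200 means serve the page from params. */
function decide(string $path, array $query): array
{
    [$clean, $unknown, $invalid] = filterQuery($query);
    if ($invalid) {
        return [404, null, $clean];
    }
    if ($unknown) {
        ksort($clean);                  // fixed key order: exactly one URL per page
        return [301, $clean ? $path . '?' . http_build_query($clean) : $path, $clean];
    }
    return [200, null, $clean];
}

[$status, $location, $params] = decide(strtok($_SERVER['REQUEST_URI'], '?'), $_GET);
if ($status === 404) {
    http_response_code(404);
    exit('Not found');
}
if ($status === 301) {
    header('Location: ' . $location, true, 301);
    exit;
}
// Only whitelisted, pattern-checked values remain; still escape on output.
echo 'Page for id ', htmlspecialchars($params['id'] ?? '', ENT_QUOTES, 'UTF-8');
```

With this in place the two URLs from the thread behave differently: `?id=233&f=http://...` redirects to `?id=233`, while `?id=233&f=...<script>...` also redirects (the script is in an unknown key that is dropped), and only a bad value in a known key, such as `?id=<script>`, gets the 404.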