Security, removing unapproved parameters

         

csdude55

5:58 pm on Jan 11, 2021 (gmt 0)



Trying to make sure that there aren't any potential vulnerabilities, I'm wanting to ensure that there aren't any $_GET params that aren't pre-approved.

This is where I'm going with this, but is there a better (read, faster or more secure) way?

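    // Allowlist of permitted query-string keys for this page
    $allow = [
        'foo' => 1,
        'bar' => 1
    ];

    $remove = [];
    foreach ($_GET as $key => $value)
        if (!isset($allow[$key])) {
            // Record the "key=value" pair so it can be stripped from the URI.
            // $key and $value are URL-decoded here; REQUEST_URI is still raw.
            $remove[] = $key . '=' . $value;

            // probably not necessary, really
            unset($_GET[$key]);
        }

    if (!empty($remove)) {
        // Strip the unapproved pairs, then collapse any doubled ampersands
        $request_uri = str_replace('&&', '&',
            str_replace($remove, '', $_SERVER['REQUEST_URI'])
        );

        header("Location: https://www.example.com" . $request_uri);
        exit;
    }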


The allow[] array would likely be different for each page, so I think it's probably better to do this in PHP than in Apache configuration, unless there's a significant reason why I shouldn't.

w3dk

6:26 pm on Jan 11, 2021 (gmt 0)



"Security" shouldn't really be a factor here, since you shouldn't even be referencing "other/unknown" URL parameters in your script.

However, SEO could be a factor, if these URLs are being linked to and indexed by search engines. In which case, the "order" of these URL parameters is also a factor.

So, instead of "removing" the invalid parameters, I would consider rebuilding the query string instead - this way you can ensure the URL params are in the correct order (the order of your $allow array).
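
One way to do the rebuild described in the reply above, as an added example that is not code from the thread. The helper names `canonical_query` and `canonical_redirect` are hypothetical, the sample request URI is constructed, and the allowlist is written as a plain ordered list of keys rather than the `'foo' => 1` map used in the question.

```php
<?php
declare(strict_types=1);

/**
 * Build the canonical query string for a page: only allowlisted keys,
 * in allowlist order, string values only, re-encoded by http_build_query().
 */
function canonical_query(array $allow, array $params): string
{
    $clean = [];
    foreach ($allow as $key) {
        // Skip keys that are absent or that arrived as arrays (e.g. foo[]=x).
        if (isset($params[$key]) && is_string($params[$key])) {
            $clean[$key] = $params[$key];
        }
    }
    return http_build_query($clean, '', '&', PHP_QUERY_RFC3986);
}

/**
 * Return the URL to redirect to, or null when the request is already canonical.
 * Only the path of the request URI is reused; the query is always rebuilt.
 */
function canonical_redirect(array $allow, string $requestUri, string $base): ?string
{
    $path  = (string) parse_url($requestUri, PHP_URL_PATH);
    $query = (string) parse_url($requestUri, PHP_URL_QUERY);

    parse_str($query, $params);   // same decoding PHP applies to $_GET
    $canonical = canonical_query($allow, $params);

    if ($canonical === $query) {
        return null;              // nothing to strip or reorder, no redirect
    }
    return $base . $path . ($canonical === '' ? '' : '?' . $canonical);
}

// Constructed sample: unknown key, wrong order, encoded "&" in a value, stray "&x".
$uri    = '/form.php?evil=%3Cscript%3E&bar=2&foo=a%26b&x';
$target = canonical_redirect(['foo', 'bar'], $uri, 'https://www.example.com');

if ($target !== null) {
    // In a real page: header('Location: ' . $target, true, 301); exit;
    echo $target, PHP_EOL;
}
```

Because the query is rebuilt from decoded values and re-encoded, a second request to the redirect target compares equal to its own canonical form, so the redirect cannot loop.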

csdude55

6:44 pm on Jan 11, 2021 (gmt 0)



@w3dk, in this case the page processes through Perl, and if there's an error then it redirects back to the PHP script with the entered data in the query string so that it can autofill the form back to what the user had entered. Or after it's processed, there's a status=success param set to show a "success" message to the user. Those links shouldn't be referenced outside of that, but it's possible if a user shares that link for some reason.

I see occasional crack attempts where a bot tries to inject using the query string. Up until now I've been automatically writing IPs that use unapproved params to a blacklist and then forbidding them from future pageviews. But then I realized that I'm getting the occasional "name=foo&bar" (as discussed in the other thread), so I've been blacklisting those references by accident :-O Based on that, my current goal is to still not allow the injection attempts, but maybe still let them view the page.

Do you mean to modify the string $_SERVER['QUERY_STRING'] without a redirect? Something like:

    $allow = [
        'foo' => 1,
        'bar' => 1
    ];

    $found = false;
    foreach ($_GET as $key => $value)
        if (!isset($allow[$key])) {
            $found = true;
            unset($_GET[$key]);
        }

    if ($found) {
        // Rebuild the query string from the allowed keys, in $allow order
        $_SERVER['QUERY_STRING'] = '';

        foreach ($allow as $key => $val)
            // Skip allowed keys that were not sent with this request
            if (isset($_GET[$key]))
                $_SERVER['QUERY_STRING'] .= $key . '=' . $_GET[$key] . '&';

        $_SERVER['QUERY_STRING'] = rtrim($_SERVER['QUERY_STRING'], '&');
    }