HTTP Front-end

HTTP Front-end is quite an old project of mine (started in 2005). It lets you go behind the scenes and see exactly what is happening in an HTTP transaction.

By sending a customised HTTP request, you can see how a certain web application will behave. This makes HTTP Front-end a great tool for debugging and finding weak spots or vulnerabilities in web applications.

Take the following code for example:

<?php
if (isset($_POST['foo'])) {
    echo htmlspecialchars($_POST['foo']);
}
?>

<form action="test.php" method="post">
<input type="text" name="foo" />
<input type="submit" name="submit" value="Submit" />
</form>

You may think this is a fairly secure snippet of code. isset() is used to check if the variable is set, and htmlspecialchars() makes sure any special characters are converted to HTML entities.

If you typed “bar” into the text box and hit Submit, your web browser (client) would send an HTTP request to the server that looks something like this:

POST /test.php HTTP/1.0
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
Connection: close

foo=bar

The response body contains:

bar
...

Everything is fine, right? Let’s take a look at a specially crafted HTTP request sent with HTTP Front-end.

POST /test.php HTTP/1.0
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 9
Connection: close

foo[]=bar

Now we get the following response body:

<br />
<b>Warning</b>: htmlspecialchars() expects parameter 1 to be string, array given in <b>/var/www/html/test.php</b> on line <b>4</b><br />
...

Sending an array instead of a string triggers a warning that discloses the full path of the script. Full path disclosure by itself is not a big worry, but it is good coding practice to make sure this cannot occur, even if the display_errors directive is enabled. Let’s secure the code:

<?php
if (isset($_POST['foo']) && is_string($_POST['foo'])) {
    echo htmlspecialchars($_POST['foo']);
}
?>

<form action="test.php" method="post">
<input type="text" name="foo" />
<input type="submit" name="submit" value="Submit" />
</form>

is_string() is added to make sure the variable is of the correct type.
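The following is an added example, not part of the original post or of HTTP Front-end. It runs from the PHP command line and shows what type PHP assigns to foo for several request bodies, and what the guarded code outputs for each. The helper names post_string() and render_foo() and the sample bodies are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a PHP built-in): returns the field only when it
// is present AND a string, so htmlspecialchars() never receives an array.
function post_string(array $post, string $key): ?string
{
    return (isset($post[$key]) && is_string($post[$key])) ? $post[$key] : null;
}

// Render the field the way test.php does, or an empty string when rejected.
function render_foo(string $rawBody): string
{
    // parse_str() understands the same name[]=value bracket syntax that PHP
    // applies when it builds $_POST from a urlencoded body.
    parse_str($rawBody, $post);
    $foo = post_string($post, 'foo');
    return $foo === null ? '' : htmlspecialchars($foo, ENT_QUOTES, 'UTF-8');
}

// Constructed request bodies: the two from the article plus related shapes.
$bodies = [
    'foo=bar',                   // normal form submission: string
    'foo[]=bar',                 // crafted request from the article: array
    'foo[a][b]=bar',             // nested array
    'submit=Submit',             // foo missing entirely
    'foo=%3Cb%3Ebar%3C%2Fb%3E',  // string containing markup
];

foreach ($bodies as $body) {
    parse_str($body, $post);
    $type = isset($post['foo']) ? gettype($post['foo']) : 'unset';
    printf(
        "%-26s type=%-6s output=%s\n",
        $body,
        $type,
        var_export(render_foo($body), true)
    );
}
```

Only the bodies where foo arrives as a string produce output; the array and missing cases are rejected before htmlspecialchars() is called, so no warning is raised.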

You may access HTTP Front-end here:

http://www.benmalen.com/projects/http-front-end/
