[OWASP_PHPSEC] Update ?

Abhishek Das das.abhshk at gmail.com
Tue Jul 2 00:45:43 UTC 2013


I have a doubt on point 2.

How should I go about extracting the fragment because it is never sent to
the server as part of an HTTP request and is solely a property of the
browser (available via document.location.hash in JS)?


On Sun, Jun 23, 2013 at 12:29 PM, Abbas Naderi <abiusx at owasp.org> wrote:

> Ok
> I found a few points.
> 1. First, instead of getParameter and its behavior, add something that
> overwrites and wraps $_SERVER using an ArrayInterface. The functionality is
> good but the way it's implemented is dull.
> 2. We need methods to retrieve every part of the URL, as well as some mixed
> parts that are more common. A URL can be:
> scheme://username:password@host:port/path?query_string#fragment_id
> Now we have at least 8 parts in such URL by looking at it, but if we look
> deeper we have 9.
> The PATH segment can actually be divided into two parts, the path that
> points to our application and the path that is inside our application:
>
> example.com/my/application/folder/categories/perfumes
>
> We also need mixed retrieval of those two parts.
>
> 3. We need methods that directly manipulate the URL. We do not want the
> user to do that via string functions and end up having security holes. For
> example we would need a method that converts an HTTP URL to a HTTPS
> equivalent (needed when redirecting to secure login area). I don't want
> these convertor methods to be inside the library directly, but a wise
> scheme should be advised.
>
> 4. DRY is not properly used here. You have
>
> if (php_sapi_name() === "cli")
>     return '127.0.0.1';
>
> Everywhere. Put it in a private function, and call that instead.
>
> 5. Consider IPv6. In most cases the local address that is directly
> returned by the environment and PHP is ::1, which is the IPv6 equivalent of
> 127.0.0.1. Not all IPs are returned as IPv4.
>
> 6. Some methods that return the interface (IP) that the request is being
> served on could be useful. We can use that to detect where the application
> is being run from without being prone to HTTP Host Alteration.
>
> Thanks
> -Abbas
>
> On Tir 2, 1392, at 11:12 AM, Abhishek Das <das.abhshk at gmail.com> wrote:
>
> phpsec/libs/http/Http.class.php<https://github.com/OWASP/phpsec/blob/master/libs/http/Http.class.php>
>
>
> On Sun, Jun 23, 2013 at 12:07 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>
>> Well I was on vacation as well. Please point to the file here.
>> -A
>>
>> On Tir 2, 1392, at 11:06 AM, Abhishek Das <das.abhshk at gmail.com> wrote:
>>
>> Hi,
>>
>> I did that already. Almost 2 weeks back.
>>
>> Thanks
>>
>>
>> On Sun, Jun 23, 2013 at 12:01 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>
>>> Hi Abhishek,
>>> Commit and I'll review.
>>> -A
>>> On Tir 2, 1392, at 1:11 AM, Abhishek Das <das.abhshk at gmail.com> wrote:
>>>
>>> Hi Rahul,
>>>
>>> I realize it's been a while since I pushed any code. I was on vacation.
>>> I will get back to coding regularly now.
>>>
>>> I did implement a significant part of the HTTP Request Handling Library.
>>> It would be great if Abbas or Johanna could have a look at the code and
>>> guide me as to what other functions I should write as part of this library.
>>>
>>> Thanks
>>> Abhishek
>>>
>>>
>>> On Sat, Jun 22, 2013 at 12:15 AM, rahul chaudhary <
>>> rahul300chaudhary400 at gmail.com> wrote:
>>>
>>>> Guys, please update your latest reports. It's been a while since you
>>>> submitted any code. Last I remember, Abhishek was doing "HTTP Request
>>>> Handling Library" and Chetan was also doing some library.
>>>>
>>>> If you do not wish to continue with those libraries and wish to take up
>>>> a new library, then please inform me so that I can work on them.
>>>>
>>>> --
>>>> Regards,
>>>> Rahul Chaudhary
>>>> Ph - 412-519-9634
>>>>
>>>
>>>
>>>
>>> --
>>> Abhishek Das
>>> IIT Roorkee
>>>  _______________________________________________
>>> OWASP_PHP_Security_Project mailing list
>>> OWASP_PHP_Security_Project at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>>
>>>
>>>
>>
>>
>> --
>> Abhishek Das
>> IIT Roorkee
>>
>>
>>
>
>
> --
> Abhishek Das
> IIT Roorkee
>
>
>


-- 
Abhishek Das
IIT Roorkee
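An added example, not code from the phpsec repository, sketching what Abbas's points 2, 3 and 5 in the quoted review could look like: URL parts are retrieved and rebuilt through parse_url() rather than hand-spliced strings, the path is split into its application and in-application parts, and the loopback check accepts both 127.0.0.0/8 and ::1. The class and function names (UrlParts, splitPath, withScheme, isLoopback) and the base-path argument are assumptions, not the library's API.

```php
<?php
// Added example (not phpsec project code; names are hypothetical): URL parts via
// parse_url() so callers never splice URLs by hand, plus an IPv4/IPv6 loopback check.
class UrlParts
{
    private array $p;
    public function __construct(string $url)
    {
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            throw new InvalidArgumentException('absolute URL required');
        }
        $this->p = $parts;
    }

    // Split the path into the part pointing to the application and the part
    // inside it, given the application base (e.g. '/my/application/folder').
    public function splitPath(string $appBase): array
    {
        $path = $this->p['path'] ?? '/';
        $base = rtrim($appBase, '/');
        if ($base !== '' && strpos($path . '/', $base . '/') !== 0) {
            throw new InvalidArgumentException('path is outside the application');
        }
        return ['app' => $base ?: '/', 'inner' => substr($path, strlen($base)) ?: '/'];
    }

    // Rebuild with a different scheme (and optional explicit port), keeping every
    // other component: an HTTP -> HTTPS conversion without ad hoc string replacement.
    public function withScheme(string $scheme, ?int $port = null): string
    {
        $p = $this->p;
        $url = $scheme . '://';
        if (isset($p['user'])) {
            $url .= $p['user'] . (isset($p['pass']) ? ':' . $p['pass'] : '') . '@';
        }
        $url .= $p['host'] . ($port !== null ? ':' . $port : '') . ($p['path'] ?? '');
        $url .= isset($p['query']) ? '?' . $p['query'] : '';
        // A fragment is present only if the caller passed a full URL string;
        // browsers never send it, so URLs derived from the request carry none.
        return $url . (isset($p['fragment']) ? '#' . $p['fragment'] : '');
    }
}

// Loopback test for both address families: IPv4 127.0.0.0/8 and IPv6 ::1.
function isLoopback(string $ip): bool
{
    $bin = inet_pton($ip);
    return $bin !== false && (strlen($bin) === 4 ? ord($bin[0]) === 127 : $bin === inet_pton('::1'));
}
```

With the thread's own sample, `(new UrlParts('http://example.com/my/application/folder/categories/perfumes'))->splitPath('/my/application/folder')` yields `['app' => '/my/application/folder', 'inner' => '/categories/perfumes']`, and `->withScheme('https')` yields the same URL with the https scheme and no explicit port.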