how do i check sql injection, XSS, and CSRF in my php site ? for example i have a pages like viewentry.php?id=3 How to check such pages ?
You can use SQL injection scanner.
There is also JAASCOIS Anti Web-Injection.
Related
I'm using TYPO3 11.3.3 for my server and i need a PHP Script, that can read and check the typo3_fe cookie. Are there any solutions? I can't use an extension and I have to keep it simple.
What exactly should the PHP script do apart from reading the cookie?
You can use a TypoScript condition to check if the cookie is present:
[request.getCookieParams()['foo'] == 1]
See the documentation for details.
The only way would be a content object USER. Check out the documentation.
Example
page = PAGE
page.10 = USER_INT
page.10 {
userFunc = Vendor\ExtensionName\ExampleTime->printTime
}
However the doc also states
The property includeLibs has been removed in TYPO3 8.0. In earlier
versions the userFunc classes were sometimes stored in fileadmin/ -
this is no longer possible out of the box and not recommended.
For the best result you should always, without exception, place your
class files in an extension, define composer class loading for this
extension and add this extension as a dependency of your project.
Then, your classes will load without issues when you refer to them by
their class name.
Cookies are being sent along with the request. With that being said, the best way to check for the cookies is Middlewares. With the middlewares you can check for the sent cookies and evaluate them with your script.
Here is the documentation about middlewares.
This might be helpful as well https://stackoverflow.com/a/63951593/7162477
Best regards
My application has a search functionality which uses a query param fullText for the search term. But on my QA server, any query parameters are being removed and csrf token is being added.
Example, on homepage, if I search for 'tax', the url should be:
https://www.qaserver.com/en/search.html?fullText=tax
Instead, it changes to below url and remains on the 'same' page it is on.
https://www.qaserver.com/en/home.html?%3Acq_csrf_token=eyJleHAiOjE1MDAyNDk5NzgsImlhdCI6MTUwMDI0OTM3OH0.EXoQy8xeVh3j9kdFdnenLGLl2sFEh_boi_jFareO1is
Is there any AEM/dispatcher config missing or incorrect ?
The dispatcher or AEM logs don't show who is appending this param or why.
The same thing happens with direct IP of publish server as well.
Include <cq:includeClientLib categories="granite.csrf.standalone"/> on the page from you are making POST ajax or form submit. This should resolve the issue.
Or the other option is to exclude particular servlet path from CSRF Filter Configuration (Which is not recommended).
I have a Drupal 7 with Pathauto and restws modules. I am able to configure Pathauto module to create a url alias for my content type so now the content that I could access with url http://mycms.org/mydrupal/node/4 is accessible using http://mycms.org/mydrupal/content/1-sampleID.
Also, I am able to access the content over ReST using http://mycms.org/mydrupal/node/4.json.
However i need to access the content over ReST api using the url alias, say, http://mycms.org/mydrupal/content/1-sampleID.json. When I try doing this, I get a 404 error.
I am new to Drupal and PHP. Can someone please help me fix this issue? Do I need some custom Drupal module that could help me expose my contents over ReST api through the defined url aliases.
I use the RESTful module, and here's a blog post on how to do what you need.
I'm developing my first real project with ZF2 and Doctrine ORM. And I cannot find any good example of user authentication through doctrine orm authentication adapter. Now I'm using standard Zend Db Adapter authentication. In addition, I use
$adapter->setIdentityColumn(filter_var($request->getPost('useremail'),FILTER_VALIDATE_EMAIL) ? 'useremail' : 'userlogin');
in my login controller to login either via email and login.
But I want to perform all job through doctrine ORM. Could someone show me a similar example with doctrine.authentication.orm_default and storing user identity data in session/storage to access in any controller or module.php? Is it possible to use two fields - userlogin or email for login?
Thank you in advance for your help.
Updated: I kept seaching and as a result this and this helped me so much
One problem, that i haven't solved yet. How can I check user status (activated or not) with doctrine adapter?
Like
$authAdapter = new AuthAdapter($dbAdapter,'user','username','password','MD5(?) AND status = 1');
You can use credential_callable option (Doctrine Module doc.). It can be any callable (PHP Manual), for example with closure:
'credential_callable' => function(User $user, $passwordGiven) {
return md5($passwordGiven) == $user->getPassword() && $user->isActive();
},
or with static class method:
'credential_callable' => 'Application\User\UserService::verifyUser'
What about an external module idea? If you are OK with that you can take a look at https://github.com/ZF-Commons/ZfcUser and https://github.com/SocalNick/ScnSocialAuth or the whole modules repositories http://modules.zendframework.com/?query=user. Even if you don't install just download and see what other people do stuff.
Using the new ASP.NET Web API beta. I can not seem to get the suggested method of authenticating users, to work. Where the suggested approach seems to be, to add the [Authorize] filter to the API controllers. For example:
[Authorize]
public IEnumerable<Item> Get()
{
return itemsService.GetItems();
}
This does not work as intended though. When requesting the resource, you get redirected to a login form. Which is not very suitable for a RESTful webapi.
How should I proceed with this? Will it work differently in future versions?, or should I fall back to implementing my own action filter?
Double check that you are using the System.Web.Http.AuthorizeAttribute and not the System.Web.Mvc.AuthorizeAttribute. This bit me before. I know the WebAPI team is trying to pull everything together so that it is familiar to MVC users, but I think somethings are needlessly confusing.
Set your authentication mode to None:
<authentication mode="None" />
None Specifies no authentication. Your application expects only anonymous users or the application provides its own authentication.
http://msdn.microsoft.com/en-us/library/532aee0e.aspx
Of course then you have to provide some sort of authentication via headers or tokens or something. You could also specify Windows and use the built in auth via headers.
If this site is mixed between API and actual pages that do need the Forms setting, then you will need to write your own handling.
All the attribute does is return an HttpUnauthorizedResult instance, the redirection is done outside of the attribute, so its not the problem, its your authentication provider.
Finally, I've found a solution at:
ASP.NET MVC 4 WebAPI authorization
This article shows how you can fix this issue.
You are being redirected to login page because forms authentication module does this automatically. To get rid of that behavior disable forms authentication as suggested by Paul.
If you want to use more REST friendly approach you should consider implementing HTTP authorization support.
Take a look at this blog post http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-membership-provider/
ASP.NET 5 Introduced the new Microsoft.AspNet.Authorization System which can secure both MVC and Web API controllers.
For more see my related answer here.
Update:
At that time 2 years ago it was Microsoft.AspNetCore.Authorization.
As #Chris Haines pointed out. now it resides on
Microsoft.AspNetCore.Authorization.
From .NET core 1.0 to 2.0 many namespaces have been moved i think.
And spread functionality between .net classic and core was obscure.
That's why Microsoft introduced the .net standard.
.net standard
Also, look at my answer for:
How to secure an ASP.NET Web API
There is a NuGet package I have created which you can use for convenience.
If you're using a Role, make sure you have it spelled correctly :
If your role is called 'Administrator' then this - for instance will not work :
[System.Web.Http.Authorize(Roles = "Administator")]
Neither will this :
[System.Web.Http.Authorize(Roles = "Administrators")]
Oops...
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[Produces("application/json")]
[Route("api/[controller]")]
public class CitiesController : Controller
{
[HttpGet("[action]")]
public IActionResult Get(long cityId) => Ok(Mapper.Map<City, CityDTO>(director.UnitOfWork.Cities.Get(cityId)));
}
Use
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
Filter with authentication type