6

I scanned my login script using SQL Inject Me Firefox addon

According to the test results, my script was vulnerable to SQL injection. Results, for example:

Results:
Server Status Code: 302 Found
Tested value: &#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49
Server Status Code: 302 Found
Tested value: 1' OR '1'='1
Server Status Code: 302 Found
Tested value: 1 UNI/**/ON SELECT ALL FROM WHERE
Server Status Code: 302 Found
Tested value: %31%27%20%4F%52%20%27%31%27%3D%27%31

My script

  1. login.php - Login form
  2. check-login.php - Checks the login details; here is the code.

    $email = clean($_POST['username']);
    $pass = clean($_POST['password']);
    $user = "select * from tbl_admin where admin='$email' and pass='$pass'";

    // some code

        $_SESSION['login_mes'] = "You have successfully logged in !";
        header("Location:admin.php");
        exit();

    } else {

        $_SESSION['login_mes'] = "Invalid email address or password, please try again.";
        header("Location:login.php");
        exit();
    }

The problem came when the login failed. If I remove the

    } else {

        $_SESSION['login_mes'] = "Invalid email address or password, please try again.";
        header("Location:login.php");
        exit();
    }

no failures are detected by SQL Inject Me. How do I fix this part?

Jon Seigel
wow

4 Answers

9

302 is the server's way of saying "I want you to go to [somewhere else]" (in this case login.php). It is not an error but a perfectly normal response. Especially in your case it makes much more sense (if you ask me) to send the user to a login page after a SQL injection attempt than to let him in.

Fredrik
2

Four years later but I was just looking into this question and thought that I would share for the next person.

After some analysis, we concluded that the 302 is in itself not a concern. The concern is what page preceded the 302, which might have been sent but was swept away by the 302 before it could be displayed. If the previous page received by the browser (and perhaps recorded by Fiddler) contained database errors (or other information that a hacker might find useful), then that is bad. If the 302 is the initial response and it has an empty body, just a header, then I think that you are OK.

You have to display the error page (the purpose of the 302) so I don't see how that could be considered "too much information".

Mike Jr
  • Yes. In my site, the 302 was redirecting to an error page which was showing the error message. It was leaking information in the sense that tsql statement was revealed, but didn't seem to expose my site to injection. – terphi Sep 09 '14 at 23:03
1

"// some code" doesn't help much, but the problem may be with this clean(). Try mysql_real_escape_string() instead.

Edit: As said above, a 302 code means "you are being forwarded". It doesn't mean the SQL injection was successful, but it doesn't mean it wasn't either. In this case you will only know if you can determine where this 302 is forwarding you, to "admin.php" or "login.php".

Havenard
  • The clean function is working fine. The problem came after } else { – wow Aug 16 '09 at 06:09
  • we also know it wasn't successful and that the redirect was to login.php (because it is when he removes that particular header("Location:...") the 302 is no longer detected. Having a 302 as an indication of successful SQL injection is a rather braindead idea imho, I wonder what they were thinking. – Fredrik Aug 16 '09 at 06:32
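The fix the question asks for, as an added example that is not code from the question or from Havenard's answer: the question's concatenated query next to a PDO prepared statement, both run against the same payload from the SQL Inject Me results. It assumes PHP with pdo_sqlite enabled; an in-memory SQLite database stands in for MySQL, the table and column names come from the question, and the sample admin row is constructed.

```php
<?php
// Added example: the question's concatenated query vs. a PDO prepared statement.
// Assumption: pdo_sqlite is available; in-memory SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tbl_admin (admin TEXT, pass TEXT)");

// Constructed sample row. A password hash replaces the plaintext the question stores.
$ins = $db->prepare("INSERT INTO tbl_admin (admin, pass) VALUES (?, ?)");
$ins->execute(['admin@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);

// The payload listed in the question's scan results, submitted in both form fields.
$email = "1' OR '1'='1";
$pass  = "1' OR '1'='1";

// 1. The question's approach: the values are interpolated into the SQL text.
//    The quote in the payload closes the string literal and the trailing
//    OR '1'='1' makes the WHERE clause true for every row, so the
//    attacker is matched against the admin row without knowing a password.
$vulnerable = "select * from tbl_admin where admin='$email' and pass='$pass'";
$matched = count($db->query($vulnerable)->fetchAll());
echo "concatenated query matched $matched row(s)\n";

// 2. The fix: bind the value instead of escaping it. The driver sends it as
//    data, never as SQL, so the payload is compared literally with the admin
//    column and matches nothing. (mysql_real_escape_string() depends on the
//    connection charset and on the old mysql extension, which PHP 7 removed.)
$sel = $db->prepare("SELECT admin, pass FROM tbl_admin WHERE admin = ?");
$sel->execute([$email]);
$row = $sel->fetch(PDO::FETCH_ASSOC);
$granted = ($row !== false) && password_verify($pass, $row['pass']);
echo "prepared statement with payload: " . ($granted ? "granted" : "denied") . "\n";

// The same code path still accepts the real credentials.
$sel->execute(['admin@example.com']);
$row = $sel->fetch(PDO::FETCH_ASSOC);
$granted = ($row !== false) && password_verify('correct horse', $row['pass']);
echo "prepared statement with real credentials: " . ($granted ? "granted" : "denied") . "\n";
```

Fetching by username alone and verifying the hash in PHP also removes the password value from the query entirely, so the second field can never influence the SQL.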
0

Some penetration testing tools prefer servers to return no error messages or at least very generic messages. For example, on the SQL Inject Me page it says

The tool works by sending database escape strings through the form fields. It then looks for database error messages that are output into the rendered HTML of the page.

So perhaps when it sees the 302 response code, it assumes that your app is returning too much information. You can test this theory by setting a different status code for your response and seeing if SQL Inject Me still gives an error, like so:

    header('HTTP/1.1 404 Not Found');

Of course, sending them a 404 won't help your user find their way back to the login page, so you may have to experiment with other 3XX messages, perhaps 303 or 307.

james.garriss