Are there any security issues regarding the use of class names and/or parameters in the URL?

I have created a simple PHP page router that routes paths, for example:

www.mysite.com/classname/methodname/param1/param2/etc/etc

Are there any dangers in revealing the names of my classes and methods? Or should there be sufficient filtering in the classes' methods to make it not a concern?

Also, my AJAX calls would be routed the same way. To ensure a legitimate AJAX call, could I somehow generate a session token that changes each time the call is made? For example, a random number gets generated in the PHP script that is being accessed by AJAX, which is also sent by the call. If they match then it's an authorised request. The only problem is how would I get them to match?

imperium2335
  • Why not reuse robust, well tested components like Symfony2's [Routing](http://symfony.com/doc/current/components/routing/introduction.html) and [Http Foundation](http://symfony.com/doc/master/components/http_foundation/introduction.html). – ChocoDeveloper Nov 26 '12 at 08:21
  • @ChocoDeveloper Thanks, I know there are many solutions out there already, but I'll understand them and the URL routing concept better if I try to make my own first. – imperium2335 Nov 26 '12 at 09:00
  • You still should check it out. Reading how other people did it will give you lots of ideas. For example, it is common to add something like 'Action' to the method, to prevent the access to public methods that weren't supposed to be accessed via URL. So for example, if you receive 'user/profile', you should create the User class, and call the method 'profileAction'. If you don't add 'Action', an attacker could try calling 'deleteUser', you get the idea. – ChocoDeveloper Nov 26 '12 at 17:50
  • @ChocoDeveloper How would user/profile call profileAction though? – imperium2335 Nov 27 '12 at 05:56
  • 1
    `$class = $class . 'Controller'; $controller = new $class(); $action = $method . 'Action'; $controller->$action();`. Something like that... This way, only a class that ends in 'Controller', with a method that ends in 'Action' can be executed. – ChocoDeveloper Nov 27 '12 at 08:21
  • @ChocoDeveloper +1 I get it, so I could use some kind of obscure word that each of my controller files have. Although obscurity is not security, it's still a good idea. – imperium2335 Nov 27 '12 at 08:37
  • It's not about obscurity, it's about whitelisting the methods you want to be accessible to the world. So all the methods in your class will fail by default when someone tries to access them. You whitelist them by adding the word and making them public (sometimes you also need public methods for internal use, that's why you also need the word). – ChocoDeveloper Nov 27 '12 at 09:50

1 Answer

The biggest security concern is making sure that you are not blindly including the class name, like:

require_once('classes/' . $_GET['class'] . '.php');

The above would be a vulnerable example so be sure to validate the class names or any files that you include so as to avoid a Local File Inclusion vulnerability.

class_exists() won't be enough. I would validate it first so that it only contains a-z. Then use file_exists, class_exists, etc.

I imagine not all of your classes and methods will be used by the public through the routing, so have some system where you check if the router is allowed to access the specified class and method. This could be done a number of ways, for example derive publicly available classes from a base class e.g. BaseController and check if the class being included derives from that, or just keep your controllers in a separate directory to internal classes, and control access within the class as needed.

As for revealing your classes and methods - this is not really a concern, in fact it's how most MVC frameworks work. Make sure you validate everything that comes in as user input.

For your AJAX suggestion, yes that can be done by storing the token in the session, so that you can check if it matches when the call is made. I don't think this would add a great deal of security though. Usually AJAX services give the same data that is available on the page anyway.

MrCode
  • Thanks for that. So to avoid that vulnerability I am ok just using the class_exists() and method_exists() functions in my front-controller? – imperium2335 Nov 26 '12 at 08:20
  • @imperium2335 see my edit: I would check `a-z` then check if the class can be accessed from the URL/router. – MrCode Nov 26 '12 at 08:28
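Putting the answer and the comment thread together (character allowlist on the raw segments, the `Controller`/`Action` suffix whitelist, the base-class check, and an explicit method/arity check before calling), here is an added example of a front controller for the `/classname/methodname/param1/param2` scheme. It is not code from the question or the answer; the controller class, the action and the exception type are hypothetical, and it assumes controllers are either defined in the same file, as here, or reachable through an autoloader that maps `UserController` to a file.

```php
<?php
// Added example, not the poster's code. Hypothetical controller names.
declare(strict_types=1);

abstract class BaseController
{
    // Only subclasses of this class may be reached through the router.
}

final class UserController extends BaseController
{
    // Reachable from the URL as /user/profile/<id>: opted in by the "Action" suffix.
    public function profileAction(string $id): string
    {
        return 'profile of user ' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
    }

    // Public for internal use, but NOT reachable from the URL: no "Action" suffix.
    public function deleteUser(string $id): void
    {
        // ...
    }
}

final class RouteNotFound extends RuntimeException {}

function dispatch(string $path): string
{
    // Split and drop empty segments ("/user//profile" and trailing slashes).
    $segments = array_values(array_filter(explode('/', $path), 'strlen'));
    if (count($segments) < 2) {
        throw new RouteNotFound('missing controller or action');
    }
    $classPart  = array_shift($segments);
    $methodPart = array_shift($segments);

    // 1. Allowlist the raw segments BEFORE they touch the filesystem or the
    //    autoloader: lowercase letters only, as the answer suggests. This is
    //    what stops "../" and any other path or class-name trickery.
    if (!preg_match('/^[a-z]+$/', $classPart) || !preg_match('/^[a-z]+$/', $methodPart)) {
        throw new RouteNotFound('invalid characters in route');
    }

    // 2. Map to the internal naming convention: "user/profile" becomes
    //    UserController::profileAction. Only code carrying both suffixes is reachable.
    $class  = ucfirst($classPart) . 'Controller';
    $action = $methodPart . 'Action';

    // 3. class_exists() alone is not enough (it would also accept built-ins such
    //    as PDO if the suffix were ever dropped), so require the base class too.
    if (!class_exists($class) || !is_subclass_of($class, BaseController::class)) {
        throw new RouteNotFound("no controller for '$classPart'");
    }
    if (!method_exists($class, $action)) {
        throw new RouteNotFound("no action '$methodPart'");
    }
    $ref = new ReflectionMethod($class, $action);
    if (!$ref->isPublic() || $ref->isStatic() || $ref->isConstructor()) {
        throw new RouteNotFound("action '$methodPart' is not callable");
    }

    // 4. Bind the remaining segments positionally and reject a mismatched count
    //    instead of silently calling with too few or too many arguments.
    $n = count($segments);
    if ($n < $ref->getNumberOfRequiredParameters() || $n > $ref->getNumberOfParameters()) {
        throw new RouteNotFound('wrong number of parameters');
    }

    return $ref->invokeArgs(new $class(), $segments);
}

// Constructed sample requests.
echo dispatch('/user/profile/42'), "\n";   // profile of user 42
$rejected = [
    '/user/deleteuser/42',        // no deleteuserAction: suffix whitelist
    '/pdo/query/x',               // PdoController does not exist
    '/../../etc/passwd',          // fails the [a-z]+ allowlist
    '/user/profile/42/extra',     // arity mismatch
];
foreach ($rejected as $bad) {
    try {
        dispatch($bad);
    } catch (RouteNotFound $e) {
        echo "$bad -> rejected: {$e->getMessage()}\n";
    }
}
```

Note the order of the checks: the regex runs first so that nothing attacker-controlled reaches `class_exists()` (and therefore the autoloader) or a `require` statement; the suffix and base-class checks then decide what is exposed, which is a whitelist rather than obscurity, as the comments above say.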
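For the AJAX token the question asks about and the answer describes (generate a value, store it in the session, compare it when the call arrives), here is an added example, not code from either poster. The header name `X-Ajax-Token` and the `$_SESSION` key are assumptions; in a real deployment `session_start()` would have run already.

```php
<?php
// Added example, not the poster's code. Header and session key names are hypothetical.
declare(strict_types=1);

if (PHP_SAPI === 'cli') {
    $_SESSION = [];      // constructed stand-in so the demo runs from the command line
} else {
    session_start();
}

// Call when rendering the page (and again with each AJAX response if the token
// is to change on every call). The token is unguessable because it comes from
// a CSPRNG, and it lives server-side in the session, which is what lets the
// two copies "match".
function issueAjaxToken(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['ajax_token'] = $token;
    return $token;
}

// Call in the endpoint the AJAX request hits. The stored copy is removed before
// the comparison, so a token can be used once only; hash_equals() avoids a
// timing side channel on the comparison itself.
function consumeAjaxToken(?string $presented): bool
{
    $expected = $_SESSION['ajax_token'] ?? null;
    unset($_SESSION['ajax_token']);
    if ($expected === null || $presented === null) {
        return false;
    }
    return hash_equals($expected, $presented);
}

// --- Page side: embed the token so the client-side script can send it back ---
$token = issueAjaxToken();
// <meta name="ajax-token" content="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
// fetch('/user/profile/42', { headers: { 'X-Ajax-Token': token } })

// --- Endpoint side (normally a separate request; simulated here) ---
$_SERVER['HTTP_X_AJAX_TOKEN'] = $token;                      // legitimate call
var_dump(consumeAjaxToken($_SERVER['HTTP_X_AJAX_TOKEN']));   // bool(true)
var_dump(consumeAjaxToken($_SERVER['HTTP_X_AJAX_TOKEN']));   // bool(false): already consumed
var_dump(consumeAjaxToken('not-the-token'));                 // bool(false)

// After a successful check, hand the client a fresh token with the response.
issueAjaxToken();
echo json_encode(['ok' => true, 'token' => $_SESSION['ajax_token']]), "\n";
```

Two caveats a practitioner would add to the answer's remark that this "would not add a great deal of security": the token ties a request to a session (a cross-site request forgery defence), it does not authenticate the user, which the session cookie already does; and a token that changes on every call breaks pages that fire several AJAX requests in parallel, which is why most frameworks use one token per session instead.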