HTTP access logs - Weird Querystring

BandC
Posts: 5
Joined: 2006/06/17 03:27:08

Post by BandC » 2006/10/07 05:36:13

Hi. While looking at my HTTP access log I noticed something weird. I have a web page, let's call it test.php, which is supposed to be called with a numeric ID querystring parameter, i.e. test.php?ID=123

Looking at logs I noticed that from a couple of particular users it is being called like:

test.php?ID=123ab45jhj5

That is: some (a few) random letters and numbers are being appended to the ID number. Now the first thing I thought was SQL injection, so I made sure I'm checking for type, but this seems to be too short for SQL injection, and the characters appended by this particular request randomly change every request, so it's like 123asb7dhh one time, 123hkj84j another, etc. My question is: should I be concerned about this? Do you know if a particular configuration of the user can do this, such as a possible anonymous browsing tool that the user uses, etc.? I don't know, so I'm just taking wild guesses. Have you seen anything like this?

CentOS 4

jwalden
Posts: 4
Joined: 2007/01/04 19:00:27

Re: HTTP access logs - Weird Querystring

Post by jwalden » 2007/01/04 19:30:42

The extra data could be from a fuzzer, a security testing program that automatically varies inputs to attempt to find vulnerabilities in a program. Most web testing tools like Paros and WebScarab provide fuzzing capabilities.

To prevent it from being a problem, be sure that your program has good whitelist input validation, i.e. if numeric input is all you want for ID, then refuse anything that doesn't match a regular expression like /^[0-9]+$/.
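An added example (not code from either poster) showing both halves of this answer in Python: the whitelist check jwalden describes, and a small scan over access-log lines that reports every request to the script whose ID parameter fails that check, so the "couple of particular users" BandC mentions can be picked out by client address. The log lines, the script path /test.php and the parameter name ID are constructed for the example; the log format assumed is Apache's common/combined format.

```python
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Whitelist for the ID parameter: one or more ASCII digits and nothing else.
# fullmatch() is used instead of ^...$ because in Python "$" also matches
# before a trailing newline, which would let "123\n" through.
ID_RE = re.compile(r"[0-9]+")


def parse_id(raw: Optional[str]) -> Optional[int]:
    """Return the ID as an int when it passes the whitelist, else None.

    Treat None as a bad request and stop there; do not fall back to
    casting the raw string or stripping the junk off the end.
    """
    if raw is None or ID_RE.fullmatch(raw) is None:
        return None
    return int(raw)


# Apache common/combined log line (regex constructed for this example):
# client ident user [timestamp] "METHOD /path?query HTTP/x.y" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})'
)


def malformed_id_requests(lines: Iterable[str],
                          script: str = "/test.php") -> List[Tuple[str, str]]:
    """Return (client, raw_id) for each request to `script` whose ID fails the whitelist.

    The query string is URL-decoded before checking, so "%2D1" is seen as "-1".
    A request to the script with no ID at all is reported with raw_id "".
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a request line in the expected format
        parts = urlsplit(m.group("target"))
        if parts.path != script:
            continue
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        raw = params.get("ID", "")
        if parse_id(raw) is None:
            hits.append((m.group("client"), raw))
    return hits


def clients_by_malformed_count(hits: List[Tuple[str, str]]) -> Counter:
    """Count malformed requests per client address, most persistent first."""
    return Counter(client for client, _ in hits)


# Constructed sample log lines (not from the poster's server).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Oct/2006:05:30:01 +0000] "GET /test.php?ID=123 HTTP/1.1" 200 512
10.0.0.9 - - [07/Oct/2006:05:30:07 +0000] "GET /test.php?ID=123ab45jhj5 HTTP/1.1" 200 512
10.0.0.5 - - [07/Oct/2006:05:30:40 +0000] "GET /index.php HTTP/1.1" 200 1024
10.0.0.9 - - [07/Oct/2006:05:31:12 +0000] "GET /test.php?ID=123hkj84j HTTP/1.1" 200 512
10.0.0.12 - - [07/Oct/2006:05:33:45 +0000] "GET /test.php?ID=%2D1 HTTP/1.1" 200 512
10.0.0.5 - - [07/Oct/2006:05:34:02 +0000] "GET /test.php HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    found = malformed_id_requests(SAMPLE_LOG.splitlines())
    for client, raw in found:
        print(f"{client}\tID={raw!r}")
    print(clients_by_malformed_count(found).most_common())
```

Running the block prints the three clients with their rejected ID values and a per-client tally; on a real server the same functions can be fed the access log directly. The scan deliberately reuses `parse_id`, so what the log review flags is exactly what the application would refuse.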
