Logic flaws
A logic flaw occurs when a programmer assumes users will always behave as expected and fails to handle the scenarios in which they don't, for instance:
- The user visits the "payment" page before the "checkout" page.
- The user submits the request by hand (with curl, a proxy or the browser's developer tools) instead of through the HTML form.
A more concrete example: if the developer renders a list of countries with an HTML SELECT tag, they may not check the submitted value on the server, because they expect it to be one of the options in their list. The SELECT only restricts what the browser offers; any value can be put in the request, so the server has to validate it against its own allow-list.
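Added example (not code from the original notes) of the SELECT case above in PHP: the option list the form was rendered from becomes the server-side allow-list, and a value that did not come from that list is rejected instead of used. The country codes, the template path and the hand-crafted input are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original notes. The HTML <select> only
// constrains what the browser offers; the server must check the submitted
// value itself. Run with: php country_check.php
const ALLOWED_COUNTRIES = ['FR' => 'France', 'DE' => 'Germany', 'JP' => 'Japan'];

// Vulnerable: trusts that the value came from the drop-down and uses it as-is.
// A hand-crafted request (curl -d 'country=../../etc/passwd') reaches this code too.
function shippingTemplateVulnerable(array $post): string
{
    return 'templates/shipping_' . $post['country'] . '.php';
}

// Fixed: the value is accepted only if it is exactly one of the keys we rendered.
// is_string() matters because a client can also send country[]=x, which PHP
// turns into an array, not a string.
function shippingTemplateFixed(array $post): ?string
{
    $country = $post['country'] ?? null;
    if (!is_string($country) || !array_key_exists($country, ALLOWED_COUNTRIES)) {
        return null;   // the caller should answer 400, not fall back silently
    }
    return 'templates/shipping_' . $country . '.php';
}

// Constructed inputs: one from the real form, one hand-crafted with curl.
foreach ([['country' => 'FR'], ['country' => '../../etc/passwd']] as $post) {
    printf("%-20s vulnerable: %s\n", $post['country'], shippingTemplateVulnerable($post));
    printf("%-20s fixed:      %s\n", $post['country'], shippingTemplateFixed($post) ?? 'rejected');
}
```

The same rule applies to radio buttons, hidden fields, checkboxes and any other value the page "chooses" for the user: the choice lives in the client and is not a check.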
PHP $_REQUEST logic flaw
The PHP superglobal $_REQUEST is sometimes used instead of $_GET and $_POST. It is a merge of both: which arrays are merged, and which one wins on a conflicting key, is controlled by the request_order ini directive. With the stock php.ini (request_order = "GP") $_GET is loaded first and $_POST on top of it, so $_POST values win; with no php.ini at all, request_order is empty and PHP falls back to variables_order, in which case $_COOKIE is merged as well and overrides both.
It may be used for convenience, for instance when chaining a $_POST form to a previous $_GET form. The problem is that if someone manually adds keys/values to the $_POST body, they overwrite the values in $_GET (or a cookie does, depending on the configuration).
There is a logic flaw if the developer does not re-check values that were checked in a previous step, such as the previous form's $_GET values, and assumes that, having been checked once, they are "safe" now. Every request is a fresh, attacker-controlled input; validation done in step 1 says nothing about what step 2 receives.
Illustration
The first form uses GET. The developer checks the parameter n.
$ curl 'URL/step1?n=5'
In the second form, the user submits a value in a POST form. The developer only checks the new value square.
$ curl 'URL/step2?n=5' -d 'square=36'
But if the user instead sends:
$ curl 'URL/step2?n=5' -d 'square=36&n=6'
then $_REQUEST['n'] is 6, an unchecked value, because the POST value overrides the GET value in the merge while the developer still believes n is the value checked in step 1.
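Added example (not code from the original notes) that models the step1/step2 flow above in PHP so it runs from the command line: buildRequest() reproduces the request_order = "GP" merge that builds $_REQUEST, and step2Vulnerable()/step2Fixed() show the unchecked value getting through and being ignored. The single-digit rule for n and the parameter values are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original notes. Models the step1 -> step2
// flow from the page with plain arrays so it can be run from the CLI:
//   php request_flaw.php
// PHP builds $_REQUEST from $_GET and $_POST according to request_order
// ("GP" in the stock php.ini: GET first, then POST, so POST keys overwrite
// GET keys). array_merge() with the same ordering reproduces that rule.
function buildRequest(array $get, array $post): array
{
    return array_merge($get, $post);
}

// step1: the developer validates n here and assumes it stays valid.
function step1(array $get): void
{
    if (!isset($get['n']) || !ctype_digit($get['n']) || strlen($get['n']) !== 1) {
        throw new RuntimeException('step1: n must be a single digit');
    }
}

// step2 (vulnerable): only the new value is checked; n is read back from the
// merged array, so a POST body can silently replace the value checked in step1.
function step2Vulnerable(array $get, array $post): string
{
    $req = buildRequest($get, $post);
    if (!isset($req['square']) || !ctype_digit($req['square'])) {
        throw new RuntimeException('step2: bad square');
    }
    return sprintf('n=%s square=%s', $req['n'], $req['square']);
}

// step2 (fixed): every value is validated again on every request, and the
// source of each parameter is explicit ($_GET for n, $_POST for square).
function step2Fixed(array $get, array $post): string
{
    step1($get);   // re-validate n, and read it from the query string only
    if (!isset($post['square']) || !ctype_digit($post['square'])) {
        throw new RuntimeException('step2: bad square');
    }
    return sprintf('n=%s square=%s', $get['n'], $post['square']);
}

// Constructed requests matching the curl commands on the page.
$honest = [['n' => '5'], ['square' => '36']];
$attack = [['n' => '5'], ['square' => '36', 'n' => '66']];

foreach ([$honest, $attack] as [$get, $post]) {
    step1($get);   // step1 passes in both cases: the GET value is fine
    echo 'vulnerable: ', step2Vulnerable($get, $post), PHP_EOL;   // attack case prints n=66
    echo 'fixed:      ', step2Fixed($get, $post), PHP_EOL;        // attack case prints n=5
}
```

The durable fix is not "use $_GET instead of $_REQUEST" but "validate on every request": if n has to survive across steps, store the checked value server-side in the session, or re-check it in every handler that uses it.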
Random Notes
Client-Side Logic
While uncommon, if the logic runs client-side (in JavaScript) and only the result is sent to the server, the server has no way to verify how that result was produced, so we can submit whatever result we want.
PHP Register Globals
The register_globals directive is deprecated since PHP 5.3.0 and was removed in PHP 5.4.0; it was enabled by default before PHP 4.2.0. It is mostly encountered on very old installations, or where a developer reproduced the behaviour by hand (extract($_GET), or a loop such as foreach ($_REQUEST as $k => $v) $$k = $v;). Basically, request parameters such as $_GET['param'] are mapped to a variable, e.g. $param in this case. It means we can set, or override, the value of any variable whose name we know, typically one the script tests before initialising it, such as $authorized.
We can also directly edit variables with URL?_SESSION[xxx]=yyy.
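Added example (not code from the original notes) of the register_globals pattern in PHP, using extract() the way legacy code reproduces it; the authorized/username/password names and the hard-coded credentials are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original notes. register_globals itself
// is gone since PHP 5.4, but legacy code often re-creates it with extract()
// or a "$$key = $value" loop; the flaw is identical. Run with: php globals.php

// Vulnerable: the request is turned into local variables before $authorized
// has been initialised, so a request carrying authorized=1 skips the check.
function isAuthorizedVulnerable(array $request): bool
{
    extract($request);   // creates $username, $password ... and anything else the client sent
    if (isset($username, $password) && $username === 'admin' && $password === 'hunter2') {
        $authorized = true;   // hypothetical credentials for the example
    }
    return !empty($authorized);
}

// Fixed: never turn request keys into variables; initialise state before use
// and read exactly the parameters you expect, nothing else.
function isAuthorizedFixed(array $request): bool
{
    $authorized = false;
    $username = $request['username'] ?? '';
    $password = $request['password'] ?? '';
    if (is_string($username) && is_string($password)
        && $username === 'admin' && hash_equals('hunter2', $password)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a legitimate login, and the register_globals-style bypass
// (the equivalent of URL?authorized=1).
$requests = [
    ['username' => 'admin', 'password' => 'hunter2'],
    ['authorized' => '1'],
];
foreach ($requests as $req) {
    printf("%-35s vulnerable=%s fixed=%s\n", http_build_query($req),
        var_export(isAuthorizedVulnerable($req), true),
        var_export(isAuthorizedFixed($req), true));
}
```

When auditing old PHP, grep for extract(, $$ and variable-variable loops over $_GET/$_POST/$_REQUEST: any of them gives a client the same power register_globals did.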
Execution After Redirect (EAR)
It occurs when a user is redirected, but if they don't follow the redirection they can still read the page, because the server keeps executing after sending the redirect.
In PHP, it happens when the developer forgets to call exit (or return) after header('Location: ...'): header() only queues a response header, and any code after it is still executed and its output still sent in the body of the 302 response.
You can use nc or ncat to read the response without following the redirect (curl does the same as long as you don't pass -L; curl -i URL/URI shows both the Location header and the body):
$ nc domain 80
GET /URI HTTP/1.1
Host: domain
Connection: close

The empty line ends the request headers. For HTTPS, use ncat --ssl domain 443 instead.
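Added example (not code from the original notes) of EAR in PHP. The handlers return [status, headers, body] instead of calling header()/echo so the difference is visible from the CLI; /login.php, the user list and the loggedIn flag are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original notes. Each handler returns the
// response as [status, headers, body] so it can be run from the CLI
// (php ear.php); in a real script the header() call and the echo do the same
// thing, and header() on its own does NOT stop execution.
function adminVulnerable(bool $loggedIn): array
{
    $headers = [];
    $status = 200;
    if (!$loggedIn) {
        $headers[] = 'Location: /login.php';   // header('Location: /login.php'); with no exit after it
        $status = 302;
    }
    // Execution continues here whether or not the redirect was issued,
    // so the 302 response carries the protected data in its body.
    $body = json_encode(['users' => ['alice', 'bob'], 'note' => 'constructed sample data']);
    return [$status, $headers, $body];
}

function adminFixed(bool $loggedIn): array
{
    if (!$loggedIn) {
        // header('Location: /login.php'); exit;   <- the exit (or this return) is the fix
        return [302, ['Location: /login.php'], ''];
    }
    $body = json_encode(['users' => ['alice', 'bob'], 'note' => 'constructed sample data']);
    return [200, [], $body];
}

// A browser follows the 302 and never shows the body; a raw client such as
// nc, or curl without -L, prints it.
foreach (['vulnerable' => 'adminVulnerable', 'fixed' => 'adminFixed'] as $name => $fn) {
    [$status, $headers, $body] = $fn(false);   // unauthenticated request
    printf("%-10s HTTP %d %s body=%s\n", $name, $status,
        implode(' ', $headers), $body === '' ? '(empty)' : $body);
}
```

Beyond reading the body, the code after the redirect may also have side effects (database writes, e-mails, file changes), so an EAR is worth checking even when the visible output is empty.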