PHP: Location header bypassing

Author: Yani

There’s a trick that lets you bypass a Location redirect, or rather, lets you read what the redirect was supposed to hide.

It works because of how HTTP itself works: a redirect is nothing more than a 3xx status line plus a Location header that the server sends back. The browser follows that header on its own, which is perfectly normal behaviour.

The catch is that the response carrying the header can still have a body. The browser throws that body away and moves on to the new URL, but any client that doesn’t follow redirects (curl without -L, or a proxy such as Fiddler that shows the raw traffic) will show it to you.

This interacts badly with a very common PHP coding mistake: calling header('Location: ...') and assuming the script stops there. It doesn’t. I’ll show you how easy it is to read past such a “redirect” and how to protect yourself against it.

Let’s take this snippet (test.php) for example:

<?php
$loggedIn = false;

// Intended as a gate: anyone who isn't logged in should be sent to /login.
if($loggedIn != true)
   header('Location: /login');

// ...but header() does not stop the script, so this line still runs
// and its output becomes the body of the redirect response.
echo "Welcome to your user control panel.";

You might think this is as foolproof as it gets, but it isn’t. header() only adds a header to the response PHP is about to send (and, for a Location header, sets the status to 302 unless a 201 or 3xx status was already set). It does not stop the script, so the echo on the next line still runs and its output is sent as the body of that 302.

Let’s look at our request through Fiddler:

[Fiddler screenshot: the browser's request to test.php, answered with a 302 to /login]

That looks pretty normal, right? When I navigated to the page I didn’t see anything that was on test.php, and I ended up at /login through a 302 redirect.

But here comes the fun part. Instead of looking at what the browser did, let’s look at the actual HTTP response the server sent for the test.php request:

[Fiddler screenshot: the raw 302 response to test.php, Location: /login, with the page body still present]

As you can see, the header does not protect anything. The status line and the Location: /login header are there, but so is the body: “Welcome to your user control panel.”, and everything else the script would have printed after the header() call. Anything that was supposed to be visible only to logged-in users is readable by anyone who looks at the raw response instead of letting the browser follow the redirect.

The fix is to stop the script right after setting the header. The clearest way is an explicit exit after the header() call:

header('Location: /login');
exit;

The one-liner I use does the same thing; header() returns nothing, so die() simply stops the script before anything else can be printed:

die(header('Location: /login'));

Either way, make sure the exit sits inside the same branch as the header() call: the redirect is only worth anything if nothing after it can run.

This makes the response a bare 302 with a Location: /login header and an empty body:

[Fiddler screenshot: the 302 response to test.php with Location: /login and no body]

Which is far safer. 🙂
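As an added example, not code from the original post: the same page written so that the gate cannot leak. A small redirect helper always exits after queuing the Location header, refuses to fall through into the page if output has already started, and only accepts same-site paths so it can't be turned into an open redirect. It assumes PHP 8.1 or later and a session key named user_id; that key name is my assumption, not something from the post.

```php
<?php
// Added example, not code from the original post. A login gate that cannot
// leak the page body: the redirect helper always stops the script after
// queuing the Location header. Requires PHP 8.1+ (never return type).
// The session key 'user_id' is an assumption made for this example.

declare(strict_types=1);

session_start();

/**
 * Queue a redirect to $target and stop the script.
 *
 * header('Location: ...') only adds a header to the pending response; PHP
 * keeps executing, and anything echoed afterwards is sent as the body of
 * the 302. The exit at the end is what prevents that.
 */
function redirect(string $target, int $status = 302): never
{
    // Accept only same-site paths ("/login"), never "//evil.example",
    // "/\evil.example" or a full URL, so a caller can't be tricked into
    // an open redirect via a user-controlled value.
    if (preg_match('~^/(?![/\\\\])~', $target) !== 1) {
        $target = '/';
    }

    if (headers_sent($file, $line)) {
        // Output already started, so no header can be sent any more.
        // Fail closed: do not fall through into the protected page.
        exit("Cannot redirect: output already started at {$file}:{$line}");
    }

    header('Location: ' . $target, true, $status);
    exit; // nothing after this line runs, so nothing leaks
}

function requireLogin(): void
{
    if (empty($_SESSION['user_id'])) {
        redirect('/login');
    }
}

// The protected page itself: the gate runs before any output.
requireLogin();
echo "Welcome to your user control panel.";
```

To check a page for this yourself, request it with a client that does not follow redirects. curl only follows them when given -L, so with the file served by `php -S localhost:8000`, `curl -i http://localhost:8000/test.php` prints the status line, the headers and whatever body came with them. A bare 302 with a Location header and no body is what you want to see; a welcome message under the headers means the gate leaks.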
