How to avoid login trouble for users who saved their password in the browser's built-in password manager after changing the site address?

I'll be changing my website URL soon (e.g. example.net to example.com), and since my website is quite old and many users have saved their passwords in the browser's built-in password manager, I'm afraid they won't be able to log in with autofill after I change the website address.
I know most browsers will let them retrieve their passwords in the settings, but is there any way to let the browser know that the new URL is owned by the same website as the old one? A 301 redirect probably will not make the browser change the saved password URL to the new one, right?
I tried to find anything related to this, but it seems there is no established approach to the problem. Perhaps I'll need to alert the users about the change some days before...
I've tried to search for an established way to solve the problem but couldn't find any.

Related

Hacker (multiple IPs) attacking one page (lib.php) with a variable attached, what to do?

I have in my main website root the file...
lib.php
So hackers keep hitting my website from different IP addresses, different OSes, different everything. The page is redirected to our 404 error page, and this 404 error page tracks visitors using standard visitor tracking analytics to allow us to see problems as they arise.
Below is an example of the landing pages as shown in analytics for the hackers, except that I get about 200 hits per hour. Each link is a bit different, as they are using a variable to set as a page URL to go to.
mysite.com/lib.php?id=zh%2F78jQrm3qLoE53KZd2vBHtPFaYHTOvBijvL2NNWYE%3D
mysite.com/lib.php?id=WY%2FfNHaB2OBcAH0TcsAEPrmFy1uGMHgxmiWVqT2M6Wk%VD
mysite.com/lib.php?id=WY%2FfNHaB2OBcAH0TcsAEPrmFy1uGMHgxmiWVqJHGEWk%T%
mysite.com/lib.php?id=JY%2FfNHaB2OBcAH0TcsAEPrmFy1uGMHgxmiWVqT2MFGk%BD
I do not think I even need the file http://www.mysite.com/lib.php
Should I need it? When I visit mysite.com/lib.php it is redirected to my custom 404 page.
How can I best stop this? I am thinking of using .htaccess, but I'm not sure of the best setup.
This is most probably part of the Asprox botnet.
http://rebsnippets.blogspot.cz/asprox
The key thing is to change your password and stop using the FTP protocol to access your privileged accounts.
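Before deciding what to block, it helps to measure the traffic the question describes from the server's own access log rather than from the 404 page's analytics. The script below is an added example, not code from the question or the answer: it parses Apache combined-format lines, counts requests to /lib.php per source IP and how many distinct id= values each source sent, and reports the busiest sources. The log lines are constructed for the example (the query strings are the ones quoted in the question; the IPs are documentation addresses), and the log format, path and threshold are assumptions you would adjust to your own server.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: three probes from one source, one from another, one ordinary hit.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET /lib.php?id=zh%2F78jQrm3qLoE53KZd2vBHtPFaYHTOvBijvL2NNWYE%3D HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.23 - - [10/Oct/2013:13:55:41 +0000] "GET /lib.php?id=WY%2FfNHaB2OBcAH0TcsAEPrmFy1uGMHgxmiWVqT2M6Wk%VD HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [10/Oct/2013:13:56:02 +0000] "GET /lib.php?id=JY%2FfNHaB2OBcAH0TcsAEPrmFy1uGMHgxmiWVqT2MFGk%BD HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.50 - - [10/Oct/2013:13:56:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.7 - - [10/Oct/2013:13:57:30 +0000] "GET /lib.php?id=zh%2F78jQrm3qLoE53KZd2vBHtPFaYHTOvBijvL2NNWYE%3D HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""


def parse_combined(line):
    """Parse one Apache combined-format line into a dict; return None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so "?id=" still counts as a probe with an (empty) id
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def probe_report(lines, path="/lib.php", min_hits=2):
    """Count hits to `path` per source IP.

    Returns (ip, hits, distinct_ids) tuples, busiest first, for sources with at
    least `min_hits` requests. A high distinct-id count from one IP is the
    signature of the rotating ?id= values quoted in the question.
    """
    hits = Counter()
    ids = defaultdict(set)
    for line in lines:
        rec = parse_combined(line)
        if rec is None or rec["path"] != path:
            continue
        hits[rec["ip"]] += 1
        for value in rec["query"].get("id", []):
            ids[rec["ip"]].add(value)
    return [(ip, n, len(ids[ip])) for ip, n in hits.most_common() if n >= min_hits]


if __name__ == "__main__":
    for ip, n, distinct in probe_report(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {n} hits to /lib.php, {distinct} distinct id values")
```

Run it against your real access log (`probe_report(open("/var/log/apache2/access.log"))`) to see whether the hits come from a handful of addresses worth blocking at the firewall or from a botnet spread across many, in which case, as the answer says, the credential change matters more than any .htaccess rule, and returning a plain 403/410 for the unneeded lib.php avoids redirecting bots into your analytics at all.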

Use htaccess mod_rewrite to hide domain name

I've read a lot about what can be done with mod_rewrite, but I haven't found anything to solve my problem. Maybe it can't be done?
I have a sub-domain on my primary domain that a customer directs users to in order to use one of my programs. The customer doesn't want his customers to see that they are on my domain, and he doesn't want to use an iframe.
So, is it possible for the user to only see www.subdomain/program.php instead of www.subdomain.mydomain.com/program.php?
If you want the browser to show www.subdomain/program.php in its location bar, you need to register the www.subdomain domain name. There is no way to remove bits of the domain name using anything in the htaccess file. For example, if you've registered example.com and you have a server at foo.example.com, and you want to be able to go to http://foo/some/path/index.html, you're out of luck, because the browser is going to attempt a DNS lookup of foo and it will most likely fail unless there happens to be a "foo" server under the DNS search domain. Browsers put a great deal of effort into preventing spoofing of the domain name, since it would be really bad if I were able to spoof my website to show the domain of a bank in a browser's location bar while actually visiting an entirely different website.

Is there any way to tell a browser that this is a bad URL to remember?

I'm sending emails to customers, and I'm providing a custom URL for each which, when they go to it, will log them in.
This is fine, except if they are using a shared browser that will remember the URL.
Is there any way at all to suggest to the browser that it shouldn't remember a URL?
Edit: This question has nothing to do with caching of the page.
Have the link log them in once. Then make them create credentials that let them access the site in the future. What's to stop a random person from typing in the URL and gaining access to the content?
Yes. You can redirect them with a 301 or 302. Then the browser won't save the URL they went to. At least that works with the Mozilla-based browsers, and I would imagine others too.
Another way, though uglier, is to reply with an error and include a body which does a refresh. Whether that works in most browsers? Probably not. However, browsers do not cache pages that return an error (404 Page Not Found would work; you could also use 403 Forbidden).
Other than that, there isn't much you can do. JavaScript does not allow you to tamper with the history anymore...
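The two answers above combine into one pattern: the emailed URL carries a single-use token, the handler for that URL never renders anything and always answers with a redirect, so the only page the browser actually lands on (and offers in its history or autocomplete) is the post-login one, and a token that has been used or has expired cannot be replayed by whoever sees the URL later. The class below is an added example in plain Python, not code from the question or the answers; the route names, cookie attributes, 15-minute lifetime and in-memory storage are assumptions standing in for a real application's session layer.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed policy: an emailed link stops working after 15 minutes


class LoginLinkStore:
    """Issues one-time login tokens and exchanges them for a session on first use."""

    def __init__(self):
        self._pending = {}   # sha256(token) -> (user, expires_at)
        self._sessions = {}  # session id -> user

    @staticmethod
    def _fingerprint(token):
        # Store only a hash: a leaked table cannot be turned back into working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        """Create a fresh token for `user` and remember its hash and expiry."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[self._fingerprint(token)] = (user, now + TOKEN_TTL)
        return token

    def login_url(self, user, base="https://example.com", now=None):
        """The URL that goes into the email (path layout is an assumption)."""
        return f"{base}/login/{self.issue(user, now)}"

    def redeem(self, token, now=None):
        """Handle GET /login/<token>.

        Always answers with a 302 so the tokenised URL itself never renders content:
        the browser ends up on /account (or the login page) and that is what it
        remembers. pop() makes the token single-use whether or not it was valid.
        """
        now = time.time() if now is None else now
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None or entry[1] < now:
            return 302, {"Location": "/login?reason=expired"}
        user, _ = entry
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = user
        return 302, {
            "Location": "/account",
            "Set-Cookie": f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax",
        }

    def user_for_session(self, session_id):
        """Look up the user behind a session cookie (None if unknown)."""
        return self._sessions.get(session_id)


if __name__ == "__main__":
    store = LoginLinkStore()
    url = store.login_url("alice")
    print("emailed:", url)
    print("first visit:", store.redeem(url.rsplit("/", 1)[1]))
    print("second visit:", store.redeem(url.rsplit("/", 1)[1]))
```

Prefer 302 (or 303) over 301 for this hop: a 301 is cacheable by default, so a browser or proxy could remember the redirect and answer later visits to the token URL from cache, which is the opposite of what you want for a link that must stop working after one use.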

OWASP Top 10 - #10 Unvalidated Redirects and Forwards

I read many of the articles on this topic, including the OWASP page and the Google blog article about open redirects...
I also found this question on open redirects here on Stack Overflow, but it's a different one.
I know why I should not redirect... this makes total sense to me.
But what I really don't understand: where exactly is the difference between redirecting and putting this in a normal <a href> link?
Maybe some of the users look at the status bar, but I think most of them are not really looking at the status bar when they click a link.
Is this really the only reason?
Like in this article, where they wrote:
Click here to log in
The user may assume that the link is safe since the URL starts with their trusted bank, bank.example.com. However, the user will then be redirected to the attacker's web site (attacker.example.net) which the attacker may have made to appear very similar to bank.example.com. The user may then unwittingly enter credentials into the attacker's web page and compromise their bank account. A Java servlet should never redirect a user to a URL without verifying that the redirect address is a trusted site.
So, if you have something like a guestbook, where the user can put a link to their homepage, then the only difference is that the link is not redirected, but it still goes to the evil webpage.
Am I seeing this problem right?
From my understanding, it is not the redirect itself that is the problem. The main problem here is allowing a redirect (where the target is potentially controllable by the user) that contains an absolute URL.
The fact that the URL is absolute (meaning it begins with http://host/etc) means that you are unintentionally allowing cross-domain redirects. This is very similar to classic XSS vulnerabilities, whereby JavaScript can be reflected to make cross-domain calls (and leak your domain's information).
So, as I understand it, the way to fix most of these sorts of problems is to make sure that any redirect (on the server) is done relative to the root. Then there is no way for the user-controlled query string value to go somewhere else.
Does that answer your question or just create more?
The main problem is that it's possible for an attacker to make the URL appear trustworthy, as it's actually a URL to a web site the victim trusts, i.e. bank.example.com.
The redirect target does not need to be as obvious as in the example. Actually, the attacker will probably use further techniques to trick both the user and possibly even the web application, if necessary with special encodings, parameter pollution, and other techniques to spoof a legitimate URL.
So even if a victim is so security-conscious as to check a URL before clicking a link or otherwise requesting its resource, all they can verify is that the URL points to the trustworthy web site bank.example.com. And that alone suffices too often.
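The first answer's fix (only ever redirect to a path relative to your own root) and the second answer's warning (attackers lean on encodings that the browser resolves differently from naive string checks) are both captured by one server-side validator. The function below is an added example, not code from the question, the answers or OWASP: it mirrors the browser's own URL preprocessing (tab and newline stripping, backslash treated as slash, any run of leading slashes meaning "another host") before deciding, and accepts only a root-relative path. It goes one step beyond the answer by also allowing an absolute URL when the host is on an explicit allowlist, for the case where a redirect to a second site of your own is genuinely needed. The host names are the ones from the OWASP quote above; `allowed_hosts` and `fallback` are assumed parameters.

```python
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(raw, fallback="/", allowed_hosts=()):
    """Return a redirect target that stays on this site (a root-relative path),
    or an exact https host from `allowed_hosts`, or `fallback` for anything else.

    `raw` is the user-controlled value (e.g. ?next=...). The checks are applied
    to what a browser will see after its own normalisation, not to the raw string,
    so the usual encoding tricks fall into the rejected cases rather than past them.
    """
    if not raw:
        return fallback
    candidate = raw.strip()
    # Browsers delete ASCII tab/newline anywhere in a URL, so "/\t/host" is "//host".
    candidate = candidate.replace("\t", "").replace("\n", "").replace("\r", "")
    # In http(s) URLs a backslash is treated as a slash, so "/\host" is "//host".
    candidate = candidate.replace("\\", "/")
    if not candidate or any(ord(c) < 0x20 for c in candidate):
        return fallback
    if candidate.startswith("//"):
        # "//host", "///host", ... are all scheme-relative references to another host,
        # even though urlsplit() reports an empty netloc for three or more slashes.
        return fallback
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: honour it only for an exact, allowlisted https authority.
        # Comparing the whole netloc rejects userinfo tricks such as
        # "https://bank.example.com@attacker.example.net/".
        allowed = {h.lower() for h in allowed_hosts}
        if parts.scheme == "https" and parts.netloc.lower() in allowed:
            return urlunsplit(("https", parts.netloc.lower(), parts.path or "/",
                               parts.query, parts.fragment))
        return fallback
    if not parts.path.startswith("/"):
        # Not rooted: a bare "foo" would be relative to the current page, and a
        # bare "host:port" form is rejected above as a scheme; be strict here.
        return fallback
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for value in ["/account?tab=1", "//attacker.example.net/", "/\\attacker.example.net/",
                  "http://attacker.example.net/", "https://bank.example.com/login"]:
        print(repr(value), "->", safe_redirect_target(value, allowed_hosts=("bank.example.com",)))
```

Use it as `redirect(safe_redirect_target(request.args.get("next")))` in whatever framework you are on; the point is that the value handed to the Location header is always one this function constructed, never the query string as received.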

Possible for hacker to force redirection from a given domain?

I've got a section on my site which allows users to add a link in their profile to their MySpace account. In order to protect other users, I want to hard-code the domain name (www.myspace.com/) and append the user's (sanitized) input. To me, this seems pretty secure and ensures that it always goes to MySpace.com. However, is there any way a malicious user can append a tag to the end of "www.myspace.com" which redirects it to another site? Or, since the domain name is hard-coded, will anything added after that simply lead to a 404 error?
Thanks
Firstly, you must sanitize the input (as you note). Assuming you do, then if the domain is hard-coded, the link will go to the servers at myspace.com, and it's up to myspace.com to do the right thing with possibly bad input. But it will not be hijacked to another domain.
If you don't sanitize, a user could enter something like
myname" onclick="do_evil_stuff...">...
and that could hijack the link.
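The answer's point is that the hard-coded domain protects the URL's host, while the surrounding HTML attribute is what an unsanitized value breaks out of. The code below is an added example, not the asker's or the answerer's code: `unsafe_profile_link` is the naive concatenation the question describes, `safe_profile_link` validates the handle against a pattern and, independently of that, percent-encodes it for the URL and HTML-escapes it for the attribute, and `anchor_attributes` / `link_target` parse the generated markup back so you can see which attributes and which host the browser would end up with. The handle pattern is an assumption (MySpace's real rules are not on the page); the payload is the one quoted in the answer.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

MYSPACE_BASE = "http://www.myspace.com/"
# Assumed handle policy; tighten it to whatever the target site actually allows.
HANDLE_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def unsafe_profile_link(handle):
    """The naive version from the question: hard-coded domain + raw user input."""
    return '<a href="' + MYSPACE_BASE + handle + '">MySpace</a>'


def is_valid_handle(handle):
    return bool(HANDLE_RE.match(handle))


def safe_profile_link(handle, strict=True):
    """Build the link so the input can neither leave the attribute nor leave the host.

    strict=True rejects anything outside the handle policy; strict=False shows that
    the two encoding layers alone already keep an arbitrary value harmless.
    """
    if strict and not is_valid_handle(handle):
        raise ValueError("not a valid profile handle")
    # Layer 1: percent-encode for the URL (safe="" also encodes "/" and "?", so the
    # value stays inside one path segment of the hard-coded host).
    href = MYSPACE_BASE + quote(handle, safe="")
    # Layer 2: escape for the HTML attribute context.
    return '<a href="' + html.escape(href, quote=True) + '" rel="nofollow noopener">MySpace</a>'


class _FirstAnchor(HTMLParser):
    """Collects the attributes of the first <a> tag, as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def anchor_attributes(markup):
    parser = _FirstAnchor()
    parser.feed(markup)
    return parser.attrs or {}


def link_target(markup):
    """(host, path) the first anchor's href points at, or (None, None) if there is none."""
    href = anchor_attributes(markup).get("href")
    if href is None:
        return None, None
    parts = urlsplit(href)
    return parts.netloc, parts.path


if __name__ == "__main__":
    payload = 'myname" onclick="do_evil_stuff...">...'
    print("unsafe attrs:", anchor_attributes(unsafe_profile_link(payload)))
    print("safe attrs:  ", anchor_attributes(safe_profile_link(payload, strict=False)))
    print("safe target: ", link_target(safe_profile_link("myname")))
```

Note that parsing the markup back confirms the answer's claim about the host: even in the unsafe version the href still points at www.myspace.com, but the injected `onclick` attribute is what hijacks the click, so the attribute escaping matters as much as the hard-coded domain.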
