I have a URL, looking below:
www.abc.com/postblog.php?url=xyz
I just want to remove [ postblog.php?url= ]. How i do this. i want my new url look like this:
www.abc.com/xyz
or
www.abc.com/blog/xyz
I am using a windows server, and i am applying both type of file web.config & .htaccess . Which one is worked and how i implement this url formation.
Check this:
https://httpd.apache.org/docs/current/howto/htaccess.html
*In general, you should only use .htaccess files when you don't have access to the main server configuration file.
Related
I was looking into suricata and I could not understand something about configuration file. As in the documentation we need to add our rule file to the suricata.yaml like this:
default-rule-path: /usr/local/etc/suricata/rules
rule-files:
- suricata.rules
- /path/to/local.rules
Should we need write the directory of the local.rules(sample file) ? Or we just keep it as /path/...
Which one is the correct usage?
Thanks in advance
Both are fine. A rule file without a leading / will be loaded relative to the default-rule-path. I will often have a section that looks like:
default-rule-path: /var/lib/suricata/rules
rules-files:
- suricata.rules
- /etc/suricata/rules/local.rules
Where suricata.rules is the output of suricata-update. And local.rules is just a rule file I manually update.
I am trying to fetch all files from a folder in SharePoint. I am looking for all file stored under "Shared%20Ducuments" path.
I am doing a GET request for an URL in Postman: https://{server_name}/sites/{sub_site}/_api/web/GetFolderByServerRelativeUrl('/Shared%20Documents')/Files
But it says:
<m:code>-2147024809, System.ArgumentException</m:code>
<m:message xml:lang="en-US">Server relative urls must start with SPWeb.ServerRelativeUrl</m:message>
My URL path for my SharePoint folder is :
https://{server_name}/sites/{sub_site}/Shared%20Documents/Forms/AllItems.aspx?AD={some extra long random mix of characters at the end}
Try to use this endpoint, prepend /sites/sub_site in GetFolderByRelativeUrl function:
_api/web/GetFolderByServerRelativeUrl('/sites/sub_sitename/Shared%20Documents')/Files
If we have a web page that able to read or delete file (based on name) inside certain folder, for example: 'public/upload/', what kind of filtering we must use to prevent security issues?
For example in Ruby/Sinatra:
file_name = params[:file_name]
base_dir = 'public/upload/'
# prevent user from entering ../../../../../etc/passwd or any other things
file_name.gsub!('../','')
File.delete "#{base_dir}/#{file_name}"
Is it enough?
This kind of filtering is always error prone. However, something that could work, but which I cannot say is bulletproof, would be this:
Preventing Directory Traversal in PHP but allowing paths
Ruby has something like php's "realpath" afaik.
OWASP also has bit on how to prevent path traversal:
https://www.owasp.org/index.php/File_System#Path_traversal
Along with examples of how path traversal can be exploited:
https://www.owasp.org/index.php/Path_Traversal
I have a Java Web App running on Tomcat on which I'm supposed to exploit Path traversal vulnerability. There is a section (in the App) at which I can upload a .zip file, which gets extracted in the server's /tmp directory. The content of the .zip file is not being checked, so basically I could put anything in it. I tried putting a .jsp file in it and it extracts perfectly. My problem is that I don't know how to reach this file as a "normal" user from browser. I tried entering ../../../tmp/somepage.jsp in the address bar, but Tomcat just strips the ../ and gives me http://localhost:8080/tmp/ resource not available.
Ideal would be if I could somehow encode ../ in the path of somepage.jsp so that it gets extracted in the web riot directory of the Web App. Is this possible? Are there maybe any escape sequences that would translate to ../ after extracting?
Any ideas would be highly appreciated.
Note: This is a school project in a Security course where I'm supposed to locate vulnerabilities and correct them. Not trying to harm anyone...
Sorry about the downvotes. Security is very important, and should be taught.
Do you pass in the file name to be used?
The check that the server does is probably something something like If location starts with "/tmp" then allow it. So what you want to do is pass `/tmp/../home/webapp/"?
Another idea would be to see if you could craft a zip file that would result in the contents being moved up - like if you set "../" in the filename inside the zip, what would happen? You might need to manually modify things if your zip tools don't allow it.
To protect against this kind of vulnerability you are looking for something like this:
String somedirectory = "c:/fixed_directory/";
String file = request.getParameter("file");
if(file.indexOf(".")>-1)
{
//if it contains a ., disallow
out.print("stop trying to hack");
return;
}
else
{
//load specified file and print to screen
loadfile(somedirectory+file+".txt");
///.....
}
If you just were to pass the variable "file" to your loadfile function without checking, then someone could make a link to load any file they want. See https://www.owasp.org/index.php/Path_Traversal
I am trying to download multiple files from yahoo finance using wget.
To do that i used a python script to generate a text file with all urls that i need.
When downloading a single file (a csv file) using the following code:
wget ichart.finance.yahoo.com/table.csv?s=BIOM3.SA&a=00&b=5&c=1900&d=04&e=21&f=2013&g=d&ignore=.csv
everything goes OK!
However, when the option -i is added and instead of reading the url directly, but instead reading it from the file, i get the error:
Invalid URL ichart.finance.yahoo.com/table.csv?s=BIOM3.SA&a=00&b=5&c=1900&d=04&e=21&f=2013&g=d&ignore=.csv: Scheme missing
The file that contains the urls is a text file with a single url in each line. The urls are exactly like the one in the first example, but with some different parameters.
Is there a way to correct this?
Thanks a lot for reading!!
To solve the problem I added double-quotes on the links and a web protocol. For example:
"http://ichart.finance.yahoo.com/table.csv?s=BIOM3.SA&a=00&b=5&c=1900&d=04&e=21&f=2013&g=d&ignore=.csv"