I've a problem with an htaccess redirect.
In my Google Search Console I've found this link
http://www.example.com/index.php?id=10&L=2%27%2520AnD%25201%253D1--
that returns error 403.
"index.php" doesn't exist on my website and I want to write a rule that redirects this link to the homepage.
The problem (in my opinion) is that in this URL there is an "=" symbol without an "*&var*" before it.
The decoded version of the url is
http://www.example.com/index.php?id=10&L=2' AnD 1=1--
If I remove (manually) the "=" symbol (or its encoded version "*%253D*") my htaccess works perfectly.
Thanks
Lorenzo
**ADD NEW DETAILS**
OK, for the URL that has 1=1 it's probably SQL injection.
But I've also found links like
http://www.example.com/index.php?eID=tx_cms_showpic&file=uploads%252Fpics%252FIMG_5213.jpg&width=800m&height=600m&bodyTag=%253Cbody%2520style%253D%2522margin%253A0%253B%2520background%253A%2523fff%253B%2522%253E&wrap=%253Ca%2520href%253D%2522javascript%253Aclose()%253B%2522%253E%2520%257C%2520%253C%252Fa%253E&md5=edc3c713d0e239f8a7e786cf52f29774
that decoded is
http://www.garnicristin.com/index.php?eID=tx_cms_showpic&file=uploads/pics/IMG_5213.jpg&width=800m&height=600m&bodyTag=<body style="margin:0; background:#fff;">&wrap=<a href="javascript:close();"> | </a>&md5=edc3c713d0e239f8a7e786cf52f29774
I'm not sure that is an older version of the website (I did not make the older version), and the problem is the same: the "=" symbol in the URL.
AnD 1=1-
This looks like a lame attempt at a SQL injection attack. The fact that your server returned a 403 ("Forbidden") error might mean that a security module in your web server detected the attempt, and served the error.
In that case, I would not add a rule trying to cater to these requests.
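As an added illustration (not part of the question or the answer above), the following Python shows what a server-side check sees in the URL quoted in the question: the query value is URL-encoded twice, so a rule matching a literal "=" never sees one, while a check that decodes fully flags the tautology probe. The marker regex is a deliberately small stand-in for what a real security module does.

```python
"""Added example: decode the double-encoded query string from the question and
flag the SQL-injection-style marker, which is what a 403 from a security module
would have been triggered by."""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# URL quoted in the question (example.com placeholder as on the page).
SUSPICIOUS_URL = "http://www.example.com/index.php?id=10&L=2%27%2520AnD%25201%253D1--"

# Crude marker for a "' AND 1=1--" style probe; a real WAF uses far richer rules.
SQLI_MARKER = re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+\s*--", re.IGNORECASE)


def decode_layers(value: str, max_layers: int = 3) -> List[str]:
    """Return the value after each URL-decoding pass until it stops changing.
    Index 0 is the raw input; the last element is the fully decoded value."""
    layers = [value]
    for _ in range(max_layers):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def suspicious_params(url: str) -> Dict[str, str]:
    """Map each query parameter to its fully decoded value when it matches the marker."""
    hits: Dict[str, str] = {}
    # parse_qsl performs one decoding pass itself; decode_layers does the rest.
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        fully_decoded = decode_layers(raw)[-1]
        if SQLI_MARKER.search(fully_decoded):
            hits[name] = fully_decoded
    return hits


if __name__ == "__main__":
    for param, value in suspicious_params(SUSPICIOUS_URL).items():
        print(f"{param}: {value!r}")
```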
I am new to this topic. I have deployed my app to Azure (following the tutorial from Autodesk). When I try to press the login to BIM360 it returns an error 500 (Internal Server Error). I have changed the FORGE_CALLBACK_URL = "htttp://forgeSample1234.azurewebsite.net/api/forge/callback/oauth"
The code has no problem when in localhost.
Does anyone have the same problem?
Please note that when updating the callback URL, you actually have to change it in two places:
in your code (that's typically the FORGE_CALLBACK_URL)
in your Forge app page in https://forge.autodesk.com/myapps
And of course, the URL has to match exactly in both places.
Also, it looks like there might be a typo in your URL: you say htttp instead of http, and I'm also wondering if you shouldn't be using https?
I am getting the error IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Payload.Nonce was not null.
https://testing.demo.com/message=IDX21323:%20RequireNonce%20is%20'[PII%20is%20hidden]'.%20OpenIdConnectProtocolValidationContext.Nonce%20was%20null,%20OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce%20was%20not%20null.%20The%20nonce%20cannot%20be%20validated.%20If%20you%20don't%20need%20to%20check%20the%20nonce,%20set%20OpenIdConnectProtocolValidator.RequireNonce%20to%20'false'.%20Note%20if%20a%20'nonce'%20is%20found%20it%20will%20be%20evaluated.
I checked other SO links and found this issue is related to a redirect URI mismatch, e.g. if you have one URL in the code but a different one in Azure.
For me the Redirect URI is the same for both, i.e. in code and Azure. Moreover, I registered one application with two redirect URIs (http://localhost:11111/ and https://testing.demo.com). So when I am running locally using localhost it's working fine, but when I use https://testing.demo.com I get the IDX21323 error on my system, whereas on a different system it's in a loop.
https://login.microsoftonline.com/{tenantID}/oauth2/authorize?client_id={client ID}&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fte%{tenant ID}%2foauth2%2fauthresp&response_type=id_token&response_mode=form_post&nonce={nonce 1}state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6qswsdwdY2OTAtNzlk
The above URL remains the same but only the nonce gets changed every time.
So is it because I have kept two redirect URIs for the same application? Do I need to create two different applications, one for localhost (Redirect URI - http://localhost:11111) and another for Dev (Redirect URI - https://testing.demo.com)?
Your expertise matters.
Thanks!!
It's always recommended to use different applications for development and production, mainly from a security and isolation point of view.
Your redirect_url seems to be wrong; it's pointing to the tenant itself and hence in a loop. The redirect_uri below should be your app's reply URL - http://localhost:11111 or https://testing.demo.com:
https://login.microsoftonline.com/{tenantID}/oauth2/authorize?client_id={client ID}&redirect_uri=http://localhost:11111/&response_type=id_token&response_mode=form_post&nonce={nonce 1}state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6qswsdwdY2OTAtNzlk
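The following Python is an added example (not from the question or the answer) that checks an authorize request the way a reviewer would check the two URLs above: the redirect_uri must be one of the reply URLs registered for the app, compared exactly, and must not point back at the identity provider. The URLs are constructed from the thread with its brace placeholders kept verbatim and the state value replaced by a {state} placeholder.

```python
"""Added example: sanity-check an OpenID Connect authorize request's redirect_uri
against the reply URLs registered for the app."""
from typing import List
from urllib.parse import parse_qs, urlsplit

# Reply URLs as the question says they were registered in Azure.
REGISTERED_REPLY_URLS = ["http://localhost:11111/", "https://testing.demo.com"]

# Constructed from the looping URL in the question; placeholders kept as posted.
LOOPING_URL = (
    "https://login.microsoftonline.com/{tenantID}/oauth2/authorize?client_id={client ID}"
    "&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fte%{tenant ID}%2foauth2%2fauthresp"
    "&response_type=id_token&response_mode=form_post&nonce={nonce 1}&state={state}"
)
# Constructed from the corrected URL in the answer.
CORRECTED_URL = (
    "https://login.microsoftonline.com/{tenantID}/oauth2/authorize?client_id={client ID}"
    "&redirect_uri=http://localhost:11111/"
    "&response_type=id_token&response_mode=form_post&nonce={nonce 1}&state={state}"
)

REQUIRED_PARAMS = ("client_id", "redirect_uri", "response_type", "nonce", "state")


def check_authorize_request(url: str, registered: List[str]) -> List[str]:
    """Return the problems found in the request; an empty list means it looks sane."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    problems = [f"missing {name}" for name in REQUIRED_PARAMS if name not in params]
    redirect_uri = params.get("redirect_uri", [""])[0]
    if redirect_uri:
        # A reply URL on the identity provider's own host sends the response back
        # to the IdP instead of to the app, which is the loop the answer describes.
        if urlsplit(redirect_uri).netloc.lower() == parts.netloc.lower():
            problems.append("redirect_uri points back at the identity provider (loop)")
        # The provider compares reply URLs exactly, so we do too (no normalising).
        if redirect_uri not in registered:
            problems.append("redirect_uri is not one of the registered reply URLs")
    return problems


if __name__ == "__main__":
    for label, url in (("looping", LOOPING_URL), ("corrected", CORRECTED_URL)):
        print(label, check_authorize_request(url, REGISTERED_REPLY_URLS) or "ok")
```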
I want to host a Netlify website where you can search for specific users. Currently it's like this: https://example.com/users?q=exampleuser (it's https://example.com/users.html but pretty-URL'ed).
But what I want is to make the URL query pretty. So the end result should be https://example.com/users/exampleuser, but it should still be a URL query so the JavaScript can make calls based on the query.
e.g.:
https://example.com/users?q=test123 to
https://example.com/users/test123
https://example.com/users?q=example456 to
https://example.com/users/example456
The rewrite rule will work with:
/users q=:q /users/:q 200
When you navigate to https://example.com/users?q=exampleuser, you must have an existing endpoint at https://example.com/users/exampleuser/ or it will give a 404 status code, but will still rewrite the original path.
Note: If you have an existing endpoint at /users/ this method will not fallback if the rewrite path has an invalid endpoint. Meaning you can't fallback to /users/ endpoint if the query path is an invalid endpoint.
Using IIS rewrite is great, but how does the module interpret a hash sign in the URL?
This works:
/fromurl;/anotherurl
But this does not:
/fromurl#;/anotherurl
How do I "output escape" a hash sign in the from URL?
I'm pretty sure the hashmark isn't sent to the server, so the rewrite module can't react to it.
This means that /fromurl and /fromurl# would result in the same url (as seen by the server)
I'm trying to combine several tutorials about CodeIgniter and Bootstrap and understand their code so I can integrate it in my project. What I am trying to do right now is create a login form using the two frameworks.
I set up my View according to the tutorial included in CodeIgniter, 'user_guide/tutorial/static_pages.html': my landing page, named 'home.php', is inside the folder 'pages', and header.php and footer.php are inside the 'templates' folder. I also created a controller: Page.php.
I also use .htaccess to hide 'index.php'. Now I am following this tutorial on how to create a login page:
http://learnjquerybootstrap.blogspot.com/2015/01/login-session-using-codeigniter-and-bootstrap.html?m=1
- the only difference is this, since I use .htaccess:
<?php echo form_open('clogin/index'); ?>
But when I try to submit the page I receive a: 404 page not found.
My navbar links are working fine. I understand that CodeIgniter works like this:
http://localhost/myfolder/index.php/class/function/
so when I submit my form the URL that shows up is:
http://localhost/myfolder/clogin/index
and gives me: 404 page not found.
Question:
What is wrong with it?
Is there something wrong with the tutorial I am using? I checked other tutorials and the controller structure is just the same, like on this link:
http://www.kodingmadesimple.com/2014/08/how-to-create-login-form-codeigniter-mysql-twitter-bootstrap.html
Do I need to include clogin.php in route.php?
Or is it about the .htaccess? My uri_protocol is configured as 'REQUEST_URI' in config.php. I tried other options but still the same.
No need to include it in the route.
I recommend a ready auth library.
If you use DevTools in your browser, maybe the "Network" tab can help you see why you get the 404 error.
I already figured it out. The mistake was in route.php: since I tried to combine two examples, I realized that the wildcard route I included from the CodeIgniter user guide will not work with Clogin.php.
Since it was set as
$route['(:any)']='pages/view/$1';
So the url works as
http://localhost/myfolder/pages/view/clogin
instead of
http://localhost/myfolder/clogin.
I removed it and now it is working.
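As an added example (not CodeIgniter's own code and not from the thread), the following Python models how an ordered route table behaves: routes are tried in order, the first match wins, and $1 is filled from the captured segment. It shows why the tutorial's catch-all swallowed clogin, and that putting a specific route before the catch-all is an alternative to removing it. The placeholder table assumes the older CodeIgniter translation of (:any) to a match-anything group; CodeIgniter 3 narrows (:any) to a single segment.

```python
"""Added example: a minimal ordered router that mimics CodeIgniter's first-match
routing, to show a catch-all route shadowing a specific controller."""
import re
from typing import List, Tuple

# Assumed placeholder translation (CodeIgniter 2 style; CI3 uses [^/]+ for :any).
PLACEHOLDERS = {"(:any)": "(.+)", "(:num)": "([0-9]+)"}


def resolve(uri: str, routes: List[Tuple[str, str]]) -> str:
    """Return the controller/method path the URI is routed to.
    routes are (pattern, target) pairs tried in order; the first full match wins
    and $1, $2, ... in the target are replaced by the captured groups."""
    uri = uri.strip("/")
    for pattern, target in routes:
        for placeholder, regex in PLACEHOLDERS.items():
            pattern = pattern.replace(placeholder, regex)
        match = re.fullmatch(pattern, uri)
        if match:
            result = target
            for index, group in enumerate(match.groups(), start=1):
                result = result.replace(f"${index}", group)
            return result
    # No route matched: the segments themselves name the controller and method.
    return uri


# Routes as the asker had them: only the catch-all from the static_pages tutorial.
ROUTES_WITH_CATCH_ALL = [("(:any)", "pages/view/$1")]

# Alternative to removing the catch-all: list the login controller routes first.
ROUTES_SPECIFIC_FIRST = [
    ("clogin", "clogin/index"),
    ("clogin/(:any)", "clogin/$1"),
    ("(:any)", "pages/view/$1"),
]

if __name__ == "__main__":
    for uri in ("clogin", "clogin/index", "about"):
        print(uri, "->", resolve(uri, ROUTES_WITH_CATCH_ALL),
              "|", resolve(uri, ROUTES_SPECIFIC_FIRST))
```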