URL filtering, issues with URL - networking

I am working on a URL filtering project. I have a database given to me which contains URLs that need to be blocked (e.g. a.b.com/d/e).
I get the URI and domain from the HTTP request. I compare what I get with my database and redirect users without any problem. So far so good.
Problems start with URLs that contain query strings and other URL magic. As an example, if a user enters a.b.com/d/e?junk, what I get won't match my database, and users will bypass my filter and still be able to go to a.b.com/d/e.
I tried some useless actions like slicing everything after special chars like "?,#". But I have problems with URLs like youtube.com/watch?v=12vh55_1ul8, which becomes youtube.com/watch and blocks all of YouTube. That solution causes me more problems.
Now I am very confused about how to handle this problem. Is there any guide or library which I can use in C++?

Try this code:
#include <string>
using std::string;

// get_requsted_uri(), block() and get_and_return_webpage() are placeholders
// for the filter's own request-handling code.
string str(get_requsted_uri());
string str2("http://getaroundfilters.com/article/889/proxy");
if (str.find(str2) != string::npos) {
    block();                        // requested URI contains the blocked URL
} else {
    get_and_return_webpage(str);    // otherwise fetch and serve it as normal
}
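The substring search above still has the problem the question describes: any rule that stores a host and path will be bypassed by appending a query string, and any rule that stores a full YouTube watch URL will not match a request whose parameters are in a different order. The following is an added C++ example, not code from the question or the answer, showing one way to normalize a requested URL (lower-case host, ports and fragments dropped, percent-escapes decoded, dot-segments resolved) and match it against a blocklist where a rule matches on host, path prefix at a segment boundary, and whichever query parameters the rule itself names. The rule list and the URLs it is tried against are constructed for illustration.

```cpp
// Added example (not from the original post): normalize a requested URL and
// match it against a blocklist so that "?junk" appended to a blocked host+path
// does not bypass the rule, while a rule naming query parameters
// (youtube.com/watch?v=...) only blocks that specific resource.
#include <algorithm>
#include <cctype>
#include <map>
#include <string>
#include <vector>

struct Url {
    std::string host;                          // lower-cased, userinfo/port removed
    std::string path;                          // decoded, dot-segments resolved
    std::map<std::string, std::string> query;  // decoded name -> value
};

// Decode %XX escapes; '+' means a space only inside query strings.
static std::string percentDecode(const std::string& s, bool plusIsSpace) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size() &&
            std::isxdigit(static_cast<unsigned char>(s[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(s[i + 2]))) {
            out += static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else if (plusIsSpace && s[i] == '+') {
            out += ' ';
        } else {
            out += s[i];
        }
    }
    return out;
}

// Split "scheme://user@Host:port/path?query#fragment" into normalized parts.
Url parseUrl(std::string raw) {
    Url u;
    size_t p = raw.find("://");
    if (p != std::string::npos) raw.erase(0, p + 3);
    if ((p = raw.find('#')) != std::string::npos) raw.erase(p);  // fragment never reaches the server
    std::string queryStr, pathStr = "/";
    if ((p = raw.find('?')) != std::string::npos) { queryStr = raw.substr(p + 1); raw.erase(p); }
    if ((p = raw.find('/')) != std::string::npos) { pathStr = raw.substr(p); raw.erase(p); }
    if ((p = raw.rfind('@')) != std::string::npos) raw.erase(0, p + 1);  // drop userinfo
    if ((p = raw.find(':')) != std::string::npos) raw.erase(p);          // drop port
    std::transform(raw.begin(), raw.end(), raw.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    u.host = raw;
    // Decode the path first, then resolve "." and ".." so /d/x/../e equals /d/e.
    std::vector<std::string> segs;
    std::string decoded = percentDecode(pathStr, false);
    for (size_t start = 0; start <= decoded.size();) {
        size_t end = decoded.find('/', start);
        if (end == std::string::npos) end = decoded.size();
        std::string seg = decoded.substr(start, end - start);
        if (seg == "..") { if (!segs.empty()) segs.pop_back(); }
        else if (!seg.empty() && seg != ".") segs.push_back(seg);
        start = end + 1;
    }
    u.path = "/";
    for (size_t i = 0; i < segs.size(); ++i) { if (i) u.path += '/'; u.path += segs[i]; }
    // Query: name=value pairs separated by '&'; a bare "junk" becomes junk="".
    for (size_t start = 0; start < queryStr.size();) {
        size_t amp = queryStr.find('&', start);
        if (amp == std::string::npos) amp = queryStr.size();
        std::string pair = queryStr.substr(start, amp - start);
        size_t eq = pair.find('=');
        std::string name = percentDecode(pair.substr(0, eq), true);
        std::string value = eq == std::string::npos ? "" : percentDecode(pair.substr(eq + 1), true);
        if (!name.empty()) u.query[name] = value;
        start = amp + 1;
    }
    return u;
}

// A rule matches when the host is equal, the rule path is a prefix of the request
// path on a segment boundary (/d/e matches /d/e/f but not /d/ef), and every query
// parameter the rule names is present with the same value. Extra parameters are
// ignored, so "?junk" cannot be used to slip past a host+path rule.
bool ruleMatches(const Url& rule, const Url& req) {
    if (rule.host != req.host) return false;
    if (req.path.compare(0, rule.path.size(), rule.path) != 0) return false;
    if (rule.path != "/" && req.path.size() > rule.path.size() &&
        req.path[rule.path.size()] != '/') return false;
    for (const auto& kv : rule.query) {
        auto it = req.query.find(kv.first);
        if (it == req.query.end() || it->second != kv.second) return false;
    }
    return true;
}

bool isBlocked(const std::vector<Url>& rules, const std::string& requested) {
    Url req = parseUrl(requested);
    for (const auto& r : rules) if (ruleMatches(r, req)) return true;
    return false;
}

// Constructed sample blocklist in the same shape as the question's database entries.
std::vector<Url> sampleRules() {
    return { parseUrl("a.b.com/d/e"),
             parseUrl("youtube.com/watch?v=12vh55_1ul8"),
             parseUrl("Blocked.example/") };   // a bare host blocks the whole site
}
```

With these rules, `isBlocked(sampleRules(), "a.b.com/d/e?junk")` and `isBlocked(sampleRules(), "http://A.B.com:80/d/x/../e/more#frag")` are both true, `youtube.com/watch?v=other` is not blocked, and `youtube.com/watch?feature=x&v=12vh55_1ul8` is. Decoding the path before matching deliberately errs on the side of over-matching (`/d/%65` is treated as `/d/e`), which is the safe direction for a blocklist; the database entries themselves are run through the same `parseUrl` so that both sides are compared in one canonical form.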

Related

How to force unencoded url to show in users browser?

I'm using ASP.NET and am looking to redirect users to a page that includes an easily human-readable URL. Every method I've tried takes in the URL and encodes it.
Since none of the parameters are taken into the page or processed in any way, I don't believe there are any security concerns with turning the %20 into a space. If there is an IIS rule this would work on, I would be fine with turning off encoding on this one page, but I can't turn it off for the whole site as this is a special use case.
I've already tried Response.Redirect and Server.Transfer, and I cannot use Literals, as putting the query into the page somewhere could allow an XSS vulnerability.
Expected:
example.com/test?message=Hello World
Actual:
example.com/test?message=Hello%20World
Edit For More Clarity:
<script>
  // Log the current path + query, then the version with %20 turned back into spaces
  console.log(window.location.pathname + window.location.search);
  function replaceAll(str, find, replace) {
    return str.replace(new RegExp(find, 'g'), replace);
  }
  console.log(window.location.pathname + replaceAll(window.location.search, '%20', ' '));
  // Try to push the decoded URL into the address bar
  window.history.pushState(window.location.search, "Title", window.location.pathname + replaceAll(window.location.search, '%20', ' '));
</script>
This will write the current URL to the console, then the URL I'd like to see, but the pushState does not actually update the URL to one without the encoding; it automatically re-encodes it.
I understand this may be impossible, but if someone could explain why then I will at least be able to stop trying so hard to find a solution.
As per Brando Zhang's comment this appears impossible.

Linkedin profile image url giving access denied

I have used Spring Social for integration with LinkedIn.
When the integration completes we save the user's profile image, which has the URL below:
https://media.licdn.com/dms/image/C5603AQHQ0C7xKhQehg/profile-displayphoto-shrink_100_100/0?e=1527508800&v=alpha&t=vkxX_3Uw7qe8d_9ZSqPwQGpwa6nfUmkzMgEKtMdgf1g
But this URL is giving an access denied error. Is there something I am missing?
This may help. As per https://developer.linkedin.com/docs/ref/v2/media-migration:
The new id will be dynamic and can change from time to time. We recommend retrieving at least once every 60 days to update your media-typed URN.
This could be one of the issues you might be facing.
In order to fix this, I save the image to personal storage (AWS S3) the moment it is received.
I looked at the URL of the picture in my public profile and the one returned from the API.
In the picture URL in the XML returned, the params v and t after the ? were separated by &amp ; instead of &:
e.g.
https://media.licdn.com/.../profile-displayphoto-shrink_200_200/0?e=152800"&amp";v=beta"&amp";t=LJTrw_oj9npH06X1u0HjQ
Replacing it with something like:
pictureURL = pictureURL.replaceAll("&amp ;","&");
fixed the issue for me.
Hope this helps
Note that there is an extra space between &amp and ;. It would have formatted otherwise.

changing url for security reason asp.net

I am writing an ASP.NET web application for internal automation, so I am not thinking about SEO or user-friendly URLs. I just want to change the URLs to hide the path, file name and query string. For example, I want this URL "http://test.com/Admin/Create.aspx?id=345&name=pin" to be shown to the user as something else that is not understandable, like an encrypted URL "http://test.com/enc=nidfvegvbervmxvpazxczxcwefve", or to show all URLs in all formats in the same way, like "http://test.com/".
I read some articles about URL rewriting and URL routing. However, I think their methods work in reverse. I mean, when the user writes "http://test.com/products/book", these methods can treat it as "http://test.com/products.aspx?type=book", but I want the user to never see the real URL.
Any idea?
I think what you might be looking for is Server.Transfer - check out:
http://msdn.microsoft.com/en-us/library/540y83hx.aspx
Just encrypt the query string and decrypt it when the page is called.
Something like:
http://www.aspsnippets.com/Articles/Encrypt-and-Decrypt-QueryString-Parameter-Values-in-ASPNet-using-C-and-VBNet.aspx

ASPX URL is broken & Streaming WebService

I'm attempting to create a streaming web service; unfortunately I lack even the overall concept. My idea is to have a method which will return to me a string with the value of the URL of the streaming page.
I've tried many different ways to do this, but none of them worked; I tried using DownloadString, even writing the raw URL, but I always had errors, so I found one way to just make it happen:
[WebMethod]
public string WatchMedia(string title)
{
    Global.Media = title;
    Streaming str = new Streaming(); // Streaming.aspx
    return str.GetURL();
}
Okay so, in my aspx.cs I included this:
internal string GetURL()
{
    // Absolute URL of the current request (already a string, ToString() is redundant)
    return HttpContext.Current.Request.Url.AbsoluteUri.ToString();
}
Don't really ask me about the 'internal'; I'm so tired of trying different ways to get this to work that I just go along with what VS builds for me.
That does give me the URL I thought I wanted, BUT it doesn't work. Why? Because it says, give or take (directly translated):
The request format is not recognized for the unexpectedly terminated URL in /WatchMedia
WatchMedia is the name of my method as seen above.
Now, besides hoping someone can give me a straight answer as to what ridiculous sin I am hurting myself with here, I'd like to know if this is the way for a streaming web service to work. I can't seem to find any real information about video streaming web services on the web, not even Google will tell me!
If you ever have the same problem, just forget creating an object of the aspx page and get the URL raw, by running the page and copying it; then all you have to do is change the localhost port, which you can get from HttpContext.

Open Redirect or Header Manipulation issues from Fortify scan on asp.net

We did a Fortify scan on our ASP.NET application. We found that there are many header manipulation issues. All the issues point to Response.Redirect(). Please have a look at the code below, where I encoded the parameters. Even then, the code below is counted as a header manipulation issue.
string url = "";
int iCount = 0;
foreach (string Name in Request.QueryString.Keys)
{
    iCount++;
    if (iCount > 1)
    {
        url += "&";
    }
    url += Name;
    if (Request.Params[Name] != null)
    {
        url += "=" + AntiXss.UrlEncode(Request.Params[Name]);
    }
}
// Response.Redirect is case-sensitive, and "\T" is not a valid C# escape sequence,
// so the separator before Test.aspx has to be "/".
Response.Redirect(Server.UrlPathEncode(page.root) + "/Test.aspx?" + url);
Can somebody let me know what else needs to change here to resolve the issue?
Take off the Server.UrlPathEncode(page.root) portion and use Server.Transfer() instead of Response.Redirect().
Server.Transfer() transfers the user to another page on the same site and poses little to no danger of accidentally directing someone to another site.
Response.Redirect() is good for when you want to redirect someone to another site.
Also, Fortify doesn't tend to like Request.Params[] due to its possible ambiguity. A careful attacker may be able, on some servers, to send a UTF-7 or non-printing version of a name as one of the request variables and let the name of the variable contain the actual XSS injection, or overwrite the GET-request value with a cookie of the same name. Make sure both the name and value are htmlencoded, and consider using Request.QueryString[parametername] instead of Request.Params[parametername] to avoid more issues with Fortify.
Hopefully this gets you past your Fortify issues!
It appears that Fortify perceives Name as user-defined, and that will trigger the "Manipulation" error. If that's true, try to use a predefined list if possible.
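The two answers above point at the same root cause: the string handed to Response.Redirect() is built from request data, and a Location header assembled that way can be bent into a redirect to another site or, if control characters get through, into additional response headers. The following is an added example, not code from the question or either answer, of the two layers a practitioner would put in front of such a redirect: percent-encode both the parameter name and the value (the question's loop encodes only the value and appends the name raw), then accept only a site-relative target with no control characters. The check is language-agnostic; it is shown here in C++ to match the page's earlier example, and the same rules apply to the string passed to Response.Redirect(). The base page "/Test.aspx" and the parameters are constructed for illustration.

```cpp
// Added example (not from the original post): build a redirect target with both
// parameter names and values encoded, then refuse any Location value that could
// leave the site or inject a header.
#include <cctype>
#include <cstdio>
#include <map>
#include <string>

// RFC 3986 unreserved characters pass through; everything else becomes %XX.
std::string percentEncode(const std::string& s) {
    static const char* hex = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : s) {
        if (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') out += static_cast<char>(c);
        else { out += '%'; out += hex[c >> 4]; out += hex[c & 0x0F]; }
    }
    return out;
}

// Rebuild "?name=value&..." from the parameters, encoding the name as well as the
// value so a crafted parameter name cannot carry '&', '=' or CR/LF into the URL.
std::string buildRedirect(const std::string& page, const std::map<std::string, std::string>& params) {
    std::string url = page;
    char sep = '?';
    for (const auto& kv : params) {
        url += sep; url += percentEncode(kv.first); url += '='; url += percentEncode(kv.second);
        sep = '&';
    }
    return url;
}

// Accept only a site-relative path: it must start with a single '/', must not be
// protocol-relative ("//host" or "/\host", which browsers treat as another site),
// and must contain no control characters, since CR/LF in a Location header would
// let further headers be injected (the header manipulation Fortify reports).
bool isSafeLocalRedirect(const std::string& target) {
    if (target.empty() || target[0] != '/') return false;
    if (target.size() > 1 && (target[1] == '/' || target[1] == '\\')) return false;
    for (unsigned char c : target)
        if (c < 0x20 || c == 0x7F) return false;
    return true;
}

// Returns the Location value to emit, or an empty string when the target must be
// rejected; the caller should then redirect to a fixed safe page instead.
std::string safeRedirectLocation(const std::string& page, const std::map<std::string, std::string>& params) {
    std::string target = buildRedirect(page, params);
    return isSafeLocalRedirect(target) ? target : std::string();
}

int main() {
    std::map<std::string, std::string> params = {{"id", "345"}, {"name", "pin"}};  // constructed input
    std::printf("%s\n", safeRedirectLocation("/Test.aspx", params).c_str());
    std::printf("%s\n", isSafeLocalRedirect("//evil.example/") ? "accepted" : "rejected");
    return 0;
}
```

Because the base page is a fixed literal rather than a value derived from the request, the redirect can never land on another host, which is the property Fortify's rule is looking for; Server.Transfer() avoids the Location header entirely, which is why the first answer suggests it when the destination is always on the same site.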