Developer forum

404 because of security check

Imar Spaanjaars (Dynamicweb Employee)

When I try to sign up for an account here: (removed) I get a 404 back and the account is not created. I think it's caused by the SQL Injection and/or other security checks, but I cannot find out why my request is being rejected. Is any logging done when requests are rejected that may shed some light?

Thanks!


Replies

Nicolai Pedersen

Hi Imar

Right now I get a connection timeout on those URLs, so I cannot see anything.

If you are on a 9.5, the event viewer will have information on SQL injections and Form antispam information. But if that happens, you would get a 404 on first request, and a 403.1 on subsequent requests. You can receive emails when it happens by setting that up on the security page. Rapido uses user creation, and that does work.

You might also want to check the response headers of the 404 - it will in most cases include some kind of information that will indicate what happened - in abbreviated form anyways.

BR Nicolai

Imar Spaanjaars (Dynamicweb Employee)

Thanks Nicolai. We're on 8.9 and the headers reveal this:

X-404-status-by: dw.inj.check
X-check: (?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$)

Looks like something is being rejected because of the regex. All I can find so far in a third-party cookie is %3D which seems like an innocent = symbol to me.

Nicolai Pedersen
This post has been marked as an answer

%3D is URL encoded '='-sign which can be used in SQL injection attacks.

Cannot remember how the scripts are on 8.9, but that one has been modernized quite a bit on later versions.

The issue is that the cookie contains %3d and the word "create" from "create user account", and that gets detected. The only workarounds I see are disabling the check or removing the cookie...

BR Nicolai

Votes for this answer: 2
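To see why the page name trips the check, here is an added Python reproduction (not Dynamicweb's own code) that runs the X-check pattern from the header above over a constructed tracking cookie. It assumes the server-side check is case-insensitive (the thread reports a lowercase "%3d" being caught) and that it is applied to the raw, still URL-encoded cookie value.

```python
import re

# The pattern exactly as reported in the X-check response header above.
DW_INJ_CHECK = (
    r"(?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*"
    r"(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|"
    r"truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$)"
)

# Assumption: the real check ignores case, since a lowercase "%3d" was caught.
CHECK = re.compile(DW_INJ_CHECK, re.IGNORECASE)


def find_injection_trigger(value: str):
    """Return the substring that trips the check, or None if the value passes."""
    m = CHECK.search(value)
    return m.group(0) if m else None


def scan_cookie_header(cookie_header: str) -> dict:
    """Run the check over every cookie in a raw Cookie header.

    Returns {cookie name: matched text} for the cookies that would be rejected,
    which is the diagnostic the 404 itself does not give you.
    """
    hits = {}
    for part in cookie_header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        hit = find_injection_trigger(value)
        if hit:
            hits[name.strip()] = hit
    return hits


# Constructed sample: a third-party tracking cookie storing the URL-encoded
# landing page name "create-user-account" right after an encoded "=" (%3D).
BLOCKED_COOKIE = "session=abc123; _trk=landing%3Dcreate-user-account%3Bvisits%3D2"
# The same cookie after renaming the page to "new-account" (Charles' workaround).
RENAMED_COOKIE = "session=abc123; _trk=landing%3Dnew-account%3Bvisits%3D2"

if __name__ == "__main__":
    print(scan_cookie_header(BLOCKED_COOKIE))   # {'_trk': '%3Dcreate-'}
    print(scan_cookie_header(RENAMED_COOKIE))   # {}
```

The false positive is structural: the regex only needs an encoded delimiter followed by any SQL keyword, and a page name like "Create User Account" supplies the keyword as soon as a tracking script URL-encodes it into a cookie.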
Imar Spaanjaars (Dynamicweb Employee)

Alright, thank you! We'll investigate our options and do one or the other...

Charles Johnson

Thanks!

I renamed the page to "New Account", and that fixes this issue. The information in Imar's post above is enough for me to provide guidance to our Marketing team about page names to avoid going forward, but is that documented anywhere else? Or is the new script more robust, and wouldn't catch this type of issue?

Thanks!
Charles

Nicolai Pedersen

Hi Charles

Great workaround - well spotted. Yes, it is an issue we have seen in recent solutions - that tracking scripts start to contain a lot of nasty stuff. Later versions of Dynamicweb 9 have their security checks updated and are not affected by this. I just merged the updated cookie injection checks to DW8 from DW9, TFS#59948. So we can give you an update if required.

BR Nicolai
