Uses of Magic URL (Mod_Rewrite)

CHEW KHA SON

School of Computer Sciences UniversitiSains Malaysia, Pulau Pinang CST233Information Security and Assurance Academic Session: 2011/12 Assignment 1 White Paper Tittle: Uses of Magic URL (Mod_Rewrite) NAME: CHEW KHA SON NO.MATRIC: 110922 LECTURER NAME: DR AMAN JANTAN

1|Page

Uses of Magic URL (Mod_Rewrite)

CHEW KHA SON

Table of Contents:
Tables of Content Introduction How the Magic URL (mod_rewrite) works? Why use mod_rewrite? Problem of the site without mod_rewrite Installing Magic URL (mod_rewrite) How to check on the mod_rewrite is installed on the Apache web server? URL rewrite steps Method 1: URL redirect Method 2: Mod_rewrite in regular expression (Clean URL) Demo run in Apache XAMPP The End Reference
1 2 3 4 6 8 8 9 9 10 12 13 14

2|Page

Uses of Magic URL (Mod_Rewrite)

CHEW KHA SON

Introduction This paper provides you with the basic skills to apply or uses of Magic URL on website. Basically, Magic URL is a module named as mod_rewrite by Apache web server, which supports an unlimited number of rules and an unlimited number of attached rule conditions for each rule, to provide a really flexible and powerful URL manipulation mechanism. Besides, the URL manipulations can depend on various tests, of server variables, environment variables, HTTP headers, or time stamps. Even external database lookups in various formats can be used to achieve highly granular URL matching. For example, the URL is send to a web server in such a way that the link is dynamically modified at the server to include additional parameters and information along with a server initiated redirection. The web server will performs all these manipulations on the fly so that the browser is kept out of the loop regarding the change made in URL and the redirection. Simply, mod_rewrite can benefit web based applications by providing better security and friendliness with Search Engines and helps in keeping the structure of the website more easily to maintain for future changes.

3|Page

Uses of Magic URL (Mod_Rewrite)

CHEW KHA SON

How the Magic URL (mod_rewrite) works? It all begins with the user making a request to your server. They type a URL into their browsers address bar, their browser translates the URL into an HTTP request to send to the server, Apache receives that request, and then parses it into pieces. Below is the flow of mod_rewrite works on.

HTTP method such as POST, GET and so on are %{REQUEST_METHOD}

Protocol used %{REQUEST_PROTOCOL}

GET/customer_detail.php?cusId=abu HTTP/

Requested resource %{REQUEST_URL}

Query portion %{QUERY_STRING}

http://example.com/customer_detail.php?cusId=abu

This URL will display at browser

4|Page

Uses of Magic URL (Mod_Rewrite)

CHEW KHA SON

Why use mod_rewrite? Simply, mod_rewrite is used for rewriting a URL at the server level, after process the URL will redirect to the page that user require. The URL that after rewrite into other format which will be safer, user friendly and easy the search engine for search. Why I said the URL after rewrite is user friendly? For instance, the URL that not rewrite by server is like, http://e-learning.cs.usm.my/course/view.php?id=123, so when users want to access this site, user need type the full URL to gain access to this site. If every time users want access to this website user needs type in full URL then will make user feel very tedious, so mod_rewrite is the solution for the end user. For example, the URL after rewrite by server, it will become like this URL, http://e-

learning.cs.usm.my/course/cst_233. As you can see, the URL is more users friendly and descriptive because the user can easily identify this URL from browser address bar if they have already visited this URL.

Besides, it also can improve the searching speed of search engines, which can save internet bandwidth. It can improve searching speed because of the URL not contain operator ?, = and &. The URL length is short and the word cst_233 is match with the URL, so it can improve the searching speed.

Mod_rewrite can improve the security of website. Why I said like that, because the attacker or hacker cannot predict the variable and the value used for developing this URL, which can prevent them from discovering query strings that could compromise the site. For example, if the attacker knows the variable and the value of the URL, it can

5|Page

Uses of Magic URL (Mod_Rewrite)

CHEW KHA SON

access easily to page. Normally, website POST or GET the id to display the data, if the web designer, didnt rewrite URL to other format or hide the variable and value, it will let the attacker gain access to website easily.

Sometimes, the attacker using technique hotlinking. That mean the attacker tried using victim bandwidth by putting the image hosted on victim server then linked to their website. If the attackers always do like this, then the victim website bandwidth will exhausted faster and quota of website will reached, so the site will become very slow.

6|Page

Uses of Magic URL (Mod_Rewrite)

CHEW KHA SON

Problem of the site without mod_rewrite A website that without using the mod_rewrite to rewrite the URL to other form is not secure at all, because of the URL is exploiting to user or hacker. Many web-based programmers didnt do this kind of thing on the website, so the website is not secure at all. The URL that without rewrite to other format is like below, http://www.abc.com/productinfo.php?pid=33 As we can see, this URL is used to display the product information with the product Id from website abc.com, so this is not secure. For normal end user this link is useful, but for the hackers that want to hack this website is very useful, because the hacker can use technique SQL injection to hack the site by product Id. One of the ways is use the product Id and gain access to the administrator page by a username and password. Below is a simple SQL injection hack to get a data (Ref: http://www.youtube.com/watch?v=0z1rt9Y-ON0).

1. Firstly,

the

hacker

can

type

in

http://www.abc.com/productinfo.php?pid=-

33%20union%20select%201,2,3,4,@@version to check the SQL version. SQL version

7|Page

Uses of Magic URL (Mod_Rewrite)

CHEW KHA SON

2. Then type in Union SELECT 1,2,3,4, GROUP_CONCAT(column_name) from information_schema.columns where table_schema=database(). This query is used to group the entire table from information_schema then display out.

3. After hackers know about the column inside in the table, hackers can easily get the data from the database. Next hackers need to do is change the previous query to UNION SELECT 1,2,3,4,5,concat(username,0x3a,password) from adminlogin/*,7,8,9 from information_schema.columns where table_schema=database()then we will get the data. Username and password

4. Lastly, hacker can this username and password to access the site.

SQL injection is one of method that uses to hack a website to get data, so mod_rewrite is very import for a website, although the website doesnt have any database. Uses mod rewrite can prevent the user or hackers know the variable of value for certain query. If the URL is rewrite to other form, so it can avoid a hacker to hacker the website.

8|Page

Uses of Magic URL (Mod_Rewrite)

CHEW KHA SON

Installing Magic URL (mod_rewrite) Before you install mod_rewrite, we need to ensure that the Apache web server is properly configured. Usually, mod_rewrite is installed along with the Apache web server, but in case the mod_rewrite is missing, you need to contact your web hosting company to get this module installed and loaded on Apache. Sometime, Linux machine was not compiling along with the mod_rewrite, so you must ensure that mod_rewrite is installed and can run properly.

How to check on the mod_rewrite is installed on the Apache web server? First, you need to create a PHP info page that can display all the details or information about the Apache web server. You can open a text editor (Notepad), then you type in <?php phpinfo(); ?> and save it as info.php. After that, you just upload it to your ftp (File Transfer Protocol) server. Open web browser (Firefox, Google Chrome, and IE) and enter your website URL with the PHP file. For instance, http://e-

learning.cs.usm.my/info.php, then browser will load the page up and display the information about the server. Below is an example of info.php.

Figure 1: Apache handler

9|Page

Uses of Magic URL (Mod_Rewrite)

CHEW KHA SON

If the mod_rewrite is not loaded by Apache server (Loaded Modules), you can enable it by using the LoadModule Directive in the \apache\conf\httpd.conf file. Open it by text editor (Notepad) and find out this line of command, #LoadModule rewrite_module modules/mod_rewrite.so and then remove the symbol # and save it.

URL rewrite steps First, you need create an .htaccess file by text editor or tools for develop web. This file is used to configuration files with Apache directives defined in them and they provide distributed directory level configuration for a website. Inside the .htaccess file you need to type in RewriteEngine on to make URL rewriting active.

Method 1: URL redirect Now we rewrite instruction for making a request to our server for apple.php redirected to orange.php at server level. Add the given line to your .htaccess file along with the RewriteEngine directive that we have added before. RewriteEngine on RewriteRule ^apple.php$ orange.php

This two line of code is use to redirect hidden from client and this differs from the classic HTTP Redirects. The client or the browser is given the impression that the content of the orange.php is being fetched from apple.php.

10 | P a g e

Uses of Magic URL (Mod_Rewrite)

CHEW KHA SON

Method 2: Mod_rewrite in regular expression (Clean URL) The mod_rewrite engine uses pattern-matching substitutions for making the translations and this means a good grasp of Regular Expressions can help you a lot to make your website URL more user friendly and more secure. Usually, we can saw the website URL will display in form like below, malaysia.fruit/fruit.php?fruit_name=durian&fruit_id=10. URL above is not user friendly and not secure, so we need to convert it to a short and clean format. For example, we can convert it into this format malaysia.fruit/fruit/durian/ 10. This URL is more meaningful and looks more user friendly compare with the first URL, so we can use this few step to create this kind URL. Now we need to create a page name as fruit.php with the following code: <?php $ fruit_name = $_GET['fruit_name']; $fruit_id = $_GET['fruit_id']; echo "Fruit Name : " . $ fruit_name. "<br>"; echo "Fruit ID : " . $fruit_id; ?>

This page is use to display the variable value. Open the .htaccess file and write the Rule. <IfModule mod_rewrite.c> RewriteEngine on RewriteRule ^fruit/([a-z]+)/([0-9]+)/?$ fruit.php?fruit_name=$1&fruit_id=$2 </IfModule>

11 | P a g e

Uses of Magic URL (Mod_Rewrite)

CHEW KHA SON

Table below is explain about the code:

Code Explanation The server will start check after the symbol ^ and the request URL is match with fruit or not. Checks if this part is a single word followed by a forward slash. The parenthesis is used for extracting the parameter values, which we need for replacing in the actual query string, in the substituted URL. The pattern, which is placed in parenthesis, will be stored in a special variable which can be back-referenced in the substitution part using variables like $1, $2 so on for each pair of parenthesis. Checks for digits at the last part of the URL

^fruit/
(w+)/

([0-9]+)$

The last step is try requesting the fruit.php file in your test server with the below given URL.

Malaysia.fruit/fruit/durian/10

The URL Rewrite rule you have written will kick in and you will be seeing the result as if the URL requested where:

Malaysia.fruit/fruit.php?fruit_name=durian&fruit_id=10

12 | P a g e

Uses of Magic URL (Mod_Rewrite)

CHEW KHA SON

Demo run in Apache XAMPP 1. Enter the following URL (http://localhost/test/fruit.php?fruit_name=durian&fruit_id=10) into browser. Then we will get output like below.

URL without convert The variable value gets from the URL

Figure 2: URL without shorten (Convert)

2. If we enter other form of URL (http://localhost/test/fruit/durian/10), we also can get a same result as above.

URL after convert The variable value gets from the URL

Figure 3: URL after convert

13 | P a g e

Uses of Magic URL (Mod_Rewrite)

CHEW KHA SON

The End Mod_rewrite is a powerful tool that are designed to secure different aspects of your environment and thus provide a more complete type of firewall protection when combined into a synergized whole. In other hand, mod_rewrite also can benefit your web based applications by providing better visibility or friendliness with Search Engines and helps in keeping the structure of the website more easily to maintain for future changes. In this whitepaper we have taken only a brief look at the power of the mod_rewrite. It is only a scratch on the surface but I hope it is enough to get you started on using this module on your web server environment.

14 | P a g e

Uses of Magic URL (Mod_Rewrite)

CHEW KHA SON

Reference http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html http://httpd.apache.org/docs/2.0/misc/rewriteguide.html http://www.workingwith.me.uk/articles/scripting/mod_rewrite http://perishablepress.com/eight-ways-to-blacklist-with-apaches-mod_rewrite/ http://www.sitepoint.com/guide-url-rewriting/ http://www.sitepoint.com/apache-mod_rewrite-examples/ http://www.youtube.com/watch?v=0z1rt9Y-ON0

15 | P a g e