403 Errors

Discussion in 'All Points Bulletin / Be on the Look Out' started by purr1n, Apr 30, 2019.

  1. shotgunshane

    @dematted PM me your ad content and I’ll create it and make you author.
     
  2. shotgunshane

    It was the word Precision that was causing the error. Bizarre.
     
  3. Lyander

    Silly question and a bit of an aside, but while I vaguely recall that special characters can bollix threads for whatever reason I don't quite understand how specific words can trigger 403s. I just figured that something in the script doesn't want to play well with certain characters in particular areas and that's the end of that, but is it more like a filter of some sort?

    My knowledge of computers only really goes so far as "press buttons to go bloop", so pardon if this seems banal or overly simple, but genuinely curious.
     
  4. ogodei

    It's all just characters to the computer. Letters, special characters, words, spaces, punctuation, it's all just strings of chars for the system to interpret to its liking. What's more, different parts of the same system can interpret the same character/string of chars differently depending on what it expects. Nothing surprises me anymore as far as what systems will choke on.
     
  5. amichael03

    Sorry, I know I'm new here, and don't mean to intrude, but as someone who has XKCD's Bobby Tables as their Twitter header picture, I find this fascinating.

    To answer @Lyander's question, a 403 usually means unauthorized (user permissions, no account, etc.), which I think is an odd one to use (400 bad request - request to server isn't what would be expected - is better, but it's up to the devs of the server/service), but essentially what happens is, when searching for the thread, a database query is called using certain parameters in the request.

    Here's the fun part: I can change my request and manipulate those parameters, I don't need to use the words in our links, AND if I'm a lucky little hacker, I can do it in a way where I can actually execute my own SQL query or command. Don't have a username or password? Manipulate the expected query through the request to think I am. Page queries a table with sensitive data? Make it give me all of it, because it didn't want to validate my request and the server side code might have full read access.

    There are very easy ways to prevent this; it seems like the company that implemented it took the hardest (might make sense for the use case since it is a forum that might need more dynamic queries... don't want to get too detailed, but even these are easy to handle using more modern language versions).

    Edit: Just want to say, it's the issue I find fascinating and their solution to a simple problem; as mentioned, it might be their use case.

    My background's more in highly scalable cloud native stuff, so I don't want to make assumptions about what their needs are.
     
    Last edited: Feb 20, 2021
  6. amichael03

    Anyway, I don't know if you guys found a permanent solution to this, so disregard this message if you did.

    Found a couple of culprits and solutions in XenForo (third-party software this site uses, according to the footer), but because I have no insight into what plugins and such we are using, no clue if they'll help, but thought I'd pass them on:
    1. ModSecurity needs words whitelisted
    2. If using the LinkChecker add-on, updates have fixed 403 issues like this one (also added regex for filtering, which is the right way to do it if you have to handle it at that level and not at the DB/ORM level)
    ModSec seems to be the most prevalent one, and again I have no insight into how this is all set up, so can't really say.
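    The two posts above contrast blocking words at the request-filter level with handling untrusted text at the DB/ORM level. The following is an added example (not XenForo's code, and not from anyone in this thread) using an assumed tiny `threads` table: the string-built query chokes on a title containing quotes and brackets, while the parameterized query treats the same title as plain data, so nothing needs whitelisting in front of it.

```python
import sqlite3

# Constructed sample rows standing in for the forum's thread table
# (the table name and columns are assumptions, not XenForo's schema).
SAMPLE_THREADS = [
    (1, "Andromeda 2020 and MMW10 loaner thread"),
    (2, "Precision [brackets] and O'Neill's quote"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE threads (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO threads VALUES (?, ?)", SAMPLE_THREADS)
    return conn


def lookup_concat(conn, title):
    # Fragile pattern: user text pasted straight into the SQL string.
    # A quote inside the title changes the statement's structure, which is
    # why a filter in front of the app (the ModSecurity-style word blocking
    # discussed above) ends up rejecting harmless titles.
    sql = "SELECT id FROM threads WHERE title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, title):
    # Parameterized form: the driver binds the title as a value, so
    # brackets, quotes and words like "Precision" are data, never SQL.
    sql = "SELECT id FROM threads WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


def demo(title):
    """Return (concat_result, param_result). concat_result is the error
    text when string-building breaks on the input; otherwise a list of ids."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, title)
    except sqlite3.Error as exc:
        concat = f"error: {exc}"
    return concat, lookup_param(conn, title)


if __name__ == "__main__":
    for row_id, title in SAMPLE_THREADS:
        print(repr(title), "->", demo(title))
```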
     
  7. purr1n

    I'm paranoid of SQL injection and don't have time (money) to tweak things.
    • Security
    • Convenience
    • Low-Cost
    Pick two of the three.
     
  8. amichael03

    @purr1n security first and foremost

    This is a free forum for us to join, which I'm very thankful for, so I completely understand; just found those two and wanted to throw them out there.
     
  9. Pancakes

    Not sure what sort of error this is but it started randomly happening a couple of weeks ago. If I refresh the page it clears.

     
  10. rhythmdevils

    My new Andromeda 2020 and MMW10 loaner thread gives an error when trying to open the thread. And here I thought I was being nice to SBAF. :(
     
  11. YMO

    But but...I'm nice to you. :p
     
  12. rhythmdevils

    Asshole
     
  13. shotgunshane

    Fixed :piratemug:
     
  17. Pharmaboy

    Thank you!
     
  20. shotgunshane

    Fixed. It's the brackets.
     
