What is Your Web Server saying to Your Browser Behind Your Back?


If you want information about the interaction between your PHP web application framework (WordPress, Joomla, CakePHP, Drupal, etc.), your web server (Apache, IIS, Nginx) and your browser, you can do the following.

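Create a file on your PHP-enabled web server with the following. Use preg_match to display only what you want to see (the older ereg function was removed in PHP 7.0):

<?php

header('Content-type: text/html');

// Show only the request headers (HTTP_*) and the client address
foreach ($_SERVER as $h => $v) {
   if (preg_match('/HTTP_(.+)|REMOTE_ADDR/', $h)) {
          // header values come from the client, so escape them before output
          echo "<li>" . htmlspecialchars($h) . " = " . htmlspecialchars($v) . "</li>\n";
   }
}
?>

Or if you want to see everything, remove the preg_match filter: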

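<?php

header('Content-type: text/html');

// Dump every entry; print_r() copes with array values such as argv,
// and htmlspecialchars() stops client-supplied values being rendered as HTML
foreach ($_SERVER as $h => $v)
       echo "<li>" . htmlspecialchars($h) . " = " . htmlspecialchars(print_r($v, true)) . "</li>\n";
?>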

Running the above script (the one without the filter) gives you a heap of different information, including the Basic auth credentials and session cookies sent with the request:

USER = rupert
HOME = /var/www/rupert
FCGI_ROLE = RESPONDER
QUERY_STRING =
REQUEST_METHOD = GET
CONTENT_TYPE =
CONTENT_LENGTH =
SCRIPT_NAME = /test_scripts/server_env.php
REQUEST_URI = /test_scripts/server_env.php
DOCUMENT_URI = /test_scripts/server_env.php
DOCUMENT_ROOT = /var/www/rupert/web
SERVER_PROTOCOL = HTTP/1.1
GATEWAY_INTERFACE = CGI/1.1
SERVER_SOFTWARE = nginx/1.4.6
REMOTE_ADDR = 8.8.8.8
REMOTE_PORT = 30488
SERVER_ADDR = 172.16.252.14
SERVER_PORT = 80
SERVER_NAME = example.com
REDIRECT_STATUS = 200
SCRIPT_FILENAME = /var/www/rupert/web/test_scripts/server_env.php
HTTP_HOST = example.com
HTTP_AUTHORIZATION = Basic amfRouioJHIOJURudio=
HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
HTTP_USER_AGENT = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36
HTTP_REFERER = http://example.com/test_scripts/
HTTP_ACCEPT_ENCODING = identity,gzip,deflate
HTTP_ACCEPT_LANGUAGE = en-AU,en;q=0.8,en-US;q=0.6
HTTP_COOKIE = PHPSESSID=pktjm1ldfddfd8u1l3ev9gggt75g; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_87837362763cf1ee934f2959a3c2f=pcuser%8478d867d7d%7XKCD90809898988-; _ga=GA2.4.9999999999.172782789389636
HTTP_VIA = 1.0 proxy (squid)
HTTP_CACHE_CONTROL = max-age=259200
HTTP_CONNECTION = keep-alive
PHP_SELF = /test_scripts/server_env.php
PHP_AUTH_USER = ruperto
PHP_AUTH_PW = s3cr3tp@ssw0rd
REQUEST_TIME = 1394752438
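
The dump above prints HTTP_AUTHORIZATION, PHP_AUTH_PW and HTTP_COOKIE in clear text. A variant of the script that masks those values and escapes everything before printing follows; it is an added example, not code from the original post, and the function names and the choice of keys to mask are assumptions:

```php
<?php
// Added example (not from the post): print $_SERVER with credentials masked and output escaped.
function redact_server_vars(array $server): array
{
    $out = [];
    foreach ($server as $name => $value) {
        // argv and similar entries can be arrays; flatten them for display
        $value = is_array($value) ? json_encode($value) : (string) $value;
        switch ($name) {
            case 'HTTP_AUTHORIZATION':
            case 'HTTP_PROXY_AUTHORIZATION':
                // keep the scheme (Basic, Bearer, ...), drop the credential
                $value = strtok($value, ' ') . ' [redacted]';
                break;
            case 'PHP_AUTH_PW':
            case 'PHP_AUTH_DIGEST':
                $value = '[redacted]';
                break;
            case 'HTTP_COOKIE':
                // keep cookie names, mask every value (session ids, login cookies)
                $value = (string) preg_replace('/=[^;]*/', '=[redacted]', $value);
                break;
        }
        $out[$name] = $value;
    }
    return $out;
}

function render_server_vars(array $server): string
{
    $html = "<ul>\n";
    foreach (redact_server_vars($server) as $name => $value) {
        // header values are client-controlled, so escape before echoing into HTML
        $html .= '<li>' . htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8') . ' = '
               . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample, based on the dump above; used only when run from the CLI.
$sample = [
    'REMOTE_ADDR'        => '8.8.8.8',
    'HTTP_AUTHORIZATION' => 'Basic amfRouioJHIOJURudio=',
    'HTTP_COOKIE'        => 'PHPSESSID=pktjm1ldfddfd8u1l3ev9gggt75g; wordpress_test_cookie=WP+Cookie+check',
    'HTTP_USER_AGENT'    => 'Mozilla/5.0 <b>constructed markup</b>',
    'PHP_AUTH_PW'        => 's3cr3tp@ssw0rd',
];
header('Content-Type: text/html; charset=utf-8');
echo render_server_vars(PHP_SAPI === 'cli' ? $sample : $_SERVER);
```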

To look at your PHP environment, create a web-accessible PHP file with an arbitrary name like php_info.php containing:

<?php

phpinfo();

?>

If this doesn't show anything, perhaps a security setting is denying it, so check that phpinfo doesn't appear in the disable_functions= line of your php.ini file.

; before
disable_functions="phpinfo, eval, exec, passthru, shell_exec, system, proc_open, popen, show_source"
; after: remove phpinfo and restart your web server and / or php-fpm
disable_functions="eval, exec, passthru, shell_exec, system, proc_open, popen, show_source"

If you are using a GNU/Linux or BSD based operating system, or you have installed Cygwin on Windows, you can use curl or wget to have a look at what your web server is saying to the client:

curl -v -I http://example.com
# or wget
wget -S http://example.com

Finally, inside the browser you can use Google Chrome's Developer Tools or Firebug on Firefox to look at the interaction.
