6 Replies - 849 Views - Last Post: 08 November 2010 - 06:22 AM

#1 james31rock

Security Vulnerabilities with generics

Posted 05 November 2010 - 06:17 AM

Hi, I've recently created generic functions to insert, update, delete and search. The problem is hackers will be able to guess the names of the files, change the file posted to and perform an update or delete and steal data.


Example - say I have this form to sign up and my target is insert.php. (BTW - insert.php breaks down an object instantiated from a class (in this case called user) by matching the posted variable names to the class's setters and getters; it then calls another generic class that breaks down the object to create the SQL string.) I've also simplified the number of fields in this example.

    <fieldset id="signup_menu">
        <form method="post" id="signup" action="insert.php">
            <p>
                <label for="username">Username</label>
                <input id="username" name="username" value="" title="username" type="text" />
            </p>
            <p>
                <label for="password">Password</label>
                <input id="password" name="password" value="" title="password" type="password" />
            </p>
            <p>
                <input id="signup_submit" value="Sign up" type="submit" />
            </p>
        </form>
    </fieldset>



Now if I changed the target to update.php (I obviously wouldn't call the files update and insert), someone would be able to update current user info. Even if I had a specific update for user credentials, just having generics available on the server causes a risk.

Does anyone have any suggestions of precautions to take against potential hackers changing html on the fly?

I know there is encryption software to change HTML source to gibberish, but which one is the best?

Any thoughts would be appreciated as I'm unsure which security measures need to be taken first.

THANKS!


Replies To: Security Vulnerabilities with generics

#2 CTphpnwb

Re: Security Vulnerabilities with generics

Posted 05 November 2010 - 06:41 AM

HTML is just text, and it can be generated on the fly by php. It can be used to do forced downloads where the user never sees the path to the file or its name.

#3 james31rock

Re: Security Vulnerabilities with generics

Posted 05 November 2010 - 07:10 AM

I am aware that HTML is text that is understood and compiled by the browser. I am also aware that PHP can generate HTML. My question was pertaining to the user's ability to change the action of where it is being posted.

If you have Chrome you can inspect elements and change this HTML text. You can then post back with the changed text. The security vulnerability is allowing users to do this. It's not only with HTML, but JavaScript as well. I can get past many websites' security by doing this, and I don't want to fall prey to crafty hackers.

What do you mean by, "It can be used to do forced downloads where the user never sees the path to the file or its name"? If you can give me an example of what you mean, that will help me better understand.

#4 james31rock

Re: Security Vulnerabilities with generics

Posted 05 November 2010 - 09:36 AM

Can anyone help me out here??????

#5 grimpirate

Re: Security Vulnerabilities with generics

Posted 05 November 2010 - 10:06 AM

What you're referring to is code obfuscation. However, if your worry is "crafty hackers" they can easily find their way around code obfuscation.

I think your thought methodology is what is flawed here so let me offer a different perspective. PHP doesn't need to concern itself with HTML because HOW the data is passed to your PHP code is irrelevant. Your code will receive data from somewhere. If it passes all the checks and balances then it's good data, regardless of how it arrived. Thus, it's how you handle the data within PHP that makes security vulnerabilities occur.

#6 CTphpnwb

Re: Security Vulnerabilities with generics

Posted 05 November 2010 - 04:09 PM

james31rock, on 05 November 2010 - 09:10 AM, said:

What do you mean by, "It can be used to do forced downloads where the user never sees the path to the file or its name." If you can give me an example of what you mean that will help me better understand.

Near the top of the list Google provided me:
http://elouai.com/force-download.php

#7 james31rock

Re: Security Vulnerabilities with generics

Posted 08 November 2010 - 06:22 AM

grimpirate, on 05 November 2010 - 09:06 AM, said:

What you're referring to is code obfuscation. However, if your worry is "crafty hackers" they can easily find their way around code obfuscation.

I think your thought methodology is what is flawed here so let me offer a different perspective. PHP doesn't need to concern itself with HTML because HOW the data is passed to your PHP code is irrelevant. Your code will receive data from somewhere. If it passes all the checks and balances then it's good data, regardless of how it arrived. Thus, it's how you handle the data within PHP that makes security vulnerabilities occur.


Thanks for the response. With generics, the PHP code I created does concern itself with HTML; whether it needs to or not, it does. I know that I can defer from using the model I started on, but I have thought about some workarounds to achieve more security.

I was thinking about adding a random number-letter combination to the session once the page is created. I will then assign the number to a hidden field. Say I have code 123456 for update. I then post to a generic PHP class which checks for 123456 code to update. If this code is changed it will throw errors. The generic PHP class will then post it to another class which requires an instantiated object that is created in the generic class.

I believe this is a form of code obfuscation, but I haven't thought about the potential flaws with this approach as I haven't implemented it yet. Any thoughts?
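The server-side handling described in post #5, combined with the hidden-field session token proposed in post #7, as an added example that is not code from any poster in this thread. The `users` table, its columns, the `WRITABLE` map and the function names are assumptions; it needs PHP 7.4+ with the PDO SQLite driver.

```php
<?php
// Added example; table, column and function names are assumptions.
// Columns each generic action may write, fixed on the server, never taken from the form.
const WRITABLE = ['update' => ['username', 'password']];

function issueToken(array &$session): string {
    // Per-session random value for the hidden field (the idea in post #7).
    return $session['form_token'] = bin2hex(random_bytes(16));
}

function genericUpdate(PDO $db, array $session, array $post): string {
    // 1. The token only shows that this session was served the form.
    if (!isset($session['form_token'], $post['token']) || !is_string($post['token'])
        || !hash_equals($session['form_token'], $post['token'])) {
        return 'rejected: bad token';
    }
    // 2. The row to change comes from the login session, not from the request.
    if (!isset($session['user_id'])) {
        return 'rejected: not logged in';
    }
    // 3. Keep only allowlisted string fields; posted names never reach the SQL text.
    $fields = array_filter(array_intersect_key($post, array_flip(WRITABLE['update'])), 'is_string');
    if ($fields === []) {
        return 'rejected: nothing to update';
    }
    if (isset($fields['password'])) {
        $fields['password'] = password_hash($fields['password'], PASSWORD_DEFAULT);
    }
    $set = implode(', ', array_map(fn($c) => "$c = :$c", array_keys($fields)));
    $stmt = $db->prepare("UPDATE users SET $set WHERE id = :id");
    $stmt->execute($fields + ['id' => $session['user_id']]);
    return 'updated ' . $stmt->rowCount() . ' row(s)';
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, is_admin INTEGER)");
$db->exec("INSERT INTO users VALUES (1, 'alice', 'x', 0), (2, 'bob', 'y', 0)");

$session = ['user_id' => 1];
$token = issueToken($session);
// A request edited in the browser: extra fields and another user's id.
$tampered = ['token' => $token, 'username' => 'alice2', 'id' => '2', 'is_admin' => '1'];
echo genericUpdate($db, $session, $tampered), "\n";
echo genericUpdate($db, $session, ['token' => 'guess', 'username' => 'z']), "\n";
print_r($db->query("SELECT id, username, is_admin FROM users")->fetchAll(PDO::FETCH_ASSOC));
```

With the edited request, only the logged-in user's `username` changes; the posted `id` and `is_admin` are ignored, and the request with a wrong token is rejected before any SQL runs.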