5 Replies - 561 Views - Last Post: 10 May 2012 - 10:26 PM

#1 the1corrupted

General Website Security

Posted 23 April 2012 - 04:31 PM

I was wondering about general website security. If you have hidden input values, would there be a way for a Bad Guy to input his own values into those inputs?

What about Javascript? While I have security measures (like encoding ALL user text input with PHP's htmlspecialchars() and mysqli_real_escape_string()), I'm worried someone might be clever enough to figure out the way my Javascript powered forms work, and input erroneous information.

Am I being too paranoid, or should I start implementing a re-validation script?

What isn't secure? What is secure?


Replies To: General Website Security

#2 JackOfAllTrades

Re: General Website Security

Posted 23 April 2012 - 04:37 PM

Quote

If you have hidden input values, would there be a way for a Bad Guy to input his own values into those inputs?


Yup. Check out the Firefox extension Tamper Data.

Quote

What about Javascript? While I have security measures (like encoding ALL user text input with PHP's htmlspecialchars() and mysqli_real_escape_string()), I'm worried someone might be clever enough to figure out the way my Javascript powered forms work, and input erroneous information.


All you have to do is View Source to see the Javascript.

Reading material:

https://code.google....rity/index.html
http://coding.smashi...of-the-problem/
https://www.owasp.or...x.php/Main_Page

#3 rpgmaker

Re: General Website Security

Posted 04 May 2012 - 05:53 AM

I own an RPG and was passing monster IDs through hidden fields. I then found out users were editing the ID passed through in the hidden field using Firebug, so they could sell any monster they want, even other users' monsters. You can use hidden fields, but do loads of checks before doing any big changes, e.g. inserts or updates.
Like with me, I would check to see if the user owns the monster and if the monster ID / name is real and stuff :rolleyes:

And to get rid of JavaScript and be safe from SQL injection (via forms)

Use this

// Escape quotes and other special characters so the value is safe inside a MySQL string literal
$time = mysql_real_escape_string($_POST['message_date']);
// Then remove any HTML/PHP tags from the escaped value
$time2 = strip_tags($time);

The first line of the code escapes the post and makes it into a variable. Then the second line of code takes all tags out of it, e.g. JavaScript code and tags and other nasty stuff.

#4 the1corrupted

Re: General Website Security

Posted 04 May 2012 - 06:05 AM

Well, I was going to have a server-side session validator for one of my forms (that needed JS to survive). In theory, this is how it works (because it's over two pages of code)

User clicks item -> Item ID is fetched via the getElementById('base64 item id') -> item ID is AJAX'ed to the post handler where the "session shopping cart" has been set up to only increment/decrement the value of the item by 1. Validate the user has the item, and the quantity stated. Vice versa when dealing with the NPC. When the user is finished, I would essentially just use the session array I just built to enact the DB query. Then unset that particular array. I was thinking of leaving the hidden fields to catch any would-be bad guys.

In the old version, I left it up to the hidden forms to tell me which items are being transacted (obviously flawed) and I'm glad it didn't go live with this issue.

This post has been edited by the1corrupted: 04 May 2012 - 06:07 AM


#5 Atli

Re: General Website Security

Posted 04 May 2012 - 06:30 AM

the1corrupted, on 23 April 2012 - 11:31 PM, said:

If you have hidden input values, would there be a way for a Bad Guy to input his own values into those inputs?

If somebody is really trying to pass his own values for those inputs, he can easily create the request manually. It's not even hard, really. If you understand how the browser and server communicate, you can duplicate any form or any AJAX request. There are even tools like curl that allow you to build requests without having to know the finer details of the HTTP protocol.

Consider if, using rpgmaker's NPC example, each user were given a list of monsters he owns, and the ability to submit a form to delete each monster. No matter how you set that up, whether you use hidden inputs or AJAX, all a malicious user would have to know is the names of the inputs and the URL. (Both easily obtainable by viewing the source in the browser.)

Then he'd just telnet into the server (or use curl, or wget, or whatever) and send his own request. It wouldn't have to be more complex than this:
POST /deleteMoster.php HTTP/1.1
Host: rpg.example.com
Cookie: PHPSESSID=<sessionIDHash>
Accept: */*
Connection: close
Content-Length: 10
Content-Type: application/x-www-form-urlencoded; charset=utf8

npcID=1234

Assuming the deleteMoster.php script uses the $_POST["npcID"] field to determine which NPC to delete, that request would allow you to send any ID to it, regardless of what precautions your client-side code takes.

You need to make the PHP script bullet-proof, to make sure it doesn't accept the ID without validating it first and making sure the user is allowed to delete that monster. You can't rely on the client-side code for any of that.
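The server-side check that rpgmaker's and Atli's posts call for, as an added example that is not code from the thread: a PHP handler for the deleteMonster request above that refuses anything the session's user does not own. The PDO connection details, the `monsters` table with `id` and `owner_id` columns, and login code that stores an integer in `$_SESSION['user_id']` are assumptions, not from the thread.

```php
<?php
// Added example, not from the thread. Server-side handler for the
// "delete monster" POST request Atli shows; every check lives here, so a
// request forged with curl or Tamper Data gets the same treatment as the form.
// Assumed (not in the posts): PDO connection details, a `monsters` table
// with `id` and `owner_id` columns, and login code that sets $_SESSION['user_id'].
declare(strict_types=1);

function deleteOwnedMonster(PDO $pdo, ?int $userId, array $post): string
{
    // 1. Authentication: the session must belong to a logged-in user.
    if ($userId === null) {
        return 'not logged in';
    }

    // 2. Input validation: npcID must be a positive integer. FILTER_VALIDATE_INT
    //    rejects "", "1234abc", arrays and missing values alike.
    $npcId = filter_var(
        $post['npcID'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($npcId === false) {
        return 'invalid id';
    }

    // 3. Authorisation inside the query: the row is matched on BOTH id and
    //    owner, so an id belonging to another player deletes nothing.
    //    Bound parameters also make mysql_real_escape_string() unnecessary.
    $stmt = $pdo->prepare(
        'DELETE FROM monsters WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $npcId, ':owner' => $userId]);

    // rowCount() is 1 only if the caller really owned that monster.
    return $stmt->rowCount() === 1 ? 'deleted' : 'not your monster';
}

// Glue for a real deployment; DSN and credentials are placeholders.
session_start();
$pdo = new PDO(
    'mysql:host=localhost;dbname=rpg;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
echo deleteOwnedMonster($pdo, $_SESSION['user_id'] ?? null, $_POST);
```

The same shape applies to the trade "cart" in the later posts: treat every ID in the session array as untrusted until a query scoped to the current user confirms it.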

#6 the1corrupted

Re: General Website Security

Posted 10 May 2012 - 10:26 PM

(I know this reply is about a week overdue but I've had a hectic schedule)

Well, in validation, I'd run the numbers against the database. Simple confirmation, really, in that I check for each ID passed through. The script in question here handles the transaction between an NPC trader and the player. If a player tries to pass an ID he doesn't have, it won't be added and nothing will happen. If the player tries to pass an ID that the NPC has, he'll still pay for it out of his in-game money. If he doesn't have enough money, a message is issued about not having enough money. All of that is handled server-side. The only purpose of the "cart" would be to temporarily store a small list of items that each party antes up for trade. Of course it will be checked.

I am doing my best to be able to run this without the use (or reliance) on Javascript. While that can't happen (as there are DIV overlays for various interfaces), the most that the Javascript does is aesthetic. In this case, it kinda exerts some control over what goes down in the trade, but kinda just for show so I don't have page reloads.

For everything I do in the Javascript, there's a PHP side validator against it. For example, when I make one of my content overlays using an iframe, I set the 'src' attribute to 'frame.php?page=thispage', but then it gets validated against my array of pages.
$core = new Core;                       // the poster's own framework class
$pages = array("this", "that", "thispage");
// in_array() needs the haystack as its second argument; the original call
// omitted $pages. Strict comparison avoids loose matches such as 0 == "this".
if (!isset($_GET['page']) || !in_array($_GET['page'], $pages, true)) {
  $core->terminate("Invalid page selected");
}

