I recently delivered a website to a client and he claims that he can access database and database tables using "Python and SQLMap binaries" tools on his server. Same website copy is set on my development server and he cannot access database of tables using same tools.
So, is this any server setting which is stopping him ? If yes then what setting we have to do to stop hackers access database using this tool?
SQLmap and other vulnerabilities scanners kind of crawls the website and uses forms to make requests to the server to see the vulnerabilities. One way to fix this is to create a dummy login/signup form that has the body display set to none and has no links connected on the website. That means any normal user will not see it but a crawler will. Now anytime a crawler submits the form, you log the crawler's IP address to a log file and let Fail2ban block them
Related
I'm making an web application, it's a kind of online shop using PHP, jQuery, AJAX and JavaScript.
I want to launch my site on only one PC on local host. How should I set my site so that it only runs on my single PC?
Even if anybody copy my code files and database files to his/her own PC it should not run on their PC. How to do this?
The one way I know is by using the IP address. but I not quite sure about this method works or not.
If someone gains access to your source code then there is nothing that you can do to stop them.
When hosting it on your own you can prevent external access but beyond that there is nothing you can do.
You can use an encoder script to encrypt your source code, and some of these come with an ability to lock down to MAC address. I think they are all commercial solutions, though; start with IonCube and SourceGuardian. Zend might have something as well.
I would imagine each of these solutions would have comprehensive tutorials on their respective sites. Your workflow is basically to check out a copy of your source code from version control, and encode that folder as part of your build process.
Technically, encrypted code can be reverse-engineered, since the encryption key is built into the code. However, it is a lot of work for someone to do so, and even if they decode it, they won't have your comments or your meaningful variable/method/class names.
Make sure no one gains access to that PC (where your application resides). Only in that case you can protect your application from being run by unauthorized person. Once you take this security measure then you can easily disable your application from being accessed from any other LAN computers by using your IP. This is how professional servers works so should you.
You can change the webserver binding to localhost 127.0.0.1 only.
Alternative way you can create a filter rule that the server only accepts remote from localhost/127.0.0.1
With apache you can do this by .htaccess or directory/server rules.
When you want to share that code, you need to encrypt it with zend-guard or equal tools. there is also some licence management inside it, where you can bind licences to machines.
I have developed a website application that includes a custom built CMS and PayPal payments etc...
My client already has hosting for his main website via the developer of that site.
I wish to host the new application under a subdomain such as:
application.website.com
I have reservations about storing my complete source code on the other web designers server.
Is there a way that the code can remain on my server but with the required subdomain or somehow password protect the folder?
Thanks for the help.
You might be able to store your source code on your server and use the PHP include function to get the pages on your client's website to use the code on your server. I've not tried this so it may not be possible for PHP to communicate between two servers like this, but give it a go and see what happens.
optimizepress is a wordpress plugin. I own a copy and use it and am wondering how they use the licensing to secure the product.
I would like to consider this for securing my own php script if it's viable.
Here's what they do to secure their product:
On there server where you download the script you have to enter your domain url in a text box to license the plugin for that url.
They have 2 textboxs to enter your domains in: 1. if it's first time licensing sites 2. adding more sites to your account
Then you click a submit button and a serial code is sent back
After you install the plugin in wordpress, you must goto the settings area where it asks you to enter the serial code for verification otherwise you can't use the script
How is this done? Could this be used with my php script I'll be distributing?
thanks for your thoughts
I'm not specifically familier with this script however it is very possible it is a script using cURL, the serial number will be used to authenticate your account for verification to access your account.
Next it will most likely pull the URL the script is being run from and verify that the URL is listed on your account.
From there if the URL is not listed it will probably send a fail command killing the script, if the URL is listed it will authenticate.
If it is listed then the script will check the status of the license and either run or kill the script.
There is a division in using this type of model whereby some developers believe if there is no response from the auth server then the script should assume it is allowed to run to not interrupt the user experience, others believe if the auth server doesn't reply its very possible it could be an unauthorised usage so they kill the activity.
There are other technologies available to do the same thing and depending on your application this may not be suitable, just have a look at various licensing models.
As a note, for this style of distribution you may want to use a PHP encoder such as ionCube so the script cannot be hacked to bypass authentication.
In addition when writing a script to use an API, I also recommend having the user assign the IP address, this way the first query to the API for auth is am I allowed to talk to this server. This provides a lot of protection to your API script that will then move on to verify the license is valid or not.
I hope this will be helpful for you.
Hey. Am new to the world of web programming and learning a bunch of fairly simple new pieces of tech, trying to piece them all together.
So, we have a simple client (currently iPhone, to move to J2ME soon) that's pulling down lists of data via PHP, which is talking to a MySQL db. I have a rudimentary user/login system so that data is only served to someone who matches a known user etc, either on the website or on the client.
All the php scripts on the website that query the DB check to make sure an active session is in place, otherwise dumping the user back to the login screen.
I've read a little about SSL and want to know if that is sufficient to protect the website AND the data passing between the server and the client?
HTTPS is about protecting data and authenticating the endpoints. You still have to worry about properly authenticating the client to access your services. You also have to worry about vulnerabilities such as SQL Injection and other vulnerabilities that affect PHP. I highly recommend reading The OWASP Top 10 2010 A3: Broken Authentication and Session Management to make sure your session implementation is secure.
Yes, SSL is sufficient to secure the connection between the client and the server, given that it's properly setup.
Your user credentials should also be sent across from client to server over an SSL connection.
I am hoping there is a way to do this but have had difficulty searching because the terms all seem too general and the results don't seem to be what I'm looking for.
I travel a lot and am often in areas where the internet on a shared computer is the ONLY method for accessing the web. I can't use SSH or SFTP.
I would like to make a web page (hosted publicly, accessible to the world) that will 1) be password protected itself (can do that with .htaccess, pretty sure), and then 2) when logged in, will present me a list of links that IF CLICKED will rename, remove, or move files on a server that's NOT on the same server as the web page is served.
Can this be done?
Basically, with SSH I'd just ssh to Server 1 (where the web server is) and then ssh AGAIN to the Server 2 (where the files I want to access are). Easy. But with just access to HTTP, it seems like this is much more complex.
I suspect the method is to create public/private keys and then use some php commands to trigger processes that are tied to hyperlinks on the page? For example:
Delete file 001
Rename file foo to bar
My idea is that the "deletefile001.php" file would contain the necessary ssh and link to a bash script that does what I need it to. That way, I wouldn't need access to SSH directly. It would be done in advance, with the process started by clicking the link.
Lastly, what kind of security risks are there in this? Can spiders trigger the links automatically? I'm not worried too much about people accessing maliciously, but mainly about accidental triggering that would cause sudden loss of the files.
Any and all help would be fantastic. Thank you!
What you're looking for is a web-based FTP or SSH client, something that would be a very large task to code yourself. Here are a couple frameworks that I found after a couple minutes of Google searching. I cannot guarantee the quality or the security of any of these services, as I have not used them myself.
Open-source frameworks that you could install on your own server:
Web-based FTP framework: Monsta FTP
Web-based SSH framework: Web Console
Online services that you could use independently of your website:
Online FTP client: net2ftp
Online SSH client: consoleFISH