Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
Currently I am working on a contact form(E-mail contact form) for somebodies website.
After some research, I heard that there were ways of securing you're contact form and that got me thinking.
1.Is there an actual big threat if you don't "secure" you're contact form other then spams ? What would be the worse possible scenario ?
2.If I were to follow some guidelines on how to make a contact form that is secure, where would be the best place to start ? (Plugins, tutorials any recommendations would help !)
Thanks guys !
1.Is there an actual big threat if you don't "secure" you're contact form
You need to treat all user input as a potential threat. It's your responsibility to mitigate potential threats according to your exposure.
The severity of a threat can't be generalized: you need to look at the value of your assets, the visibility of the application, and the type of attacker you may encounter (automated/passive or targeted/active).
2.If I were to follow some guidelines on how to make a contact form that is secure, where would be the best place to start ? (Plugins, tutorials any recommendations would help !)
Many application frameworks come with some form security features but you are still responsible for understanding the mechanics. There is no such things as a turn-key security: context is everything.
Security is a deep topic but here are some guidelines:
never trust user supplied data
prefer whitelisting to blacklisting; if you can't whitelist than you really have to understand output escaping
in fact either way you really need to understand output escaping: understanding data in context and escaping output appropriately is essential
understand the http protocol and understand how php abstracts it
Here some good jumping off points:
http://phpsec.org/projects/guide/2.html
http://php.net/manual/en/intro.filter.php
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
https://github.com/padraic/phpsecurity
https://leanpub.com/securingphp-coreconcepts
https://leanpub.com/buildingsecurephpapps
"Security" is an extremely broad topic, but for starters you can secure the data being transferred by buying a (--or generating your own self-signed) SSL certificate. That will encrypt any data sent to your form. Whether or not you need the encryption depends on what kind of info you're asking for. If you're just asking for suggestions you probably don't need it to be too secure, but if you're requesting sensitive info like CC numbers or SSNs it's actually illegal not to have SSL (at least here in the states).
http://www.akadia.com/services/ssh_test_certificate.html
https://www.youtube.com/watch?v=iQsKdtjwtYI
http://franz.com/support/tutorials/ssl-tutorial.htm
http://google.com
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 months ago.
Improve this question
I'm trying to offer to the users (will be open to the internet, anyone can register) a WYSYWIG editor where users can input BLADE code to code their pages.
I want to provide them with the ability to create small functions to parse arrays/strings so I saw the #php tag of Blade useful for this.
My question: I can't find anywhere if this is like a sandboxed environment where only certain "safe" functions can be run or if this is more like an eval() and thus allowing people to basically inject PHP code to destroy the server and/or pull sensitive content?
I tried testing running basic commands with blade, but I would like a professional opinion on whether it's a bad idea regarding security (like, know exploits or other performance issues)
Thank you
Having a WYSIWIG open to the public on it's own has it's own challenges, because you will have to look into sanitizing the input/output otherwise you'll be opening yourself up to XSS attacks.
Allowing PHP code as well is obviously going to have lots of security risks, I wouldn't advise it personally - but it is technically possible. There are other online php sandbox editiors available, how exactly they secure themselves is beyond me. There are a lot of clever tricks that can be done, trying to whitelist or blacklist functions you deem as safe/unsafe is probably the way to go - but I still personally wouldn't feel comfortable implementing something like that. You may think you've covered all possible attacks, but it only takes one that bypasses what you've setup to essentially take over your server.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
I am considering redoing my WordPress website by rewriting myself to get something a little lighter weight. The only problem I see myself getting into is rewriting my WooCommerce section. I certainly don't want anyone getting in danger. I will only be using Paypal but we still have to collect shipping information.
Is it too much of a security risk to write my own online store?
Simple answer: Unless you are an expert, it is generally too risky to write your own anything. Well, you can write stuff, just don't use it or publish it for others to use unless you're damn sure it's secure. Since you're asking, I'm going to assume you're not an expert.
The only problem I see myself getting into is rewriting my WooCommerce section. I certainly don't want anyone getting in danger. I will only be using Paypal but we still have to collect shipping information. Any thoughts?
I can't speak to the security features of WooCommerce, as I've never audited a WooCommerce project as of this writing.
Unless you can do it better than what's available, use what's available. They might have prevented vulnerabilities that you would never even have thought could exist.
However, if you're doing it for your own educational purposes, please do experiment with your own solutions. You might find a better way to implement a feature than what already exists and possibly not realize it.
As long as you make it plain and clear that the code is experimental, and you don't actually deploy it to a production system without getting examined by a security expert, the "don't write your own" advice can be ignored.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I want to start a project, technically based on the code of another project -- a clone. E.g. a forum or an online shop, whatever. I'll buy the code base. But then it's theoretical possible, that the developer/seller is able to manipulate something remote, e.g. export the customer database or just change/delete files with code and make the code useless, if he wants to.
What strategies (maybe best practices) are there to defend oneself in such cases?
The only viable option is a code review by a person competent in detecting such security flaws. This is by no means a cheap process, nor will there be any guarantee of success.
Even teams of people writing and reviewing code designed to be secure often fail to fill every possible security hole, eventually some hacker finds these holes and exploits them. Take for example the heartbleed bug in OpenSSL.
Regardless of it being the developer who has malicious intent or it being a hacker attacking his otherwise good code the same approaches apply. To prevent your customer DB being downloaded put it on a separate layer with it's own security. If the DB server will only provide the web app with one customer at a time and not provide a list then downloading th whole db is very hard.
Hackers do manage to change and delete code on servers. To mitigate this a tripwire system should be used to detect these changes, then the code can be restored from a simple backup.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
I am creating a form that users will use to register for an event. However, I just discovered that there are some really tight security limitations due to policies due to the site's hosting and also policies the organization has about external-facing scripts (such as PHP) that are seen as an unneeded vulnerability.
I haven't been told flat-out that all PHP is completely banned, but I think that I won't be able to create a file and send email with it. However, I do want to be able to have an online registration form that can be filled out and emailed in as low-tech a way as possible.
I'm aware that you can use mailto: to prepopulate the subject and body of an email sent through the users normal email client:
mailto:my#addy.com?subject=subject+here&body=body+of+email
This is not the best solution because not everyone will be able to use mailto in this way, and for those that do, they must be relied upon not to mess up the formatting of the email. It isn't very consistent. Is there anything better than mailto: but which is still less of a security risk than PHP?
If you don't have the ability to run server side code, then sending an email is pretty much out of the question. Unless of course, you can make javascript calls to some other website that emails or store the form information for you.
Your best bet might be outsourcing it entirely, and using a Google Doc form or something.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 months ago.
Improve this question
I know all the security issues. SQL injection, XSS issues, SSL, session hijacking , I have read security books etc. But yet, I feel that a backroom boy laugh me !
I want to hack my site ethically before backroom boy did this illegally?. From Where I can start? How can I make sure that I use security preventions correctly?
Thanks
Is this a trick question or something? Like, "Where's the beginning of a perfect ring?"
You say that you know the issues which you need to worry about. Write everyone that comes to mind into a list. Analyze that list, determine some priority order and get to it! If you know the issues, you should know ways to attack those issues.
I did find this decent looking article, which may very well provide you exactly what you're asking:
http://goodfellas.shellcode.com.ar/docz/web/php-fuzzing.pdf
What I was looking for is PHP Fuzzer, to add another layer of testing.
Found this list:
http://www.infosecinstitute.com/blog/2005/12/fuzzers-ultimate-list.html
At this page, which explains fuzzing a bit, hence its appearance here:
http://www.owasp.org/index.php/Fuzzing
If you can hack your site, it's a bad thing. The only real gotcha is probably CSRF. Aside from that, you might want to setup TLS or something to secure against man in the middle attacks. Since you seem to know about input sanitization, I'd assume you don't have to worry about abuse of things like eval, include (or anything else that opens a file), system, etc.