Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 months ago.
Improve this question
I know all the security issues. SQL injection, XSS issues, SSL, session hijacking , I have read security books etc. But yet, I feel that a backroom boy laugh me !
I want to hack my site ethically before backroom boy did this illegally?. From Where I can start? How can I make sure that I use security preventions correctly?
Thanks
Is this a trick question or something? Like, "Where's the beginning of a perfect ring?"
You say that you know the issues which you need to worry about. Write everyone that comes to mind into a list. Analyze that list, determine some priority order and get to it! If you know the issues, you should know ways to attack those issues.
I did find this decent looking article, which may very well provide you exactly what you're asking:
http://goodfellas.shellcode.com.ar/docz/web/php-fuzzing.pdf
What I was looking for is PHP Fuzzer, to add another layer of testing.
Found this list:
http://www.infosecinstitute.com/blog/2005/12/fuzzers-ultimate-list.html
At this page, which explains fuzzing a bit, hence its appearance here:
http://www.owasp.org/index.php/Fuzzing
If you can hack your site, it's a bad thing. The only real gotcha is probably CSRF. Aside from that, you might want to setup TLS or something to secure against man in the middle attacks. Since you seem to know about input sanitization, I'd assume you don't have to worry about abuse of things like eval, include (or anything else that opens a file), system, etc.
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 months ago.
Improve this question
I'm trying to offer to the users (will be open to the internet, anyone can register) a WYSYWIG editor where users can input BLADE code to code their pages.
I want to provide them with the ability to create small functions to parse arrays/strings so I saw the #php tag of Blade useful for this.
My question: I can't find anywhere if this is like a sandboxed environment where only certain "safe" functions can be run or if this is more like an eval() and thus allowing people to basically inject PHP code to destroy the server and/or pull sensitive content?
I tried testing running basic commands with blade, but I would like a professional opinion on whether it's a bad idea regarding security (like, know exploits or other performance issues)
Thank you
Having a WYSIWIG open to the public on it's own has it's own challenges, because you will have to look into sanitizing the input/output otherwise you'll be opening yourself up to XSS attacks.
Allowing PHP code as well is obviously going to have lots of security risks, I wouldn't advise it personally - but it is technically possible. There are other online php sandbox editiors available, how exactly they secure themselves is beyond me. There are a lot of clever tricks that can be done, trying to whitelist or blacklist functions you deem as safe/unsafe is probably the way to go - but I still personally wouldn't feel comfortable implementing something like that. You may think you've covered all possible attacks, but it only takes one that bypasses what you've setup to essentially take over your server.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
I am considering redoing my WordPress website by rewriting myself to get something a little lighter weight. The only problem I see myself getting into is rewriting my WooCommerce section. I certainly don't want anyone getting in danger. I will only be using Paypal but we still have to collect shipping information.
Is it too much of a security risk to write my own online store?
Simple answer: Unless you are an expert, it is generally too risky to write your own anything. Well, you can write stuff, just don't use it or publish it for others to use unless you're damn sure it's secure. Since you're asking, I'm going to assume you're not an expert.
The only problem I see myself getting into is rewriting my WooCommerce section. I certainly don't want anyone getting in danger. I will only be using Paypal but we still have to collect shipping information. Any thoughts?
I can't speak to the security features of WooCommerce, as I've never audited a WooCommerce project as of this writing.
Unless you can do it better than what's available, use what's available. They might have prevented vulnerabilities that you would never even have thought could exist.
However, if you're doing it for your own educational purposes, please do experiment with your own solutions. You might find a better way to implement a feature than what already exists and possibly not realize it.
As long as you make it plain and clear that the code is experimental, and you don't actually deploy it to a production system without getting examined by a security expert, the "don't write your own" advice can be ignored.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I want to start a project, technically based on the code of another project -- a clone. E.g. a forum or an online shop, whatever. I'll buy the code base. But then it's theoretical possible, that the developer/seller is able to manipulate something remote, e.g. export the customer database or just change/delete files with code and make the code useless, if he wants to.
What strategies (maybe best practices) are there to defend oneself in such cases?
The only viable option is a code review by a person competent in detecting such security flaws. This is by no means a cheap process, nor will there be any guarantee of success.
Even teams of people writing and reviewing code designed to be secure often fail to fill every possible security hole, eventually some hacker finds these holes and exploits them. Take for example the heartbleed bug in OpenSSL.
Regardless of it being the developer who has malicious intent or it being a hacker attacking his otherwise good code the same approaches apply. To prevent your customer DB being downloaded put it on a separate layer with it's own security. If the DB server will only provide the web app with one customer at a time and not provide a list then downloading th whole db is very hard.
Hackers do manage to change and delete code on servers. To mitigate this a tripwire system should be used to detect these changes, then the code can be restored from a simple backup.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 6 years ago.
Improve this question
I'm writing the documentation for a WordPress theme project that I've been working on for a long time. The theme is usable and stable enough for release. I'm releasing it, plus its documentation and tutorials for free but am charging for support/customization. However, there are some issues with the code (optimization, mostly) that I've been unable to resolve after months of trying. While I've learned a lot about PHP while doing this project, I'm still a novice and I want people to know that I'm aware that my code has these specific issues, and that with support (via donations or them purchasing support from me), I might be able to hire someone in the future to fix these problems.
My question is, should I include a disclaimer that basically states what I just said above in the documentation? So that people are aware right from the start that while my product is usable and I'm confident in it, it still has these known issues that were beyond my skill level to fix? Non-coders would probably not notice the issues much, but more advanced people in the community may...
...or would it be best to not mention the known issues or my novice skill level at all, and wait to see if people bring them up?
We have a standard 'Known Issues' section in our release documentation. I'd say yes.
If you were going to invest money or time in a new acquisition, would you want to know about its limitations? Probably, so make that information available. You might lose one or two potential users who consider the known issues showstoppers, but they're people who would have got frustrated when they discovered the issues anyway.
Yes, it's always good to have a known issues section; if nothing else, to keep your inbox empty of the same emails complaining about the same bugs you already know about.
In my opinion, you should just list all of these issues/bugs and state that you are currently trying to fix them. You don't want to be bombarded with e-mails of issues you already know about.
would it be best to not mention the known issues or my novice skill level at all, and wait to see if people bring them up?
I can bet they will come up. Don't think that they will not come across these issues. Better to publish the known issues. It should have sections one is things to avoid and then if the user does that, what the user should do to come out of it. If I am paying for any software I would certainly like to know what are the limitations first.
Definitely Yes! A well-informed user is better than a frustrated one!
Treat your customer the way that you would want to be treated.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I'm writing a little website (webapp) in php+codeigniter, I'd really like to make it open source (to attract collaborators and to have a free VCS hosting).
Is that a good practice?
This mine security?
Which are the best tools to change important data before uploading? (like config files with db names and passwords used for testing etc..)
Is that a good practice? Will this mine security?
Yes, it can be a good practice. If your project is interesting and you think that is has potential for attracting contributors, and you are comfortable with your source code not being "your ownership", then this is a good move.
It has benefits, but of course it has its drawbacks. You'll get new ideas, you can learn much, you will have someone to talk to about the project and ideas, and with a bit of luck you can create a great team. You won't be alone doing the work. Your project may grow, and become important.
Any drawbacks? Well, the fact, as I mentioned, that your code is not your own property anymore. Then the fact that you will be forced to confrontation, and sometimes to arguments among the contributors: you will start a community, with all the related challenges. I think it is worth it, anyway. Then, for example, security. In the medium term, if you have contributors, your security will increase for sure, because more people will be looking at the code and can spot problems, and fix them. In the short term however, someone malicious may look into it and find a weak spot and use it. So you should have your code reviewed by some contributors first, with a private disclosure, before going fully open source.
Which are the best tools to change important data before uploading?
You should put all the important data into a single configuration file, which is client-dependent, and distribute a template for it. If this file is called "config.php", then EXCLUDE this file from the distribution, and distribute a "config-dist.php" file, with example values: at first installation, the user will fill the data, and they will stay there even if you update.