I am attempting to construct a website and message board type system using PHP and MySQL. I am going to be coding most things by hand instead of using something like phpbb or other tools that build things for me. I am mainly doing this for my own education so I want to do things in the most "secure" and stable way possible.
If you're using phpbb, IPB, vBulletin or SMF as a base, then keep in mind that the core of these are often secure, while addons are not. This goes for phpbb and wordpress in particular, but not always. (Wordpress can be used for a variety of things, not just as a blog. I've seen it used as a CMS.)
What I am looking for is a pointer to best and secure methods for getting and sending data from the forms on the html pages to the web browser to the server, etc. I want any and all data that is visible in the address bar to be as discreet as possible. Of course, I would also like any sniffed data to also be discreet.
Use POST-requests where they should be used, and GET-requests where those should be used. (POST-requests are often used to send a lot of data, where GET-requests are used for calling different parts or functions of a site, e.g. forum.php?thread=1, this shouldn't be called via a POST-request.)
Use a real SSL certificate too, not a self-signed one.
Sanitize all user-input and -output. (This means encoding all HTML characters into their entities, so e.g. " becomes &quot; and ' becomes &#039; or &#39;.) You can use htmlspecialchars($var, ENT_QUOTES) or htmlentities($var, ENT_QUOTES) to prevent XSS. For sanitizing mysql queries, use mysql_real_escape_string($var); properly and encapsulate user-input, as it is otherwise useless.
You should also implement CSRF-tokens to prevent CSRF/XSRF/C-Surf attacks.
Article about XSS:
http://www.xssed.com/article/31/The_Beginners_Guide_to_XSS/
For example, I once built a very simple message board using Perl and SQL and I used the post method to post data and of course you can see a lot of the data in the address bar (someone could easily manipulate this and exploit my system). I know this is probably not the best method for doing things, but I don't really know what specific practices people have employed to get around those types of issues. I would assume that one practice is to make data values have obscure names, but I am not exactly sure about everything else which goes beyond this one point of information weakness.
No matter how much data is being displayed in the address bar, it doesn't necessarily mean it is exploitable, nor a vulnerability nor a bug. If your code has no bugs, it's not exploitable most likely.
Look out for logical bugs such as e.g., sending -1 to a function that only allows positive integers as input.
Furthermore, disabling error output for mysql is good, but it doesn't prevent sql injection if user-input isn't sanitized correctly, as hackers will simply use blind sql injection methods, which are not error based but instead based on different output. (Therefore use mysql_real_escape_string(); )
I was studying reddit's posting system a little bit and I noticed that each post's title is also the name of the page's subdirectory in the address bar. For example, if the title was "This is funny", the URL would be reddit.com/r/funny/comments/mirzg/This_is_funny I also noticed that the part "mirzg" seems to be different on every post and seemingly random. Actually I think it's something else now that I look at it, but moving on... Also on reddit, when you post a comment, the page doesn't even reload... data is handled differently (javascript I assume). Basically this impresses me because a lot of information seems hidden from the user and I want to learn how to do something similar in my own web-based data systems.
The first thing about "This is funny": that is often just a "SEO rewrite" to optimize it for search engines but also humans. mod_rewrite in apache is capable of this. For example if you go here:
http://forum.intern0t.net/web-hacking-war-games/4438-can-you-cross-site-scripting-some-cases-i-can.html
The "web-hacking-war-games" is a part of the section name, but if you would call the section name without the "rewrite" it would be something like forum.php?section=11 (pseudo name).
The "4438-can-you-cross-site-scripting-some-cases-i-can.html" part, if called directly, could've been thread.php?id=4438, but this has also been rewritten and the actual extension is not html; it's php serving this page. (.html could've been anything.)
About the thing that the page doesn't reload, this is done with "ajax" and dynamically updated content. Twitter and facebook are other examples of this.
Note: I am not trying to hack reddit. I am just using them as an example of the security I am looking to achieve when posting web form data.
I am trying to realize the proper practice of separating jobs and balance of data handled by the various applications.
I know, but it's good you say it anyway
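As an added example (not code from the thread), a minimal PHP reply handler that applies the advice above: POST for submissions, a per-session CSRF token, rejecting ids such as -1, and htmlspecialchars(..., ENT_QUOTES) on everything echoed back. It uses a mysqli prepared statement in place of the mysql_real_escape_string() call mentioned above; the table, column names, file name reply.php and database credentials are placeholders.

```php
<?php
// Added example, not from the thread: reply.php for a "post a reply" form.
// POST changes data, GET only reads; the thread page itself stays a GET.
session_start();

function csrf_token(): string {
    // One random token per session; generated on first use.
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrf_valid(?string $submitted): bool {
    // hash_equals() compares in constant time and rejects a missing token.
    return is_string($submitted) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}
function positive_int($value): ?int {
    // "-1", "0", "", "1abc" all fail; only 1..PHP_INT_MAX passes (the logic bug named above).
    $v = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}
function e(string $s): string {
    // Output encoding for anything reflected into HTML (quotes included).
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf'] ?? null)) { http_response_code(403); exit('bad token'); }
    $thread = positive_int($_POST['thread'] ?? '');
    $body   = trim((string)($_POST['body'] ?? ''));
    $author = (int)($_SESSION['user_id'] ?? 0); // assumes login stored the user id
    if ($thread === null || $body === '' || strlen($body) > 10000 || $author < 1) {
        http_response_code(400); exit('bad input');
    }
    $db   = new mysqli('localhost', 'user', 'pass', 'forum'); // placeholder credentials
    $stmt = $db->prepare('INSERT INTO posts (thread_id, body, author_id) VALUES (?, ?, ?)');
    $stmt->bind_param('isi', $thread, $body, $author); // values never enter the SQL text
    $stmt->execute();
    header('Location: thread.php?id=' . $thread);      // redirect after POST, read via GET
    exit;
}
// GET: render the form; the hidden id was validated, the token is encoded on output.
$thread = positive_int($_GET['id'] ?? '') ?? 1;
?>
<form method="post" action="reply.php">
  <input type="hidden" name="csrf" value="<?= e(csrf_token()) ?>">
  <input type="hidden" name="thread" value="<?= $thread ?>">
  <textarea name="body"></textarea>
  <button type="submit">Reply</button>
</form>
```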