
secure methods for posting data from webpages

<<

BASHful

Newbie

Posts: 4

Joined: Thu Jan 27, 2011 7:02 pm

Post Wed Nov 16, 2011 1:08 pm

secure methods for posting data from webpages

I am attempting to construct a website and message board type system using PHP and MySQL. I am going to be coding most things by hand instead of using something like phpbb or other tools that build things for me. I am mainly doing this for my own education so I want to do things in the most "secure" and stable way possible.

What I am looking for is a pointer to best and secure methods for getting and sending data from the forms on the html pages to the web browser to the server, etc. I want any and all data that is visible in the address bar to be as discreet as possible. Of course, I would also like any sniffed data to also be discreet.

For example, I once built a very simple message board using Perl and SQL and I used the post method to post data and of course you can see a lot of the data in the address bar (someone could easily manipulate this and exploit my system). I know this is probably not the best method for doing things, but I don't really know what specific practices people have employed to get around those types of issues. I would assume that one practice is to make data values have obscure names, but I am not exactly sure about everything else which goes beyond this one point of information weakness.

I was studying reddit's posting system a little bit and I noticed that each post's title is also the name of the page's subdirectory in the address bar. For example, if the title was "This is funny", the URL would be reddit.com/r/funny/comments/mirzg/This_is_funny. I also noticed that the part "mirzg" seems to be different on every post and seemingly random. Actually I think it's something else now that I look at it, but moving on... Also on reddit, when you post a comment, the page doesn't even reload... data is handled differently (javascript I assume). Basically this impresses me because a lot of information seems hidden from the user and I want to learn how to do something similar in my own web-based data systems.

Note: I am not trying to hack reddit. I am just using them as an example of the security I am looking to achieve when posting web form data.

I am trying to realize the proper practice of separating jobs and balance of data handled by the various applications.
Last edited by BASHful on Wed Nov 16, 2011 1:14 pm, edited 1 time in total.
<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu Nov 17, 2011 1:17 am

Re: secure methods for posting data from webpages

Cue MaXe and mambru!

Sanitize user input, use SSL and read "The Tangled Web"? HD just said he was reading this http://nostarch.com/tangledweb.htm
<<

mambru

Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Thu Nov 17, 2011 11:00 am

Re: secure methods for posting data from webpages

BASHful wrote: What I am looking for is a pointer to best and secure methods for getting and sending data from the forms on the html pages to the web browser to the server, etc. I want any and all data that is visible in the address bar to be as discreet as possible. Of course, I would also like any sniffed data to also be discreet.

Then, just like cd1zz said, use SSL. Encryption will provide you all that.

BASHful wrote: I would assume that one practice is to make data values have obscure names

"Security through obscurity" is not advisable at all.

BASHful wrote: Basically this impresses me because a lot of information seems hidden from the user and I want to learn how to do something similar in my own web-based data systems.

You not being able to see something doesn't mean that it isn't there and somebody can't reach it.
<<

rance

Full Member

Posts: 212

Joined: Thu Jan 03, 2008 5:24 pm

Location: Earth

Post Thu Nov 17, 2011 12:19 pm

Re: secure methods for posting data from webpages

A couple caveats...

SSL will protect the client/server communication from being sniffed in flight, but will NOT protect against a man in the middle attack.

Regardless of if you are passing your parameters through the URL (GET) or in form fields (POST), these parameters can always be tampered with, since the client will always need to send these to the server. The request to the server can be captured in flight, modified, then forwarded. The onus is on the programmer to assure strong input filtering and output encoding.

You may want to look into disabling method-interchange so I can't "post" to your forms using GET requests (i.e. using the URI to pass parameters and values to the app).

It may behoove you to acquire a good book on PHP security.
Poking at security since 1986.  +++ATH
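
The points above about method interchange and parameter tampering, as an added example that is not part of the original thread: a hypothetical reply handler that accepts the action over POST only, refuses form fields passed in the URL, and validates every value server-side. The function name, the field names and the length limit are assumptions made for illustration.

```php
<?php
// Added example; handle_reply(), the "thread"/"text" fields and the 5000-byte
// limit are hypothetical. In a web script the call would be
// handle_reply($_SERVER['REQUEST_METHOD'], $_GET, $_POST).
function handle_reply(string $method, array $query, array $body): array
{
    // No method interchange: a state-changing action is accepted via POST only.
    if ($method !== 'POST') {
        return [405, 'Method Not Allowed'];
    }
    // Form fields smuggled into the URL of a POST are rejected, not merged in
    // (reading $_REQUEST would silently accept them).
    if (array_intersect_key($query, ['thread' => 1, 'text' => 1])) {
        return [400, 'Form fields must be sent in the request body'];
    }
    // The client controls every value, so validate type and range here.
    $thread = filter_var($body['thread'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($thread === false) {
        return [400, 'Invalid thread id'];
    }
    $text = $body['text'] ?? '';
    if (!is_string($text) || trim($text) === '' || strlen($text) > 5000) {
        return [400, 'Invalid message text'];
    }
    return [200, "Reply accepted for thread $thread"];
}

// Constructed requests: method, query-string parameters, body parameters.
$requests = [
    ['GET',  ['thread' => '7', 'text' => 'hi'], []],
    ['POST', ['thread' => '7'], ['text' => 'hi']],
    ['POST', [], ['thread' => '-1', 'text' => 'hi']],
    ['POST', [], ['thread' => ['7'], 'text' => 'hi']],
    ['POST', [], ['thread' => '7', 'text' => 'hi']],
];
foreach ($requests as [$method, $query, $body]) {
    [$status, $message] = handle_reply($method, $query, $body);
    echo "$method -> $status $message\n";
}
```

Only the last constructed request passes; the others are refused for the wrong method, a field in the URL, a negative id and an array where an integer is expected.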
<<

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Tue Nov 22, 2011 7:00 pm

Re: secure methods for posting data from webpages

BASHful wrote: I am attempting to construct a website and message board type system using PHP and MySQL. I am going to be coding most things by hand instead of using something like phpbb or other tools that build things for me. I am mainly doing this for my own education so I want to do things in the most "secure" and stable way possible.

If you're using phpbb, IPB, vBulletin or SMF as a base, then keep in mind that the core of these are often secure, while addons are not. This goes for phpbb and wordpress in particular, but not always. (Wordpress can be used for a variety of things, not just as a blog. I've seen it used as a CMS.)

BASHful wrote: What I am looking for is a pointer to best and secure methods for getting and sending data from the forms on the html pages to the web browser to the server, etc. I want any and all data that is visible in the address bar to be as discreet as possible. Of course, I would also like any sniffed data to also be discreet.

Use POST-requests where they should be used, and GET-requests where those should be used. (POST-requests are often used to send a lot of data, where GET-requests are used for calling different parts or functions of a site, e.g. forum.php?thread=1, this shouldn't be called via a POST-request.)

Use a real SSL certificate too, not a self-signed one.

Sanitize all user-input and -output. (This means encoding all HTML characters into their entities so e.g. quote becomes &quot; and ' becomes e.g., &#39; or &#039;) You can use htmlspecialchars($var, ENT_QUOTES) or htmlentities($var, ENT_QUOTES) to prevent XSS. For sanitizing mysql queries, use mysql_real_escape_string($var); properly and encapsulate user-input as it is otherwise useless.

You should also implement CSRF-tokens to prevent CSRF/XSRF/C-Surf attacks.

Article about XSS: http://www.xssed.com/article/31/The_Beg ... de_to_XSS/

BASHful wrote: For example, I once built a very simple message board using Perl and SQL and I used the post method to post data and of course you can see a lot of the data in the address bar (someone could easily manipulate this and exploit my system). I know this is probably not the best method for doing things, but I don't really know what specific practices people have employed to get around those types of issues. I would assume that one practice is to make data values have obscure names, but I am not exactly sure about everything else which goes beyond this one point of information weakness.


No matter how much data is being displayed in the address bar, it doesn't necessarily mean it is exploitable, nor a vulnerability nor a bug. If your code has no bugs, it's not exploitable most likely.

Look out for logical bugs such as e.g., sending -1 to a function that only allows positive integers as input.

Furthermore, disabling error output for mysql is good, but it doesn't prevent sql injection if user-input isn't sanitized correctly as hackers will simply just use blind sql injection methods, which is not error based but instead based on different output. (Therefore use mysql_real_escape_string(); )

BASHful wrote: I was studying reddit's posting system a little bit and I noticed that each post's title is also the name of the page's subdirectory in the address bar. For example, if the title was "This is funny", the URL would be reddit.com/r/funny/comments/mirzg/This_is_funny. I also noticed that the part "mirzg" seems to be different on every post and seemingly random. Actually I think it's something else now that I look at it, but moving on... Also on reddit, when you post a comment, the page doesn't even reload... data is handled differently (javascript I assume). Basically this impresses me because a lot of information seems hidden from the user and I want to learn how to do something similar in my own web-based data systems.


The first thing about "This is funny", that is often just a "SEO rewrite" to optimize it for Search engines but also humans. Mod_rewrite in apache is capable of this.  For example if you go here: http://forum.intern0t.net/web-hacking-w ... i-can.html

The "web-hacking-war-games" is a part of the section name, but if you would call the section name without the "rewrite" it would be something like forum.php?section=11 (pseudo name)

The "4438-can-you-cross-site-scripting-some-cases-i-can.html" part, if called directly could've been thread.php?id=4438, but this has also been rewritten and the actual extension is not html, it's php serving this page. (.html could've been anything.)

About the thing that the page doesn't reload, this is done with "ajax" and dynamically updated content. Just like twitter and facebook are as another example.

BASHful wrote: Note: I am not trying to hack reddit. I am just using them as an example of the security I am looking to achieve when posting web form data.

I am trying to realize the proper practice of separating jobs and balance of data handled by the various applications.



I know, but it's good you say it anyway  ;D
I'm an InterN0T'er
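
The checklist in the post above (entity-encode output, keep user input out of the SQL text, verify a CSRF token), as an added example that is not part of the original thread. It uses PDO prepared statements with an in-memory SQLite database in place of mysql_real_escape_string(), because the mysql_* functions were removed in PHP 7.0; the function names, the table and the submitted values are constructed for illustration.

```php
<?php
// Added example; csrf_token(), csrf_valid(), h() and the posts table are hypothetical.

// CSRF: one random token per session, compared in constant time.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_valid(array $session, $submitted): bool
{
    return is_string($submitted) && isset($session['csrf'])
        && hash_equals($session['csrf'], $submitted);
}

// Output encoding: entity-encode at the point where data enters HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Storage: bound parameters keep user input out of the SQL text entirely.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$session = [];                     // stands in for $_SESSION
$token   = csrf_token($session);   // would be sent as a hidden form field

// Constructed submission containing SQL metacharacters and HTML markup.
$form = ['csrf' => $token,
         'body' => "'); DROP TABLE posts; -- <script>alert(1)</script>"];

if (csrf_valid($session, $form['csrf'] ?? null)) {
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $form['body']]);
}
var_dump(csrf_valid($session, 'forged-value'));   // a request without the real token

foreach ($db->query('SELECT body FROM posts') as $row) {
    echo '<p>', h($row['body']), "</p>\n";        // stored as-is, encoded on output
}
```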
