BASHful wrote:I am attempting to construct a website and message board type system using PHP and MySQL. I am going to be coding most things by hand instead of using something like phpbb or other tools that build things for me. I am mainly doing this for my own education so I want to do things in the most "secure" and stable way possible.
If you're using phpbb, IPB, vBulletin or SMF as a base, then keep in mind that the core of these are often secure, while addons are not. This goes for phpbb and wordpress in particular, but not always. (Wordpress can be used for a variety of things, not just as a blog. I've seen it used as a CMS.)
BASHful wrote:What I am looking for is a pointer to best and secure methods for getting and sending data from the forms on the html pages to the web browser to the server, etc. I want any and all data that is visible in the address bar to be as discreet as possible. Of course, I would also like any sniffed data to also be discreet.
Use POST-requests where they should be used, and GET-requests where those should be used. (POST-requests are often used to send a lot of data, where GET-requests are used for calling different parts or functions of a site, e.g. forum.php?thread=1, this shouldn't be called via a POST-request.)
Use a real SSL certificate too, not a self-signed one.
Sanitize all user input and output. (This means encoding all HTML characters into their entities, so e.g. a double quote becomes &quot; and ' becomes e.g. &#039; or &#39;.) You can use htmlspecialchars($var, ENT_QUOTES) or htmlentities($var, ENT_QUOTES) to prevent XSS. For sanitizing MySQL queries, use mysql_real_escape_string($var); properly, and encapsulate the user input, as it is otherwise useless.
You should also implement CSRF-tokens to prevent CSRF/XSRF/C-Surf attacks.
Article about XSS: http://www.xssed.com/article/31/The_Beg ... de_to_XSS/
BASHful wrote:For example, I once built a very simple message board using Perl and SQL and I used the post method to post data and of course you can see a lot of the data in the address bar (someone could easily manipulate this and exploit my system). I know this is probably not the best method for doing things, but I don't really know what specific practices people have employed to get around those types of issues. I would assume that one practice is to make data values have obscure names, but I am not exactly sure about everything else which goes beyond this one point of information weakness.
No matter how much data is being displayed in the address bar, it doesn't necessarily mean it is exploitable, nor a vulnerability nor a bug. If your code has no bugs, it's not exploitable most likely.
Look out for logical bugs such as e.g., sending -1 to a function that only allows positive integers as input.
Furthermore, disabling error output for MySQL is good, but it doesn't prevent SQL injection if user input isn't sanitized correctly, as hackers will simply use blind SQL injection methods, which are not error based but instead based on different output. (Therefore use mysql_real_escape_string(); )
The first thing, about "This is funny": that is often just an "SEO rewrite" to optimize it for search engines but also humans. mod_rewrite in Apache is capable of this. For example, if you go here: http://forum.intern0t.net/web-hacking-w ... i-can.html
The "web-hacking-war-games" part is the section name, but if you called the section without the "rewrite" it would be something like forum.php?section=11 (pseudo name).
The "4438-can-you-cross-site-scripting-some-cases-i-can.html" part, if called directly, could've been thread.php?id=4438, but this has also been rewritten, and the actual extension is not html; it's PHP serving this page. (.html could've been anything.)
About the thing that the page doesn't reload, this is done with "ajax" and dynamically updated content. Just like twitter and facebook are as another example.
BASHful wrote:Note: I am not trying to hack reddit. I am just using them as an example of the security I am looking to achieve when posting web form data.
I am trying to realize the proper practice of separating jobs and balance of data handled by the various applications.
I know, but it's good you say it anyway.
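As an added example that is not part of the original post or of any code in this thread, here is how the advice above (POST for writes and GET for reads, validated integer ids, a CSRF token, output encoding with ENT_QUOTES, and keeping user data out of the SQL string) fits together in one PHP 7+ page. The table `posts(id, thread_id, author, body)`, the `thread.php` filename and the connection string are assumptions. One caveat on the escaping advice: `mysql_real_escape_string()` belongs to ext/mysql, which was removed in PHP 7, so the example uses PDO prepared statements, which separate data from SQL and need no manual escaping at all.

```php
<?php
// Added example, not from the original thread. Assumes PHP 7+, a MySQL table
// posts(id, thread_id, author, body), and that this file is served as thread.php.
declare(strict_types=1);

ini_set('display_errors', '0');   // never show DB errors to the browser
session_start();

// --- GET data: validate, don't just escape -----------------------------------
// thread.php?id=4438 style input: only positive integers are acceptable, which
// also rejects the "-1" class of logic bug mentioned in the post.
function threadIdFromQuery(array $query): ?int {
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// --- CSRF token: one random token per session, compared in constant time -----
function csrfToken(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrfValid(?string $submitted): bool {
    return is_string($submitted) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// --- Output encoding: HTML metacharacters, quotes included -------------------
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Database: parameterised queries instead of string escaping --------------
function insertPost(PDO $pdo, int $threadId, string $author, string $body): int {
    $stmt = $pdo->prepare(
        'INSERT INTO posts (thread_id, author, body) VALUES (:t, :a, :b)');
    $stmt->execute([':t' => $threadId, ':a' => $author, ':b' => $body]);
    return (int) $pdo->lastInsertId();
}
function postsForThread(PDO $pdo, int $threadId): array {
    $stmt = $pdo->prepare(
        'SELECT author, body FROM posts WHERE thread_id = ? ORDER BY id');
    $stmt->execute([$threadId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Request handling: POST for writes, GET for reads -------------------------
$pdo = new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'forum', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

$threadId = threadIdFromQuery($_GET);
if ($threadId === null) {
    http_response_code(400);
    exit('bad thread id');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    $author = trim((string) ($_POST['author'] ?? ''));
    $body   = trim((string) ($_POST['body'] ?? ''));
    if ($author === '' || $body === '' || strlen($author) > 40) {
        http_response_code(400);
        exit('missing or oversized fields');
    }
    insertPost($pdo, $threadId, $author, $body);
    // Redirect after POST so a browser reload does not resubmit the form.
    header('Location: thread.php?id=' . $threadId, true, 303);
    exit;
}

// GET: render the thread. Values are stored raw and encoded at output time.
foreach (postsForThread($pdo, $threadId) as $p) {
    echo '<p><b>' . h($p['author']) . '</b>: ' . h($p['body']) . "</p>\n";
}
echo '<form method="post" action="thread.php?id=' . $threadId . '">'
   . '<input type="hidden" name="csrf" value="' . h(csrfToken()) . '">'
   . '<input name="author"> <textarea name="body"></textarea>'
   . '<button>Post</button></form>';
```

Two details worth noticing: the thread id is echoed back into the form action without `h()` only because `threadIdFromQuery()` has already proven it is an integer, and the token is compared with `hash_equals()` rather than `==` so a wrong guess does not leak timing information about how many leading characters matched.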