Security

How to properly secure remote API calls over SSL from PHP code

Let's make something clear from the very start: JUST BECAUSE THERE IS https:// IN THE URL OF THE REMOTE SERVICE, IT DOES NOT MEAN THE CONNECTION IS SECURE! The https:// only means the client will negotiate TLS; unless the client also verifies the server's certificate chain and the name on the certificate, anyone who can redirect the traffic can present their own certificate and read or alter the API call.

I am sorry for the tone of this post, but I am enraged by how widespread this issue is online. If you ask why, I suggest a little experiment.

Steps to follow

  • Change your hosts file so that a name such as www.somedomain.com points to your development server
  • Create a self-signed certificate for that domain and set up an HTTPS virtual host that serves it on a local IP or alias
  • Put a test file at that URL
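The experiment ends with calling the test URL from PHP. The following is an added example, not code from the original post: it fetches the URL with the "disable verification so it works" client that much online sample code uses, and then with a client that verifies the certificate chain and the hostname. Against the self-signed host set up above, only the first call succeeds. TEST_URL and CA_BUNDLE are placeholders (the Debian/Ubuntu bundle path is an assumption); adjust them for your box.

```php
<?php
// Added example, not code from the original post. Fetches the test URL two
// ways: an insecure client and a verifying client. Against the self-signed
// host only the insecure call returns the body.

const TEST_URL  = 'https://www.somedomain.com/test.txt';
const CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt'; // assumed: Debian/Ubuntu system CA bundle

// Insecure client: talks to anything that answers on port 443, self-signed
// certificate or man-in-the-middle alike. The https:// in the URL buys nothing.
function fetch_insecure(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false, // skip chain validation
        CURLOPT_SSL_VERIFYHOST => 0,     // skip the hostname check
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    return ['ok' => $body !== false, 'error' => $err, 'body' => $body];
}

// Verifying client: chain checked against a known CA bundle, certificate name
// checked against the URL host, and only https allowed even if the server
// tries to redirect us elsewhere.
function fetch_verified(string $url, string $ca_bundle = CA_BUNDLE): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,   // 2 = name on the certificate must match the host; never use 1
        CURLOPT_CAINFO          => $ca_bundle,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $err   = curl_error($ch);
    curl_close($ch);
    return ['ok' => $body !== false, 'errno' => $errno, 'error' => $err, 'body' => $body];
}

// The same settings for the stream wrapper (file_get_contents and friends).
// PHP before 5.6 defaulted verify_peer to false, so always set it explicitly.
function fetch_verified_stream(string $url, string $ca_bundle = CA_BUNDLE)
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'cafile'            => $ca_bundle,
    ]]);
    return file_get_contents($url, false, $ctx); // string on success, false on failure
}

$r = fetch_insecure(TEST_URL);
printf("insecure client: %s\n", $r['ok'] ? 'got the body and did not complain' : 'failed: ' . $r['error']);
$r = fetch_verified(TEST_URL);
printf("verified client: %s\n", $r['ok'] ? 'got the body' : "rejected (curl errno {$r['errno']}): " . $r['error']);
```

If the verified client rejects your real, CA-signed API endpoint, the fix is to install or point CURLOPT_CAINFO at a current CA bundle, not to flip CURLOPT_SSL_VERIFYPEER back to false.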

How to check if you have PaX in your Linux kernel - address space randomization

I guess most people have heard of address space layout randomization and the Linux kernel patches that provide it. PaX is a project that has been running for years, and it is an excellent way to reduce the risk of buffer overflow exploitation on a Linux server. The great thing about it is that it makes the most common memory corruption exploits harder to pull off system-wide, rather than one application at a time.

A horrible PHP denial-of-service vulnerability fixed in 5.3.5 and 5.2.17

Please upgrade to PHP 5.3.5 or 5.2.17 (or later) as soon as possible; earlier versions have a flaw that exposes any website to the following DoS attack.

All you have to do is make a PHP interpreter older than 5.3.5 or 5.2.17 convert the string "2.2250738585072011e-308" to a numeric type: the conversion never returns, and the process spins at full CPU until it is killed. So if you have a form that accepts numbers which are then cast from strings to numeric values on the server side, you are probably affected, and an attacker only needs one request per worker process.
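A quick way to find out whether a given PHP binary is affected is to run the conversion under a deadline. The following is an added example, not code from the original post: it runs the cast in a child PHP process and reports the binary as vulnerable if the child is still running when the deadline passes. It assumes PHP 5.4 or later for the probe itself (PHP_BINARY) and takes the path of the binary to test as an optional first argument, so an old 5.2/5.3 build can be probed from a modern one. The hang only occurs on builds that do floating-point math on the x87 FPU (typically 32-bit builds), so a clean result on a 64-bit box says nothing about a 32-bit one.

```php
<?php
// Added example, not code from the original post: probe for the hang
// described above. The conversion runs in a child PHP process with a deadline,
// so an affected interpreter cannot take the probe down with it.

const TRIGGER = '2.2250738585072011e-308';

function php_hangs_on_float_cast(string $php_binary, int $timeout_sec = 5): bool
{
    // The child does nothing but the string-to-float conversion the post describes.
    $code = '$x = (float) "' . TRIGGER . '"; echo "done";';
    $cmd  = escapeshellarg($php_binary) . ' -n -r ' . escapeshellarg($code);

    $pipes = [];
    $proc  = proc_open($cmd, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException("could not start $php_binary");
    }
    stream_set_blocking($pipes[1], false);
    stream_set_blocking($pipes[2], false);

    $deadline = microtime(true) + $timeout_sec;
    while (microtime(true) < $deadline) {
        if (!proc_get_status($proc)['running']) {
            fclose($pipes[1]);
            fclose($pipes[2]);
            proc_close($proc);
            return false;                // the cast returned: not affected
        }
        usleep(100000);
    }
    proc_terminate($proc, 9);            // still spinning after the deadline
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return true;
}

$binary  = $argv[1] ?? PHP_BINARY;
$version = strtok((string) shell_exec(escapeshellarg($binary) . ' -n -v'), "\n");
$hangs   = php_hangs_on_float_cast($binary);
printf("%s (%s): %s\n", $binary, $version ?: 'unknown version',
    $hangs ? 'VULNERABLE: the conversion did not return' : 'not affected');
```

Input validation on the string (a regex on the form field) does not save you if the value is still cast afterwards, so treat the probe result as an upgrade decision, not as a reason to add a filter.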

Q: What is a rainbow table? A: The reason why salting matters

It's not a new thing that passwords have to be kept safe. Unfortunately you can't protect every part of every system, and you have to face the fact that some day your system may be hacked. Until recently it was considered safe enough to hash passwords with plain, unsalted MD5 or SHA1 and put the hashes in some relatively safe place.

Unfortunately times have changed :-)
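The following is an added example, not code from the original post, showing in working PHP why the unsalted scheme fails against a precomputed table and what the salted alternative looks like. The "table" is a toy lookup built from a constructed five-word list; a real rainbow table covers billions of candidates, but the lookup is the same single array access. The salted scheme uses PHP's built-in password_hash()/password_verify() (bcrypt, available since PHP 5.5), which generates a random per-user salt and stores it inside the returned string. Function names and the wordlist are mine.

```php
<?php
// Added example, not code from the original post: unsalted MD5 lookup versus
// salted bcrypt, using only PHP built-ins.

// Attacker side: a precomputed hash -> plaintext map. Building it costs one
// hash per candidate, once, and it then breaks every unsalted database.
function build_lookup_table(array $wordlist, string $algo = 'md5'): array
{
    $table = [];
    foreach ($wordlist as $candidate) {
        $table[hash($algo, $candidate)] = $candidate;
    }
    return $table;
}

// One array lookup per stolen hash.
function crack_with_table(string $stolen_hash, array $table): ?string
{
    return $table[$stolen_hash] ?? null;
}

// Legacy scheme from the era the post describes: one unsalted MD5 per user.
// Two users with the same password get the same hash, and the hash depends
// on nothing the attacker could not precompute.
function legacy_store(string $password): string
{
    return md5($password);
}

// Salted scheme: bcrypt with a random salt chosen by PHP for every call.
// The result embeds algorithm, cost and salt ("$2y$12$<22-char salt><31-char hash>"),
// so no table built in advance can be indexed by it, and the cost factor
// makes building one per salt expensive.
function modern_store(string $password, int $cost = 12): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function modern_verify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Constructed wordlist and two users who picked the same password.
$wordlist = ['password', 'letmein', 'qwerty', 'hunter2', 'sydney2010'];
$table    = build_lookup_table($wordlist);

$alice = legacy_store('hunter2');
$bob   = legacy_store('hunter2');
printf("legacy: alice == bob hash? %s\n", $alice === $bob ? 'yes' : 'no');
printf("legacy: table lookup for alice gives %s\n", crack_with_table($alice, $table) ?? 'nothing');

$alice = modern_store('hunter2');
$bob   = modern_store('hunter2');
printf("salted: alice == bob hash? %s\n", $alice === $bob ? 'yes' : 'no');
printf("salted: table lookup for alice gives %s\n", crack_with_table($alice, $table) ?? 'nothing');
printf("salted: verify correct password: %s\n", modern_verify('hunter2', $alice) ? 'ok' : 'fail');
printf("salted: verify wrong password:   %s\n", modern_verify('hunter3', $alice) ? 'ok' : 'fail');
```

Run it and the legacy pair come out identical and are recovered by the lookup, while the two bcrypt strings differ from each other and match nothing in the table, yet both still verify the right password. The salt is what kills the precomputation; the bcrypt cost factor is what makes per-user brute force slow, and you want both.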

HTTP response splitting and mail headers splitting attacks

There are two similar security issues, both taken care of by the Suhosin patch and by strict escaping/encoding rules. They both relate to injecting newlines into the headers of text-based network protocols. They are not very well known, and I think they are worth mentioning.

HTTP response splitting is a web-based attack where the attacker tricks the server into emitting newlines into the response headers, followed by arbitrary content. If you put GET/POST parameters into headers such as Set-Cookie or Location, someone can supply a value containing CR/LF followed by an XSS payload, and the browser treats what follows the blank line as a second, attacker-written response.

A common example is a server redirecting to a new location based on a request variable (such as url). To do it safely, always validate, encode or cast strings before passing them to PHP's header() function, and for redirects prefer to accept only site-relative paths or allow-listed hosts rather than an arbitrary URL.
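What the injected value looks like and how the two header sinks are hardened, as an added example that is not code from the original post. The payload is a constructed string; the vulnerable line is shown commented out; safe_location() accepts only site-relative paths or allow-listed hosts, and mail_header_value() plus FILTER_VALIDATE_EMAIL guard the mail() headers. Current PHP versions refuse a header() argument that contains a newline, but that is a backstop, not a substitute for validating the value.

```php
<?php
// Added example, not code from the original post: header injection payload
// and the checks that stop it for header() and mail().

// Constructed attacker value for the "url" parameter, after URL-decoding.
// The first CRLF ends the Location header, the blank line ends the headers,
// and the rest is a second response with the attacker's script in it.
$payload = "/home\r\nContent-Length: 0\r\n\r\nHTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<script>alert(1)</script>";

// Vulnerable pattern (do not do this):
// header('Location: ' . $_GET['url']);

// Return a redirect target that is safe to put in a Location header, or null.
function safe_location(string $target, array $allowed_hosts): ?string
{
    if (preg_match('/[\r\n\0]/', $target)) {
        return null;                         // header injection attempt
    }
    if (preg_match('#^/(?!/)#', $target)) {
        return $target;                      // site-relative path, stays on this host
    }
    $p = parse_url($target);
    if ($p !== false && isset($p['scheme'], $p['host'])
        && in_array(strtolower($p['scheme']), ['http', 'https'], true)
        && in_array(strtolower($p['host']), $allowed_hosts, true)) {
        return $target;                      // absolute URL to a host we trust
    }
    return null;
}

function redirect_or_home(string $target, array $allowed_hosts = []): void
{
    header('Location: ' . ($tgt = safe_location($target, $allowed_hosts) ?? '/'), true, 302);
    exit;
}

// Same rule for mail(): a From/Reply-To built from a form field otherwise lets
// the attacker append Bcc:, extra recipients, or a whole second message.
function mail_header_value(string $v): string
{
    if (preg_match('/[\r\n\0]/', $v)) {
        throw new InvalidArgumentException('newline in mail header value');
    }
    return $v;
}

function send_contact_mail(string $to, string $subject, string $body, string $reply_to): bool
{
    $reply_to = filter_var($reply_to, FILTER_VALIDATE_EMAIL); // false for anything with CR/LF, spaces or commas
    if ($reply_to === false) {
        return false;
    }
    $headers = 'From: noreply@www.somedomain.com' . "\r\n"   // assumed sender address
             . 'Reply-To: ' . mail_header_value($reply_to) . "\r\n";
    return mail($to, mail_header_value($subject), $body, $headers);
}

$allowed = ['www.somedomain.com'];
foreach ([$payload, '/account', '//evil.example/x', 'https://evil.example/', 'https://www.somedomain.com/x'] as $t) {
    printf("%-40s -> %s\n", addcslashes(substr($t, 0, 40), "\r\n"), safe_location($t, $allowed) ?? 'REJECTED');
}
printf("reply-to with injected Bcc: %s\n", filter_var("a@b.example\r\nBcc: x@y.example", FILTER_VALIDATE_EMAIL) === false ? 'REJECTED' : 'accepted');
```

The protocol-relative form //evil.example/x is why the site-relative check is /(?!/) rather than a bare leading slash: browsers treat a double slash as a new host.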

Where can an XSS injection occur on your page - different scopes need different escaping

XSS can be caused by inserting pieces of HTML or JavaScript into different places of the page (element text, attribute values, inline scripts, inline styles) or into the CSS/JS files it loads, and each of those contexts has its own rules for what counts as a delimiter.

To prevent XSS you have to escape every string coming from GET/POST/COOKIE before you output it, using the escaping rule for the context it lands in. Escape data from other sources as well, since it may carry an XSS payload (for example, don't include posts from an RSS feed without escaping them properly).

Type of XSS attack where you inject JS into the links on the page

Some websites validate some bits and pieces but miss others, assuming the user will not pass anything strange there.

The French OS Con website is an example of that XSS security risk.
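One escaper per output context, covering both the "different scopes need different escaping" post above and the injected-link case: as an added example that is not code from the original post, the functions below encode a value for HTML text and attributes, for a JavaScript string inside a script block, for a query-string parameter, and for a CSS value, and show why a link target cannot be escaped at all and has to be allow-listed by scheme. Function names are mine; e_css() assumes the mbstring extension for mb_ord(); the attacker strings are constructed.

```php
<?php
// Added example, not code from the original post: context-specific output
// escaping in PHP. htmlspecialchars() is only right for HTML text and quoted
// attribute values; the other contexts need their own encoding.

// 1. HTML element content and quoted attribute values.
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 2. A value embedded in a <script> block as a JS string literal. The HEX
//    flags keep </script>, quotes and & out of the output, so the value can
//    neither close the script block nor break out of the literal.
function e_js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
}

// 3. A value placed in a URL query string. If the URL then lands in an
//    attribute it is additionally HTML-escaped (two layers, applied inside out).
function e_url_param(string $s): string
{
    return rawurlencode($s);
}

// 4. A whole URL used as href/src/action. Escaping cannot help: "javascript:alert(1)"
//    contains nothing an HTML escaper would touch. Allow-list the scheme instead.
//    Browsers drop tab/newline anywhere and leading control characters before
//    reading the scheme, so normalise the same way before checking.
function safe_href(string $url): string
{
    $url = ltrim(preg_replace('/[\t\r\n]/', '', $url), "\x00..\x20");
    if (preg_match('#^(https?://|/(?!/))#i', $url)) {
        return e_html($url);                 // absolute http(s) or site-relative path
    }
    return '#';                              // javascript:, data:, vbscript:, //host ... refused
}

// 5. A value inside a CSS declaration (inline style attribute or a generated
//    stylesheet). CSS hex escapes: \<hex code point><space>, for every character
//    that is not [A-Za-z0-9].
function e_css(string $s): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        return sprintf('\\%X ', mb_ord($m[0], 'UTF-8'));
    }, $s);
}

// Constructed attacker input and link, rendered into each context.
$input = '"><script>alert(1)</script>';
$link  = " java\tscript:alert(document.cookie)";

echo '<p>' . e_html($input) . "</p>\n";
echo '<input name="q" value="' . e_html($input) . "\">\n";
echo '<script>var q = ' . e_js($input) . ";</script>\n";
echo '<a href="/search?q=' . e_html(e_url_param($input)) . "\">search again</a>\n";
echo '<a href="' . safe_href($link) . "\">profile</a>\n";
echo '<a href="' . safe_href('https://www.somedomain.com/u/1') . "\">profile</a>\n";
echo '<div style="font-family: ' . e_css($input) . "\">text</div>\n";
```

The link case is the one the post title calls out: the site escaped the text but not the target, and a javascript: URL survives htmlspecialchars() untouched, which is why safe_href() checks the scheme instead of escaping.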

Locating the simplest XSS vulnerabilities

The simplest way to find an XSS hole is to look for forms and AJAX calls whose request parameters are printed back on the returned page.

Here is a simple example that took five minutes to find. Go to the website you want to verify and look for forms and their action URLs.

This example shows UCD website XSS vulnerability (possible in 2010).

This sample shows how to locate XSS flaws; do not try to hack sites this way.
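The "parameter printed back on the page" check from the post above, automated for your own site, as an added example that is not code from the original post. A canary containing the characters an HTML escaper must touch is sent in every parameter, and the response is searched for the canary raw, HTML-escaped, or with some characters filtered. The HTTP fetch is passed in as a callable so the function can be exercised offline against the constructed page below; for a real run, pass a callable that fetches the URL with curl and point it only at an application you are authorised to test.

```php
<?php
// Added example, not code from the original post: reflected-parameter check.

function canary_for(string $param): string
{
    // Per-parameter marker so we know which one reflected, followed by the
    // characters any HTML escaper must change.
    return 'xss' . substr(md5($param), 0, 6) . '<>"\'&';
}

// $fetch: callable(string $url): string, returning the response body.
function find_reflections(string $base_url, array $param_names, callable $fetch): array
{
    $canaries = [];
    foreach ($param_names as $p) {
        $canaries[$p] = canary_for($p);
    }
    $url  = $base_url . (strpos($base_url, '?') === false ? '?' : '&') . http_build_query($canaries);
    $body = $fetch($url);

    $report = [];
    foreach ($canaries as $p => $c) {
        if (strpos($body, $c) !== false) {
            $report[$p] = 'reflected raw';                      // the case to look at
        } elseif (strpos($body, htmlspecialchars($c, ENT_QUOTES)) !== false) {
            $report[$p] = 'reflected HTML-escaped';             // fine in text/attribute context
        } elseif (strpos($body, substr($c, 0, 9)) !== false) {
            $report[$p] = 'reflected, some characters filtered'; // check exactly what survived
        } else {
            $report[$p] = 'not reflected';
        }
    }
    return $report;
}

// Constructed stand-in for a search page: echoes q unescaped, escapes name,
// strips angle brackets from page, ignores lang. Replace with a real fetch.
$fake_server = function (string $url): string {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    return '<html><body>'
        . '<h1>Results for ' . ($q['q'] ?? '') . '</h1>'
        . '<input name="name" value="' . htmlspecialchars($q['name'] ?? '', ENT_QUOTES) . '">'
        . '<p>Page: ' . str_replace(['<', '>'], '', $q['page'] ?? '') . '</p>'
        . '</body></html>';
};

$report = find_reflections('https://www.somedomain.com/search', ['q', 'name', 'page', 'lang'], $fake_server);
foreach ($report as $param => $verdict) {
    printf("%-5s %s\n", $param, $verdict);
}
```

A "reflected raw" verdict is a lead, not proof: the value may land inside a script block or an attribute where a different delimiter matters, so the next step is reading the surrounding HTML for that parameter.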

Review - CISSP Exam Guide Fourth Edition - chapters 8-11 and summary

This post is my final look at the nearly 1200-page CISSP book.

In the end I think it was not a total waste of time, as I really liked the physical security chapter, and the chapter about cryptography was not that bad either. Maybe it was not that bad as a refresher. But was it really worth it?

I would definitely not recommend it, as I can't see who would really benefit from it: it is neither senior nor junior, does not explain things well, nor does it provide deep insights. It is just a too long, poorly written book, in my opinion.

XSS attack within CSS file or injected into page inline style

There is a little-known method of injecting JavaScript through CSS files. It does not work in all browsers (it works in my latest IE8), but it is an important fact to know.


About the author

Artur Ejsmont

Hi, my name is Artur Ejsmont; welcome to my blog. I am a passionate software engineer living in Sydney and working for Yahoo!

Web Scalability for Startup Engineers

If you are into technology, you can order my book Web Scalability for Startup Engineers on Amazon. I would love to hear what your thoughts are, so please feel free to drop me a line or leave a comment.
