December 4, 2015

How to know if a page loaded via iframe is within sandbox?

Layke’s Question:

I’m trying to detect if a page is loaded via a sandboxed iframe. Is this possible?

For example, we provide custom embeddable widgets, and some people think they are being smart by sandboxing them in their iframe, but this breaks certain things, such as window.top.location.

Obviously, they could enable the features we need, but ideally, I should be able to just do something like:

"sandbox" in window.top

I have also tried doing

try {
    // do something that would not work if within sandbox
} catch(e) {

}

But this doesn’t work because it’s a browser security error, and not related to JavaScript.

JSFiddle actually sandboxes its iframes to prevent window.top.location navigation, so this would be a good example to show you.
If you look at this example here:

http://jsfiddle.net/mwsb8geL/show/

You can see the error when you press the Instant Book Online button.


A project, sandblaster, can help you detect if you are running sandboxed.

Inside the iframe where you are testing whether it is sandboxed, open up your script tag and paste the contents of https://raw.githubusercontent.com/JamesMGreene/sandblaster/master/dist/sandblaster.js. This is due to the security issue.

After this, it’s as simple as the following.

var result = sandblaster.detect();
if(result.sandboxed === true) {
    //sandboxed
}

Here is a demo I made for another answer, but it shows that the solution works.

September 28, 2012

Difference between typing and pasting in a field

Question by Ferenc Dajka

If I use XSS, what’s the difference between typing in ALERT(‘DSSA’); or just pasting it into a search text field? On a site, typing works and makes the alert, but if I just paste it, then it doesn’t. To pre-empt the question, I don’t want to hack any site; I’m just interested in network security.

Thanks for the answer.

Answer by Starx

I may not have understood the question properly.

Typing triggers keyUp, keyDown and keyPress events on the element. If the code is programmed to capture only those, then only those events will be captured.

Pasting can be done using the keyboard, the mouse and browser options. So this depends on which events you are listening to. There is a separate event called onpaste which will ease everything.

What I mean is, let’s say my code is written to capture pasting by pressing “Ctrl” + “V” only; if the mouse or browser options are used to paste on the element, then unless it is also configured to capture mouse events, it cannot be captured.

September 21, 2012

PHP backend / frontend security

Question by William Yang

Hello all,

While taking my time in the bath I thought of something interesting. In PHP, how do you tell if a user’s submitted form is valid and not fraud (i.e. some other form on some other site with action=”http://mysite.com/sendData.php”)? Because really, anyone can create a form that will try to send and match $_POST variables in the real backend. How can I make sure that that script is legit (from my site and only my site) so I don’t have some sort of cloning-site data-steal thing going on?

I have some ideas but am not sure where to start:

  • Generate a one-time key and store in hidden input field
  • Attempt (however possible) to grab the url on which the form is located (probably not possible)
  • Using some really complicated PHP goodies to determine where the data is sent (possible)

Any ideas? Thanks all!

Answer by Nathan Sire

Most of these attempts from hackers will be made with curl. It’s easy to change the referring agent with curl. You can even set cookies with curl. But spoofing md5-hashed keys with a private salt and storing it in session data will stop most average hackers and bots. Keeping the keys stored in a database will add authentication.

Answer by Starx

There are a few simple ways, like:

  • Checking $_SERVER['HTTP_REFERER'] to ensure your host was the referring script
  • Adding hashing keys in the forms and checking them with the server session variable stored.

But all the above can be manipulated and spoofed in some way. So, you can use CSRF Validations. Here is a very good article on this.

Other additional techniques I have encountered are:

  • Adding time limits to forms and ensuring they are submitted within that time.
  • On every interaction with the form, sending an AJAX request to validate and reactivate the form’s time limit.
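A way to implement the session-stored hashing key and time limit from this answer, as an added example (not code from the thread); it assumes session_start() has already been called, PHP 7.1 or later, and a form named 'contact' posting to sendData.php:

```php
<?php
// Added example, not code from the answers above: a per-form anti-CSRF token
// kept in the session, embedded as a hidden field and checked on submit,
// with the time limit the answer mentions. Assumes session_start() has run
// and PHP 7.1+ (random_bytes, hash_equals, nullable types).

const CSRF_MAX_AGE = 900; // seconds a form stays valid (constructed value)

// Issues a fresh token for the named form and records when it was issued.
function csrf_issue(string $form): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf'][$form] = ['token' => $token, 'issued' => time()];
    return $token;
}

// Hidden input to drop into the form's HTML: echo csrf_field('contact');
function csrf_field(string $form): string {
    $token = htmlspecialchars(csrf_issue($form), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// True only for an unexpired token matching the one issued for this form.
// The stored token is consumed on every attempt, so it is single-use
// whether or not the check passes.
function csrf_verify(string $form, ?string $submitted): bool {
    $record = $_SESSION['csrf'][$form] ?? null;
    unset($_SESSION['csrf'][$form]);
    if ($record === null || $submitted === null) {
        return false;
    }
    if (time() - $record['issued'] > CSRF_MAX_AGE) {
        return false; // outside the time window: stale or replayed form
    }
    // hash_equals compares in constant time, so the token is not leaked
    // byte by byte through response timing.
    return hash_equals($record['token'], $submitted);
}

// In sendData.php, before touching the rest of $_POST:
if (!csrf_verify('contact', $_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid or expired form token');
}
```

The Referer check listed in the answer is left out on purpose, since the answer itself notes it can be spoofed; the session-bound token is the check that holds.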

May 3, 2012

How to prevent the clientside user from changing arguments in an onClick function?

Question by user1113531

I just realized while testing an onClick function with Firebug that it would be really easy for a user to change the value of the arguments being passed. This could mess things up.

Is there any easy way to prevent this, especially when arguments need to be passed?

Answer by Quentin

It is impossible. The code is executing on the user’s computer. They are in control.

If they edit it and “mess it up”, then that is on their head.

If they edit it and it submits an HTTP request to your server, and your server allows (for instance) that request to delete data belonging to another user then the problem is that your server didn’t check that the user submitting the request had permission to delete that data before following through.

Answer by Starx

No, this simply can’t be done.

Once the script is loaded on the client’s machine, he can use/modify it as he wants.

April 17, 2012

Best practice for storing database password

Question by beshiros

I am developing a custom server application that will access a database. I need to decide where I will store the credentials (and the address) to that server.

A common solution is to put the credential in a config file. However, I do not want a compromised server to mean that the hacker has access to the DB (which is hosted on a separate server).

I could store the credentials in the environment, but that is just security through obscurity. Mr. Evil can just look in the environment to find it.

Someone suggested encryption. However, if I store the key in the executable, a quick de-compile (we are using Java) and I am still doomed.

I also want to avoid having to enter a passphrase every time I start the server.

Any suggestions? I feel like I’m missing something simple.

Thanks

Answer by T.J. Crowder

I don’t think you’re missing something simple. Either the server in question can connect to the database without your help, in which case it has to have the credentials; or it cannot connect without your supplying them. You can take various steps like the ones you’ve listed to make it harder for a compromised server to reveal the credentials to the database, but at the end of the day, if it has to have those credentials and supply them to the DB server to connect, they’ll have to be stored on it somewhere — or at least, it will have to have some means of getting them, and so will be hackable in that sense.

Your best bet is to focus on finding out about intrusions (compromised servers) as quickly as possible, keeping good off-site, off-line backups for the worst case, putting up lots of barriers to intrusion in the first place, etc.

Answer by Starx

I am sharing the way I solved this.

  • Build an API to query the authentication details from a foreign domain.
  • Use a public key and private key to read the details.

But, honestly, the only thing this did was overcomplicate simple things. After that, I created several users in the database, with different privileges.

Like

  • guest can only SELECT
  • mod can only CREATE, INSERT, UPDATE, DELETE

etc., and switched the user whenever authenticated users appeared.

With the combination of users and sessions, I have been able to escape the threats so far. But of course the code vulnerabilities have to be tested thoroughly.

April 9, 2012

How Remember Me works with Restful Web Service

Question by yogesh prajapati

I am working in Java, RESTful Web Services on the server side and JSP, JavaScript on the client side.

I want to know how Remember Me works.

I have been analysing so many sites, and the one thing I am getting is that they don’t use a cookie for this purpose.

Answer by Starx

Remember Me works with cookies. You don’t need to use REST for this.

Check this answer from Balcus to see how.

March 19, 2012

Using variables to check if certain things are allowed

Question by Marshall Mathews

I was thinking of implementing features for turning on and off certain things on my website, like registering and logging off.
I could include a file with variables like so:

<?php
$upload = 1;
$register = 1;
?>

And then, in say my register.php file, I could do a check like so:

if ($register == 1) {
    // Show form
} else {
    echo "Registration is disabled";
}

I was wondering if this would be a security issue, as I read somewhere that stuff can be suffixed to the URL to bring the same effect.
Like so:

register.php?register=1

But that does not work if register_globals is turned off. Is this much of a security issue?

Answer by Starx

NO

register.php?register=1 will only be accessible from $_GET['register'], unless you’re using an older version of PHP with register_globals turned on (thanks Lex).

If you are configuring some features on the server, I suggest you use sessions instead.

$_SESSION['upload'] = 1;
$_SESSION['register'] = 1;

Unlike constants, they can be changed if some criterion is met.

And register_globals is removed as of PHP 5.4.0, so don’t use that.

March 5, 2012

Is using a for-loop on submitted POST data in PHP safe?

Question by ACobbs

I’m always a worry-wart about security in my PHP applications, and I just (potentially) thought of a way a hacker could kill my script. Currently my application takes form data and submits it as an array to a PHP script via AJAX, then loops through this array.

foreach($_POST['form_data'] as $field => $value){
   //Do something here.
}

However, what if a hacker were to forge an AJAX request, and repeatedly submit the ‘form_data’ array with 100000000000 random elements? The loop would have to iterate through each element, possibly causing a DoS (or at least slow down service), correct?

I’m not entirely educated here, so I may have some incorrect assumptions. Thanks for any input!

Answer by NikiC

This will not be an issue: PHP limits the maximum number of POST vars using the max_input_vars directive, which defaults to 1000 variables.

This limit is actually enforced to prevent a much more serious type of DOS attack than the one you are thinking about (really, iterating a few thousand array elements is like nothing), namely hash table collision based attacks (often referred to as HashDOS). For more info on that issue see my article Supercolliding a PHP array.

Answer by Starx

Yes, of course the hacker might send all that data, and it would definitely be unwise to iterate through it all. It could do many unexpected things.

I would suggest you trim down your application to only those values which are accepted. What you are doing now is taking all the values from form_data.

Instead of this, you should know what values to expect. It could be something like name, address, phone; only iterate through such known values.

Thus, the problem that might occur will be reduced but not completely blocked. With an additional size check, like Pekka suggested, you will trim down the risk even more.
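The known-fields approach with the size check, as an added example rather than code from the thread; the field names name, address and phone are taken from the answer, and the length limit is a constructed value:

```php
<?php
// Added example, not code from the answers above: accept only the fields
// the form is known to contain and refuse oversized submissions before
// looping, as the answer suggests. Field names and limits are constructed.

const EXPECTED_FIELDS = ['name', 'address', 'phone'];
const MAX_FIELD_LENGTH = 200;

// Returns the accepted fields, or null when the submission is rejected.
function filter_form_data($formData): ?array {
    if (!is_array($formData)) {
        return null;
    }
    // Bound the work up front: more keys than the form has means something
    // other than our form built this request (PHP's max_input_vars, default
    // 1000, already caps the total, but this is far tighter).
    if (count($formData) > count(EXPECTED_FIELDS)) {
        return null;
    }
    $clean = [];
    foreach (EXPECTED_FIELDS as $field) {
        if (!array_key_exists($field, $formData)) {
            continue; // optional field absent; treat required ones as errors if needed
        }
        $value = $formData[$field];
        // Reject nested arrays and oversized strings instead of iterating them.
        if (!is_string($value) || strlen($value) > MAX_FIELD_LENGTH) {
            return null;
        }
        $clean[$field] = $value;
    }
    return $clean;
}

$fields = filter_form_data($_POST['form_data'] ?? null);
if ($fields === null) {
    http_response_code(400);
    exit('Bad request');
}
foreach ($fields as $field => $value) {
    // Do something here: at most count(EXPECTED_FIELDS) iterations.
}
```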

March 2, 2012

Am I protected from MySQL injection when I am using $this->data?

Question by huzzah

I am new to cakephp and security. I have read that security is built in for protection from MySQL injection if you follow cake’s conventions, but can someone tell me if my save() will be safe without manually calling the Security class?

function edit($id) {
    $this->set('title', 'Edit your property');
    $this->Unit->id = $id;
    if (empty($this->data)) {
        $this->data = $this->Unit->read();
    } else {
        if ($this->Unit->saveAll($this->data)) {
            $this->Session->setFlash('Your property has been updated.');
        }
    }
}

Answer by Achamenes

CakePHP will quote the data for you. Unless you are using a method similar to:

$this_year = date('Y-m-d h:i:s', strtotime('-1 year'));

$this->Baker->updateAll(
    array('Baker.approved' => true),
    array('Baker.created <=' => $this_year)
);

which takes SQL literals, you are safe and must not quote the data yourself to avoid getting the quotes in the data. Source: http://book.cakephp.org/2.0/en/models/saving-your-data.html

Answer by Starx

I will say no, as your parameter is not specialised or sanitized anywhere. Something like this would limit the risk:

function edit($id) {
    // Cast the id to an integer and check that it is positive
    if ((int)$id > 0) {
        // hence the injection vulnerability at $id is fixed
        //....remaining part
    }
}

February 29, 2012

Prevent hotlinking to files using hashes?

Question by Andrew Butler

I am looking to have my files on my PHP site like so

http://mysite.com/files/file.exe?auth=qwe1245efmkrkn%$!e12 <– some generated hash…

I haven’t written any code, but I was wondering how I would implement the auth variable for a direct link to a file.. any ideas? Thanks!

Answer by Starx

You can do this better with .htaccess:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Copy and paste this code, name the file .htaccess and save it in the root.

As Gumbo mentioned, it’s true that some browsers do not send any request header, and forging a request is very easy unless you apply CSRF protection on your website.
So here is an updated .htaccess to allow this:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com/ [NC]
# Redirect to an image, but never the placeholder itself, or the rule would loop
RewriteCond %{REQUEST_URI} !hotlink\.(gif|png) [NC]
RewriteRule .*\.(gif|jpg|png)$ http://yourdomain.com/images/hotlink.png [NC,L]

and adding

Header set X-Frame-Options DENY

prevents the website from being framed, even from the same website. It might be a little helpful against CSRF.

An alternative to this might be redirecting an image request to a page that handles it.
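One way to implement the auth parameter the question asks for, as an added example (not code from the answer): an HMAC over the file name and an expiry time, checked with a constant-time comparison. It assumes PHP 7.1+, a rewrite rule mapping /files/<name> to download.php?file=<name>, and placeholder values for the secret and lifetime.

```php
<?php
// Added example, not code from the answer above: an expiring HMAC-signed
// auth value for http://mysite.com/files/file.exe?auth=..., answering the
// question's request for a way to generate and check the token in PHP.
// The secret and lifetime are constructed placeholders; keep the real
// secret out of the web root. Assumes PHP 7.1+.

const DOWNLOAD_SECRET = 'replace-with-a-long-random-secret';
const LINK_LIFETIME = 3600; // seconds a generated link stays valid

// Builds a link whose auth value binds the file name to an expiry time, so
// the value cannot be reused for another file or after it expires.
function signed_file_url(string $file): string {
    $expires = time() + LINK_LIFETIME;
    $mac = hash_hmac('sha256', $file . '|' . $expires, DOWNLOAD_SECRET);
    return 'http://mysite.com/files/' . rawurlencode($file)
        . '?auth=' . $expires . '.' . $mac;
}

// Recomputes the MAC for the requested file and compares in constant time.
function verify_file_auth(string $file, $auth): bool {
    if (!is_string($auth) || !preg_match('/^(\d+)\.([0-9a-f]{64})$/', $auth, $m)) {
        return false; // malformed: never reaches the crypto check
    }
    $expires = $m[1];
    if ((int)$expires < time()) {
        return false; // expired: a copied hotlink stops working by itself
    }
    $expected = hash_hmac('sha256', $file . '|' . $expires, DOWNLOAD_SECRET);
    return hash_equals($expected, $m[2]);
}

// download.php, reached via: RewriteRule ^files/(.+)$ download.php?file=$1 [QSA,L]
// basename() keeps the request from escaping the files directory.
$file = basename($_GET['file'] ?? '');
if ($file === '' || !verify_file_auth($file, $_GET['auth'] ?? null)) {
    http_response_code(403);
    exit('Forbidden');
}
$path = __DIR__ . '/files/' . $file;
if (!is_file($path)) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $file . '"');
readfile($path);
```

Unlike the Referer rules above, this does not depend on a header the client controls: a link copied to another site simply stops working once it expires.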

...
