Afraid of what I don't know...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

me!
Forum Contributor
Posts: 133
Joined: Sat Nov 04, 2006 8:45 pm

Afraid of what I don't know...

Post by me! »

I have a project that has worked well for a company for years but now they want to expand it and offer it to other users. (the back end)

My concern is as more people know of something the more attractive to attacks it gets. All user input is validated and the entire site's configuration is password protected. My question is other than cross site scripting and malicious user input what should I be concerned about?

The other part that I am concerned about is the server must accept form data from telemetry units on Verizon's cell network like this:
[text]thesite.com/reportingpage.php?unitid=1236685&val_1=34&val_2=225 and so on...[/text]
I can send it all via https, but if someone figures out the fields they would be able to send data that will be logged as if it came from the unit with X id.
It can go POST also but same problem.

Suggestions?

Thanks
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Afraid of what I don't know...

Post by requinix »

There are many, many things that can go wrong so trying to list them would be impossible. But you can check out OWASP as a starting point.

For the telemetry, can you do IP address filtering according to Verizon's subnets? The problem is that everything else can be faked - the IP address can be too, actually, but it's more awkward to do.
me!
Forum Contributor
Posts: 133
Joined: Sat Nov 04, 2006 8:45 pm

Re: Afraid of what I don't know...

Post by me! »

Excellent idea. Each will have a static IP on our private network from Verizon, so yes validating by IP will work. I can also pair the ID and IP when we send out the unit and the chances of someone figuring out the IP and unit ID (non-sequential) are way low!
b03tz
Forum Newbie
Posts: 3
Joined: Wed May 11, 2016 3:14 pm

Re: Afraid of what I don't know...

Post by b03tz »

How about combining the IP with a simple randomized access token? You would generate one for each client that needs access.

Are the URLs hidden? Or publicly viewable? Because if it's the latter, tokens might not do the trick. But generally adding a simple &token=a3bgha133c31faff13f5 to your URL combined with an IP block should keep people out for a long while.

Other than that you should monitor your server and be aware of server-software level vulnerabilities as well. If you expose an app to the public those are all things to worry about.
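The two suggestions in this thread, filtering by the units' Verizon subnet with the unit ID paired to its static IP (requinix, me!) and a per-unit random token on top (b03tz), combined into one check for reportingpage.php. This is an added example, not code from any poster; the subnet, the unit IP and the registry contents are constructed placeholders.

```php
<?php
// Constructed placeholder for the units' private Verizon range; set the real subnet here.
const UNIT_SUBNET = '10.20.0.0/16';

// Constructed registry: unit id => static IP paired with the unit at shipping time
// plus a per-unit token (generate with bin2hex(random_bytes(16)) when provisioning).
const UNIT_REGISTRY = [
    '1236685' => ['ip' => '10.20.4.17', 'token' => 'a3bgha133c31faff13f5'],
];

function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = $bits === '0' ? 0 : (-1 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Returns the validated readings for the unit, or null when the request must be
// rejected. Pass $_SERVER['REMOTE_ADDR'], never X-Forwarded-For: headers are
// attacker-controlled, the TCP source address is not.
function authorize_report(string $remoteAddr, array $params): ?array
{
    if (!ip_in_cidr($remoteAddr, UNIT_SUBNET)) {
        return null;                                  // outside the units' network
    }
    $unit = UNIT_REGISTRY[(string)($params['unitid'] ?? '')] ?? null;
    if ($unit === null || $unit['ip'] !== $remoteAddr) {
        return null;                                  // unknown id, or id/IP pair mismatch
    }
    if (!hash_equals($unit['token'], (string)($params['token'] ?? ''))) {
        return null;                                  // constant-time token check
    }
    $readings = [];
    foreach ($params as $name => $value) {
        // Keep only val_N fields holding plain integers; drop everything else.
        if (preg_match('/^val_\d+$/', $name) && ctype_digit((string)$value)) {
            $readings[$name] = (int)$value;
        }
    }
    return $readings;
}

// Works the same for GET and POST: $readings = authorize_report($_SERVER['REMOTE_ADDR'], $_POST);
```

Log every null result with the source address and unit id; a burst of mismatched id/IP pairs or bad tokens from inside the subnet is the signal that someone has learned the field names.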