PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
PostPosted: Wed Jul 22, 2015 5:01 pm 
Forum Contributor

Joined: Sat Nov 04, 2006 9:45 pm
Posts: 133
I have a project that has worked well for a company for years but now they want to expand it and offer it to other users. (the back end)

My concern is that the more people know of something, the more attractive it gets to attacks. All user input is validated and the entire site's configuration is password protected. My question is: other than cross-site scripting and malicious user input, what should I be concerned about?

The other part that I am concerned about is the server must accept form data from telemetry units on Verizon's cell network like this:
thesite.com/reportingpage.php?unitid=1236685&val_1=34&val_2=225 and so on...

I can send it all via https, but if someone figures out the fields they would be able to send data that will be logged as if it came from the unit with X id.
It can go POST also but same problem.

Suggestions?

Thanks


PostPosted: Wed Jul 22, 2015 5:19 pm 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6441
Location: WA, USA
There are many, many things that can go wrong so trying to list them would be impossible. But you can check out OWASP as a starting point.

For the telemetry, can you do IP address filtering according to Verizon's subnets? The problem is that everything else can be faked - the IP address can be too, actually, but it's more awkward to do.


PostPosted: Wed Jul 22, 2015 7:15 pm 
Forum Contributor

Joined: Sat Nov 04, 2006 9:45 pm
Posts: 133
Excellent idea. Each will have a static IP on our private network from Verizon, so yes, validating by IP will work. I can also pair the ID and IP when we send out the unit, and the chances of someone figuring out the IP and unit ID (non-sequential) are way low!


PostPosted: Wed May 11, 2016 3:25 pm 
Forum Newbie

Joined: Wed May 11, 2016 3:14 pm
Posts: 3
How about combining the IP with a simple randomized access token? You would generate one for each client that needs access.

Are the URLs hidden? Or publicly viewable? Because if it's the latter, tokens might not do the trick. But generally adding a simple &token=a3bgha133c31faff13f5 to your URL combined with an IP block should keep people out for a long while.

Other than that, you should monitor your server and be aware of server-software level vulnerabilities as well. If you expose an app to the public, those are all things to worry about.

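As an added example, not code posted in this thread, here is what the scheme discussed in the last three posts (carrier subnet allowlist, a static IP paired with each unit id at provisioning, plus a per-unit random token) looks like as a reportingpage.php handler. The subnet 10.20.0.0/16, the unit IP, the token value and the UNITS table are placeholders standing in for whatever provisioning data the real site keeps; the storage call at the bottom is left as a comment because the thread says nothing about how reports are stored.

```php
<?php
// Added example for the thread above, not the site's own code.
// Accepts a telemetry report only if the request (1) comes from the carrier's
// private subnet, (2) comes from the static IP paired with the unit id when
// the unit was shipped, and (3) carries that unit's random token.
declare(strict_types=1);

// Hypothetical private-APN subnet(s); replace with the real ranges.
const ALLOWED_SUBNETS = ['10.20.0.0/16'];

// Hypothetical provisioning table: unit id => paired static IP and token.
// In production this is a database row; generate tokens with
// bin2hex(random_bytes(16)) at provisioning time, never by hand.
const UNITS = [
    '1236685' => ['ip' => '10.20.5.17', 'token' => 'c1b0d9e4f7a2884d5a6e3b1c9f0e2d77'],
];

/** True if IPv4 address $ip lies inside $cidr, e.g. "10.20.0.0/16". */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : -1 << (32 - $bits);   // high $bits bits set
    return ($ipLong & $mask) === ($netLong & $mask);
}

/**
 * Validate one report. $query is the decoded GET/POST data, $remoteIp the
 * TCP peer address. Returns ['ok' => bool, ...] rather than writing anything.
 */
function acceptReport(array $query, string $remoteIp): array
{
    // Reject before any lookup unless unitid is a plain positive integer.
    if (!isset($query['unitid'], $query['token'])
        || !preg_match('/^[1-9][0-9]{0,11}$/', (string) $query['unitid'])) {
        return ['ok' => false, 'reason' => 'missing or malformed unitid/token'];
    }
    $unitId = (string) $query['unitid'];

    // 1. Network check first: anything outside the carrier subnet is dropped
    //    without revealing whether the unit id exists.
    $inSubnet = false;
    foreach (ALLOWED_SUBNETS as $cidr) {
        if (ipInCidr($remoteIp, $cidr)) {
            $inSubnet = true;
            break;
        }
    }
    if (!$inSubnet) {
        return ['ok' => false, 'reason' => 'source not in carrier subnet'];
    }

    // 2. Unknown ids get a dummy record so the same comparisons run either way
    //    and response timing does not leak which ids are provisioned.
    $known = isset(UNITS[$unitId]);
    $unit  = UNITS[$unitId] ?? ['ip' => '0.0.0.0', 'token' => str_repeat('0', 32)];

    // 3. Paired static IP and 4. per-unit token, both compared in constant time.
    $ipOk    = hash_equals($unit['ip'], $remoteIp);
    $tokenOk = hash_equals($unit['token'], (string) $query['token']);
    if (!$known || !$ipOk || !$tokenOk) {
        return ['ok' => false, 'reason' => 'unit id, source IP and token do not match'];
    }

    // 5. Only now parse the telemetry, and only fields of the expected shape
    //    (val_1 .. val_999 with bounded integer values); everything else is ignored.
    $values = [];
    foreach ($query as $key => $raw) {
        if (preg_match('/^val_([1-9][0-9]{0,2})$/', (string) $key, $m)
            && preg_match('/^-?[0-9]{1,9}$/', (string) $raw)) {
            $values[(int) $m[1]] = (int) $raw;
        }
    }
    return ['ok' => true, 'unit' => $unitId, 'values' => $values];
}

// Entry point when served by the web server. REMOTE_ADDR is the TCP peer;
// X-Forwarded-For is client-controlled and must not be used here unless a
// trusted reverse proxy overwrites it.
if (PHP_SAPI !== 'cli') {
    $result = acceptReport($_GET, $_SERVER['REMOTE_ADDR'] ?? '');
    if (!$result['ok']) {
        http_response_code(403);
        error_log('telemetry rejected from ' . ($_SERVER['REMOTE_ADDR'] ?? '?') . ': ' . $result['reason']);
        exit;
    }
    // ... store $result['values'] for unit $result['unit'] here ...
    echo 'OK';
}
```

Two caveats the thread only touches on: a token in the query string ends up in web-server and proxy logs, so sending it in a POST body or an Authorization header (still over HTTPS) keeps it out of those; and because the check relies on REMOTE_ADDR, it only holds if the application is not sitting behind a reverse proxy or load balancer that makes every request appear to come from the proxy's address.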
 