Two Simple Security Concepts with Ajax/PHP
We wanted to review a couple of very basic security concepts, using a user management system as the example. First, each user will have a photo and other identifying information. This is sensitive data, so we want to take the best measures for security hardening. The photo will live in a folder, and that folder name should be an encrypted, URL-safe string, much like a Dropbox link with its jumble of numbers and letters. Once our hash is ready, that random string of characters becomes our folder name. Wow, all that just for the folder name, dude? You have to realize that every aspect of your application that is visible only opens you up to more vulnerabilities, and your job as a developer is to minimize them. If your folder names are 15, 16, 17, people can guess the next folder and potentially guess a file name inside it. Nobody should ever be able to guess a folder name.
Next, a high-level summary of how we get this done. We know our folders have to be hashed. Start with the primary IDs passed directly from the database, but make sure the ID is encrypted. A simple way is PHP's built-in md5, passing along your salt as well. During file upload you write to the md5( primary ID + salt ) folder path. Super simple, hey? With that said, you can run into issues with the generated file path not being URL safe, so wrap your function once more: urlencode( md5( primary ID + salt ) ). This ensures the result is safe to use as a file path in a web browser. OK, we made a folder, whoo!

Now, what about the rest of the page we can see? We can see AJAX requests firing in the console. We can see file paths and source code. Looking at the website strictly from port 80 or over SSL, the generated source code you view is where a story is told. You can tell whether this person is using a CMS. You can see all the requests made over AJAX and how their parameters are passed. You can see folder paths for images and paths for other scripts, and easily follow all the network requests backward. Simply stated: all visible data should be encrypted. For the next example, we will be passing an AJAX request during our photo upload to our new hashed file folder.
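As an added example (not code from the original post), here is how the folder name described above can be built in PHP and an uploaded photo stored under it. UPLOAD_ROOT, FOLDER_SALT, the form field name, the hex-name check and the HMAC variant are this example's own choices, not the post's. One thing worth knowing: md5() already returns 32 hex characters, so urlencode() does not change the result; it is kept here to match the post's construction.

```php
<?php
// Added example (not from the original post): build the hashed, URL-safe
// folder name the post describes and store an uploaded photo in it.
// Assumptions: UPLOAD_ROOT, FOLDER_SALT and the form field name "photo"
// are placeholders chosen for this example.

declare(strict_types=1);

const UPLOAD_ROOT = __DIR__ . '/uploads';                 // assumed storage root
const FOLDER_SALT = 'REPLACE_WITH_LONG_RANDOM_SECRET';    // placeholder; load from config, never commit

/**
 * The post's construction: urlencode(md5(primary ID + salt)).
 * md5() returns 32 lowercase hex characters, so urlencode() is a no-op
 * here; it is kept to match the post and to stay safe if the hash function
 * is ever swapped for one that emits non-URL-safe characters.
 */
function userFolderName(int $userId, string $salt): string
{
    return urlencode(md5($userId . $salt));
}

/**
 * Stronger variant of the same idea (this example's addition): a keyed
 * hash cannot be recomputed from sequential IDs without the key, whereas
 * md5 over a small ID space with a short salt can be brute-forced offline.
 */
function userFolderNameHmac(int $userId, string $key): string
{
    return hash_hmac('sha256', (string) $userId, $key);
}

/**
 * Resolve and create the per-user folder, refusing anything that is not a
 * bare hex name (defence in depth against path tricks if the name ever
 * originates from user input).
 */
function ensureUserFolder(int $userId): string
{
    $name = userFolderName($userId, FOLDER_SALT);
    if (!preg_match('/\A[0-9a-f]{32}\z/', $name)) {
        throw new RuntimeException('Unexpected folder name');
    }
    $path = UPLOAD_ROOT . '/' . $name;
    if (!is_dir($path) && !mkdir($path, 0750, true)) {
        throw new RuntimeException('Could not create upload folder');
    }
    return $path;
}

/**
 * Store an uploaded photo under a server-chosen filename. The client's
 * filename is never used on disk; the type is taken from the file content.
 */
function storeUploadedPhoto(int $userId, array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Only JPEG and PNG photos are accepted');
    }
    $dir  = ensureUserFolder($userId);
    $dest = $dir . '/photo.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not save photo');
    }
    return $dest;
}

// Usage: called from the upload handler once the session user is known.
// if (isset($_FILES['photo'])) {
//     $saved = storeUploadedPhoto((int) $_SESSION['user_id'], $_FILES['photo']);
// }
```

The folder name is derived from the session's own user ID, never from a value the browser sends, so the hashed path only hides the ID; the ownership decision still has to be made from the session, which the AJAX example below covers.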
This AJAX request will never serve any data unless the requester's PHP session data passes our permission checks. Say in this user manager you have to be logged in, and the ID you are trying to update must be yours. When we pass the data request, it is encrypted once again, as a four-dimensional array or JSON object; we will assume all the variables are created using PHP. Now, suppose your AJAX script has authenticated all the permissions. Think about it: knowing everything I know about the code, how can I hit this page and break it or hack it? Is this even possible? If you can simply pass a different ID and the command still executes, that AJAX call is a huge vulnerability. That is why you start with all passed data encrypted: your hacker will have a hard time without knowing your salt. And even if he did somehow get the salt, your system should have a second layer of security testing at the PHP session level.
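The session-level second layer described above, as an added example that is not code from the original post. It shows the vulnerable shape (the endpoint trusts the ID in the request) beside the hardened one (the ID must match the logged-in session). The request field name "id", the session key "user_id" and updatePhotoRecord() are this example's assumptions, not the post's.

```php
<?php
// Added example (not from the original post): session-level authorization
// for a JSON AJAX endpoint that updates a user's photo record.
// Assumptions: the request body carries an "id" field, the login handler
// stored the user's primary key in $_SESSION['user_id'], and
// updatePhotoRecord() stands in for the real database write.

declare(strict_types=1);

function jsonResponse(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
}

/**
 * The vulnerability the post warns about: the endpoint trusts the "id"
 * supplied by the client, so any caller can update any user's record
 * just by changing the number.
 */
function handleUpdateVulnerable(array $input): void
{
    $id = (int) ($input['id'] ?? 0);
    updatePhotoRecord($id, (string) ($input['photo'] ?? ''));   // no ownership check
    jsonResponse(200, ['ok' => true]);
}

/**
 * Hardened form: require an authenticated session, and require that the
 * ID being updated is the one bound to that session. The decision comes
 * from server-side session state, never from the client's request.
 */
function handleUpdateSecure(array $input, array $session): void
{
    if (empty($session['user_id'])) {
        jsonResponse(401, ['error' => 'login required']);
        return;
    }
    $requestedId = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT);
    if ($requestedId === false) {
        jsonResponse(400, ['error' => 'invalid id']);
        return;
    }
    if ($requestedId !== (int) $session['user_id']) {
        // Log the mismatch: a caller cycling through other users' IDs is
        // exactly the probing you want to see in your logs.
        error_log(sprintf('IDOR attempt: session user %d tried to update %d',
            (int) $session['user_id'], $requestedId));
        jsonResponse(403, ['error' => 'forbidden']);
        return;
    }
    updatePhotoRecord($requestedId, (string) ($input['photo'] ?? ''));
    jsonResponse(200, ['ok' => true]);
}

/** Placeholder for the real database write (assumed, not from the post). */
function updatePhotoRecord(int $userId, string $photoPath): void
{
    // e.g. a prepared statement: UPDATE users SET photo = ? WHERE id = ?
}

// Entry point for the AJAX call: accept only POST with a JSON body.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    session_start();
    $input = json_decode((string) file_get_contents('php://input'), true) ?? [];
    handleUpdateSecure($input, $_SESSION);
}
```

Note that hashing or encrypting the ID in transit, as the post suggests, does not replace this check: the hardened handler rejects a mismatched ID regardless of how it was encoded, so an attacker who learned the salt still gains nothing from this endpoint.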