PHP Developers Network
http://forums.devnetwork.net/

Afraid of what I don't know...
http://forums.devnetwork.net/viewtopic.php?f=34&t=141576
Page 1 of 1

Author:  me! [ Wed Jul 22, 2015 5:01 pm ]
Post subject:  Afraid of what I don't know...

I have a project that has worked well for a company for years but now they want to expand it and offer it to other users. (the back end)

My concern is that as more people know of something, the more attractive to attacks it gets. All user input is validated and the entire site's configuration is password protected. My question is: other than cross-site scripting and malicious user input, what should I be concerned about?

The other part that I am concerned about is the server must accept form data from telemetry units on Verizon's cell network like this:
thesite.com/reportingpage.php?unitid=1236685&val_1=34&val_2=225 and so on...

I can send it all via https, but if someone figures out the fields they would be able to send data that will be logged as if it came from the unit with X id.
It can go POST also but same problem.

Suggestions?

Thanks

Author:  requinix [ Wed Jul 22, 2015 5:19 pm ]
Post subject:  Re: Afraid of what I don't know...

There are many, many things that can go wrong, so trying to list them would be impossible. But you can check out as a starting point.

For the telemetry, can you do IP address filtering according to Verizon's subnets? The problem is that everything else can be faked - the IP address can be too, actually, but it's more awkward to do.

Author:  me! [ Wed Jul 22, 2015 7:15 pm ]
Post subject:  Re: Afraid of what I don't know...

Excellent idea. Each will have a static IP on our private network from Verizon, so yes, validating by IP will work. I can also pair the ID and IP when we send out the unit, and the chances of someone figuring out the IP and unit ID (non-sequential) are way low!

Author:  b03tz [ Wed May 11, 2016 3:25 pm ]
Post subject:  Re: Afraid of what I don't know...

How about combining the IP with a simple randomized access token? You would generate one for each client that needs access.

Are the URLs hidden or publicly viewable? Because if it's the latter, tokens might not do the trick. But generally adding a simple &token=a3bgha133c31faff13f5 to your URL, combined with an IP block, should keep people out for a long while.

Other than that, you should monitor your server and be aware of server-software-level vulnerabilities as well. If you expose an app to the public, those are all things to worry about.
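The checks the thread converges on (carrier subnet filtering, a fixed pairing of unit ID to its provisioned static IP, and a per-unit token compared in constant time), written up as an added example for reportingpage.php; this is not code from any poster. The unit table, the subnet and the token values are constructed placeholders.

```php
<?php
// Added example (not code from the thread): pair each unit ID with its provisioned
// static IP and a per-unit token. Table, subnet and tokens are constructed placeholders.
declare(strict_types=1);
// Constructed registry: unit id => provisioned static IP and access token
// (tokens would come from bin2hex(random_bytes(16)) at provisioning time).
const UNITS = [
    '1236685' => ['ip' => '10.20.30.40', 'token' => 'a3bgha133c31faff13f5'],
];
const ALLOWED_SUBNET = '10.20.0.0/16'; // placeholder for the carrier's private range
// True when IPv4 address $ip lies inside the $cidr block.
function ipInCidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) return false;
    $mask = ((int)$bits === 0) ? 0 : ((-1 << (32 - (int)$bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Returns null when the report may be logged, otherwise a short rejection reason.
function rejectReason(array $query, string $remoteIp): ?string {
    $unitId = is_string($query['unitid'] ?? null) ? $query['unitid'] : '';
    $token  = is_string($query['token'] ?? null) ? $query['token'] : '';
    if (!ipInCidr($remoteIp, ALLOWED_SUBNET)) return 'source outside carrier subnet';
    if (!isset(UNITS[$unitId]))               return 'unknown unit';
    if (UNITS[$unitId]['ip'] !== $remoteIp)   return 'ip/unit pairing mismatch';
    // hash_equals() runs in constant time, so response timing does not reveal
    // how many leading characters of a guessed token were right.
    if (!hash_equals(UNITS[$unitId]['token'], $token)) return 'bad token';
    foreach ($query as $key => $value) {  // val_N fields must be plain integers
        if (preg_match('/^val_\d+$/', (string)$key) && (!is_string($value) || !ctype_digit($value))) {
            return "non-numeric value in $key";
        }
    }
    return null;
}

// Entry point for reportingpage.php: REMOTE_ADDR is the TCP peer address,
// far harder to forge than anything carried in the query string.
if (PHP_SAPI !== 'cli') {
    $peer = $_SERVER['REMOTE_ADDR'] ?? '';
    if (($reason = rejectReason($_GET, $peer)) !== null) {
        error_log("telemetry rejected from $peer: $reason");
        http_response_code(403);
        exit;
    }
    // ... store the val_* fields for $_GET['unitid'] here ...
}
```

If the site sits behind a reverse proxy or load balancer, REMOTE_ADDR is the proxy's address, so the real peer must be taken from a header only that proxy is trusted to set. Rejections are logged with the reason so repeated mismatches from one address stand out when reviewing the server logs.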
