Category: Uncategorized

Today I had a phone call which went along the lines of ….

Prospect: Do you develop web applications?
Me: Yes… <cue sales pitch>
Prospect: I’ve got a great idea, it’s like eBay…. I need a programmer….
Me: <thinking: oh not another….>
Prospect: I think it’s about 2 developer months worth of work….
Me: Well, we’d need to see your requirements spec to determine that.
<snip>
Prospect: Would you be willing to do the work for free in return for a stake in the resultant venture? How much would it cost?
Me: Well, I’ve not seen any sort of requirements specification; I’ve no idea what’s involved….. Just how long is a piece of string?

I don’t quite understand why people think they’ll be able to create an eBay/Amazon/Google/whatever killer/competitor with minimal funding, a couple of months development and also persuade me to do the work for free on the outside chance they’re successful (that’s like a <5% chance). I might consider reducing the price of the development in return for a share in any resultant company – but I’m sure as not going to commit to anything before I’ve seen any sort of business plan.

Perhaps tomorrow I’ll get someone wanting a site “like Facebook” costing a few thousand pounds… ‘cos we do PHP just like them… and it can’t be hard can it?

A customer has a relatively busy web site, which contains lots of juicy information (business names, addresses, email address, phone numbers etc etc). Currently there is nothing in place to stop people spidering it – unless someone explicitly looks at the log files and does something.

Blocking annoying people who spider the site is easy enough –

iptables -I INPUT -s 80.x.x.x -j REJECT

However, I’d obviously rather automate this if possible – and ideally without having to change the PHP code (as each request would need perform some sort of DB lookup it’s part of a spidering attempt)

So, my first idea was to manipulate an existing rule I have to limit SSH connection attempts, giving something like :

iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 40 -j LOG --log-prefix "http spidering?" --log-ip-options --log-tcp-options --log-tcp-sequence --log-level 4

Annoyingly however, even though these are the first rules in the iptables output – and they should therefore work, they don’t – i.e. I’m not seeing anything being logged, when doing e.g. the following on a remote server :

while [ true ] ; do

wget -q -O - http://server.xyz/index.php

done

So, I’m still trying to avoid making changes to the code base – although doing so would produce the best user experience (namely we could display a captcha or something and if someone really can browse that quickly they’d not encounter any problems).

And as I’ve just found mod_evasive which claims to provide DoS and DDoS protection. Thankfully Jason Litka has packaged it – so I have no problems from an installation point of view 🙂 (yum install mod_evasive)

Installation on Debian doesn’t result in a config file – but it’s not difficult to create (see /usr/share/doc/mod_evasive). However, it’s not a shiney, sunny ending – mod_evasive appears to be “tripped” by people requesting images – and in my case the client has about 10-20 images per page; so it’s difficult to differentiate between a normal user loading a page or someone running httrack on the website and only requesting the “php page”. If only mod_evasive took a regexp to ignore/match… and I can’t seem to find anyway of fixing this.

So application logic it is :-/ Perhaps caching in APC may be the way forward ….

On Wednesday I was trying to buy train tickets for an upcoming trip to London.

So, I book the tickets, and get to point of being asked for my card details … tap tap tap … kapow … Up comes the Verified by Visa payment screen (in a stupid iframe [how do I know this isn’t a phishing site?]). Well, it displays my ‘username’ correctly – a terrificly hard to guess one of MRDAVIDGOODWIN… I enter my details and it keeps decling them. Hmm.. Fine… perhaps I’ve incorrectly stored the password – “oooh look – reset password…” *click* – “You want me to enter my date of birth… is that the ONLY security check you’re going to do? WTF??? ”

Grr.. Why do they bother….

See also http://www.lightbluetouchpaper.org/2010/01/26/how-online-card-security-fails/

Here’s the slides from the PHPWM talk I gave last week PHPWM Presentation – The Security Journey Begins ; thanks to DeanC on #phpwm for reminding me to upload them 🙂

The presentation focusses on security issues in web applications – specifically, PHP – although obviously other web facing languages face the same problems. It’s a very condensed version of what I normally give as a two day PHP security training course – so there are bits missing, and many things aren’t explained fully… and obviously the demonstration after the slides is missing 🙂

(250kb, PDF file… I think)