Preventing XSS Attacks


In my last post I explained what an XSS attack is; in this post I will explain how we can prevent such attacks.

Protecting a page against XSS should always be on your mind. The best approach is to write one function that escapes output and call it every time you print data, rather than re-typing the protection in each place. Fortunately these attacks are simple to prevent once you accept one rule: never trust that a user will always enter proper data. There are plenty of attackers and automated scanners online looking for a vulnerable site.

Every bit of data must be validated on input and escaped on output. This is the golden rule of preventing XSS.

To prevent attacks we apply three steps: data validation, data sanitization and output escaping. Validation and sanitization happen when the data comes in; escaping happens every time the data goes out.

Data Validation

It is the process of checking that data matches what you expect before you accept it. Every piece of input must be validated, and validation works best as an allow-list: describe exactly what valid input looks like and reject everything else, instead of trying to enumerate bad input.

Eg : When you validate a phone number you should only accept digits and reject letters or other characters. If you also want to allow some special characters like "plus", "brackets" or "dashes", because such characters are also an acceptable phone format, you can use a regular expression for the same.

<?php
// validates an Indian mobile number: optional +91 (with or without a dash) or a
// leading 0, followed by exactly ten digits. The pattern needs delimiters (/.../).
$phone = $_POST['phone'] ?? '';
if (preg_match('/^(\+91-?|0)?[0-9]{10}$/', $phone)) {
    echo htmlspecialchars($phone, ENT_QUOTES, 'UTF-8') . " is valid format.";
} else {
    echo "Invalid phone number.";
}

Data Sanitization

It is the process of cleaning up data by removing any unwanted bits. Sanitization changes the data, so use it only where you really want the stored value altered; it is not a substitute for escaping when you print the value.

Eg : You may want to remove all HTML markup from a comment before storing it.

<?php
// sanitize HTML from the comment: strip_tags() removes the tags but keeps the
// text between them, so the comment must still be escaped when it is printed
$comment = strip_tags($_POST["comment"] ?? '');

Output Escaping

When presenting data as output in a browser, the output must be escaped so the browser treats it as text and not as markup. This is the step that actually stops a script from running, so it has to happen every time, even for data you validated or sanitized earlier. The escaping depends on where the data lands: htmlspecialchars() is right for HTML body text and for quoted attribute values, but data placed inside a JavaScript block, a URL or a style needs the escaping for that context.

<?php
// escape output sent to the browser. ENT_QUOTES also converts single quotes
// (needed inside single-quoted attributes) and the charset must match the page.
echo "You searched for: " . htmlspecialchars($_GET["query"] ?? '', ENT_QUOTES, 'UTF-8');
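Putting the three steps together, here is an added example (not code from the original post) of a small set of escaping helpers, one per output context, and a handler that validates, sanitizes and escapes a constructed form submission. It goes a little beyond the post by showing separate escapers for a JavaScript string and a URL parameter alongside the HTML one. The function names, the field names (phone, name, comment) and the sample input are assumptions made for the illustration.

```php
<?php
// Added example, not code from the original post. Function names, the field
// names (phone, name, comment) and the sample submission are assumptions.
declare(strict_types=1);

// Escape for HTML body text and for *quoted* attribute values.
// ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of silently returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape for a value placed inside an inline <script> block. json_encode()
// produces a valid JS string literal, and the HEX flags also encode < > & ' "
// so a value containing "</script>" cannot close the block early.
function eJs(string $s): string
{
    $json = json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE
    );
    return $json === false ? '""' : $json; // never emit an unquoted fragment
}

// Escape for a single query-string parameter value in a URL.
function eUrlParam(string $s): string
{
    return rawurlencode($s);
}

// Validation (allow-list): the Indian mobile format used in the post.
function isValidIndianMobile(string $phone): bool
{
    return preg_match('/^(\+91-?|0)?[0-9]{10}$/', $phone) === 1;
}

// Sanitization: the comment is stored without markup and with tidy whitespace.
// The name is deliberately left as typed; escaping at output is what protects it.
function sanitizeComment(string $comment): string
{
    return trim(preg_replace('/\s+/', ' ', strip_tags($comment)));
}

// Handle one submission. Returns the HTML fragment to render, or null when
// validation fails so the caller can show an error instead of the page.
function renderSubmission(array $request): ?string
{
    $phone = (string) ($request['phone'] ?? '');
    if (!isValidIndianMobile($phone)) {
        return null;
    }
    $name    = (string) ($request['name'] ?? '');
    $comment = sanitizeComment((string) ($request['comment'] ?? ''));

    // Escape at output time, choosing the escaper for each context.
    return '<p data-phone="' . e($phone) . '">Name: ' . e($name) . '</p>'
        . '<p>' . e($comment) . '</p>'
        . '<a href="search.php?q=' . eUrlParam($comment) . '">Find similar</a>'
        . '<script>var lastName = ' . eJs($name) . ';</script>';
}

// Constructed sample: a valid phone, the payload from the XSS post in the
// name field, and markup plus quotes in the comment.
$sample = [
    'phone'   => '+91-9876543210',
    'name'    => "<script>alert('HaHa You are attacked!!');</script>",
    'comment' => "Nice <b>post</b> \"quoted\" & more",
];

echo renderSubmission($sample) ?? 'Invalid phone number', PHP_EOL;
// The name appears as &lt;script&gt;... in the HTML and as a JS string literal
// with \u003C and \u003E inside the script block, so it never executes.
```

The point of having several small escapers is that each one is correct for exactly one place in the page; a single htmlspecialchars() call is not enough once the same value is also dropped into a script block or a link.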

Summary

Never trust data coming from users, and take all the required actions to prevent such attacks: validate input, sanitize it where the stored value really should be altered, and, above all, escape every piece of output to protect your users.

HOWTO: Create a Flex Relate for other modules

Sugar Developer Blog - SugarCRM

You may recall seeing this field in the various activity modules in Sugar:

This is what's known as the "Flex Relate" field, which allows you to relate a record to one in a different module that you specify. This allows you to create a relationship where the target entity is flexible, which allows you to represent all sorts of business logic clearly. A great example of this is the various activity entities in the app (Calls, Meetings, Tasks), which make it so you can relate the activity to one of many different record types.

The only downside of this field is that there's no good way to build it using Module Builder or Studio (or at least not in a very useful way). However, it's a pretty easy code customization you can do which is upgrade-safe. Let's look at how.

We’ll assume we made a new custom module via Module…


Cross Site Scripting Attacks (XSS)

An XSS attack is one of the most commonly attempted attacks on a PHP-based site, and your PHP script may not be immune.

The attack is made by injecting code through any input the application later prints back to a browser, most often a web form or a URL parameter. The injected code can be any malicious client-side code, such as JavaScript, VBScript, HTML, CSS, Flash and others. It is used either to save harmful data on the server, where it is served to other users, or to perform a malicious action within the user's browser.

Sadly, many developers fail to deliver secure code and so leave their applications open to attack. Every programmer should consider such attacks and vulnerabilities and try to make the program or script free from them.

Example

Let me give you an example which explains how such an attack happens.

Below is an index.php page with the following code.

<form method="post" action="save.php">
   <input type="text" name="name">
   <input type="submit" name="submit" value="Save">
</form>

In the above HTML code there is a simple form with a textbox and a submit button. On click of the button the form is submitted to save.php for further processing.

A genuine user will fill in his/her name, but an attacker can inject code instead of a name.

Suppose save.php just prints out the name without any escaping (this is the vulnerable line):

   echo $_POST['name'];

Suppose instead of writing a plain name the attacker inputs <script>alert('HaHa You are attacked!!');</script>.

If the input is not escaped, the browser treats it as part of the page and the user sees a popup with the message "HaHa You are attacked!!".

Such a JavaScript alert is harmless by itself, but it proves that the attacker controls what runs in the page. Think about what would happen if the JavaScript was written to steal the user's session cookie, send it to the attacker's server and extract sensitive information from it. There are far worse XSS attacks than a simple alert() call.

Types of XSS Attacks

  1. Non-Persistent (reflected) : The kind of attack shown in the above example falls under this category. The injected code is not stored on the server; it travels in the request (a form field or URL parameter) and is reflected straight back in the response, so the attacker has to get the victim to send that request, for example through a crafted link.
  2. Persistent (stored) : This is the more dangerous one, in which the injected code is actually saved on the server (in a comment, a profile field, a database record) and served to every user who later views that page.

Summary

Hopefully this article gave you a good explanation of what cross-site scripting attacks are. Never trust data coming from the user or from any other third-party source. In my next post I'll explain how these attacks can be prevented.

Send SMS with PHP.

Recently I had a customer's requirement to send an SMS from his web portal.

The SMS gateway that he was using didn't have meaningful documentation. After planning how to connect to the SMS gateway, I decided to use PHP cURL.

PHP cURL is a very efficient and powerful library that allows you to connect and communicate with different servers. For more information on cURL visit http://www.php.net//manual/en/book.curl.php .

The below code connects to the SMS gateway and then sends the message. The variables $username, $password, $to and $text are assumed to hold the account details and the message.

$url = "https://smsurl/sms1"; // URL of the SMS gateway (https, because the POST carries your password)
$post_string = http_build_query(['username' => $username, 'password' => $password, 'to' => $to, 'text' => $text]); // the post variables, named as the provider documents them
$curl_connection = curl_init($url); // initialize curl handle
curl_setopt($curl_connection, CURLOPT_POST, true); // send the fields as a POST request
curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post_string); // set the post variables like username, password, sms text etc.
curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true); // return the response as a string instead of printing it
$result = curl_exec($curl_connection); // run the whole process and return the response (false on failure)
curl_close($curl_connection); // close the curl handle

In the above code the connection to the SMS gateway is made first. Then the variables like username, password etc. are passed as POST fields. These parameters and the URL are given by the SMS gateway provider. The request is then executed and finally the connection with the gateway is closed. Check $result for false and read curl_error() before closing the handle, otherwise a failed send goes unnoticed. Because the request carries your gateway password, use the provider's https URL and leave cURL's certificate verification switched on (it is on by default); over plain http the credentials cross the network in clear text.
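As an added example (not the code from this post or from any gateway), here is the same request wrapped in a function that refuses plain http, verifies the server certificate, applies timeouts, reads the credentials from the environment and reports cURL failures instead of ignoring them. The parameter names username, password, to and text, the environment variable names and the recipient check are assumptions; use whatever your provider documents.

```php
<?php
// Added example, not the post's code. Parameter names, environment variable
// names and the recipient format check are assumptions for the illustration.
declare(strict_types=1);

function sendSms(string $gatewayUrl, string $to, string $text): array
{
    // Credentials come from the environment, not from source control.
    $user = getenv('SMS_GATEWAY_USER') ?: '';
    $pass = getenv('SMS_GATEWAY_PASS') ?: '';
    if ($user === '' || $pass === '') {
        throw new RuntimeException('SMS gateway credentials are not configured');
    }
    // The credentials travel as POST fields; refuse to send them in clear text.
    if (parse_url($gatewayUrl, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException('SMS gateway URL must use https');
    }
    // Allow-list check on the recipient before it reaches the provider.
    if (preg_match('/^\+?[0-9]{10,15}$/', $to) !== 1) {
        throw new InvalidArgumentException('Recipient is not a plausible phone number');
    }

    $ch = curl_init($gatewayUrl);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'username' => $user,
            'password' => $pass,
            'to'       => $to,
            'text'     => $text,
        ]),
        CURLOPT_RETURNTRANSFER => true,            // hand the body back instead of printing it
        CURLOPT_SSL_VERIFYPEER => true,            // never switch certificate checks off
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // also blocks downgrades to http
        CURLOPT_FOLLOWLOCATION => false,           // do not replay the password to a redirect target
    ]);

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($errno !== 0) {
        // curl_error() describes the transport failure and never contains the POST fields,
        // so this message is safe to write to a log.
        throw new RuntimeException("cURL error $errno: $error");
    }
    return ['status' => $status, 'body' => (string) $body];
}

// Usage (the URL is a placeholder for the address your provider gives you):
// $r = sendSms('https://smsurl/sms1', '+919876543210', 'Your code is 123456');
// if ($r['status'] !== 200) { /* log $r and retry later */ }
```

Keep the gateway response body out of anything shown to end users; providers often echo the parameters they received, and that would put the account name back on a web page.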

Create User and Grant Permissions in MySQL.


Normally we do everything as the MySQL root user, which has full access to all databases.

However, where more restriction is required, you can create users with only the permissions they need, so that an application (or an attacker who steals its credentials) cannot touch anything else.

In this post we'll go through how to create a new MySQL user and give them specific permissions.

How to create a new user.

Let's first start by creating a new MySQL user.
[sourcelang='sql']
CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';
[/sourcelang]

Creating the user doesn't give them access to any data yet. At this point the user can log in, but holds only the USAGE privilege, so every attempt to read or change a database will fail.

Therefore we need to provide privileges to the user.

Set Privileges

[sourcelang='sql']
GRANT ALL PRIVILEGES ON *.* TO 'newuser'@'localhost';
[/sourcelang]

Here the first asterisk means the database and the second asterisk means the table. So the above command will provide ALL (read, update, delete etc.) privileges to newuser on all databases and all tables, which makes newuser almost as powerful as root; use it only for an administrative account.

For an application account, replace the asterisks according to your requirements, Eg : schoolDatabase.* or schoolDatabase.students, and grant only the privilege types the application actually needs.

GRANT and REVOKE take effect immediately, so no reload is needed after them. FLUSH PRIVILEGES is only required when you change the grant tables directly (for example with INSERT or UPDATE on mysql.user); running it after a GRANT is harmless but not necessary.

[sourcelang='sql']
FLUSH PRIVILEGES;
[/sourcelang]

To give a user a particular permission you may use:

[sourcelang='sql']
GRANT [type of permission] ON [database name].[table name] TO '[username]'@'localhost';
[/sourcelang]

(Refer below for the possible permissions.)

To revoke the permission use:

[sourcelang='sql']
REVOKE [type of permission] ON [database name].[table name] FROM '[username]'@'localhost';
[/sourcelang]

NOTES

  • If you want the MySQL server to be accessed remotely, replace localhost with the IP address of the machine the client connects from. The host part of the account is checked on every connection, so keep it as narrow as you can.
  • Replacing localhost with % allows the user to connect from any IP address. Do this only together with a strong password and a firewall rule limiting who can reach port 3306, because the account then becomes a target for anyone on the network.
  • Possible permissions are ALL PRIVILEGES, SELECT (read the database), INSERT (insert rows into a table), DELETE (delete records from a table), UPDATE (update rows of a table), DROP (drop the whole table), CREATE (create a new table), GRANT OPTION (grant or remove other users' privileges; give this only to administrators).
  • FLUSH PRIVILEGES is needed only when you edit the grant tables directly; GRANT and REVOKE statements apply at once.

Run Scheduler without accessing Cron.


To run the Scheduler you need to add an entry in cron. Many hosting providers limit cron usage, and without an entry in cron the Scheduler won't run.

However there is an easier way out, as shown in the below steps.

If you are using SugarCRM you will have to follow step 3; otherwise the first two steps will suffice.

  1. Set up a cron job at an external cron provider like http://www.cronless.com or www.setcronjob.com .
  2. Point it to the cron.php in your SugarCRM directory. For example http://yourdomain/SugarCRM/cron.php
  3. Comment out the code shown below in cron.php and save it. You don't need to do this if you are not using SugarCRM.

       //$sapi_type = php_sapi_name();
       //if (substr($sapi_type, 0, 3) != 'cli') {
       //    sugar_die("cron.php is CLI only.");
       //}

Now when cron.php is visited at the scheduled time it will trigger the Scheduler.

Isn't it an awesome way to execute the Scheduler? Thanks to the cron providers.

Be aware of what that check was doing: it made sure the Scheduler could only be started from the command line. Once it is commented out, anyone who knows or guesses the URL can start the Scheduler over HTTP as often as they like. Do not leave cron.php open to the whole internet: restrict it in the web server to the cron provider's IP addresses, or require a long random token in the URL (over HTTPS) and reject requests that do not carry it.
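As an added example (not SugarCRM's code), here is a guard that can replace the commented-out CLI check so that cron.php still works from the command line and from the external cron service, but not for anyone else who finds the URL. The environment variable name, the token parameter and the allow-listed addresses are assumptions; the real cron.php continues after the guard.

```php
<?php
// Added example, not SugarCRM's code. The token variable, the query parameter
// name and the allow-listed addresses are assumptions for the illustration.
declare(strict_types=1);

// Addresses the external cron service calls from (assumed, documentation-range IPs).
const CRON_ALLOWED_IPS = ['203.0.113.10', '203.0.113.11'];

function isCliRequest(): bool
{
    return PHP_SAPI === 'cli';
}

// Web triggers must come from an allow-listed address AND carry the shared token.
function isAuthorizedWebTrigger(array $server, array $query, string $expectedToken, array $allowedIps): bool
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($ip, $allowedIps, true)) {
        return false;
    }
    $given = (string) ($query['token'] ?? '');
    // hash_equals() compares in constant time, so the token cannot be guessed byte by byte.
    return $expectedToken !== '' && hash_equals($expectedToken, $given);
}

function cronMayRun(array $server, array $query, string $expectedToken, array $allowedIps): bool
{
    return isCliRequest() || isAuthorizedWebTrigger($server, $query, $expectedToken, $allowedIps);
}

// A long random secret set in the environment, never committed to the code base.
$expectedToken = getenv('CRON_TRIGGER_TOKEN') ?: '';
if (!cronMayRun($_SERVER, $_GET, $expectedToken, CRON_ALLOWED_IPS)) {
    http_response_code(403);
    exit('cron.php may only be run from the CLI or by the configured cron service.');
}
// ... the rest of the original cron.php follows here
```

With this guard the URL given to the cron provider becomes https://yourdomain/SugarCRM/cron.php?token=... ; use HTTPS, since the token is a secret, and if the site sits behind a reverse proxy, take the client address from the proxy's forwarding header only after checking that the proxy itself is the direct peer.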

Remove Create Action button.

At times you will have a requirement to remove the Create action, or any other action, from the menu of a particular module.

My module only needs to list data and must not allow creation or import of data. This can be achieved simply by changing some files of the module; you just need to have access to the module's files.

To remove the create and import actions from the menu do the following:

Open Menu.php of the module and just comment out or remove the actions you don't want.

[Image: Menu.php before the change]
[Image: Menu.php after the change]

Here you may see that the add and import actions have been removed from the menu and the only available option is the list action.

Removing the menu entry is only cosmetic, though: the user can still open the EditView by passing the required parameters in the URL.

Eg : localhost/sugarcrm/index.php?module={module}&action=EditView.

If you want to disallow such access as well, follow the steps below. The check has to run on the server, inside the view, because anything hidden only in the menu can be bypassed by typing the URL.

  1. Create view.edit.php at custom/modules/{module}/views/view.edit.php
  2. Write the following code therein (name the class after your module followed by ViewEdit; the one below is the class used for the author's module).

<?php
require_once('include/MVC/View/views/view.edit.php');

class User__User_ActivityViewEdit extends ViewEdit
{
    public function display()
    {
        // fetched_row is populated only when an existing record was loaded,
        // so an empty value means the user is trying to create a new one
        if (!$this->bean->fetched_row) {
            sugar_die('You cannot create new records here, sorry');
        }
        parent::display();
    }
}

Now if the user still tries to access the edit view, the screen below is displayed.

[Image: EditView disabled]

Note that this check runs only when the EditView is rendered. A request that goes straight to the module's Save action never passes through this view, so if creation must be impossible rather than just hidden, enforce the same rule where the record is saved as well, for example in a before_save logic hook that rejects beans with no fetched_row.
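As an added example (not the post's or SugarCRM's code), here is that save-time enforcement as a before_save logic hook, to be used together with the view-level check above. The module name User_Activity, the file paths and the class and method names are assumptions; the hook registration is shown as a comment because it lives in a separate file.

```php
<?php
// Added example, not the post's or SugarCRM's code. The module name, file paths,
// class name and method name are assumptions for the illustration.

// custom/modules/User_Activity/logic_hooks.php (assumed path) registers the hook:
// $hook_version = 1;
// $hook_array = array();
// $hook_array['before_save'] = array();
// $hook_array['before_save'][] = array(
//     1, 'Block creation', 'custom/modules/User_Activity/BlockCreateHook.php',
//     'BlockCreateHook', 'blockCreate',
// );

// custom/modules/User_Activity/BlockCreateHook.php (assumed path)
class BlockCreateHook
{
    // True for a record that was loaded from the database (an update),
    // false for a bean that is about to be inserted for the first time.
    public function isExistingRecord($bean): bool
    {
        // fetched_row is populated only when the bean was retrieved, not for new beans
        return !empty($bean->fetched_row);
    }

    // before_save hook: runs for every save, whether it came from EditView,
    // a direct Save request, an import or the API, so it cannot be bypassed
    // by skipping the view.
    public function blockCreate($bean, $event, $arguments)
    {
        if (!$this->isExistingRecord($bean)) {
            // sugar_die() stops the request before the INSERT happens
            sugar_die('New records cannot be created in this module.');
        }
    }
}
```

Because the hook runs for every path that saves the bean, it is the control that actually enforces the rule; the Menu.php and view.edit.php changes only make the user interface match it.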