Securing my script that is invoked by getElementById against DOS attacks

Bes

Hi,

I have a PHP script which is called using:

getElementById

There are some parameters submitted alongside it like this:

OnClick="javascript:document.getElementById ('mainimg').src = 'myscript.php?an=' + document.customEdit.cString.value">

Now the problem is that I want to use a nonce to stop people from hitting myscript.php directly. I have tried doing this, but submitting the nonce's value as a parameter alongside the an=... value (i.e. &nonce=...) has the obvious flaw that the user can see the nonce, hence spoof requests. Is there a way I can prevent this?

Thanks
 
It's not a single use thing though and the nonce will be visible immediately after the first submit.

It is a textbox which, when submitted, writes the submitted text onto an image using the MagickWand for PHP API.

Thanks
 
Have the nonce tied to a session and IP address then, and have it expire after a certain period of time (15-20 minutes for instance).

Any reason why the MagickWand and not GD2? GD2 is available on most shared hosts whereas MW needs to be specially compiled and installed.

Because MagickWand is more powerful/ efficient than GD2... Some of the functionality in MW is not in GD2. My host was happy to install MagickWand for me :)

Thanks for the idea, will look into it.
 
The problem is that imagemagickscript.php is actually the image. Right clicking on the image and hitting properties reveals the script name. If I can fake that using Apache trickery, I can solve the problem.

About MD5 hashing, it won't work as the random token is only generated the first time the page is hit, and I can't refresh it as far as I know (unless the user reloads the whole page). Also, all the rogue/ attacker has to do is put the hashed token onto the URL string and then they are able to invoke the script anyway AFAIK.

Would something like this article help me at all?

http://www.evolt.org/article/Making_clean_URLs_with_Apache_and_PHP/18/22880/

Thanks
 
You don't run a hashed token through the URL, you set it and check for it in PHP. Also, mod_rewrite will hide the script but won't stop direct access, which is your main concern.

If the script checks for a session token and one doesn't exist, they didn't come from your site.

As for refresh/renew, just make it conditional:

Code:
session_start();
if (!isset($_SESSION['token'])) {
    // create the hash and add it to the session (PHP 7+: random_bytes)
    $_SESSION['token'] = bin2hex(random_bytes(32));
}
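The following is an added example, not code posted in the thread, that fills in the sketch above end to end: pagea.php issues a token into the PHP session once, and imagemagickscript.php refuses to render unless that token exists, matches the caller's IP and is not too old (the session-plus-IP-plus-expiry idea from earlier in the thread). The token never appears in the URL the onclick handler builds; the browser sends the session cookie with the image request by itself. TOKEN_TTL and the two function names are assumptions chosen for this example.

```php
<?php
// Added example, not code from the thread. pagea.php and imagemagickscript.php
// share the PHP session; the token itself never travels in the URL.
// TOKEN_TTL and the function names below are assumptions for this example.

const TOKEN_TTL = 15 * 60; // seconds until a full page reload is required

// pagea.php: call this right after session_start(). The token is created only
// when the session has none yet, so a reload inside the window keeps working.
function issue_token(array &$session, string $client_ip, int $now): void
{
    if (!isset($session['token'])) {
        $session['token']      = bin2hex(random_bytes(32)); // CSPRNG, 64 hex chars
        $session['token_ip']   = $client_ip;
        $session['token_time'] = $now;
    }
}

// imagemagickscript.php: call this after session_start() and before any
// MagickWand call. It rejects direct hits that never loaded pagea.php, a
// session cookie replayed from another address, and tokens past TOKEN_TTL.
function token_is_valid(array $session, string $client_ip, int $now): bool
{
    if (!isset($session['token'], $session['token_ip'], $session['token_time'])) {
        return false; // no token in the session: the request did not come via pagea.php
    }
    if ($session['token_ip'] !== $client_ip) {
        return false; // session cookie used from a different address
    }
    if ($now - $session['token_time'] > TOKEN_TTL) {
        return false; // expired: the user has to load pagea.php again
    }
    return true;
}

// In pagea.php:
//   session_start();
//   issue_token($_SESSION, $_SERVER['REMOTE_ADDR'], time());

// In imagemagickscript.php:
session_start();
if (!token_is_valid($_SESSION, $_SERVER['REMOTE_ADDR'], time())) {
    http_response_code(403); // no image is produced and MagickWand never runs
    exit;
}
$text = $_GET['an'] ?? ''; // the value the onclick handler appended
// ... MagickWand calls that draw $text onto the image and output it go here ...
```

Two things worth knowing before relying on this. Binding the token to REMOTE_ADDR will break for users whose address changes mid-session (mobile networks, rotating proxies), so keep the TTL generous or drop the IP check if that turns out to be common. And the check only proves that pagea.php was loaded in this session at some point; a client that loads the page once and then repeats the image request with the same cookie still passes, which is why a per-session rate limit on the image script is a sensible companion.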

Hi,

Ok yes I understand that the hashed token is not part of the URL and is set and checked via PHP. However....

I have 2 elements that make up the page: a mix of php and html (pagea.php) that creates the page the user sees (This is where the token/ nonce is generated. It has to be this way as the second element is called using img src="imagemagickscript.php", so is not invoked until AFTER the initial page is at least partially loaded and the PHP executed by the server.)

The second element which is a 100% php script which is a bunch of calls to MagickWand and make up the image the user sees. (The script actually blobs (is this the correct term?) the completed image so in the php/ html page, we (unsurprisingly) see an image in place of the <img src="imagemagickscript.php"> tag. At the moment I am checking the nonce/ session ID here. I have to submit the nonce in the URL alongside any values I want to pass into imagemagickscript.php for MagickWand to use, as the PHP on (Remember I am using getElementByID to avoid a page refresh), and PHP (to regenerate the nonce on pagea.php) will not be executed again until refresh.

Maybe I misunderstood your post, and maybe I am missing your point (forgive me, I am still a newbie to PHP) but I hope that helps in understanding my problem here.

Thanks
 
Hi,

Ok so re-reading Ed's post, simply checking for a session ID should see me safe? Can this be spoofed?

Thanks
 
Surely the answer is to obfuscate the real location of my php file using .htaccess to rewrite the URL (i.e. rewrite it to test.jpg) and then prevent any kind of hotlinking to my "jpeg" file... That means only hits to it that originate locally will cause any rendering.

Next I simply put a detector on it that picks up on fast refreshes/ submits from a single IP (like flood control).

How does that sound?
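The flood-control part of that plan, as an added example that is not code from the thread. It records the time of each render in the PHP session and refuses once more than FLOOD_MAX renders land inside FLOOD_WINDOW seconds; both limits are assumptions to tune for the real page. Because the state lives in the session, it throttles callers that hold the session cookie from pagea.php, which is exactly the client that passes a session-token check; a per-IP limit across sessions would need shared storage (APCu, a file, a database) that this example does not include. The rewrite-plus-hotlink idea is worth less than it looks on its own: the client sets its own Referer header, so a rewritten name and a Referer rule hide the script but do not stop direct requests, as Ed said above.

```php
<?php
// Added example, not code from the thread: a small per-session flood control
// for imagemagickscript.php. FLOOD_WINDOW and FLOOD_MAX are assumptions.

const FLOOD_WINDOW = 10; // seconds
const FLOOD_MAX    = 5;  // renders allowed inside one window

// Returns true if this request may render, false if the session is flooding.
// $session is taken by reference so the caller's $_SESSION is updated in place.
function flood_check(array &$session, int $now): bool
{
    // Keep only the timestamps that are still inside the window.
    $recent = [];
    foreach ($session['render_times'] ?? [] as $t) {
        if ($now - $t < FLOOD_WINDOW) {
            $recent[] = $t;
        }
    }
    if (count($recent) >= FLOOD_MAX) {
        $session['render_times'] = $recent; // store the pruned list, do not count this hit
        return false;
    }
    $recent[] = $now;
    $session['render_times'] = $recent;
    return true;
}

// imagemagickscript.php, before any MagickWand call:
session_start();
if (!flood_check($_SESSION, time())) {
    http_response_code(429);
    header('Retry-After: ' . FLOOD_WINDOW);
    exit; // nothing is rendered, so the expensive work is never started
}
// ... session-token check and MagickWand rendering continue here ...
```

Place this before the rendering code rather than after it, since the point is to skip the MagickWand work for a flooding caller, not merely to hide its output. A 429 with Retry-After is also easy to spot in the Apache access log when you want to see whether the limit is actually being hit.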
 
edit: got the solution to my issue now :D

Any comments on the above appreciated
 