Securing my script that is invoked by getElementById against DOS attacks

[Bes]

Hi,

I have a PHP script which is called using:

getElementById

There are some parameters submited alongside it like this:

OnClick="javascript:document.getElementById ('mainimg').src = 'myscript.php?an=' + document.customEdit.cString.value">

Now the problem is that I want to use a nonce to stop people from hitting myscript.php directly. I have tried doing this, but submitting the nonce's value as a parameter alongside the an=... value (i.e. &nonce=...) has the obvious flaw that the user can see the nonse, hence spoof requests. Is there a way I can prevent this?

Thanks

 

[philjohn]

Now the problem is that I want to use a nonce to stop people from hitting myscript.php directly. I have tried doing this, but submitting the nonce's value as a parameter alongside the an=... value (i.e. &nonce=...) has the obvious flaw that the user can see the nonse, hence spoof requests. Is there a way I can prevent this?

Thanks

Does it matter if they can see the nonce? If it's a single use thing then it shouldn't pose a problem. As for spoofing requests: you need to protect against that server side as any client side tomfoolery is simply security through obscurity.

What is it exactly you are trying to achieve?

 

[Bes]

It's not a single use thing though and the nonce will be visible immediately after the first submit.

It is a textbox which when submitted writes the submited text on to an image using the MagickWand for PHP API

Thanks

 

[philjohn]

It's not a single use thing though and the nonce will be visible immediately after the first submit.

It is a textbox which when submitted writes the submited text on to an image using the MagickWand for PHP API

Thanks

Have the nonce tied to a session and IP address then, and have it expire after a certain period of time (15-20 minutes for instance).

Any reason why the MagickWand and not GD2? GD2 is available on most shared hosts whereas MW needs to be specially compiled and installed.

 

[Xenoxide]

In my opinion your best bet would be to get the PHP script to check the referer and make sure that it's only that page requesting it.

 

[philjohn]

In my opinion your best bet would be to get the PHP script to check the referer and make sure that it's only that page requesting it.

Referer is very easy to spoof - so it's not going to help. The session idea with a rolling timeout would be the best idea IMHO.

 

[Bes]

Have the nonce tied to a session and IP address then, and have it expire after a certain period of time (15-20 minutes for instance).

Any reason why the MagickWand and not GD2? GD2 is available on most shared hosts whereas MW needs to be specially compiled and installed.

Because MagickWand is more powerful/ efficient than GD2... Some of the functionality in MW is not in GD2. My host was happy to install MagickWand for me

Thanks for the idea, will look into it.

 

[Ed]

Referer is very easy to spoof - so it's not going to help. The session idea with a rolling timeout would be the best idea IMHO.

Correct about the referer. Also, IP's are unreliable sources of information too. AOL for example can dynamically change this during single sessions. Best to use a random token and MD5 it.

 

[Blackstar_solar]

I'm not sure about PHP but in ASP.NET I wouldn't use client side to access the page. Have the button cause a postback and the server do a Server.Transfer (or whatever the PHP equivilient is)

Then the requester never sees the url of the page doing the image drawing.

 

[Bes]

The problem is that imagemagickscript.php is actually the image. Right clicking on the image and hitting properties reveals the script name. If I can fake that using Apache trickery, I can solve the problem.

About MD5 hashing, won't work as the random token is only generated on first time the page is hit, and I can't refresh it as far as I know. (unless user reloads whole page) also all the rogue/ attacker has to do is put the hashed token onto the URL string and then they are able to invoke the script anyway AFAIK

Would something like this article help me at all?

http://www.evolt.org/article/Making_clean_URLs_with_Apache_and_PHP/18/22880/

Thanks

 

[Ed]

The problem is that imagemagickscript.php is actually the image. Right clicking on the image and hitting properties reveals the script name. If I can fake that using Apache trickery, I can solve the problem.

About MD5 hashing, won't work as the random token is only generated on first time the page is hit, and I can't refresh it as far as I know. (unless user reloads whole page) also all the rogue/ attacker has to do is put the hashed token onto the URL string and then they are able to invoke the script anyway AFAIK

Would something like this article help me at all?

http://www.evolt.org/article/Making_clean_URLs_with_Apache_and_PHP/18/22880/

Thanks

You don't run a hashed token through the URL, you set it and check for it in PHP. Also, mod_rewrite will hide the script but won't stop direct access, which is your main concern.

If the script checks for a session token and one doesn't exist, they didn't come from your site.

As for refresh/renew, just make it conditional:

[COLOR=White]if (!isset($_session['token'])){
create hash and add to session
}[/COLOR]

 

[Bes]

You don't run a hashed token through the URL, you set it and check for it in PHP. Also, mod_rewrite will hide the script but won't stop direct access, which is your main concern.

If the script checks for a session token and one doesn't exist, they didn't come from your site.

As for refresh/renew, just make it conditional:

[COLOR=White]if (!isset($_session['token'])){
create hash and add to session
}[/COLOR]

Hi,

Ok yes I understand that the hashed token is not part of the URL and is set and checked via PHP. However....

I have 2 elements that make up the page: a mix of php and html (pagea.php) that creates the page the user sees (This is where the token/ nonce is generated. It has to be this way as the second element is called using img src="imagemagickscript.php", so is not invoked until AFTER the initial page is at least partially loaded and the PHP executed by the server.)

The second element which is a 100% php script which is a bunch of calls to MagickWand and make up the image the user sees. (The script actually blobs (is this the correct term?) the completed image so in the php/ html page, we (unsuprisingly) see an image in place of the <img src="imagemagickscript.php"> tag. At the moment I am checking the nonce/ session ID here. I have to submit the nonce in the URL alongside any values I want to pass into imagemagickscript.php for MagickWand to use, as the PHP on (Remember I am using getElementByID to avoid a page refresh), and PHP (to regenerate the nonce on pagea.php) will not be executed again until refresh.

Maybe I misunderstood your post, and maybe I am missing your point (forgive me, I am still a newbie to PHP) but I hope that helps in understanding my problem here.

Thanks

 

[Bes]

Hi,

Ok so re-reading Ed's post, simply checking for a session ID should see me safe? Can this be spoofed?

Thanks

 

[Bes]

Surely the answer is to obfusticate the real location of my php file using .htaccess to rewrite the URL (i.e. rewrite it to test.jpg) and then prevent any kind of hotlinking to my "jpeg" file... That means only hits to it that originate locally will cause any rendering.

Next I simply put a detector on it that pickus up on fast refreshes/ submits from a single IP (like flood control)

How does that sound?

 

[Beansprout]

Surely the answer is to obfusticate the real location of my php file using .htaccess to rewrite the URL (i.e. rewrite it to test.jpg) and then place it in a directory outside public_html? Then it cannot be accessed directly, and (I think) no one can link to it?

No, because that's identical to just changing the name of the file.

 

[Bes]

No, because that's identical to just changing the name of the file.

Hang on I updated my post above- can you tell me if that is better?

 

[Bes]

edit: got the solution to my issue now

Any comments on the above appreciated