How to get the full URL from a dynamic website - javascript

Consider a dynamic website running an application, where you can see the URL from your browser as:
www.example.com/game
Now the /game is probably a folder? And how can I see the actual path to the application?
Can't I see the server side scripting language, such as:
www.example.com/game/robobo.php or
www.example.com/game/robobo.aspx or something similar?
Now, I know you can guess some of these (typically with the "index" name), however there may be many subfolders.

Now the /game is probably a folder?
It is part of the URL. That's all you can know about it.
And how can I see the actual path to the application?
You cannot.
How the URL maps on to the server's file system (or even if it maps on the file system at all) is not information that the webserver will expose.
Can't I see the server side scripting language
Not really.
There might be fingerprints in the HTTP response headers that could clue you in, or HTML returned in the response body might include fingerprints from a particular CMS which would imply a programming language, but there is nothing certain.

This is not possible. When you think about it, dealing with a blind url like .../game, you have no idea whatsoever what the underlying platform is - might be Asp.Net, might be classic Asp, might be PHP - might even be Python or Ruby... Since you don't know what system sits on the server, you are not going to be able to know what to do to get the full path...

Most CMS systems allow the website owner to change the true URL to something more user and search engine friendly (sometimes called Permalinks or SEO URLs). /games does not mean that there is such a folder; it could be a category name or a tag. The only place where you can see full paths is for media assets such as images and videos (right click, view image source or open image in a new tab).

Unless you are the admin of the website, it is nearly impossible to find the real path.
I am saying nearly impossible since you already pointed out on guessing.
The server side is obviously hidden from visitors.
You can guess what is the technology used on a website by testing it on other websites such as builtwith.com.
For example if it shows php, then there is a great probability that all files end with .php.

Related

Safe way to execute JavaScript code - on same server or another server?

I have a website builder which allows users to drag and drop HTML blocks (img, div, etc...) into the page. They can save it. Once they save it, they can view the page.
I also allow custom code like JavaScript. Would it be safe to have their page be displayed on another server on a subdomain (mypage.example.com) but still fetched from the same database as the main server, or does it not matter to put it on the same server as the main server?
As far as I know, they cannot execute any PHP code since I will be using echo to display the page content.
Thanks for help!
That depends on your setup. If you allow them to run custom JavaScript, they can probably steal session tokens from other users, which could be used to steal other accounts. I would recommend reading about XSS (Cross-Site-Scripting).
In short: XSS is the vulnerability to inject code into a site, which will run on other people's computers.
It wouldn't make sense to give you a strict tutorial on how to do this at this point, because every system is different and needs different configuration to be attack-resistant.
Letting users put code somewhere is always a risk!
There is no need for another server, but you do need another domain to prevent Cross Site Scripting attacks on your main page. And no, a subdomain may not be sufficient; put it on another domain altogether to be on the safe side. (Luckily domains can be acquired for free if you're ok with a .tk domain.)
Would it be safe to have their page be displayed on another server on a subdomain
Even a subdomain could be dangerous; just put it on another domain altogether, and you'll be safe.
or does it not matter to put it on the same server as the main server?
You can have it on the same server. Btw, did you know that with shared web hosting services (like GoDaddy, HostGator, etc.) there are thousands of websites sharing a single physical server?
Also, DO NOT listen to the people saying you need to sanitize or filter the HTML, that is NOT true. There is no need to filter out anything; in my opinion, that is corruption of data. Don't do that to your users, there's no need to do it (at least I can't think of any).
As far as I know, they cannot execute any PHP code since I will be using echo to display the page content.
Correct. If you were doing include("file"); or eval($code); then they could execute server-side code, but as long as you're just doing echo $code;, they won't be able to execute server-side code, so that's not a security issue.

Deploying AngularJS App: How to make app read JSON data

I'm stumped. So I've written a nice little web app that gets all its data from a JSON that has one array in it. To bridge the AngularJS-parts and the data, I have this line in my services.js
.constant("baseURL","http://localhost:3000/")
This of course only works with me locally. But I haven't considered that I might have to get my web host to serve up the data.
Now, I'm a complete beginner at this. I've managed to code my app with moderate effort, having only started coding in January. So I'm completely out of my league here. I don't even know what I'm looking for. I mean, I have to replace the localhost:3000 with something. But if I do http://domain.com/db.json that obviously doesn't work.
I've talked to Godaddy's tech support and they go "Nuh-uh, not helping" the second I show them this line of code. Because, to be honest, I don't even know what the address I'm looking for is called. Is it a URI?
I have a few questions regarding this and I turn to you, because - this story gets worse - there's a possible job on the line for me. Not a coding thing, but the data that is parsed from the JSON into the site.
What is the address I'm looking for called?
How do I get my hosting to serve up JSON data? I mean, I don't even know what I need to ask the tech support people here. Do I need a JSON server?
If they don't offer it, where could I get my JSON data served in a way that I can push more articles into the array and preferably edit it, too?
Thank you so much!
EDIT #1
If it helps, here's the contents of my /webroot/personalfolder
You will need to change your localhost:8000 to your domain name. For example, if you bought www.foobar.com then your base URL would just become www.foobar.com. On a rented web server (like GoDaddy Hosting) ports 80 and 443 are normally open so you wouldn't need to specify this. If you are self hosting, you will need to open these ports on your router and apply port forwarding rules to your PC.
When you host your published website, you will just put your JSON file in with your Website Source. For example your structure may look like this:
AngularAppFolder/index.html
js
css
Just add another folder called db, place your JSON file in there, and reference it in your Angular code. No need to worry, it's just another file just like your HTML or CSS which makes up your website. Remember though that your JSON data will be publicly available here!
If you're looking for an alternative way of getting your JSON data, you may want to look into creating a REST API. This uses a web server to dish out data dependent on the HTTP request you send to it. But that's a very big topic! Here is some reading into it if you're feeling brave! Node.js REST API tutorial
Final note: if you are self-hosting this application (running it on your own computer or server) then you will need to change the DNS record for your domain name to the global IP address of the server! You shouldn't have to worry if you're using the hosting offerings from a company such as GoDaddy, however.
You need to change the baseURL value to whatever the URL on which the site is hosted. Something like http://<mysite>.com.

Running command with browser

I want to have a "control panel" on a website, and when a button is pressed, I want it to run a command on the server (my computer). The panel is to run different python scripts I wrote (one script for each button), and I want to run the panel on my Mac, my iPod touch, and my wii. The best way I see for this is a website, since they all have browsers. Is there a javascript or something to run a command on my computer whenever the button is pressed?
EDIT: I heard AJAX might work for server-based things like this, but I have no idea how to do that. Is there like a 'system' block or something I can use?
Here are three options:
Have each button submit a form with the name of the script in a hidden field. The server will receive the form parameters and can then branch off to run the appropriate script.
Have each button hooked to its own unique URL and use javascript on the button click to just set window.location to that new URL. Your server will receive that URL and can decide which script to run based on the URL. You could even just use a link on the web page with no javascript.
Use Ajax to issue a unique URL to your server. This is essentially the same (from the server's point of view) as the previous two options. The main difference is that the web browser doesn't change what URL it's pointing to. The ajax call just directs the server to do something and return some data which the host web page can then do whatever it wants with.
On the client side (the browser), you can do it with the simplest approach: just an HTML form. JavaScript would make it nicer for validation and to do ajax calls so the page doesn't have to refresh. But your main focus is handling it on the server. You could receive the form request in the language of your choice. If you are already running python, you could write a super fast cgi python script. Look at the cgi module for python. You would need to put this into the apache server on osx if that's where you will host it.
Unfortunately, your question about exactly how to write it is beyond the scope of a simple answer. But google for how to write an HTML form, or look at maybe jquery to build a quick form that can make ajax calls easily.
Then search for how to use the python cgi module and receive POST requests.
Javascript is basically for doing work in the browser (usually to render something nice for the end user to look at). What you want (as others have said already) is a way to connect an HTML form action to an action on the webserver "back end". And this is exactly (as RobG has pointed out) what CGI is for. An alternative to CGI which is quite popular with Apache users is mod_python - the difference is basically whether the "back end" operation runs as a standalone process (CGI) or inside a webserver process (mod_python), but for most basic applications your server side scripts don't need to care. And if you're in a shared hosting environment you may not have a choice - ask your sysadmin (or read your hosting service docs) to learn how best to run CGI scripts in this case.
Caveats:
You will probably need fairly elevated webserver admin access & expertise in order to get everything set up the way you want. You will at least need to be able (both in the sense of permissions and technical understanding) to view your webserver logs, edit your webserver configs and bounce (restart) your http service.
Whatever "back end" operations you want done will be done with the permissions/privileges of the webserver, which may not be the same as the permissions/privileges of the user account which you normally use to perform these operations. There are various ways around this (using custom daemons and/or sudo operations), but you really need to have a clear understanding with the webserver sysadmin (if the webserver is exposed to the Big Bad Internet) about how this is going to work before you deploy anything, otherwise you run the very real risk (especially if you are a noob) of making it possible for hackers to exploit your "command gateway" to hack the webserver.
Of course if you're just doing all this for fun on your personal laptop (there is an OSX tag on the question, after all), then you are the webserver sysadmin, and you're free to hack away and happily shoot yourself in the foot repeatedly while learning everything you need to know along the way, which is fine as long as you're not on a network. In this case, you may find this tutorial to be useful.
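A minimal version of the form-to-server-script approach the answers describe, added here as an example and not taken from any of the posts. The action names, commands and port are constructed placeholders; the point is that the browser only sends a key that the server looks up in a fixed allowlist, so no request text ever reaches a shell.

```python
import subprocess
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Allowlist: button name -> fixed argv. Names and commands are constructed
# placeholders; the browser only ever sends the key, never a path or command.
ACTIONS = {
    "hello": [sys.executable, "-c", "print('hello from the server')"],
    "version": [sys.executable, "--version"],
}


def run_action(name, actions=ACTIONS, timeout=10):
    """Run the allowlisted command for `name`; return (http_status, text)."""
    argv = actions.get(name)
    if argv is None:
        return 404, "unknown action\n"
    try:
        # A list argv with shell=False (the default): no shell parses the request.
        done = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return 504, "action timed out\n"
    status = 200 if done.returncode == 0 else 500
    return status, done.stdout


class PanelHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Accept only POST /run with a form field "action" (one per button).
        if self.path != "/run":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode("utf-8", "replace"))
        status, text = run_action(form.get("action", [""])[0])
        body = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Loopback only; reaching it from other devices means binding a LAN
    # address and adding authentication first.
    HTTPServer(("127.0.0.1", 8080), PanelHandler).serve_forever()
```

The commands run with the privileges of whatever account starts this process, which is the caveat the last answer raises.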

Do you know a way to protect the JS code and make it visible only if requested by the remote?

Theoretically JS runs in the browser, then after the first download can be easily copied and made to run directly from the local, without going through the remote server. Because I need to sell an application * js (pay-as-you-use) I need to check each request and make it available ONLY if required by that particular site and, of course, only if he paid.
It doesn't work. As soon as someone downloaded a copy of the JavaScript file, he or she can always save a copy of it and even redistribute it.
Thus you cannot protect the JavaScript itself - but assuming you rely on some client-server interaction (i.e. AJAX), the server would not respond to requests coming from non-authorized sources, thus rendering the client-side worthless.
If you need to protect your business logic, don't put it into JavaScript. Alternatively, sue everybody who uses your scripts without having obtained a license (not sure if this is practical, though ...).
I wouldn't make the JS file that you plan to sell available directly on a URL like
yourdomain.com/yourfile.js
I would offer it on a URL like
yourdomain.com/getfile
Where /getfile is a URL that is processed by a PHP/Java etc server-side language where you can check whatever credentials you need to check, be it requesting domain name, IP address, some token or something else.
If your application is made in Java, you can use a ServletFilter to check if the request is valid (if the IP is correct, or maybe you can use a ticket like the Facebook, Twitter, whatyouwant REST API), and if it isn't valid, don't show anything.
If you aren't using Java, I think that something similar can be made with every programming language.
It may be a little more trouble than it's worth. Yes, you could require clients to provide a token and whitelist certain domains, etc. But they can still open any site that uses that particular JavaScript -- even someone else's -- and just Save As... .
A better bet is controlling the script's interaction with your server. If it makes any AJAX calls to a server you control, then take that chance to authenticate. If it doesn't depend on data from you in that way, I think you'll just have to face the problem that anyone dedicated enough will be able to download your script and will be able to use it with a little bit of playing around.
Your best bet is, in addition to the above, keep track of domains that have paid and search every once in a while to find if anyone's taking your code.

Security concerns with uploadify

I just implemented uploadify in my project, and I noticed what seems like an important security issue with the uploading process:
The folder in which the file should be uploaded is provided as a javascript argument, so client-side. If the user changes the script, and fills in a different folder (i.e. "/") for the upload, the file gets uploaded to the different folder.
There is an option in the config to filter the filetypes, but again it's provided on the client side ("fileExt").
So am I wrong to think this could lead to a possible hack? Uploading a php file anywhere in the Web Root and executing it seems easy.
Is it the desired behavior?
Should I just cross-check the upload folder in the uploadify.php file?
Should I send a notice to the uploadify makers?
I'm sure I'm not the first one to think about this. Oh, and the same goes for other config parameters, like sizeLimit and queueSizeLimit.
Just looked at the code (haven't installed it anywhere), and it certainly looks like this is a security problem. Looking at uploadify.php, I see this:
$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
Which means that passing "/" would put the file in the document root (i.e. the home directory of your website). Of course, the user could easily (for example) pass in a folder parameter like '../../etc' and a file named 'passwd'. Or, more trivially, he could upload a "logo.jpg" to the document root and, hey, now you've got porn for a site logo!
Of course, even if you sandbox the users, there are still lots of potential problems with allowing a user to arbitrarily upload a file to your server. What if they upload a .php file, then go to that file with their browser? They suddenly have the ability to execute arbitrary code on your server!
If you want to do this, you should force the user's uploads into a restricted directory (the realpath function will sanitize the path, in case the user created crazy paths with "../.." or whatever), and you should restrict the types of files allowed (i.e. to only ".jpg", ".gif", ".png" or whatever). Even then, a malicious user could DOS you by filling up your disk quota.
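The server-side check this answer recommends, as an added example written in Python rather than uploadify.php's PHP; it is not code from the plugin or from the answer. The function names, the upload directory layout and the sample requests are constructed for illustration, and os.path.realpath plays the role of PHP's realpath.

```python
import os
import tempfile

ALLOWED_EXT = {".jpg", ".gif", ".png"}  # the types the answer suggests


def naive_target(doc_root, folder):
    # Mirrors the uploadify.php line: the client-supplied folder is trusted.
    return doc_root + folder + "/"


def safe_target(upload_root, folder, filename):
    """Return a path inside upload_root, or raise ValueError."""
    root = os.path.realpath(upload_root)
    # Resolve "..", duplicate slashes and symlinks before comparing.
    directory = os.path.realpath(os.path.join(root, folder.lstrip("/\\")))
    if os.path.commonpath([root, directory]) != root:
        raise ValueError("folder escapes the upload directory")
    # Keep only the last path component of the client-supplied name.
    name = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(name)[1].lower()
    if not name or ext not in ALLOWED_EXT:
        raise ValueError("file type not allowed")
    return os.path.join(directory, name)


def demo():
    # Constructed sample requests: (folder, filename) as a client could send them.
    requests = [("/avatars", "me.png"), ("/../../etc", "passwd"),
                ("/avatars", "shell.php"), ("/avatars", "../../x.jpg")]
    results = []
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "uploads")
        os.makedirs(os.path.join(root, "avatars"))
        for folder, filename in requests:
            try:
                path = safe_target(root, folder, filename)
                results.append(os.path.relpath(path, os.path.realpath(root)))
            except ValueError as err:
                results.append("rejected: %s" % err)
    return results


if __name__ == "__main__":
    print(naive_target("/var/www", "/../../etc"))  # /var/www/../../etc/
    for line in demo():
        print(line)
```

Size limits and disk quota, which the answer also mentions, still have to be enforced separately on the server.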
I just want to give my opinion about your post.
You forget an important thing in your analysis.
Developers HAVE TO check variables in the server-side script.
If you use javascript (like uploadify, or your own script) or if you don't use javascript (just a simple FORM in HTML), YOU HAVE to check the data in the server-side script. So it doesn't matter for your security whether you are using uploadify or not. Don't forget that it's easy to build an HTTP request and send it to the server. So the security of a web application does not depend on the client.
Thanks for your attention
GUIGUI
That is indeed a security issue, path traversal. You should email them and ask them to fix it.
You are free to put file anywhere using your server side script and your config. I never use their javascript config for such things.
I know this is a bit old topic, but here's a note from plugin developer:
Given the wide variety of scripting languages, server side validation is up to the users to code. We are developing the plugin to allow those who know what they are doing to use what ever language they want for the front end and back end. And creating new scripts to retrieve information makes it that little bit harder for other users to implement, for example those using aspx, java, codeigniter etc.. would need to rewrite major portions of the plugin.
You can read it full here.
Remember, server validation is a must! You cannot ignore it, ever. This is what I've learnt reading SO and PHP manual.
