Welcome Guest, Not a member yet? Register   Sign In
Looking for security / performance experts
#1
Star 
(This post was last modified: 11-28-2016, 09:52 AM by nemeris.)

Hello,

I 'm writing an application with CodeIgniter, I have read many security & performance articles.

But I still find myself in situations that I'm not sure what to do or how to do something to be the best approach (in case of security and performance)

I'd like to have advice of security and performance experts (not free of course) to answer my questions and help me achieve a solution when I'm stuck (I won't bother you much, just some questions that I can't find a trusted answer online)

I was thinking of a (small) thank you gift of $50 per questions and assistants (that might take up to 1 hour) or $20 gift if it's 1-3 simple questions that can be answered in some minutes. if it takes more, then I would of course pay more (and yes I know it's not enough for "Real" experts, but that's what I can afford at the moment)

So please if you are an expert in security / performance and have some spare time let me know so we can discuss this and payment methods and then start.

---------------------------------

Some examples of what kind of questions I mean exactly:

1. Hard question:
  • How to surely prevent Double form submitions or Racing attacks (and don't affect performance when the website is under pressure) if we can't trust CSRF in CodeIgniter: Example Situation
    what I have tried is inserting a unique value to database table (with Unique Key) and form is valid if: $this->db->affected_rows() > 1

2. Simple question:

If we have a lot of visitors (but also a dedicated server with SSD and 32 GB Ram), how to set the following CodeIgniter configs to have the best Security/Performance (I don't have enough experience to be sure, a little explanation would be appreciated as well):

PHP Code:
$config['encryption_key'] = hex2bin('2737hdba7b7146bhh4b22af11ak5it33'); // generated with bin2hex($this->encryption->create_key(16))

$config['sess_driver'] = 'database';
$config['sess_cookie_name'] = 'u2irkyu66gj3n';
$config['sess_expiration'] = 1800;
$config['sess_save_path'] = 'r74ge_sessions';
$config['sess_match_ip'] = TRUE;
$config['sess_time_to_update'] = 120;
$config['sess_regenerate_destroy'] = FALSE;

$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'ghi5j3h7lh7';
$config['csrf_cookie_name'] = 'bnj4flg4hjd';
$config['csrf_expire'] = 1200;
$config['csrf_regenerate'] = TRUE


Of course these are examples.
#2

(This post was last modified: 11-28-2016, 12:59 PM by PaulD.)

Why do you not try a real question here and now. You may get an answer that others might also find useful. Or try stackoverflow or security.stackexchange.com/ etc.

The point is that many hundreds or even thousands of people might read the answer and benefit. Also, how could you be confident if expert A says do this, how can you know if that is right, up to date, or of any alternatives? Communities can help you here, because your question might spark a conversation exploring the topic from many angles.

A single more focussed question is better than multiple questions all thrown in at once. Ask your best, most trying question, the one that will benefit you most first, and lets see how we do with that one first.
#3

(This post was last modified: 11-28-2016, 01:24 PM by nemeris.)

(11-28-2016, 12:57 PM)PaulD Wrote: Why do you not try a real question here and now. You may get an answer that others might also find useful. Or try stackoverflow or security.stackexchange.com/ etc.

The point is that many hundreds or even thousands of people might read the answer and benefit. Also, how could you be confident if expert A says do this, how can you know if that is right, up to date, or of any alternatives? Communities can help you here, because your question might spark a conversation exploring the topic from many angles.

A single more focussed question is better than multiple questions all thrown in at once. Ask your best, most trying question, the one that will benefit you most first, and lets see how we do with that one first.

Hello Paul,

Stackoverflow only answers very easy questions fast, some of my questions never get an answer even after days, so I have to wait 48 hours to start a bounty and then possibly get a valid answer in 4-5 "days" which an expert can answer in a few minutes.

And here, the senior community (trustable sources) doesn't have enough time, they are busy with other CI stuff or their own life.

And I can only thank them, how can I expect more? because they are doing all of this for free.

Example of some of my questions and the answer
http://forum.codeigniter.com/thread-6674...#pid338823

Can I object? No, because they are doing all the hard work and then share it without asking anything from me.

But when I pay, I can at least object and Expect a good answer in a short time.
I'm a little tired of not getting answers or getting half understandable answers. I wanna learn, and this (not getting good/trustable answers in reasonable time) slows it too much that sometimes I just give up.

So I hoped maybe I can find a trustable developer this way who can help me learn faster.

If you know of any other method, websites or trustable resources that I can pay and be sure their answer is valid please let me know.

(the reason I say trustable is because for example I found 2 different articles on the same topic, that say exactly the opposite thing, one said you SHOULD do this, the other said NEVER do this and I don't know which one to trust).
#4

Hello,


To solve issue number 1 what you need is to lock the csrf and ignore any subsequent request, maybe use a database transaction.
Atomicity and ACID.

I notice someone proposed to use javascript to block the user input while the request fulfills.
This is only good to make the ui user friendly, eg prevent someone to accidentally click twice and get a nasty error, thus downgrading user experience.

The front end is always unreliable and you must think that if you don't handle issues like this in the backend, the user will find your exploit and use it against you.

For number 2, im not a codeigniter developer but i believe that in order to have a secure codeigniter app, all you need to do is follow their guidelines: Codeigniter Guidelines

On a sidenote, i can give you these tips:
For security:
1.-I dont know if codeigniter deals with user registration / login for you. Just make sure you do not store user passwords in clear text. Always use a key derivation function (PKCS5) such as scrypt or bcrypt
2.-Use a firewall on your server and router, and close unnecessary open ports
3.-Always use https, you can get free certificates signed by Let's Encrypt
4.-Do not allow root login remotely
5.-Use an ssh-rsa key for login
6.-Protect your certificates

For performance:
1.-Cache static content (you can also use a CDN to offload your server)


Sorry i don't know CI, hope i helped a little
#5

(This post was last modified: 11-28-2016, 05:38 PM by PaulD.)

:-)

Ok, I see your point. Fair enough. You want exact and authoritative answers to difficult security questions applicable to your situation and your app.

The only suggestion I would make is to build your app as best you can. Filter input, sanitize output, use a trusted auth library, use CI CSRF protection, do not trust any data, clean it and validate it in your models, your controllers and your views, use SSL, adopt all the best practices you can apply. Your app will be pretty tight and secure at that point. Be vigilant but don't over obsess about it (depending of course on the nature of your app). Have a database back up in place and keep back ups of your code, and when your app start to deliver either a user base or some financial return, you could then pay for a security overhaul, a test if you like, to see what holes, if any you have left, or missed, or overlooked.

You can start with very cheap automated test suites, or offer a fixed sum on people per hour or similar freelance websites, choosing your employee carefully from previous references and specialisms etc. You can then start to mature your security as your income or user base increases.

For me, and admittedly there is a lot of bad advice on the internet, it is about trust in the source of information, and the date of the information. Clearly articles that are two years old can be out of date. A Bob Smith blog might not carry as much weight as an online journal dedicated to security issues etc.

As for global xss_clean, it is a resource intensive process that to run on every piece of output makes no sense. For instance your output might just be a view you have loaded as a string for some reason and coded with no user generated content, why xss_clean that? However, there is a great answer on special chars and entities here http://stackoverflow.com/questions/46483...ecialchars. Which you use depends on the nature of your data at that time.

But, I understand your comment, and yes we would all like specialist individual input. But unfortunately it does come down to capital investment when going beyond your own abilities. The sums you talk about will not get that unfortunately. So as long as you do the best you can with security, following all the easily accessible advice on securing your app, and not doing anything daft, that probably would be enough in most cases. If you are developing an online currency, then unfortunately your budget will never allow you to achieve the level of security you would need to have any chance of success. That is just the world as it is, and we have to lump it, even if we do not like it.

The other alternative is to open source your app and allow the community to use it, fork it, develop it and mature it over time. Not a guaranteed passport to success but one route certainly. Another is to crowd source your idea to raise the funds to pay for the level of security you are seeking. But remember, even the US Navy gets hacked sometimes. Any project with any prominence is always going to become a target and virtually every web app has a weakness of one sort or another.

Best wishes,

Paul.

PS Many people have spent their entire lives dedicated to security issues. They will still argue and debate over best practices and approaches. That is unfortunately the nature of the beast. A continually changing ocean of ideas, opinions, attacks and weaknesses. The only thing you can do is be aware, try your best, be informed and repair and improve as you go. Good luck with your app BTW.
#6

(This post was last modified: 11-28-2016, 06:01 PM by nemeris.)

(11-28-2016, 05:27 PM)PaulD Wrote: ...

Paul.


Thank you for the kind advice Paul, I really appreciate the time you put into it.

My conclusion is:
  • I will do as you said about code, clean output and validate input, best practices I find online.
  • Then I hide the server behind CloudFlare, use anonymous SMTP servers to hide server IP in outgoing emails sources. (they can't attack the server directly if they have no idea what is the IP address and the DNS/Website is protected by cloudflare)
  • And finally use CloudFlare WAF to help protect sensitive pages.

But in the meanwhile I also found this website:
https://www.codementor.io/php-experts

They are asking for $10-$30 for a 15 minute session, will try them a few times if I really get stuck.

Thanks again.
#7

(This post was last modified: 11-28-2016, 06:01 PM by nemeris.)

(11-28-2016, 03:56 PM)j11 Wrote: ...

Thank you very much for that j11,

I will try to find how to lock CSRF now, had no idea we can lock it, but as the database transaction part I think that's perfect if everything is happening in the server itself (no API call to foreign websites)

As for security part, I will try to do all of them, had no idea about part 5 tho, ssh-rsa , thanks for teaching me that (I just knew about changing SSH port)
#8

I tried a bunch of different solutions for form double submissions - this jquery solution was the best i found - requires that you load the jquery library

Code:
      <script>
           jQuery.fn.preventDoubleSubmission = function () {
               $(this).on('submit', function (e) {
                   var $form = $(this);

                   if ($form.data('submitted') === true) {
                       e.preventDefault();
                   } else {
                       $form.data('submitted', true);
                   }
               });

               return this;
           };

           $('form').preventDoubleSubmission();

          $('form :submit').click(function () {
               $(this).prop("disabled", true).closest('form').append($('<input/>', {
                   type: 'hidden',
                   name: this.name,
                   value: this.value
               })).submit();
           });

</script>
#9

Best performance tip - Codeigniter Caching is amazing. Even if your content changes every 10 minutes , you just put this one line in the method that is calling the views:
PHP Code:
$this->output->cache(10); 

and now any simultaneous viewers of the page - are all hitting the cached version which comes back instantly. your database is completely untouched and its resources saved for the more critical tasks.
#10

(This post was last modified: 11-28-2016, 09:05 PM by nemeris.)

(11-28-2016, 08:53 PM)cartalot Wrote: I tried a bunch of different solutions for form double submissions - this jquery solution was the best i found - requires that you load the jquery library

Code:
      <script>
           jQuery.fn.preventDoubleSubmission = function () {
               $(this).on('submit', function (e) {
                   var $form = $(this);

                   if ($form.data('submitted') === true) {
                       e.preventDefault();
                   } else {
                       $form.data('submitted', true);
                   }
               });

               return this;
           };

           $('form').preventDoubleSubmission();

          $('form :submit').click(function () {
               $(this).prop("disabled", true).closest('form').append($('<input/>', {
                   type: 'hidden',
                   name: this.name,
                   value: this.value
               })).submit();
           });

</script>

Thank you, this will stop accidental double submitions by innocent users, but I was thinking about server side prevention to stop attackers, racing attacks etc (e.g. making sure an external API call doesn't get executed twice because of double submition or racing attacks)


(11-28-2016, 08:53 PM)cartalot Wrote: Best performance tip - Codeigniter Caching is amazing. Even if your content changes every 10 minutes , you just put this one line in the method that is calling the views:
PHP Code:
$this->output->cache(10); 

and now any simultaneous viewers of the page - are all hitting the cached version which comes back instantly. your database is completely untouched and its resources saved for the more critical tasks.

This performance tip was awesome thank you sir Heart basically even setting this to 1 will reduce the pressure on the database by a lot




Theme © iAndrew 2016 - Forum software by © MyBB