
OpenComment, AJAX and security

In OpenComment, the next commenting system for #Joomla, based on akocomment, the following functions are NOW running with AJAX:

  • Rating comments up and down,
  • Deleting comments.

And soon, filtering operations and even publishing new comments.

But working code does not automatically mean production-ready code, because AJAX without precautions can be disastrous. This code faces some serious security issues that I will have to solve:

  • The AJAX code does not run inside the #Joomla session, so I have to re-implement some low-level operations such as database access (which #Joomla already provides).
  • What protects a comment against a replayed rating-up request? I will introduce a public key per article, which has to be submitted to the server, and a private key stored in the session, which will be destroyed after the first operation.
  • How can the server make sure that an asynchronous operation on a comment originates from a page it served?
    -> I will introduce a server challenge key: a cryptographic field that depends strongly on the server name, the URL, the time and a random part. This ticket will also carry a timestamp: if you wait more than, let's say, 20 minutes, you will no longer be able to rate or operate on a comment. This is similar to com_hashcash, so nothing really new to me.
  • How to avoid a rating-up operation for comment A being hijacked by injecting the parameters of comment B?
    -> Comments will be identified by their UUID (and not a simple ID as in akocomment).
    -> An attacker would have to know that UUID to mount an attack on multiple Joomla sites at the same time.
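
A sketch of the challenge-ticket, one-time-key and UUID checks from the three points above, as an added Python example that is not OpenComment's own (PHP) code. It assumes the "cryptographic field" is an HMAC under a server-side secret, and it models the session-stored one-time key as a set of nonces that have already been consumed; the server name, URL, secret and comment UUID are constructed sample values.

```python
import hashlib
import hmac
import os
import uuid

TICKET_TTL = 20 * 60  # seconds; the post proposes a 20 minute validity window


def issue_ticket(secret: bytes, server: str, url: str, now: int, nonce: str = "") -> str:
    """Build a challenge ticket: timestamp, random part, and a MAC over server, URL, time and random part."""
    nonce = nonce or os.urandom(16).hex()
    msg = f"{server}|{url}|{now}|{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{now}.{nonce}.{mac}"


def verify_ticket(secret: bytes, server: str, url: str, ticket: str, now: int, used: set) -> bool:
    """Accept a ticket once: valid MAC for this server/URL, not older than TICKET_TTL, never seen before."""
    parts = ticket.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return False
    ts, nonce, mac = int(parts[0]), parts[1], parts[2]
    expected = hmac.new(secret, f"{server}|{url}|{ts}|{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time compare: forged or tampered ticket
        return False
    if now - ts > TICKET_TTL or ts > now:       # expired, or a timestamp from the future
        return False
    if nonce in used:                            # replay: this one-time key was already spent
        return False
    used.add(nonce)                              # "destroy" the key after its first operation
    return True


def rate_comment(secret: bytes, server: str, url: str, request: dict, now: int, used: set, known: set) -> bool:
    """AJAX handler: the comment is addressed by UUID and the request must carry a fresh, valid ticket."""
    try:
        target = str(uuid.UUID(request.get("comment", "")))  # reject anything that is not a well-formed UUID
    except ValueError:
        return False
    if target not in known:                      # unknown UUID: nothing to rate
        return False
    return verify_ticket(secret, server, url, request.get("ticket", ""), now, used)
```

Because the MAC covers the server name and URL, a ticket issued for one page or one site fails verification on any other, and the consumed-nonce set is what stops the same rating-up request from being replayed.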

If you see something else, or know of similar code or an algorithm in the open-source world, contact me or post your remarks below.

About The Author

Cédric Walter

I worked with various insurance companies across Switzerland on online applications handling billion premium volumes. I love to continuously spark my creativity in many different and challenging open-source projects, fueled by my great passion for innovation and blockchain technology. In my technical role as a senior software engineer and blockchain consultant, I help to define and implement innovative solutions in the scope of both blockchain and traditional products, solutions, and services. I can support the full spectrum of software development activities, starting from analyzing ideas and business cases and up to the production deployment of the solutions. I'm the Founder and CEO of Disruptr GmbH.