
OpenComment security: I need Your feedback

I’ve tried to improve the security of OpenComment, and I want to present it here, so You can give it a look and have the chance to provide me feedback:

First, I’ve created an Oracle which generates highly context-dependent oracleKeys (class OpenCommentSecurities).

Each oracleKey created by the Oracle has the following properties:

  • oracleKeys returned are always MD5 hashed
  • oracleKeys depend on the current date and time, the server and the user’s browser agent
  • oracleKeys can time out

Here is the algorithm:

function createOracleKey() {
    $key = session_id();                      // bound to the visitor's session
    $key .= $_SERVER['REMOTE_ADDR'];          // and to the client's IP ('.=' assumed; the original reassigned $key here, discarding the session id)
    $value = $key .
        $GLOBALS['mosConfig_absolute_path'] . // bound to this server installation
        date("F j, Y, g a");                  // changes every hour, so the key times out
    return md5($value);
}

Security 1
All AJAX-enabled functions will test the oracleKey submitted by the browser (it can time out!), so nobody should be able to mount a mass attack on OpenComment across multiple servers.

All comments will be identified by a hidden field; I name them commentChallengeKeys, and they have the following properties:

  • commentChallengeKeys in the page are always MD5 hashed
  • commentChallengeKeys have a common base with the Oracle: an oracleKey for each comment
  • commentChallengeKeys are made of a Universally Unique IDentifier, version 4 (UUID). Yes, I’ve got rid of the id: the SQL key entropy is higher, and UUIDs should never collide in a reasonable amount of time when You merge data across databases

Here is the algorithm:

// one challenge key per comment, bound to the visitor's oracleKey
return md5($oracleKey . $commentUUID);

Security 2
All AJAX-enabled functions will test the oracleKey submitted by the browser AND the commentChallengeKey, so nobody should be able to replay the same RateUp/Down attack on multiple servers.
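To make Security 1 and Security 2 concrete, here is an added example of the server-side check a rating request has to pass. This is not OpenComment’s own code: the function names, the explicit session/IP/path parameters (instead of reading session_id(), $_SERVER and $GLOBALS directly), the one-hour grace window and the use of hash_equals() (PHP 5.6+) are all assumptions made for the example. The grace window exists because date("F j, Y, g a") changes every hour, so a page loaded at 10:59 would otherwise fail its check at 11:00.

```php
<?php
// Added example (not OpenComment's own code): verification of the oracleKey
// and commentChallengeKey on the server side. Names and the one-hour
// grace window are assumptions for this example.

// Recompute the oracle key for an explicit timestamp, so the verifier can
// also try the previous hour.
function computeOracleKey($sessionId, $remoteAddr, $absolutePath, $timestamp) {
    $key = $sessionId . $remoteAddr;                                   // who: session + client IP
    $value = $key . $absolutePath . date("F j, Y, g a", $timestamp);  // where + when
    return md5($value);
}

// True if $submittedKey matches the key for the current or the previous hour.
function isOracleKeyValid($submittedKey, $sessionId, $remoteAddr, $absolutePath, $now = null) {
    if (!is_string($submittedKey)) {           // $_POST values can be arrays
        return false;
    }
    $now = ($now === null) ? time() : $now;
    foreach (array($now, $now - 3600) as $ts) {
        $expected = computeOracleKey($sessionId, $remoteAddr, $absolutePath, $ts);
        // constant-time comparison, so timing does not reveal matching prefixes
        if (hash_equals($expected, $submittedKey)) {
            return true;
        }
    }
    return false;
}

// Challenge key exactly as in the post: md5(oracleKey . commentUUID).
function computeChallengeKey($oracleKey, $commentUUID) {
    return md5($oracleKey . $commentUUID);
}

// A rate request must carry a valid oracleKey AND the challenge key bound to
// that oracleKey and the comment's UUID. A pair captured on another server
// (different $absolutePath), for another comment, or more than an hour ago
// does not verify.
function isRateRequestValid(array $post, $sessionId, $remoteAddr, $absolutePath, $now = null) {
    if (!isset($post['oracleKey'], $post['challengeKey'], $post['commentUUID'])) {
        return false;
    }
    if (!is_string($post['challengeKey']) || !is_string($post['commentUUID'])) {
        return false;
    }
    if (!isOracleKeyValid($post['oracleKey'], $sessionId, $remoteAddr, $absolutePath, $now)) {
        return false;
    }
    $expected = computeChallengeKey($post['oracleKey'], $post['commentUUID']);
    return hash_equals($expected, $post['challengeKey']);
}

// Constructed demo values (not real session or server data).
$sessionId    = 'demo-session-id';
$remoteAddr   = '192.0.2.10';
$absolutePath = '/var/www/demo-site';
$commentUUID  = '123e4567-e89b-42d3-a456-426614174000';
$issuedAt     = time();

$oracleKey    = computeOracleKey($sessionId, $remoteAddr, $absolutePath, $issuedAt);
$challengeKey = computeChallengeKey($oracleKey, $commentUUID);
$request = array(
    'oracleKey'    => $oracleKey,
    'challengeKey' => $challengeKey,
    'commentUUID'  => $commentUUID,
);

var_dump(isRateRequestValid($request, $sessionId, $remoteAddr, $absolutePath, $issuedAt));               // same visitor, same server, same hour
var_dump(isRateRequestValid($request, $sessionId, $remoteAddr, '/var/www/other-site', $issuedAt));      // same keys presented to another server
var_dump(isRateRequestValid($request, $sessionId, $remoteAddr, $absolutePath, $issuedAt + 2 * 3600));   // same keys two hours later
```

The first call accepts the request; the second and third reject it, because the key is bound to the installation path and to the hour it was issued in. Note that the check only tells the server the keys were issued to this visitor for this comment; it does not by itself limit how often that visitor may rate, which is the open item listed below.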

Security 3
All parameters passed to AJAX will be sanitized on the server to avoid XSS attacks:

    $commentTitle = mysql_real_escape_string(strip_tags($title));
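One caveat a reviewer would raise on Security 3: strip_tags() and mysql_real_escape_string() make the value safe to put into the SQL query, but a value that is safe inside a query is not automatically safe inside HTML, in particular inside an attribute. The added example below (not OpenComment’s own code; the function names are assumptions for this example) keeps strip_tags() at input time and adds htmlspecialchars() at output time, which is the step that actually neutralizes XSS.

```php
<?php
// Added example (not OpenComment's own code): input normalisation with
// strip_tags() plus output encoding with htmlspecialchars(). Function names
// are assumptions for this example.

// Normalise a submitted title: reject non-strings, drop tags, trim, cap the
// length. Storage should then use a parameterised query (no database here).
function normaliseCommentTitle($title) {
    if (!is_string($title)) {
        return '';
    }
    $title = strip_tags($title);
    return substr(trim($title), 0, 200);
}

// Encode for an HTML text node or attribute value; ENT_QUOTES also encodes
// the single quote, so the value is safe in either quoting style.
function htmlEncode($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Render a stored title both as text and as a title attribute.
function renderCommentTitle($storedTitle) {
    $safe = htmlEncode($storedTitle);
    return '<h3 title="' . $safe . '">' . $safe . '</h3>';
}

// Constructed input: a <script> tag, which strip_tags() removes, plus a
// double quote, which strip_tags() leaves in place and which would close the
// title attribute if the stored value were printed raw.
$submitted = 'Hello <script>alert(1)</script> world " onmouseover="x';
$stored    = normaliseCommentTitle($submitted);

echo $stored, "\n";                      // tags are gone, the double quote is still there
echo renderCommentTitle($stored), "\n";  // the quote is encoded, so the attribute stays closed
```

The two echo lines show the division of labour: strip_tags() only removes tags, so anything that is not a tag (quotes, angle brackets inside attributes, entities) survives into the database unchanged; htmlspecialchars() at the point of output is what guarantees the browser treats the title as text in every context it is printed in.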

Open items

  • Preventing users from rating comments too often is still not solved…
  • I will welcome any code review or help…

Next steps…

  • Migration scripts…
  • Administrator panel has to be brought up to date…
  • Testing, testing…
  • Code reviews…

Do You see something more? Comments are welcome 😉

About The Author

Cédric Walter

I worked with various insurance companies across Switzerland on online applications handling billion premium volumes. I love to continuously spark my creativity in many different and challenging open-source projects fueled by my great passion for innovation and blockchain technology. In my technical role as a senior software engineer and Blockchain consultant, I help to define and implement innovative solutions in the scope of both blockchain and traditional products, solutions, and services. I can support the full spectrum of software development activities, starting from analyzing ideas and business cases and up to the production deployment of the solutions. I'm the Founder and CEO of Disruptr GmbH.