Vulnerability testing


 administrator    10 Mar 2023
 None    blog


Do we do vulnerability testing?

The short answer is yes, but the real question is: is that enough? After all, you, as a developer, create software with the help of our tool and add your own code, so in the end the overall safety of the application is a combination of both. PHsPeed has a lot of protection built in. There are several tokens, such as a CSRF token, and there is protection against XSS and SQL injection. We try to keep up with the libraries we use to avoid introducing vulnerabilities.

Automated vulnerability tools from commercial parties can scan your website. Some parties can scan your code, and you pay per line of code. That makes it quite expensive, and it never replaces the work of a real ethical hacker. But there are ways to verify the generated project for vulnerabilities, and I would like to show you the results of ZAP, an open source and free tool from the OWASP community. This tool is able to scan your project, and I will explain the result for one of our applications here.

[Screenshot: the customer portal]

This is the customer portal that you find on our website. In the next screenshot you see the result of a ZAP scan:

[Screenshot: ZAP scan result]

If you want to do something similar, download ZAP from the OWASP website and use localhost:8010/your-application as the target to scan. So what does the scan tell us?

[Screenshot: ZAP alert list]

There are 18 notifications, so let's look at them one by one:

  • The first message complains about the absence of a CSRF token.
    This is a false positive, as PHsPeed does use a CSRF token, but ZAP does not recognize it. You can easily verify this by not touching your application for 10 minutes and then trying to continue: you will get a CSRF error message. You will find the check in your main application:
    NoCSRF::check('main_csrf', $_POST, true, 60*10, false ); // 10 minutes one-time mode

  • Application error disclosure
    This notification tells us that we display errors when they occur in the code. That is a severe issue when the application is in production: you do not want error messages to appear when the application crashes for whatever reason. PHsPeed requires you to promote your code so that all debugging info is removed from your production code. But while developing, you want the messages, because you need to be able to debug. So this warning means nothing here, but it does when you have this in your production environment.

  • CSP wildcard directive
    Content Security Policy (CSP) is an added security layer that helps detect and mitigate certain types of attacks, including (but not limited to) Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page; covered types are JavaScript, CSS, HTML frames, fonts, images, and embeddable objects such as Java applets, ActiveX, audio and video files. This must be configured on the web server, which is not the case in our development environment. But PHsPeed does generate code to enforce this in an HTML meta tag.

  • Content Security Policy (CSP) Header Not Set (5)
    This is similar to the message above.

  • Hidden File Found (2)
    We have a XAMPP environment set up for development, NOT production. The two hidden items are server-info and server-status, used for debugging. In your production environment these should be disabled, as you should never give information about your environment to (potential) hackers.

  • Missing Anti-clickjacking Header (2)
    This message applies to a missing setting in relation to IFrames (whether a page may be shown inside a frame). PHsPeed does not use IFrames.

  • Vulnerable JS Library (2)
    This is a message that you should take very seriously; it refers to outdated libraries. We have already upgraded the libraries, but this is a good showcase of an issue you might find. If you open the item, you will see which library (or libraries) needs updating.

  • Cookie No HttpOnly Flag
    This flag is set in the generated PHP code (when you have configured that in the project options), but whether the setting takes effect depends on your installation. For development this is not an issue, but in production you need to check what your provider can do, as it can be set in php.ini, on the web server, or with the code below if the function is enabled.

    // Must be called before session_start(); the array form needs PHP 7.3 or later.
    // Add 'secure' => true once the site is served over HTTPS.
    if (!session_set_cookie_params([
        'path'     => '/',
        'domain'   => 'localhost',
        'httponly' => true,
        'samesite' => 'Strict',
        'lifetime' => 3600
    ])) {
        die('failed to set cookie parameters');
    }

  • Cookie without SameSite Attribute
    See above.

  • Cross-Domain JavaScript Source File Inclusion (2)
    This message refers to a JavaScript library imported from an external website, in this case Google. PHsPeed uses local copies of libraries by default (as advised by OWASP) and avoids importing them from elsewhere, although you can choose to do so in the preferences. But some libraries cannot be stored locally.

  • Information Disclosure - Debug Error Messages (2)
    This is the same as described under 'Application error disclosure.'

  • Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) (2)
    It should be disabled on the web server level. For our development environment, this is not an issue.

  • Server Leaks Version Information via "Server" HTTP Response Header Field (38)
    It should be disabled on the web server level. For our development environment, this is not an issue.

  • X-Content-Type-Options Header Missing (34)
    This concerns MIME type sniffing: the X-Content-Type-Options header (value nosniff) tells the browser not to guess the content type of a response. It is a low-risk item and not commonly used (yet).

  • Information Disclosure - Suspicious Comments (12)
    This report lists static texts in your (JavaScript) code that look suspicious. It triggers on every string such as module&&module.exports?module.exports=b(require("jquery")):", where the trigger is the word 'jquery'. Although it is good to verify all the reported items, it is usually not an issue.

  • Loosely Scoped Cookie (67)
    Cookies can be scoped by domain or path. This check is only concerned with domain scope. The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain, e.g., www.nottrusted.com, or loosely scoped to a parent domain, e.g., nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are standard in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent or any subdomain of the parent.

  • Modern Web Application (2)
    This is an informational alert, so no changes are required. No links have been found while there are scripts, which is an indication that this is a modern web application.
    Good to know that we have created something that is considered to be modern ;-)

  • User Agent Fuzzer (12)
    Checks for differences in the response based on a fuzzed User Agent (e.g. mobile sites, access as a search engine crawler). It compares the response status code and the hash of the response body with the original response. Not really an alert either.
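As an added example (not PHsPeed's or ZAP's own code), here is a small Python check that reproduces the header and cookie alerts from the list above (CSP, anti-clickjacking, X-Content-Type-Options, Server and X-Powered-By leaks, HttpOnly, SameSite and loosely scoped cookies) on two constructed responses: one as a development server might send it, and the same response with the fixes discussed. The host name, header values and cookie value are constructed, and the CSP wildcard and cookie-scope rules are simplified versions of what ZAP does.

```python
import re
from http.cookies import SimpleCookie
# Constructed sample: headers as a development server like the one in the post might send them.
DEV_HEADERS = [
    ("Server", "Apache/2.4.54 (Win64) PHP/8.2.0"),
    ("X-Powered-By", "PHP/8.2.0"),
    ("Set-Cookie", "PHPSESSID=constructed123; path=/"),
]
# Constructed sample: the same response after the fixes discussed above.
HARDENED_HEADERS = [
    ("Server", "Apache"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "PHPSESSID=constructed123; path=/; HttpOnly; SameSite=Strict; Secure"),
]
def check_headers(headers, host="www.example.test"):
    """Return sorted ZAP-style alert names for one response's (name, value) header list.
    host is the hostname the response came from; it is only used for cookie scoping."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    findings = []
    csp = by_name.get("content-security-policy", [])
    if not csp:
        findings.append("Content Security Policy (CSP) Header Not Set")
    elif any(tok == "*" for c in csp for tok in c.replace(";", " ").split()):
        findings.append("CSP wildcard directive")  # simplified: bare * source only
    # Clickjacking: either X-Frame-Options or a frame-ancestors directive will do.
    if "x-frame-options" not in by_name and not any("frame-ancestors" in c for c in csp):
        findings.append("Missing Anti-clickjacking Header")
    if by_name.get("x-content-type-options", [""])[0].strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options Header Missing")
    if "x-powered-by" in by_name:
        findings.append('Server Leaks Information via "X-Powered-By"')
    if re.search(r"/\d", by_name.get("server", [""])[0]):  # e.g. "Apache/2.4..."
        findings.append('Server Leaks Version Information via "Server"')
    for raw in by_name.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(raw)  # parses flags such as HttpOnly and attributes such as SameSite
        for name, m in jar.items():
            if not m["httponly"]:
                findings.append(f"Cookie No HttpOnly Flag ({name})")
            if not m["samesite"]:
                findings.append(f"Cookie without SameSite Attribute ({name})")
            # A Domain attribute naming a parent of host makes the cookie readable by every subdomain.
            if m["domain"] and m["domain"].lstrip(".") != host:
                findings.append(f"Loosely Scoped Cookie ({name})")
    return sorted(findings)
```

A CSP delivered in an HTML meta tag cannot carry frame-ancestors, so the clickjacking part of this check still depends on the HTTP header being set on the web server.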

Conclusion. The application we tested has no high-risk items, a few medium risks (because the web server used is configured for development and testing, and one library has a newer version), and a few low-risk items. Considering the result, updating the libraries fixes all issues here.

The main question now is: is the application safe? Well, to a certain extent. No application is 100% safe, and this is an automated test. It is helpful, but an actual penetration test by an ethical hacker is always advised, especially if you manage critical data. But it is obvious that we do our checks often and are continuously aware of threats. In the end, you, as a user, are creating the applications, so you have your own responsibility to verify the quality of the result. No two applications will be the same; therefore, ALWAYS do your own testing! If you find vulnerabilities that you believe are the result of some mishap in our code, report them, and we will do our utmost to fix them with #1 priority.

Happy coding!


PHsPeed version 3.0 released.


 administrator    27 Jan 2023
 None    Releases


After extensive testing, we are proud to release version 3.0.

This version contains many improvements; you can find the details in the Release Notes on the download page.

If you are a customer, you must download the latest installer to use version 3.0. If you are a user of the pre-release of 3.0, then an upgrade notice will appear automatically.

One significant improvement is that you can run multiple versions of PHsPeed together. We removed the dependencies, and now all PHsPeed software is installed in one folder. If you want to uninstall, you can delete the install folder, and it's gone. We do not store items in the registry; all setup is saved in an ini file that is part of the main install folder. That is also the reason why you don't find an uninstall option in the Windows applications section.

In comparison with the previous release, you will see that we have a new user interface. It now follows the standard application development workflow and is the result of the hard work of our front-end designer. It is different, but our developers got used to it very soon, and we haven't heard anything bad about it from our beta testers.

Other enhancements: we have released our first document, which contains a PHsPeed primer and a PHP primer (for novice developers), and we will release some basic courseware soon. We have released some new videos on our YouTube channel, and there are more on the way. Of course, we have also been improving our manual, which is a continuous process.

So a lot is going on currently. We hope that you will enjoy our new release. We're happy to answer your questions and read your comments.

Oh, before I forget, we have also restarted our webinars. If you are new to PHsPeed, they are a great way to get introduced. We also provide instruction on a private level.

Happy coding!


PHsPeed Version 3.0 / PHP 8.2


 administrator    04 Dec 2022
 None    blog


The release of PHP 8.2 is postponed until mid-December, and PHsPeed 3.0 is getting mature for release.

Although we already support PHP 8.2, it is not an official PHP release yet. But you can use it for testing purposes, and we recently upgraded our runtime to replace some deprecated functions. The official support for PHP 8.2 within PHsPeed will come with PHsPeed version 3.0. This version is currently under test and is planned for release in early 2023. But if you write your application for PHP 8.2, deploying should not bring issues.

We are working hard on our 3.0 release, which brings a new ribbon-based user interface along with some cool new features. In this post, we will mention the most important ones. With a small disclaimer: it is always possible that we have to skip a feature if our test procedure brings up issues. But so far, so good.

To start with the new user interface, look at the next screenshot.

[Screenshot: the new ribbon-based user interface]

The new ribbon is context-sensitive: it changes depending on the action you select, and it replaces all (sub)menus. Some items have been relocated, and duplicate functions have been removed. Our internal developers are quite enthusiastic, as they believe the user interface is more modern and clean, and functions are more easily found. We hope that you will have the same experience.

The form reveals one of the new features you can expect, an N:M lookup. In this sample, we have a few tables containing persons, pets, and persons with pets. By defining a master-detail between the persons and persons with pets, you can define a lookup on pets. Here we use a multi-select. PHsPeed will apply the changes to the detail record depending on the checkboxes. In this case, you do not need a dedicated toolbar for the detail, as you can define the component to 'listen' to the master data source. You can do similar things with a double-select box.

[Screenshot: double-select box]

The definition is done the same way; this is only a different component.

Another feature that is in high demand is an editable grid. Currently we are still building this, but we expect to release it in version 3.0, and for sure in version 3.1.

[Screenshot: editable grid]

This feature is implemented within the database grid. It also allows the user to add several records at the same time. We are excited about these new features, as they close the gap(s) that many of our users reported and that were the highest in demand. But please let us know which features you miss and would like to see implemented in release 3.1.

Then a small notice about some questions we got from a few potential users. As you can find elsewhere on our website, we do not provide promotions. If we did so, for instance around Black Friday, we would annoy customers who might have bought the product for a higher price, or keep customers from buying while they wait for a better bargain. We want to provide the best product for a fair price, and we need the revenue that PHsPeed brings us. No surprises. When you buy PHsPeed, you know what you are buying and how much it costs, now and in the years to follow. We believe the art is not finding new customers but keeping them!