Cpanel API Digest

Hello everyone! Let’s dig into some tricks…

Cpanel Security token

“Security token” URLs were added in cPanel & WHM 11.25 as a security measure, and they were enabled by default in version 11.28. They help combat a common type of attack called a Cross-Site Request Forgery (XSRF).

So, what does a “security token” look like? Take, for example, this URL:

https://example.com:2087/i/love/cpanel

With security tokens enabled, this would become:

https://example.com:2087/cpsessYYYYYYY/i/love/cpanel

The token, including its leading slash (e.g. /cpsessYYYYYYY), is available in the environment variable ‘cp_security_token’, so it can be spliced directly into an API URL:

my $APIurl = "http://127.0.0.1:2087$ENV{'cp_security_token'}/xml-api/$url";
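To make the XSRF point concrete, here is an added Python model (not cPanel’s own code) of why a per-session token in the URL path helps: a forged request from another site arrives with the victim’s cookie, because the browser attaches it automatically, but not with the token, which only appears in URLs the legitimate page generated. The session store, the helper names and the ten-digit token shape are assumptions made for the example.

```python
import re
import secrets

# Constructed in-memory session store: session cookie value -> security token.
# Illustrative model only; cPanel's real session handling is not shown here.
SESSIONS = {}

# Assumed token shape: "/cpsess" followed by ten digits, then the original path.
TOKEN_RE = re.compile(r"^/cpsess(\d{10})(/.*)?$")


def new_session():
    """Hypothetical helper: create a session cookie and its matching URL token."""
    sid = secrets.token_hex(16)
    token = "/cpsess" + str(secrets.randbelow(10 ** 10)).rjust(10, "0")
    SESSIONS[sid] = token
    return sid, token


def tokenised_url(base, token, path):
    """Turn https://host:2087/i/love/cpanel into https://host:2087/cpsessNNN/i/love/cpanel."""
    return f"{base}{token}{path}"


def split_token(path):
    """Return (token, remainder) from a request path, or (None, path) if no token is present."""
    m = TOKEN_RE.match(path)
    if not m:
        return None, path
    return "/cpsess" + m.group(1), m.group(2) or "/"


def authorise(cookie_sid, request_path):
    """Accept the request only if the token in the URL matches the session's token.

    Returns (allowed, remaining_path). A request that carries a valid session
    cookie but no token, or a token belonging to another session, is refused.
    """
    token, remainder = split_token(request_path)
    expected = SESSIONS.get(cookie_sid)
    if expected is None or token is None:
        return False, remainder
    return secrets.compare_digest(token, expected), remainder


if __name__ == "__main__":
    sid, token = new_session()
    print(tokenised_url("https://example.com:2087", token, "/i/love/cpanel"))
    print(authorise(sid, token + "/i/love/cpanel"))   # (True, '/i/love/cpanel')
    print(authorise(sid, "/i/love/cpanel"))           # (False, '/i/love/cpanel')
```

The check uses a constant-time comparison for the token; the same pattern (cookie identifies the session, a secret bound to that session must also be present in the request) is what the cpsess path segment provides in practice.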

More information is available in the cPanel documentation on security tokens.

========================

PHP Security Tools Digest

Here I’ll list good tools for PHP security…

======================

PhpSecInfo

PhpSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.

http://phpsec.org/projects/phpsecinfo/

======================

PHP Security Sources

Founded in January 2005, the PHP Security Consortium (PHPSC) is an international group of PHP experts dedicated to promoting secure programming practices within the PHP community. Members of the PHPSC seek to educate PHP developers about security through a variety of resources, including documentation, tools, and standards.

Website address:

http://phpsec.org/projects/guide

To be continued…

XSS Cross Site Scripting

Table of contents

  • What is cross site scripting
  • What is cross site request forgery
  • Who is to blame
  • How can users protect themselves
    • How do you know what type of login a site is using
  • How can Web sites protect themselves
    • Cross site scripting
      • Escaping data
      • Never trust URLs you are given
      • Being careful with scripts
      • Using HTTP-only cookies
      • Using HTTP authentication
      • Storing safer cookies
      • Allowing only certain HTML input
      • Using BB code
      • Embedding content from other sites
    • Cross site request forgery
      • Encode a session ID in the URL
      • Check referrers
      • Prompting for passwords
      • Pass unique IDs in form submission
    • Secure sites

What is cross site scripting

Cross site scripting (XSS) is where one site manages to run a script on another site, with the privileges of you, the user.

In many pages, this would be completely harmless. But now imagine that you have logged into site A, and that site has used a session cookie to store your identity. If site B manages to make you load a page on site A containing a script they have injected into it, that script could take the cookie for site A, and send it to site B. The person running site B can now use your cookie in their own browser, and can now use site A, making it think they are you.

In the case of site A being a blog or forum, they could erase or alter your posts, add new abusive posts, or erase your account. In the case of Web mail systems, they could send abusive email to your colleagues, delete any emails, or read all the passwords you have been sent in your email, which may give them access to even more systems. In the case of it being a banking site, they could make large cash transactions using your bank account. In the case of banking or shopping sites, they could obtain your banking details, and use them to make their own purchases.

XSS can also be a problem from users on shared sites, such as forums or blog comments, where users may find a way to inject scripts into page content, where the exploit can survive much longer than just a single page load.

Cookies are not the only target of cross site scripting, but they are a very easy way to exploit a simple mistake made by the site author. In some cases, it may be possible to inject a script onto the login form of the site, and convince you to fill it in, and then they can make it send them your password. Or they could simply make it load another page on the site, submitting form data to it, or using other means to perform actions on your behalf.

Unlike phishing scams where a site tries to trick users into thinking it is another site, XSS is the real site, not a fake. It has just allowed another site to run a script on it, in the context of one of its users.
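The cookie-theft scenario above rests on two site-author mistakes that are easy to show side by side: pasting user input into the page unescaped, and issuing a session cookie that page scripts can read. The following is an added Python example, not code from the article, with a constructed comment string standing in for the injected script; the helper names are assumptions.

```python
import html
import re

# Constructed untrusted input, as a forum comment or blog comment might carry it.
# The empty script tag stands in for whatever script an attacker injected.
UNTRUSTED_COMMENT = '<script>/* injected */</script> nice post'


def render_comment_vulnerable(comment):
    """Site-A style rendering that pastes user input straight into the page."""
    return f'<p class="comment">{comment}</p>'


def render_comment_escaped(comment):
    """Same page, but HTML metacharacters are escaped so a script tag becomes plain text."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(rendered_html):
    """Crude check, used here only to contrast the two renderings."""
    return SCRIPT_TAG.search(rendered_html) is not None


def session_cookie_header(session_id, secure=True):
    """Build a Set-Cookie header whose HttpOnly flag keeps the cookie out of
    reach of any script running in the page, injected or not."""
    attrs = ["HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: session=" + session_id + "; " + "; ".join(attrs)


if __name__ == "__main__":
    print(render_comment_vulnerable(UNTRUSTED_COMMENT))
    print(render_comment_escaped(UNTRUSTED_COMMENT))
    print(session_cookie_header("example-session-id"))
```

Escaping is the primary defence: it stops the injected script from ever executing. HttpOnly is the second layer the article's table of contents lists; it does not prevent injection, but it denies a script that does run the cookie the scenario depends on.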
