Pen test my script please.
Please pen test this script/environment... Let me know via PMs if you find any vulnerabilities.
Comments
I can't see where a vuln can be found, as it generally displays static data.
I don't think it will ever take user input but I know some people around here are pretty savvy and wanted to make sure this had no vuln's before I added some more dangerous functions to login via ssh to servers and read loads.
This thing already uses the dangerous exec() function because of PHP's SOCKET_RAW downfall. Using fsockopen() isn't any good either because of PHP's difference in execution time inflating the ping.
Do your servers run any kind of web server on them? May be safer to have a PHP or whatever script on the nodes run uptime on demand, then have your status script read the URL.
Or use SNMP if it's just for statistical information.
PITA to put that script on all the other nodes if I can make it secure with the one script.
Is this script doing new pings every time I refresh, or does it just update a lot?
New pings, was thinking about doing pings with ajax. Is there a design flaw here?
Let's all constantly hit F5 at the same time...
Don't think it would hurt very much.
If someone wanted to cause trouble they could probably do some sort of mass requests of the page. If you were getting several hundreds of those a second that could maybe affect/put strain on all the servers. This might not be the case, but it may be worth either looking into rate limiting or grabbing the pings independently from someone loading the page.
@Zen I can just set a max amount of requests server side right? Anyone can hurt you on any script by sending millions of requests for the same page.
Depends on how it is designed.
In your place, I'd get some kind of a loop that checks the ping / uptime / status every X minutes and then pull from a database and only display the results. Actually, I've written myself something like this the past weekend, got to finish some email alerts and will see how it goes.
If you go to http://buyvmstatus.com/live aren't they hitting the server every second?
They may be pinging the BuyVM nodes every second, but it's just being done from one server. If 20 people are viewing that page there aren't going to be 20x the pings.
@Nick so they are updating mysql every second?
Wouldn't it be easier for someone to just use a botnet to send you tons of ICMP packets if they wanted to be malicious?
Also - is it possibly bad to post the hostname?
Then they would have to target x number of servers. If they flood your script then you are DDoSing all the servers for them.
Wonder if I can emulate 1000's of requests to my script from different sources? Or if someone would be so kind as to do this for me .....
So anyone who loads this page is sending a request to all the servers then.
@zen that site isn't run by buyvm so I'm unsure of how they would have a script running on buyvm server.
@Corey: I dug up the login to an old booter account that I had used a while back for tweaking varnish, and tried attacking your site (HTTP GET). There was no noticeable effect, but I'm not sure how powerful this thing still is.
Now though (~2 min after the attack was supposedly stopped), your page suddenly went down. I don't know if I was the cause or if you took it down, but it seems to have come back up. Anyways, this is the best I can do in terms of a load test, I hope it helped in some way!
@zen but then if I go ajax the updater script would be revealed anyway.
@JTR thanks! I probably ran out of ram or something since I haven't set max requests
@Corey I've seen scripts that do stuff, save the stuff to a file and will only run commands when a specific time has elapsed. It's a little more code, basically implementing your own cache file. This might help a little bit against abuse.
Such as
Ping servers
Store results in file
PHP checks when last the file is updated based on your specified interval time
If interval time not elapsed, display results from file
If elapsed, re run ping, store in file and return results
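The file-cache pattern described above, written out as an added example (this is not the original poster's script, and the hostnames, cache path and 60-second interval are assumptions). The point a practitioner cares about is the stampede case: when the cache has just expired and a burst of requests arrives at once, the naive version runs one ping sweep per request, which is exactly the amplification the thread worries about. An exclusive lock plus a re-check after acquiring it collapses that burst into a single sweep, and writing via rename means a reader never sees a half-written cache file. The hostname check and escapeshellarg() keep exec() from ever seeing anything but a hostname.

```php
<?php
// Added example, not the original poster's code. Serves ping results from a
// file cache that is refreshed at most once per INTERVAL_SEC, so page loads do
// not fan out into a ping against every node. Hosts and paths are made up.

const CACHE_FILE   = '/tmp/status-cache.json';                     // assumed path
const INTERVAL_SEC = 60;                                           // assumed interval
const HOSTS        = ['node1.example.net', 'node2.example.net'];   // constructed list

// Ping one host, returning round-trip time in ms or null if unreachable.
function ping_host(string $host): ?float {
    // Only well-formed hostnames reach the shell, and they are quoted anyway.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        return null;
    }
    $out = [];
    exec('ping -c 1 -W 1 ' . escapeshellarg($host) . ' 2>/dev/null', $out, $rc);
    if ($rc !== 0) {
        return null;
    }
    // Linux iputils prints "time=12.3 ms"; anything else counts as down.
    foreach ($out as $line) {
        if (preg_match('/time=([0-9.]+) ms/', $line, $m)) {
            return (float) $m[1];
        }
    }
    return null;
}

// Is the cache file present and younger than the interval?
function cache_is_fresh(): bool {
    clearstatcache(); // filemtime() is cached per request; force a real stat
    return is_file(CACHE_FILE) && (time() - filemtime(CACHE_FILE)) < INTERVAL_SEC;
}

// Ping every host and atomically replace the cache file.
function refresh_cache(): array {
    $results = ['updated' => time(), 'hosts' => []];
    foreach (HOSTS as $host) {
        $results['hosts'][$host] = ping_host($host);
    }
    // Write to a temp file and rename so readers never see a partial file.
    $tmp = CACHE_FILE . '.' . getmypid();
    file_put_contents($tmp, json_encode($results));
    rename($tmp, CACHE_FILE);
    return $results;
}

// Return cached results, refreshing them at most once per interval
// no matter how many requests arrive at the same moment.
function load_status(): array {
    if (cache_is_fresh()) {
        return json_decode(file_get_contents(CACHE_FILE), true);
    }
    // Stale: take an exclusive lock so a burst of requests yields one ping
    // sweep, not one sweep per request. Everyone else waits on the lock
    // (about one ping timeout at worst) and then reads the new file.
    $lock = fopen(CACHE_FILE . '.lock', 'c');
    flock($lock, LOCK_EX);
    try {
        // Re-check: another request may have refreshed while we waited.
        if (cache_is_fresh()) {
            return json_decode(file_get_contents(CACHE_FILE), true);
        }
        return refresh_cache();
    } finally {
        flock($lock, LOCK_UN);
        fclose($lock);
    }
}

header('Content-Type: text/plain');
$status = load_status();
echo 'Last updated ' . date('c', $status['updated']) . "\n";
foreach ($status['hosts'] as $host => $ms) {
    echo $host . ': ' . ($ms === null ? 'down' : $ms . ' ms') . "\n";
}
```

With this in place an attacker hammering the page costs you one ping sweep per interval plus whatever it costs to serve a few kilobytes from disk; the nodes themselves never see more traffic than one monitoring probe per interval. The same decoupling can be pushed further by moving refresh_cache() into a cron job and having the page only ever read, which is where the thread ends up.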
@risharde that would be the same as sticking it in mysql or something... it's going to cause a lot of DISK IO doing it that way.
@Corey okay, sorry, I didn't realize you didn't want a disk cache... okay, how about PHP Shared Memory option. Haven't used it personally though I intend to try it out. I also saw someone write a script that does basic operations using it, do Google search if interested.
Reference: http://php.net/manual/en/book.shmop.php
EDIT: memcache but I think that takes longer to set up, never tried it, this is another one I would eventually try later on.
@risharde that would also make the application consume tons of memory
Memcache is good but idk if it would be suitable.
Shared memory looks awesome, but the script isn't causing trouble to need to use something like this.
@Corey agreed, memcache would be over kill - only suggested it so other people would know there is also that option if they read the thread, the PHP shared memory wouldn't use much of anything I think, keep me posted if you decide to use it because I want to try it but I don't have the time at the moment
Good luck!
'Tons of disk IO'
Your results are a few kilobytes at the worst case scenario, what are you talking about again?
<_<;
If I updated it every second - especially with the new features I plan on adding....
I decided to update it every minute and I'm going to use an updater script to update mysql every minute and then the client facing page will get data from mysql.