Jump to content
timnboys

My License Verification Portal Built off Blesta is Finally Live And Working!

Recommended Posts

look here:

https://cubedata.net/verifydomain

this is using Michael Dance's BlestaCMS to handle the html and returning the output from the backend

It is also using javascript as well to make the form submit the request to the backend and then return the output using AJAX from jquery all without "refreshing" or "redirecting" the page like it should not do as during development I didn't want it actually redirecting to the backend on submit but instead to return the response from the backend on the same page with the form

kXbQJD.jpg

If anyone asks the Design of the website and logo & etc are all thanks to Michael Dance Aka @Licensecart who helped us build this design, and also donated to us the new logo & other things as well which I am very thankful for him doing that for me.

as you see it actually functions as well:

s2zS0j.jpg

Mbrlp5.jpg

 

Share this post


Link to post
Share on other sites
23 minutes ago, Blesta Addons said:

but license check for wish product ?!!

because a domain can be licensed to use product A and not product B, the you will receive a lot of false/positive checks .

 

 

yes I was working on that but have to get the base aka what is currently done working first before I can go and experiment on trying to return back what licenses are allowed like which they purchased aka product a and b. 

Share this post


Link to post
Share on other sites

I'm not sure how I feel about people just being able to put in my website and see what plugins of yours I am using or if I am using your plugins at all.  Other things which I know have similar features are billing systems, forums, etc but with all of those it is hard to tell that I am not using them.  For a fraud checker or vultur provisioner (examples) I don't really need anyone to know what plugin I am using for that.

How is someone even going to know if the billing system is using X plugin or module behind the scenes?  Without that knowledge I am not sure why someone would even bother, or know, to go to your site and check to see if they are using a valid license.

On to the analysis of it

Quote
License Found And Valid! The Domain Queried is using Genuine CubeData Software1
Refresh the Page After Checking one Domain to Check Another

You may want to fix that 1 at the end

Quote

NO License Found that matches that Domain! License is pirated and you should report it to us to check out!1

Looks like it shows up on both positive and negative results.

You also may want to make the page look a bit nicer.  The main point of the page is the form but there is nothing telling me what to do with it.  Not even a placeholder on the input box.  The blue bar outshines the rest of the page way too much, only because there isn't anything around the form currently.

Finally you may want to lockdown your endpoint at least a little bit as right now just about anyone could hammer on it.  I didn't test it too much but I didn't have a hard time sending multiple requests in succession directly to the endpoint.  I am going to guess that you are using mysql or a flat file somewhere to manage your license and that is probably being hit every time a lookup is done.  This is bad because someone could essentially do a denial of service attack by beating on that one url and it can't be cached so they know it will hammer a resource behind the scenes and they don't have to login or get a CSRF token to do it.  You may just want to mitigate that as a firewall rule but there are in-code ways to reduce the attack vector as well that wouldn't hurt.

Finally this is listed on your site under products.  Is this something you are planning on selling or is it just due to the fact it is validating the license on your products.  If it is the latter I would suggest moving it under the "Quick Links" section as to me it makes more sense for it to be there.

This is a good proof of concept but still has a way to go before I would think it is production ready.

Share this post


Link to post
Share on other sites
6 hours ago, Blesta Addons said:

but license check for wish product ?!!

because a domain can be licensed to use product A and not product B, the you will receive a lot of false/positive checks .

 

 

 

3 hours ago, mrrsm said:

I'm not sure how I feel about people just being able to put in my website and see what plugins of yours I am using or if I am using your plugins at all.  Other things which I know have similar features are billing systems, forums, etc but with all of those it is hard to tell that I am not using them.  For a fraud checker or vultur provisioner (examples) I don't really need anyone to know what plugin I am using for that.

How is someone even going to know if the billing system is using X plugin or module behind the scenes?  Without that knowledge I am not sure why someone would even bother, or know, to go to your site and check to see if they are using a valid license.

On to the analysis of it

You may want to fix that 1 at the end

Looks like it shows up on both positive and negative results.

You also may want to make the page look a bit nicer.  The main point of the page is the form but there is nothing telling me what to do with it.  Not even a placeholder on the input box.  The blue bar outshines the rest of the page way too much, only because there isn't anything around the form currently.

Finally you may want to lockdown your endpoint at least a little bit as right now just about anyone could hammer on it.  I didn't test it too much but I didn't have a hard time sending multiple requests in succession directly to the endpoint.  I am going to guess that you are using mysql or a flat file somewhere to manage your license and that is probably being hit every time a lookup is done.  This is bad because someone could essentially do a denial of service attack by beating on that one url and it can't be cached so they know it will hammer a resource behind the scenes and they don't have to login or get a CSRF token to do it.  You may just want to mitigate that as a firewall rule but there are in-code ways to reduce the attack vector as well that wouldn't hurt.

Finally this is listed on your site under products.  Is this something you are planning on selling or is it just due to the fact it is validating the license on your products.  If it is the latter I would suggest moving it under the "Quick Links" section as to me it makes more sense for it to be there.

This is a good proof of concept but still has a way to go before I would think it is production ready.

I have made some major improvements thanks to the feedback here:

RCPb1q.jpg

JB1GqT.jpg

R5oYGK.jpg

please do tell me mrrsm what "in-code ways" can I use to reduce the attack vector and as I have mod_security and mod_evasive enabled & installed too as the "firewall"?

anyway now it should be even better now on selecting the specific product and checking the license for it as raised as a valid point by blesta addons

 

Share this post


Link to post
Share on other sites
9 minutes ago, timnboys said:

please do tell me mrrsm what "in-code ways" can I use to reduce the attack vector and as I have mod_security and mod_evasive enabled & installed too as the "firewall"?

You are more or less protected than if you have good mod_security rules in place.

If you look at the forms Blesta creates they add a CSRF token

<input type="hidden" name="_csrf_token" value="f366be67543fb4413174a63bf048bd383d65177a65194eaf55d5a37ab185d705">

This will help, among other things, people submitting forms multiple times, submitting a form from somwhere that is not the form, and multiple others things.  The wikipedia page has a pretty full description of things tokens can help protect you against.

Share this post


Link to post
Share on other sites
7 minutes ago, mrrsm said:

You are more or less protected than if you have good mod_security rules in place.

If you look at the forms Blesta creates they add a CSRF token


<input type="hidden" name="_csrf_token" value="f366be67543fb4413174a63bf048bd383d65177a65194eaf55d5a37ab185d705">

This will help, among other things, people submitting forms multiple times, submitting a form from somwhere that is not the form, and multiple others things.  The wikipedia page has a pretty full description of things tokens can help protect you against.

I wish I knew how to generate the token but cannot use php in blestacms I can only do it externally so I cannot actually use csrf tokens like I would want to.

it seems blestacms throws a error if it see's non-html content.

Share this post


Link to post
Share on other sites

I have never used or looked at the blestacms code so I am not much help there.

It may be a good feature request to make though as it is a good security measure to have if they can pass the blesta one through to the user.

Share this post


Link to post
Share on other sites

I have moved this completely away from blestacms to another cms now so the frontend code to just call the "backend" on blesta which really does all the work behind the scenes is now separate, the frontend isn't tied to blestacms anymore(since it never needed to be anyway) though the backend is still integrated into blesta though.

just thought I would update people on this. 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×