timnboys Posted November 6, 2016

Look here: https://cubedata.net/verifydomain. This is using Michael Dance's BlestaCMS to handle the HTML and return the output from the backend. It is also using JavaScript to make the form submit the request to the backend and then return the output via AJAX from jQuery, all without "refreshing" or "redirecting" the page, which it should not do, as during development I didn't want it actually redirecting to the backend on submit but instead returning the response from the backend on the same page as the form. If anyone asks, the design of the website, the logo, etc. are all thanks to Michael Dance, aka @Licensecart, who helped us build this design and also donated the new logo and other things to us, which I am very thankful to him for doing. As you can see, it actually functions as well:
Michael Posted November 6, 2016

Should call the page "Verify domain" or something.
timnboys Posted November 6, 2016

1 hour ago, Licensecart said:
Should call the page "Verify domain" or something.

Okay, I just changed it to "License Verification" and changed the description to: "This tool allows you to check if a domain is authorized to be running CubeData Software."
Blesta Addons Posted November 6, 2016

But license check for which product?! Because a domain can be licensed to use product A and not product B, you will receive a lot of false positive checks.
timnboys Posted November 6, 2016

23 minutes ago, Blesta Addons said:
But license check for which product?! Because a domain can be licensed to use product A and not product B, you will receive a lot of false positive checks.

Yes, I was working on that, but I have to get the base (aka what is currently done) working first before I can go and experiment with trying to return which licenses are allowed, i.e. which they purchased, aka product A and B.
mrrsm Posted November 7, 2016

I'm not sure how I feel about people just being able to put in my website and see what plugins of yours I am using, or if I am using your plugins at all. Other things which I know have similar features are billing systems, forums, etc., but with all of those it is hard to tell that I am not using them. For a fraud checker or Vultr provisioner (examples) I don't really need anyone to know what plugin I am using for that. How is someone even going to know if the billing system is using X plugin or module behind the scenes? Without that knowledge I am not sure why someone would even bother, or know, to go to your site and check to see if they are using a valid license.

On to the analysis of it:

Quote:
License Found And Valid! The Domain Queried is using Genuine CubeData Software1
Refresh the Page After Checking one Domain to Check Another

You may want to fix that "1" at the end.

Quote:
NO License Found that matches that Domain! License is pirated and you should report it to us to check out!1

Looks like it shows up on both positive and negative results.

You also may want to make the page look a bit nicer. The main point of the page is the form, but there is nothing telling me what to do with it, not even a placeholder on the input box. The blue bar outshines the rest of the page way too much, only because there isn't anything around the form currently.

Finally, you may want to lock down your endpoint at least a little bit, as right now just about anyone could hammer on it. I didn't test it too much, but I didn't have a hard time sending multiple requests in succession directly to the endpoint. I am going to guess that you are using MySQL or a flat file somewhere to manage your licenses, and that is probably being hit every time a lookup is done. This is bad because someone could essentially do a denial of service attack by beating on that one URL, and since it can't be cached they know it will hammer a resource behind the scenes, and they don't have to log in or get a CSRF token to do it. You may just want to mitigate that as a firewall rule, but there are in-code ways to reduce the attack vector as well that wouldn't hurt.

Finally, this is listed on your site under Products. Is this something you are planning on selling, or is it just due to the fact that it is validating the license on your products? If it is the latter, I would suggest moving it under the "Quick Links" section, as to me it makes more sense for it to be there.

This is a good proof of concept but still has a way to go before I would think it is production ready.
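The post above describes the exposure (an unauthenticated, uncacheable lookup that hits the license store on every request) but not what an in-code mitigation looks like. The following is an added example, not CubeData's or Blesta's code, showing two of the cheap measures a backend can apply before it touches the database: a per-client fixed-window counter that survives across PHP requests, and a short-lived memo of lookup results so a burst of identical queries costs one store access. The limits, the temp-file path, the domain normalisation rule and the in-memory license table are all assumptions for illustration; mod_evasive already counts per IP at the Apache layer, but the in-code version also lets you key on what is queried, not just who queries it.

```php
<?php
// Added example: in-code throttling and result caching for an unauthenticated
// license-check endpoint. Not CubeData's or Blesta's code; limits, paths and
// the license table below are assumptions for illustration.

declare(strict_types=1);

const RATE_LIMIT  = 5;   // requests allowed per client per window (assumed)
const RATE_WINDOW = 60;  // window length in seconds (assumed)
const CACHE_TTL   = 300; // seconds a lookup result is reused (assumed)

// Constructed stand-in for the real license table (MySQL or flat file).
$LICENSES = [
    'example.com' => ['product-a', 'product-b'],
    'example.org' => ['product-a'],
];

/**
 * Fixed-window counter per client key, persisted in a small JSON file so it
 * survives across PHP requests; flock() serialises concurrent updates.
 * Returns true when the caller is over the limit and should receive HTTP 429.
 */
function rate_limited(string $clientKey, int $limit = RATE_LIMIT, int $window = RATE_WINDOW, ?int $now = null): bool
{
    $now  = $now ?? time();
    $path = sys_get_temp_dir() . '/license_check_ratelimit.json';
    $fh   = fopen($path, 'c+');
    if ($fh === false) {
        return true; // fail closed: if we cannot track requests, do not serve
    }
    flock($fh, LOCK_EX);
    $raw   = stream_get_contents($fh);
    $state = $raw === '' ? [] : (json_decode($raw, true) ?: []);

    $bucket = intdiv($now, $window);                 // id of the current window
    $entry  = $state[$clientKey] ?? ['bucket' => $bucket, 'count' => 0];
    if ($entry['bucket'] !== $bucket) {              // new window: reset count
        $entry = ['bucket' => $bucket, 'count' => 0];
    }
    $entry['count']++;
    $state[$clientKey] = $entry;

    // Drop clients last seen before the previous window so the file stays small.
    foreach ($state as $key => $e) {
        if ($e['bucket'] < $bucket - 1) {
            unset($state[$key]);
        }
    }
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    flock($fh, LOCK_UN);
    fclose($fh);

    return $entry['count'] > $limit;
}

/**
 * Normalise the submitted domain before it becomes a cache key or a query
 * parameter: lower-case, strip scheme and path, accept ASCII hostnames only.
 */
function normalize_domain(string $input): ?string
{
    $host = strtolower(trim($input));
    if (preg_match('~^[a-z][a-z0-9+.-]*://~', $host)) {
        $h    = parse_url($host, PHP_URL_HOST);
        $host = is_string($h) ? $h : '';
    }
    $host = rtrim(explode('/', $host)[0], '.');
    if ($host === '' || strlen($host) > 253 || !preg_match('/^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$/', $host)) {
        return null;
    }
    return $host;
}

/**
 * Answer whether $domain is licensed for $product, memoising the result for
 * CACHE_TTL seconds so repeated identical queries reach the store once.
 */
function license_status(string $domain, string $product, array $licenses, array &$cache, ?int $now = null): array
{
    $now = $now ?? time();
    $key = $domain . '|' . $product;
    if (isset($cache[$key]) && $cache[$key]['expires'] > $now) {
        return ['status' => $cache[$key]['status'], 'cached' => true];
    }
    // Single trip to the backing store; in production this is the DB query.
    $status = in_array($product, $licenses[$domain] ?? [], true) ? 'valid' : 'not-found';
    $cache[$key] = ['status' => $status, 'expires' => $now + CACHE_TTL];
    return ['status' => $status, 'cached' => false];
}

// Demo: one client (constructed address) sends seven requests in one window.
$cache = [];
foreach (range(1, 7) as $i) {
    if (rate_limited('203.0.113.7')) {
        echo "request $i: 429 Too Many Requests\n";
        continue;
    }
    $domain = normalize_domain('https://Example.com/path');
    if ($domain === null) {
        echo "request $i: 400 bad domain\n";
        continue;
    }
    $result = license_status($domain, 'product-b', $LICENSES, $cache);
    printf("request %d: %s%s\n", $i, $result['status'], $result['cached'] ? ' (cached)' : '');
}
```

Because the counter file persists, running the script twice within the same minute refuses every request on the second run, which is the intended behaviour for a real client. The cache here lives in a PHP array for the demo; in a request-per-process deployment it would need the same file-backed treatment (or APCu/Redis) to be useful, and a negative ("not-found") result should be cached as well, since that is the answer an attacker can generate for free by querying random domains.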
timnboys Posted November 7, 2016

6 hours ago, Blesta Addons said:
But license check for which product?! Because a domain can be licensed to use product A and not product B, you will receive a lot of false positive checks.

3 hours ago, mrrsm said:
I'm not sure how I feel about people just being able to put in my website and see what plugins of yours I am using, or if I am using your plugins at all. Other things which I know have similar features are billing systems, forums, etc., but with all of those it is hard to tell that I am not using them. For a fraud checker or Vultr provisioner (examples) I don't really need anyone to know what plugin I am using for that. How is someone even going to know if the billing system is using X plugin or module behind the scenes? Without that knowledge I am not sure why someone would even bother, or know, to go to your site and check to see if they are using a valid license. On to the analysis of it: You may want to fix that "1" at the end. Looks like it shows up on both positive and negative results. You also may want to make the page look a bit nicer. The main point of the page is the form, but there is nothing telling me what to do with it, not even a placeholder on the input box. The blue bar outshines the rest of the page way too much, only because there isn't anything around the form currently. Finally, you may want to lock down your endpoint at least a little bit, as right now just about anyone could hammer on it. I didn't test it too much, but I didn't have a hard time sending multiple requests in succession directly to the endpoint. I am going to guess that you are using MySQL or a flat file somewhere to manage your licenses, and that is probably being hit every time a lookup is done. This is bad because someone could essentially do a denial of service attack by beating on that one URL, and since it can't be cached they know it will hammer a resource behind the scenes, and they don't have to log in or get a CSRF token to do it. You may just want to mitigate that as a firewall rule, but there are in-code ways to reduce the attack vector as well that wouldn't hurt. Finally, this is listed on your site under Products. Is this something you are planning on selling, or is it just due to the fact that it is validating the license on your products? If it is the latter, I would suggest moving it under the "Quick Links" section, as to me it makes more sense for it to be there. This is a good proof of concept but still has a way to go before I would think it is production ready.

I have made some major improvements thanks to the feedback here. Please do tell me, mrrsm, what "in-code ways" I can use to reduce the attack vector, as I have mod_security and mod_evasive installed and enabled too as the "firewall"? Anyway, it should now be even better on selecting the specific product and checking the license for it, as raised as a valid point by Blesta Addons.
mrrsm Posted November 7, 2016

9 minutes ago, timnboys said:
Please do tell me, mrrsm, what "in-code ways" I can use to reduce the attack vector, as I have mod_security and mod_evasive installed and enabled too as the "firewall"?

You are more or less protected if you have good mod_security rules in place. If you look at the forms Blesta creates, they add a CSRF token:

<input type="hidden" name="_csrf_token" value="f366be67543fb4413174a63bf048bd383d65177a65194eaf55d5a37ab185d705">

This will help with, among other things, people submitting forms multiple times, submitting a form from somewhere that is not the form, and multiple other things. The Wikipedia page has a pretty full description of things tokens can help protect you against.
timnboys Posted November 7, 2016

7 minutes ago, mrrsm said:
You are more or less protected if you have good mod_security rules in place. If you look at the forms Blesta creates, they add a CSRF token: <input type="hidden" name="_csrf_token" value="f366be67543fb4413174a63bf048bd383d65177a65194eaf55d5a37ab185d705"> This will help with, among other things, people submitting forms multiple times, submitting a form from somewhere that is not the form, and multiple other things. The Wikipedia page has a pretty full description of things tokens can help protect you against.

I wish I knew how to generate the token, but I cannot use PHP in BlestaCMS; I can only do it externally, so I cannot actually use CSRF tokens like I would want to. It seems BlestaCMS throws an error if it sees non-HTML content.
mrrsm Posted November 7, 2016

I have never used or looked at the BlestaCMS code, so I am not much help there. It may be a good feature request to make, though, as it is a good security measure to have, if they can pass the Blesta one through to the user.
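The exchange above stalls on the front-end CMS being unable to run PHP to mint a token. The backend that already answers the AJAX call can mint and check one itself, and a signed, stateless token needs no server-side storage. What follows is an added example of that pattern, not Blesta's own _csrf_token implementation and not CubeData's code: the backend issues an HMAC-signed token carrying an issue time, a random nonce and the form it is for; the front-end JavaScript fetches it from a same-origin endpoint and posts it back in a hidden field; the handler rejects any request whose token is missing, tampered with, expired or meant for a different form before it touches the license store. The secret, the TTL, the field name and the purpose string are assumptions.

```php
<?php
// Added example: stateless, HMAC-signed CSRF token issued and checked by the
// backend. Not Blesta's _csrf_token implementation; secret, TTL and field
// names below are assumptions for illustration.

declare(strict_types=1);

const CSRF_TTL = 900; // seconds a token stays valid (assumed)

/** Issue a token bound to one form, e.g. 'verifydomain'. */
function csrf_issue(string $secret, string $purpose, ?int $now = null): string
{
    $now     = $now ?? time();
    $nonce   = bin2hex(random_bytes(16));          // makes each token unique
    $payload = $now . '|' . $nonce . '|' . $purpose;
    $mac     = hash_hmac('sha256', $payload, $secret);
    // URL-safe base64 so the token survives form encoding untouched.
    return rtrim(strtr(base64_encode($payload), '+/', '-_'), '=') . '.' . $mac;
}

/** True only for an unexpired token with a valid MAC and the expected purpose. */
function csrf_verify(string $secret, string $purpose, string $token, ?int $now = null): bool
{
    $now   = $now ?? time();
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$encoded, $mac] = $parts;
    $encoded .= str_repeat('=', (4 - strlen($encoded) % 4) % 4); // restore padding
    $payload  = base64_decode(strtr($encoded, '-_', '+/'), true);
    if ($payload === false) {
        return false;
    }
    // Constant-time compare so the MAC cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return false;
    }
    $fields = explode('|', $payload, 3);
    if (count($fields) !== 3) {
        return false;
    }
    [$issued, , $tokenPurpose] = $fields;
    if ($tokenPurpose !== $purpose) {
        return false;
    }
    $issued = (int) $issued;
    return $issued <= $now && ($now - $issued) <= CSRF_TTL;
}

/** Handler for the AJAX form post: the token check runs before any lookup. */
function handle_verify_request(array $post, string $secret): array
{
    if (!csrf_verify($secret, 'verifydomain', (string) ($post['_csrf_token'] ?? ''))) {
        return ['status' => 403, 'body' => 'missing or invalid form token'];
    }
    // Domain/product validation and the license lookup would follow here.
    return ['status' => 200, 'body' => 'token accepted'];
}

// Demo with a constructed secret; in production load it from config, never from the page.
$secret = 'replace-with-a-long-random-secret-from-config';
$token  = csrf_issue($secret, 'verifydomain');

$cases = [
    'fresh token'  => handle_verify_request(['_csrf_token' => $token], $secret),
    'tampered MAC' => handle_verify_request(['_csrf_token' => $token . 'x'], $secret),
    'no token'     => handle_verify_request([], $secret),
];
foreach ($cases as $label => $r) {
    printf("%-13s -> HTTP %d: %s\n", $label, $r['status'], $r['body']);
}
printf("%-13s -> %s\n", 'expired', csrf_verify($secret, 'verifydomain', $token, time() + CSRF_TTL + 1) ? 'accepted' : 'rejected');
printf("%-13s -> %s\n", 'wrong form', csrf_verify($secret, 'other-form', $token) ? 'accepted' : 'rejected');
```

The token endpoint must be same-origin with the form page and must not be readable cross-origin (no permissive CORS), because the protection rests on a third-party page being unable to obtain a token. Two limits worth knowing: a stateless token can be replayed by the same client until its TTL lapses, so it does not by itself stop the repeated-submission problem raised earlier unless the nonce is recorded and rejected on reuse; and it is bound to the form, not to a visitor, since this page has no session to bind to. It still removes the "no token needed" property that made the endpoint trivially scriptable.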
timnboys Posted December 29, 2017

I have moved this completely away from BlestaCMS to another CMS now, so the frontend code, which just calls the "backend" on Blesta (which really does all the work behind the scenes), is now separate; the frontend isn't tied to BlestaCMS anymore (since it never needed to be anyway), though the backend is still integrated into Blesta. Just thought I would update people on this.
timnboys Posted March 17, 2018

Even more updates have been done on the backend/frontend of this: