JonBlog
Thoughts on website ideas, PHP and other tech topics, plus going car-free
Insecure programming tutorial reporting tool
Categories: Finished, Ideas

This would make a nice weekend hack project! A website to report (PHP) tutorials that recommend insecure techniques, especially involving SQL injection (I just found another one, and have reported it via the comments). For novelty, render all the sites as labelled divs in a Masonry wall, and bonus points for a cheeky xkcd-style alt-text for each one.

I think it would be quite cool to add Stack Overflow or GitHub auth as the only way to log on, so that the expertise of reporters can be reasonably validated. Even simpler, and arguably just as good: a GitHub repo to which anyone can submit pull requests. Trusted users could have their own repo added too.

I did think of detecting hash-tags on Twitter, but they may be too short for our purposes, and searching that interface directly for who has reported what may not be ideal. Still, this could be an additional option.

If this project gets some traction, then a website widget to report that it is clean – or even that it has been checked – would be cool too.

Updated 26 Oct 2014

Some ideas to get this working:

  • Reporters maintain their own repo of JSON reports, organised into folders
  • An online JavaScript tool is offered to write reports in the latest format
  • JSON strings contain the report data plus a version number of the JSON format
  • Create a repo containing repos to pull
  • Need a feature to check size of repo before pulling, so massive repos are not pulled
    • This doesn’t seem possible, so another approach is to create an .img filing system of a small size, mount it, and use that to prevent massive repos from being pulled
  • All data added to MySQL database
  • All data available as merged JSON, each record having a last updated timestamp
  • All data is presented on a paginated website
  • Cron is used to pull from the repos
  • A public page is used to keep an eye on the pulls
    • Overall (e.g. space taken up in the filing system, number of reports, number of problems)
    • Per repo (number of reports, number of problems)

Data per JSON report:

  • Format version (1 to start with)
  • URL
  • Fault tags (sql-injection, plaintext-password, weak-password-hashing, other)
  • Description (markdown)
  • Author contacted (yes, no)
  • Author responded (yes, no)
  • Will fix (yes, no)
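As an added illustration (not code from the project itself), here is how the online JavaScript tool might validate a version-1 report against the fields above and merge the reports pulled from several reporter repos into the merged JSON feed described earlier. The JSON field names, the `updated` timestamp (assumed to be stamped by the puller, e.g. from the commit time) and the sample reports are assumptions for the example.

```javascript
// Added example, not the project's own code. Field names are assumed from the post.
const FORMAT_VERSION = 1;
const FAULT_TAGS = new Set(["sql-injection", "plaintext-password", "weak-password-hashing", "other"]);
const YES_NO = new Set(["yes", "no"]);

// Returns a list of problems; an empty list means the report is valid.
function validateReport(report) {
  const problems = [];
  if (report.version !== FORMAT_VERSION) problems.push(`unsupported format version: ${report.version}`);
  let url;
  try { url = new URL(report.url); } catch { problems.push("url is not a valid URL"); }
  if (url && !["http:", "https:"].includes(url.protocol)) problems.push("url must be http(s)");
  if (!Array.isArray(report.tags) || report.tags.length === 0) problems.push("tags must be a non-empty array");
  else for (const t of report.tags) if (!FAULT_TAGS.has(t)) problems.push(`unknown fault tag: ${t}`);
  if (typeof report.description !== "string" || report.description.trim() === "") problems.push("description is required");
  for (const f of ["author_contacted", "author_responded", "will_fix"]) {
    if (!YES_NO.has(report[f])) problems.push(`${f} must be "yes" or "no"`);
  }
  return problems;
}

// Merge reports pulled from several repos, keyed by reporter and URL: keep the most
// recently updated copy of each and list invalid reports separately for the status page.
function mergeReports(pulls) {
  const merged = new Map();
  const rejected = [];
  for (const { reporter, reports } of pulls) {
    for (const r of reports) {
      const problems = validateReport(r);
      if (problems.length) { rejected.push({ reporter, url: r.url, problems }); continue; }
      const key = `${reporter}|${r.url}`;
      const prev = merged.get(key);
      if (!prev || r.updated > prev.updated) merged.set(key, { reporter, ...r }); // ISO-8601 UTC strings compare lexically
    }
  }
  return { reports: [...merged.values()], rejected };
}

// Constructed sample input: two repos, one with a report edited twice, one with a bad report.
const SAMPLE_PULLS = [
  { reporter: "alice", reports: [
    { version: 1, url: "https://example.com/php-login-tutorial", tags: ["sql-injection"], description: "Interpolates $_POST['user'] straight into the SQL string.", author_contacted: "yes", author_responded: "no", will_fix: "no", updated: "2014-10-26T10:00:00Z" },
    { version: 1, url: "https://example.com/php-login-tutorial", tags: ["sql-injection", "plaintext-password"], description: "Also stores passwords unhashed.", author_contacted: "yes", author_responded: "yes", will_fix: "yes", updated: "2014-11-02T09:30:00Z" },
  ] },
  { reporter: "bob", reports: [
    { version: 2, url: "ftp://example.com/x", tags: ["xss"], description: "", author_contacted: "maybe", author_responded: "no", will_fix: "no", updated: "2014-10-27T00:00:00Z" },
  ] },
];
```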

Updated 14 Jan 2015

Yay, I launched this! I’ve added GitHub OAuth login, and the ability to edit reports online. More improvements to come.
