Overview:
It has been a long time since the last release. I will try to finish Custom Domain during Spring Break, but no promises. This update mainly focuses on the underlying structure, especially database interactions: PDO is replacing the legacy MySQL API in order to prevent SQL injection. As mentioned below, the regex filtering could become less annoying, but it will not disappear, because XSS still has to be stopped.
Abuses:
Abuse of the system has not stopped, so countermeasures are being added: session tokens, an IP frequency limit, Cloudflare Challenge and hostname evaluation.
A session token is generated for every form, and each token can be used only once.
The IP frequency limit blocks requests from an IP whose request rate exceeds a certain limit.
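The two mechanisms just described, a single-use form token and a per-IP request limit, as an added example in PHP (this is not Phurl's code). The token is kept in the PHP session and deleted on first use; the limiter is a fixed-window counter whose backing store, the limit of 30 requests per 60 seconds, the token lifetime and the field name are all assumptions.

```php
<?php
// Added example, not part of Phurl: one-time form tokens and an IP frequency limit.
session_start();

const TOKEN_FIELD = 'form_token';   // hidden input name (assumption)

// Issue a fresh token for a form render and remember when it was issued.
function issueFormToken(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$token] = time();
    return $token;
}

// Consume a submitted token. It is valid only if it exists in the session,
// has not been used before, and is not older than $maxAgeSeconds.
function consumeFormToken(?string $submitted, int $maxAgeSeconds = 900): bool {
    if ($submitted === null || !isset($_SESSION['form_tokens'][$submitted])) {
        return false;
    }
    $issuedAt = $_SESSION['form_tokens'][$submitted];
    unset($_SESSION['form_tokens'][$submitted]);   // single use: forget it before anything else
    return (time() - $issuedAt) <= $maxAgeSeconds;
}

// Fixed-window counter: allow at most $limit requests per $windowSeconds from one IP.
// $store stands in for a shared store such as APCu or a database table (assumption);
// an in-memory array only counts within a single request and is used here for illustration.
function allowRequest(array &$store, string $ip, int $limit = 30, int $windowSeconds = 60, ?int $now = null): bool {
    $now = $now ?? time();
    $key = $ip . '|' . intdiv($now, $windowSeconds);
    $store[$key] = ($store[$key] ?? 0) + 1;
    return $store[$key] <= $limit;
}

// Request handling (constructed): limit first, then validate the token on POST.
$store = [];
$ip = $_SERVER['REMOTE_ADDR'] ?? '203.0.113.10';   // constructed fallback for CLI runs
if (!allowRequest($store, $ip)) {
    http_response_code(429);
    exit('Too many requests');
}
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!consumeFormToken($_POST[TOKEN_FIELD] ?? null)) {
        http_response_code(403);
        exit('Invalid or reused form token');
    }
    echo "Token accepted; the shortening request can be processed here.\n";
} else {
    $token = issueFormToken();
    echo '<input type="hidden" name="' . TOKEN_FIELD . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . "\">\n";
}
```

Deleting the token before checking its age is what makes it single-use even when the age check fails; a replayed or duplicated submission is rejected because the key is already gone from the session.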
Hostname evaluation includes:
a) Is the hostname already in the database? Yes -> Step b, No -> Allow
b) Check the hostname (Alexa report, domain age, etc.). Good -> Allow, otherwise -> define an evaluation score and go to step c
c) Have the old record(s) ever been accessed? Yes -> Score = Score + x, No -> Score = Score + x1
d) Have the old record(s) been considered dangerous or been reported? Yes -> Score = Score + y, No -> Score = Score + y1
e) Number of records: Score = Score + z
f) Number of records generated in the past N hours: Score = Score + z1
g) Check the full URL and the page title for the website's category: Score = Score + CataScore
If Score > Danger_Limit -> Drop request, else -> Allow
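The evaluation steps a) to g) above, written out as one scoring function in PHP. This is an added example, not Phurl's implementation: the weights x, x1, y, y1, z, z1, CataScore and Danger_Limit are the symbols from the steps, but their values, the layout of the `$facts` array, and the reading of z and z1 as per-record weights (the steps do not say how the record counts enter the score) are assumptions. The reputation check of step b and the category score of step g are taken as inputs, since the page does not specify how they are computed.

```php
<?php
// Added example, not Phurl's code: hostname evaluation steps a) to g) as a scoring function.
// Weight values are assumptions; the symbols follow the steps above.
const WEIGHTS = [
    'x'  => 0,    // c) old records were accessed
    'x1' => 10,   // c) old records were never accessed
    'y'  => 40,   // d) old records flagged dangerous or reported
    'y1' => 0,    // d) old records clean
    'z'  => 2,    // e) per existing record for this hostname (per-record reading is an assumption)
    'z1' => 5,    // f) per record created in the past N hours (same assumption)
    'Danger_Limit' => 50,
];

// $facts keys (all assumptions): known, reputationGood, oldRecordsAccessed,
// oldRecordsReported, recordCount, recentRecordCount, categoryScore (CataScore from step g).
function evaluateHostname(array $facts, array $w = WEIGHTS): array {
    // a) hostname not in the database -> allow without scoring
    if (!$facts['known']) {
        return ['decision' => 'allow', 'score' => 0, 'reason' => 'a: hostname not in database'];
    }
    // b) reputation check (Alexa report, domain age, ...) passed -> allow
    if ($facts['reputationGood']) {
        return ['decision' => 'allow', 'score' => 0, 'reason' => 'b: reputation check passed'];
    }
    $score = 0;
    // c) were the old records ever accessed?
    $score += $facts['oldRecordsAccessed'] ? $w['x'] : $w['x1'];
    // d) were the old records considered dangerous or reported?
    $score += $facts['oldRecordsReported'] ? $w['y'] : $w['y1'];
    // e) number of records for this hostname
    $score += $facts['recordCount'] * $w['z'];
    // f) number of records generated in the past N hours
    $score += $facts['recentRecordCount'] * $w['z1'];
    // g) category score derived from the full URL and page title
    $score += $facts['categoryScore'];
    $decision = $score > $w['Danger_Limit'] ? 'drop' : 'allow';
    return ['decision' => $decision, 'score' => $score, 'reason' => 'c-g: score ' . $score];
}

// Constructed sample: a known hostname that failed the reputation check, whose earlier
// links were never opened and were reported, with a burst of new records and no category hit.
$sample = [
    'known'              => true,
    'reputationGood'     => false,
    'oldRecordsAccessed' => false,
    'oldRecordsReported' => true,
    'recordCount'        => 6,
    'recentRecordCount'  => 4,
    'categoryScore'      => 0,
];
$result = evaluateHostname($sample);
printf("%s (score %d, %s)\n", $result['decision'], $result['score'], $result['reason']);
```

Returning the score and the step that decided the outcome alongside the decision makes the scoring auditable: a dropped request can be explained from the log without re-running the evaluation, and weight changes can be tested against recorded facts.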
1. As some of you may have noticed, I have added two more short domain names, and even more are to come 🙂
2. This website is based on Phurl, which was created ages ago. I am rewriting most of the code that works under the hood.
a. Most of the MySQL queries have been replaced by PDO. (The rest are controllable, meaning their values can only be numbers, so there is no impact on security. That said, I am still going to replace them :))
b. Because of this update, the regex filtering could become less annoying in the near future.
3. I am still working on the migration to PHP 7.x.
4. Local (browser-based) encryption and decryption is still being evaluated.
5. No more reCAPTCHA if the website has already been analyzed within the last N hours/days.
6. Other improvements.
For security reasons, N varies between short URLs.
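The query change described in the Overview and in item 2a, as an added example in PHP (not Phurl's own code): a short-code lookup written against the legacy mysql_* API with the request value spliced into the SQL text, next to the same lookup as a PDO prepared statement, plus the numeric-only case from item 2a bound as an integer parameter. The table and column names, the sample row and the use of an in-memory SQLite database for the demonstration are assumptions; a production connection would use a MySQL DSN with the same options.

```php
<?php
// Added example, not Phurl's code. Table and column names are assumptions.

// Before (legacy mysql_* API on PHP 5): the request value becomes part of the SQL text,
// so a value containing a quote changes the meaning of the query. Kept for contrast only,
// never called here (the mysql_* functions no longer exist on PHP 7).
function lookupUrlLegacy(string $code): ?string {
    $sql = "SELECT long_url FROM urls WHERE short_code = '" . $code . "' LIMIT 1";
    $res = mysql_query($sql);
    $row = $res ? mysql_fetch_assoc($res) : null;
    return $row ? $row['long_url'] : null;
}

// After: PDO prepared statement. The SQL text is fixed; the value is bound separately,
// so whatever it contains is compared as data and cannot alter the statement.
function lookupUrl(PDO $db, string $code): ?string {
    $stmt = $db->prepare('SELECT long_url FROM urls WHERE short_code = :code LIMIT 1');
    $stmt->execute([':code' => $code]);
    $url = $stmt->fetchColumn();
    return $url === false ? null : $url;
}

// Item 2a: a query whose only input is a number. Binding it as PDO::PARAM_INT keeps it
// safe without relying on the caller having cast the value first.
function incrementHits(PDO $db, int $id): int {
    $stmt = $db->prepare('UPDATE urls SET hits = hits + 1 WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Demonstration on an in-memory SQLite database (constructed). For MySQL the DSN would be
// 'mysql:host=...;dbname=...;charset=utf8mb4' and PDO::ATTR_EMULATE_PREPARES => false
// would be added so the server itself binds the parameters.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE urls (id INTEGER PRIMARY KEY, short_code TEXT UNIQUE, long_url TEXT, hits INTEGER DEFAULT 0)');
$db->exec("INSERT INTO urls (short_code, long_url) VALUES ('ab12', 'https://example.com/page')");

// A normal code resolves; a code containing a quote is simply not found.
var_dump(lookupUrl($db, 'ab12'));
var_dump(lookupUrl($db, "ab12' OR 'a'='a"));
var_dump(incrementHits($db, 1));
```

PDO::ERRMODE_EXCEPTION is worth setting on every connection: with the default silent mode a failed prepare returns false and the next call on it produces a confusing error far from the cause.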