Is there a prefered way to prevent internet hackers from accessing the vxml source code other than limiting IP and Port addresses via a firewall. If so, what is it?
Also, if we wish to use the IP and Port route, is the PLUM hosting facility on a fixed / reliable IP range that we can set in the firewall? If so, what is that range?
Lastly, can we select which ports that the vxml/hosting servers use to access our vxml? ie: http://www.somedomain.com:4567/ivr/main_ivr.vxml
Or is there some other way we need to specify the port?
We've Moved! Please visit our new and improved forum over at our new portal: https://portal.plumvoice.com/hc/en-us/community/topics
vxml source code security
-
always24x7
- Posts: 30
- Joined: Tue Apr 18, 2006 3:05 pm
- Location: Bedford, TX
restrict access with IP address block that allows IVR access
Hello,
Opening up access to your VoiceXML should not really pose a major security threat, it has the same security risks that any normal web page might have. Please contact Support for the information. Thank you. That will allow our IVR platform to access your site. Port access is defined by the URLs you are providing, if you are only using HTTP/HTTPS then you will need to open port 80 and/or port 443. You can specify alternate ports in the standard HTTP URL format and open those up as well:
Regards,
Plum Support
Opening up access to your VoiceXML should not really pose a major security threat, it has the same security risks that any normal web page might have. Please contact Support for the information. Thank you. That will allow our IVR platform to access your site. Port access is defined by the URLs you are providing, if you are only using HTTP/HTTPS then you will need to open port 80 and/or port 443. You can specify alternate ports in the standard HTTP URL format and open those up as well:
Code: Select all
http://host:port/absolute_pathPlum Support
Last edited by support on Tue Jan 05, 2010 2:48 pm, edited 1 time in total.
-
always24x7
- Posts: 30
- Joined: Tue Apr 18, 2006 3:05 pm
- Location: Bedford, TX
The issue has to do with the Dynamic (<data> tag) side of things.
The concern is that the IVR system needs to collect Account and security info and request personal info from another web server. If the code is open, the url and info provided to that server is visable to anyone who knows the url of the vxml script. This opens up an opportunity for hackers to bang on the data server.
When we develop via PHP, JSP, etc., we are able to put sensitive code in non-web accessable areas that can only be accessessed by the application. This allows the application to scramble, or encrypt sensitive data, verification keys, etc., with an algorithm that the source code can not be seen from the web.
Is there anything equivalent that can be done with vxml?
The concern is that the IVR system needs to collect Account and security info and request personal info from another web server. If the code is open, the url and info provided to that server is visable to anyone who knows the url of the vxml script. This opens up an opportunity for hackers to bang on the data server.
When we develop via PHP, JSP, etc., we are able to put sensitive code in non-web accessable areas that can only be accessessed by the application. This allows the application to scramble, or encrypt sensitive data, verification keys, etc., with an algorithm that the source code can not be seen from the web.
Is there anything equivalent that can be done with vxml?
IVR example needed from user
Hello,
Can you provide an IVR example of how you are accomplishing this with HTML? The general rule is that anything you can do in HTML should be possible in VoiceXML unless you are using some form of embeded Java or Flash on your web page. VoiceXML uses standard HTTP GET and POST to exchange information with the IVR application server. You can define local variables as encrypted data that get submitted back to the IVR application server by populating a <var> tag when the page is dynamically generated.
Regards,
Plum Support
Can you provide an IVR example of how you are accomplishing this with HTML? The general rule is that anything you can do in HTML should be possible in VoiceXML unless you are using some form of embeded Java or Flash on your web page. VoiceXML uses standard HTTP GET and POST to exchange information with the IVR application server. You can define local variables as encrypted data that get submitted back to the IVR application server by populating a <var> tag when the page is dynamically generated.
Regards,
Plum Support
Last edited by support on Thu Feb 25, 2010 1:57 pm, edited 2 times in total.
-
always24x7
- Posts: 30
- Joined: Tue Apr 18, 2006 3:05 pm
- Location: Bedford, TX
I'm don't know if you can even do it with plain HTML.
We do it with PHP.
example:
<?php
// Require a utility file from a directory not accessable to web
// that contains scramble and unscramble functions
require_once ("/var/www/include/utility.php");
// Scramble the userId and password before sending it to
// the data server
$scrambled = utilScramble( $userId . "|" . $password );
// Data server has the unscramble utility and can get back
// the userId and password
$output = file_get_contents( "https://www.somedomain.com/getUserData. ... $scrambled" );
print( $output );
// Neither program exposed the scramble/unscramble algorithm
// to the public.
?>
Since the required code can not be accessed from the web. A hacker can not determine how the data is scrambled and therefore can not spoof the data server into giving out results.
This is of course a very simple example, and in practice would be significantly more sophisticated. Like embedding time and a key from another non-web accessable file in the data so it would have a very short life.
PHP, like any CGI, is executed by the server, so the source is not exposed to the browser, so the method of calling and the type of data passed can't even be seen. The server only returns the result of calling the page.
PHP can also be compiled down into gibberish, so even the code above would be nothing but random looking alpha characters.
Actually, that might be the solution! Put all of the vxml in a non-web accessable file template and serve it up with a CGI, or just generate it directly from the CGI. Require a specific variable to be passed on the url that if missing the CGI produces nothing, or just enough vxml to report the error. Since that variable would only be on the url registered as the active url in your hosting servers, it would never be seen by the public. Not perfect, but a lot better than wide open.
We do it with PHP.
example:
<?php
// Require a utility file from a directory not accessable to web
// that contains scramble and unscramble functions
require_once ("/var/www/include/utility.php");
// Scramble the userId and password before sending it to
// the data server
$scrambled = utilScramble( $userId . "|" . $password );
// Data server has the unscramble utility and can get back
// the userId and password
$output = file_get_contents( "https://www.somedomain.com/getUserData. ... $scrambled" );
print( $output );
// Neither program exposed the scramble/unscramble algorithm
// to the public.
?>
Since the required code can not be accessed from the web. A hacker can not determine how the data is scrambled and therefore can not spoof the data server into giving out results.
This is of course a very simple example, and in practice would be significantly more sophisticated. Like embedding time and a key from another non-web accessable file in the data so it would have a very short life.
PHP, like any CGI, is executed by the server, so the source is not exposed to the browser, so the method of calling and the type of data passed can't even be seen. The server only returns the result of calling the page.
PHP can also be compiled down into gibberish, so even the code above would be nothing but random looking alpha characters.
Actually, that might be the solution! Put all of the vxml in a non-web accessable file template and serve it up with a CGI, or just generate it directly from the CGI. Require a specific variable to be passed on the url that if missing the CGI produces nothing, or just enough vxml to report the error. Since that variable would only be on the url registered as the active url in your hosting servers, it would never be seen by the public. Not perfect, but a lot better than wide open.
security model for HTML and IVR are identical
Hello,
The IVR question was not how you do it in plain html so much as it was how do you protect your current web applications that output html. Your answer/conclusion was what the point of the question. The method you using to serve HTML in a secure manor can be reused to serve VoiceXML. The security model is identical (since they are both HTTP based) the presentation format is the only difference.
Regards,
Plum Support
The IVR question was not how you do it in plain html so much as it was how do you protect your current web applications that output html. Your answer/conclusion was what the point of the question. The method you using to serve HTML in a secure manor can be reused to serve VoiceXML. The security model is identical (since they are both HTTP based) the presentation format is the only difference.
Regards,
Plum Support