Welcome to Grande Puffo !


Grande Puffo wants to demo the given possibility to defend web resources from the server round trip until the user client side, with an eventual sha256 client check, with a suggestable one more defence given by a same element instance counter.

You can grab the lab code from https://github.com/par7133/GrandePuffo.

Here follows a brief documentation about the ideas behind it. 

[init.inc]

require("config.inc");

[config.inc]

  'RES_ROUTER_PREFIX' => [
     0 => [1000000, 1199999],
     1 => [1200000, 1399999],
     2 => [1400000, 1599999],
     3 => ...
   ];

  'RES_ROUTER' => [ 
     0 => "idxpage1img.php",
     1 => "idxpage1html.php",
     2 => "idxpage1js.php",
     3 => "..."
   ];

  'RES_PASSWORD' => [
     0 => "res_password1",
     1 => "res_password2",
     2 => "res_password3",
     3 => "res_password4",
     4 => "res_password5",
     5 => "..."
  ];

  'RES_SALT' => [
     0 => "res_salt1",
     1 => "res_salt2",
     2 => "res_salt3",
     3 => "res_salt4",
     4 => "res_salt5",
     5 => "..."
  ];

  'RES_TYPE' => [
     0 => "image",
     1 => "image",
     2 => "image",
     3 => "script",
     4 => "image",
     5 => "..."
  ];

  'RES' => [
     0 => "/res/topbanner1.png",
     1 => "/res/logo.png",
     2 => "/res/sidebanner3.png",
     3 => "/res/scriplet1.js",
     4 => "/res/pix5.png"
  ],

  'RES_DISPLAIED_SHA' => [
     0 => "bdb4538753314562a8eb520e446d568cbdb4538753314562a8eb520e446d568c",
     1 => "ba78c55eae177c8e6749fa6aded78757ccfb10c85121cb4fbbb76b9ce3ef4db2",
     2 => "6a3c96e2c94f49f3a59b672768716e866a3c96e2c94f49f3a59b672768716e86",
     3 => "c91de3449c1c46eaa8dd2eef025a2eb2c91de3449c1c46eaa8dd2eef025a2eb2",
     4 => "82f3c59ab4db488f867cd0db9b143cbd82f3c59ab4db488f867cd0db9b143cbd",
     5 => "..."
  ];

  'RES_SHA' => [
     0 => "67d67dc36f87471194e7cf94d30a571367d67dc36f87471194e7cf94d30a5713",
     1 => "ba78c55eae177c8e6749fa6aded78757ccfb10c85121cb4fbbb76b9ce3ef4db2",
     2 => "b27d6e61f49746fb9df0c1102900a029b27d6e61f49746fb9df0c1102900a029",
     3 => "7db5663f808a4acf94c82ac314f84bf87db5663f808a4acf94c82ac314f84bf8",
     4 => "ada5fcd9a2a343e2af3b555d7dae6fabada5fcd9a2a343e2af3b555d7dae6fab",
     5 => "..."
  ];

  'WEBPAGE_ELEMENT' => [
     0 => "funnyctrl1",
     1 => "funnyctrl2",
     2 => "funnyctrl3",
     3 => "funnyctrl4",
     4 => "funnyctrl5",
     5 => "..."
 ];


[page.php]

$myPrefix = mt_rand(1000000, 1199999);
$myImageSha = "ba78c55eae177c8e6749fa6aded78757ccfb10c85121cb4fbbb76b9ce3ef4db2";

<html>
<head>
<link src="style1.css" type="text/css" rel="stylesheet">
</head>
<body>
<img src='/<?PHP echo($myPrefix.$myImageSha);?>'>
<img src='/<?PHP echo($myPrefix.$myImageSha);?>'>
<img src='/<?PHP echo($myPrefix.$myImageSha);?>'>
<img src='/<?PHP echo($myPrefix.$myImageSha);?>'>
<img src='/<?PHP echo($myPrefix.$myImageSha);?>'>
</body>
</html>


[mainrouter, /mrouter.php]

require("init.inc");

$url=filter_input(INPUT_GET, "url")??"";

$myRndPrefix = substr($url, 0, 6);

$myResRouter = getResRouter($myRndPrefix):

function getResRouter(string $myPrefix):  string
{
    global $ROUTING;
 
    $i=0;
    foreach($ROUTING['RES_ROUTER_PREFIX'] as $prefix) {
      if ($prefix[0]>=$myPrefix && $myPrefix<=$prefix[1]) {
        return $ROUTING['RES_ROUTER'][$i];
      }
      $i++;
    }
}

require("/$myResRouter?url=" . substr($url,7));


[resrouter, /idxpage1img.php]

$url=filter_input(INPUT_GET, "url")??"";
$myDisplaiedSha = substr($url,7);
$myres=getRes($myDisplaiedSha):

function getRes(string $displaiedSha): int
{
    global $ROUTING;

    $tot = count($ROUTING['RES_PASSWORD'])-1;
    $i=0;
    while ($i<=$tot) {
      if (hash("sha256", $ROUTING['RES_PASSWORD'][i].$ROUTING['RES_SALT'][i]) === $displaiedSha);
        return $i; 
      }
      $i++;
    } 
}

$mySha = $ROUTING['RES_SHA'][$myres];

[[ $myShaCounter = Cookie::get($mySha, 0); ]]

$myPageElementID = $ROUTING['WEBPAGE_ELEMENT'][$myres]; // Replace $myres with $myShaCounter to get an element instance based algothytm
$myResType = $ROUTING['RES_TYPE'][$myres]; // Replace $myres with $myShaCounter to get an element instance based algothytm

if ($myResType==="image") {
  $myTmpResRoot = APP_PATH . DIRECTORY_SEPARATOR . "tmpres";
} else {  
  $myTmpResRoot = APP_PATH . DIRECTORY_SEPARATOR . "tmpjs";
}

$myTmpResPath = getNewTmpFileName($myTmpResRoot):

function getNewTmpFileName(string $tempResRoot): string
{
    chdir($tempResRoot);
    $tmpFileName = "tmp". mt_rand(1000000000, 9999999999) . ".$ext";
    while (isReadable($tmpFileName)) {
      $tmpFileName = "tmp". mt_rand(1000000000, 9999999999) . ".$ext";
    }
    return $tempResRoot . DIRECTORY_SEPARATOR . $tmpFileName;
}



[...]


//clientxmlreq;
//doclientshacheck();

genTmpRes($myRes, $myTmpResPath):

function genTmpRes(string $myRes, string $myTmpResPath): string
{
  if (is_readable($myRes)) {
    cp($myRes,$myTmpResPath);
    chmod($myTmpResPath, 0755);  
  }
}


parent.document.getElementByID(<?PHP echo($myPageElementID); ?>).innerHTML = "<img src='<?PHP echo($myTmpResPath);?>'>";

or

header("Content-Type: image/png");
echo(file_get_contents($myTmpResPath));


[[

Finally for an element instance based algothytm:

setCookieCounter():

// Increment element instance counter..
function setCookieCounter() {

    // set iteraction counter..    

   global $ROUTING;
   global $myShaCounter;
   global $mySha;

   while(true) {
      $myShaCounter++;    

      if (!defined("ROUTING_RES".$myShaCounter)) {
         Cookie::set($mySha, 0, Cookie::EXPIRE_ONEDAY, "/", APP_HOST);  
         break;
      }  
                                                         
      if ($ROUTING['RES_TYPE'][$myShaCounter]==="image") {
          Cookie::set($mySha, $myShaCounter, Cookie::EXPIRE_ONEDAY, "/", APP_HOST);
          break;
      }
  }
}

]]