Sunday, 11 September 2016

Ways to Secure PHP Web Applications and Prevent Attacks

PHP is one of the most popular programming languages for the web. It is an easy language to learn, and many people without any background in programming pick it up as a way to add interactivity to their web sites. Here are a few of the more common security problems and how to avoid them.

PHP Security

Cross Site Scripting (XSS): an XSS attack is when an attacker injects JavaScript code into the HTML your application sends to users.

// GET data is sent through URL:<script>alert('test')</script>
$search = $_GET['search'] ?? null;
echo 'Search results for '.$search;

// This can be solved with htmlspecialchars
$search = htmlspecialchars($search, ENT_QUOTES, 'UTF-8');
echo 'Search results for '.$search;

ENT_QUOTES makes htmlspecialchars() escape both single and double quotes in addition to the HTML special characters.

SQL Injections: SQL injection happens when you interpolate content into a SQL query string and the result modifies the syntax of your query in ways you did not intend. The attacker carries it out by injecting malicious SQL fragments into your existing SQL statement.

$password = $_POST['password'];
$id = $_POST['id'];
$sql = "UPDATE Accounts SET PASSWORD = '$password' WHERE account_id = $id";

Now suppose the attacker sets the POST request parameters to "password=xyzzy" and "id=account_id", resulting in the following SQL:

UPDATE Accounts SET PASSWORD = 'xyzzy' WHERE account_id = account_id

Although I expected $id to be an integer, the attacker chose a string that is the name of the column. Of course now the condition is true on every row, so the attacker has just set the password for every account. Now the attacker can log in to anyone's account -- including privileged users.

To protect the application from SQL injection:

Filter Input: use data type coercion such as the intval() function.
Escape Output: escape literal quote characters and any other characters that may act as string boundaries (for example with mysql_real_escape_string() in PHP).
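The Accounts update from above with both defences applied, as an added example that is not code from the original post. It runs offline against an in-memory SQLite database through PDO; the table layout follows the post, while the sample rows, the request values and the set_password() function are constructed here. It goes one step beyond the post by using a prepared statement instead of manual escaping.

```php
<?php
// Added example (not from the original post): the Accounts update from the
// post, hardened with input filtering and a prepared statement.

// Applies both defences: intval() coerces the id (so the string 'account_id'
// becomes 0 and can never be read as SQL), and the prepared statement keeps
// $password out of the query text, so quotes in it are data, not syntax.
// Prepared statements replace the mysql_real_escape_string() approach.
// Returns the number of rows changed.
function set_password(PDO $db, string $password, string $rawId): int
{
    $id = intval($rawId);                       // filter input
    $stmt = $db->prepare(
        'UPDATE Accounts SET PASSWORD = :pw WHERE account_id = :id'
    );
    $stmt->execute([':pw' => $password, ':id' => $id]);
    return $stmt->rowCount();
}

// Constructed test database: same table as in the post, two sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Accounts (account_id INTEGER PRIMARY KEY, PASSWORD TEXT)');
$db->exec("INSERT INTO Accounts VALUES (1, 'old-alice'), (2, 'old-bob')");

// Request shaped like the one described above: id is the column name.
// With the interpolated query every row would match; here intval() turns
// the id into 0, no such account exists, and nothing is changed.
$changed = set_password($db, 'xyzzy', 'account_id');
echo "attacker-shaped id: rows changed = $changed" . PHP_EOL;

// A legitimate request for account 2 still works as intended.
$changed = set_password($db, 'new-bob', '2');
echo "id 2: rows changed = $changed" . PHP_EOL;

// Show the final state of the table.
$rows = $db->query('SELECT account_id, PASSWORD FROM Accounts ORDER BY account_id');
foreach ($rows as $row) {
    echo $row['account_id'] . ' => ' . $row['PASSWORD'] . PHP_EOL;
}
```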

Session Hijacking: after a successful login the web server sends a session token to the client browser. Session hijacking is an attack in which the attacker steals that session ID and uses it to act as the user.

Remote File Inclusion: a remote file inclusion (RFI) attack means the attacker can make your application include a script of their choosing.

$page = $_GET['page'] ?? 'home';
require $page . '.php';

In the above code the page parameter can be pointed at a remote file, for example http://yourwebsite.tld/index.php?page=

You have to disable this in your configuration.
; Disable including remote files
allow_url_fopen = off
; Disable opening remote files for include(), require() and include_once() functions.
; If above allow_url_fopen is disabled, allow_url_include is also disabled.
allow_url_include = off

Error Reporting: always turn off error display in your production environment. If errors are displayed, every error that occurs is shown to users, and attackers can learn about your application from those messages.

; Disable displaying errors to screen
display_errors = off
; Enable writing errors to server logs
log_errors = on

Remote Files: disable access to remote files.
; disable opening remote files for fopen, fsockopen, file_get_contents and similar functions
allow_url_fopen = 0
; disable including remote files for require, include and similar functions
allow_url_include = 0

Session: PHP is by default configured to store session data on the server and a tracking cookie on the client side (usually called PHPSESSID) carrying a unique ID for the session.

; in most cases you'll want to enable cookies for storing session
session.use_cookies = 1
; disabled changing session id through PHPSESSID parameter (e.g foo.php?PHPSESSID=<session id>)
session.use_only_cookies = 1
session.use_trans_sid = 0
; reject any session ID sent by the client that the server did not create, and issue a new one instead
session.use_strict_mode = 1

To stop injected JavaScript from reading the user's session cookie, mark the cookie HttpOnly:
session.cookie_httponly = 1

Set this to the domain the session cookie should apply to:
session.cookie_domain =

For HTTPS sites this makes the browser send the session cookie only over HTTPS. If you're still not using HTTPS, you should consider it.
session.cookie_secure = 1
