I am trying to build a web CMS application using PHP and SQL. I haven't fully learned Laravel yet and I may need more time to complete my course. My question is, does Laravel come with built-in extra security, or is it the same as coding in pure PHP? No one told me this, but I have a feeling I would have to do a lot of manual coding to secure my app using pure PHP.
Please fill me in with your expert suggestions.
Moen
Using a framework does not secure your code magically. You still have to protect it.
You can see your web app as a house with many doors. With pure PHP, you will have to build your doors before using them. On the other hand, Laravel (or any framework) comes with built-in doors, but if you don't use them, your app will not be secure.
Example of protections simplified with Laravel
CSRF protection https://laravel.com/docs/5.3/csrf
SQL injections using Eloquent https://laravel.com/docs/5.3/eloquent
Form validation https://laravel.com/docs/5.3/validation
All protections listed above can be done with pure PHP but you will have to write a lot of code.
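The three "doors" listed above, built by hand in plain PHP so you can see what the framework is doing for you. This is an added example and not code from the answer or from Laravel itself; it assumes PHP 7.4+ with the pdo_sqlite extension, uses an in-memory SQLite table and constructed input, and the function names (csrf_token, csrf_check, validate_post, find_posts_by_title) are my own.

```php
<?php
// Added example (not from the original post): what Laravel's @csrf directive,
// validation rules and Eloquent/query builder do for you, written in plain PHP.
// Runs from the CLI: php doors.php
declare(strict_types=1);

// --- CSRF: one random token per session, compared in constant time ---------
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32)); // 256-bit token from the CSPRNG
    }
    return $session['csrf'];
}

function csrf_check(array $session, ?string $submitted): bool
{
    // hash_equals avoids a timing side channel; a missing token is a failure, not a pass
    return isset($session['csrf']) && is_string($submitted)
        && hash_equals($session['csrf'], $submitted);
}

// --- Validation: roughly 'title' => 'required|max:80', 'email' => 'required|email'
function validate_post(array $input): array
{
    $errors = [];
    $title = trim((string)($input['title'] ?? ''));
    if ($title === '' || strlen($title) > 80) {          // 80 bytes, to stay mbstring-free
        $errors['title'] = 'title is required and at most 80 bytes';
    }
    if (!filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors['email'] = 'email is invalid';
    }
    return $errors;
}

// --- SQL: bound parameters, which is what Eloquent emits under the hood ----
function find_posts_by_title(PDO $db, string $title): array
{
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE title = :title');
    $stmt->execute([':title' => $title]);              // value never touches the SQL text
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function demo(): array
{
    $db = new PDO('sqlite::memory:');                   // constructed in-memory database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec("INSERT INTO posts (title) VALUES ('hello'), ('secret')");

    $session = [];
    $token = csrf_token($session);

    // Classic injection payload: with a bound parameter it is just a string value.
    $payload = "x' OR '1'='1";

    return [
        'csrf_ok'        => csrf_check($session, $token),
        'csrf_forged'    => csrf_check($session, 'deadbeef'),
        'validation'     => validate_post(['title' => '', 'email' => 'nope']),
        'injection_rows' => count(find_posts_by_title($db, $payload)),
        'normal_rows'    => count(find_posts_by_title($db, 'hello')),
    ];
}

print_r(demo());
```

The point of running it is the last two counts: the injection payload returns zero rows because the statement was prepared before the value was bound, while the same payload concatenated into the SQL string would have returned every row. In a real app the `$session` array is `$_SESSION` and the token is emitted as a hidden field and checked on every state-changing request.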
I know this is several years too late, but I figured I would add in that locking down your Laravel project once in production does not take too much effort. If you utilize #csrf and form validation as stated above, that will cover your "doors" there. On top of that, using something like fail2ban on the server and pointing everything to the public folder within your Laravel application will reduce brute forcing and deter a lot of the common PHP web scans that come in daily from malicious IP addresses. On my servers I typically see certain IP addresses scanning for common php, phpmyadmin, and mysql.php files that do not turn up any 200 HTTP responses. In addition, having the final product/compiled version of the site in its own directory and implementing all your third-party creds within the .env file (which is required to link your Laravel project to a DB) makes it hard for malicious actors to find system files and credentials.
In addition, the authentication out of the box does all the hashing for you ("secure Bcrypt and Argon2 hashing"). In addition to hashing, it has been noted that the Hash::make function creates and uses a 22-length random string as a salt to generate the password, from the question "Where are laravel password salts stored?", which references a WordPress article on Laravel hashing and salting, "Laravel Hash::make() explained". Hopefully that helps anyone reading this.
If you are deploying a Laravel site to a VPS or whatever, then I would highly recommend combing the access logs daily, or at least every two days, and deny ##IP address##; anything that is trying to access URIs it is not supposed to access (since you built it, you will know what they should and shouldn't be accessing), and implementing fail2ban to greatly reduce SSH brute force. If anyone needs more info or has more questions about maintaining a Laravel website in the wild / on a Linux server, I am always here. Coming from someone in the cyber sec industry who freelances web development.
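The log-combing routine described in the answer above, as an added example (not the answerer's own tooling): a small PHP CLI script that reads combined-format access log lines, counts requests for paths a Laravel app served from its public folder never exposes (phpMyAdmin, mysql.php, .env and similar), and prints nginx `deny` directives for the addresses that only ever probed. The log lines, the threshold, the pattern list and the allowlist are all assumptions; the sample lines are constructed, not real traffic.

```php
<?php
// Added example (not code from the answer above): combing an access log for
// scanner IPs and emitting nginx "deny" lines for them.
// Usage: php comb.php, or replace SAMPLE_LOG with file(...) of a real log.
declare(strict_types=1);

// Combined log format: IP ident user [date] "METHOD URI HTTP/x" STATUS SIZE ...
const LOG_RE = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /';

// Paths this app never serves; requests for them are scanner noise (assumed list).
const SCAN_PATTERNS = [
    '#/phpmyadmin#i', '#/pma#i', '#/mysql\.php$#i', '#/\.env$#i',
    '#/wp-login\.php$#i', '#/xmlrpc\.php$#i', '#/vendor/phpunit#i',
];

function is_scan_uri(string $uri): bool
{
    foreach (SCAN_PATTERNS as $re) {
        if (preg_match($re, $uri) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Returns [ip => number of probe requests] for addresses that sent at least
 * $threshold probes and never received a 2xx (they were fishing, not using the app).
 */
function find_scanners(array $lines, int $threshold = 3): array
{
    $probes = [];   // ip => count of scan-like URIs
    $served = [];   // ip => true once any request got a 2xx
    foreach ($lines as $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue;                       // malformed line: skip it, never ban on it
        }
        [, $ip, , $uri, $status] = $m;      // $m[2] is the method, not needed here
        if ($status[0] === '2') {
            $served[$ip] = true;
        }
        if (is_scan_uri($uri)) {
            $probes[$ip] = ($probes[$ip] ?? 0) + 1;
        }
    }
    $out = [];
    foreach ($probes as $ip => $n) {
        if ($n >= $threshold && !isset($served[$ip])) {
            $out[$ip] = $n;
        }
    }
    return $out;
}

function deny_directives(array $scanners, array $allowlist = []): string
{
    $lines = [];
    foreach (array_keys($scanners) as $ip) {
        if (in_array($ip, $allowlist, true)) {
            continue;                       // your own / monitoring IPs: never lock yourself out
        }
        $lines[] = "deny {$ip};";
    }
    return implode("\n", $lines);
}

// Constructed sample lines (documentation-range addresses, not real traffic).
const SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /pma/index.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /mysql.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2023:14:01:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2023:14:01:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:14:02:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"',
];

$scanners = find_scanners(SAMPLE_LOG);
echo deny_directives($scanners, ['198.51.100.2']), "\n";
```

The "never got a 2xx" rule and the threshold are what keep a legitimate user who once mistyped a URL off the deny list; a single probe (192.0.2.9 above) is not enough. If the server sits behind a proxy or CDN, the first field of the log is the proxy's address and this script would ban the proxy, so log the real client address before relying on it.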
Related
Long-time reader, first-time asker; if my question is silly, missing info or mistitled, let me know and I'll fix it.
Okay, so I'm working at a community center for the next 8 weeks as a tech help assistant, I'm also a CS student.
They have a web application that is quite old, running locally on an IIS server (version 7). It's for keeping track of their members, events and registration. It's written in ASP.NET and is using an Access database. They also have a WordPress website (PHP, MySQL, Apache) for advertising events and sharing information about what's going on in the community.
What they would like is to link their WordPress to the local application. I've been racking my brain about whether this is even possible or not. I'm leaning towards not possible, because the local application shouldn't be outward facing, as it has sensitive data on it and was not designed to be secure in the face of would-be hackers.
The only solution that I could think of is create a "walled off" section of the computer hosting the local application. Also an outward facing port that accepts incoming data from the wordpress site that is then passed onto the access database as an update (increasing a counter for the amount of people registered to a program). It needs to be possible for a file to have some kind of global (from the web) executable permissions and have all the other files on the localhost computer locked down from this global permission.
We would also need to be able to get 2 boolean values from the local app for the wordpress site. This is for if the program/camp/whatever is full and if the update was unsuccessful in the event of something going wrong. I'm just not sure if something like that is even possible and where to start with that. The most important thing is that it's secure.
If a secure API could work I have time to create something like that.
I don't have enough time to upgrade their local system to make it safe enough to be online because I have to run tech help sessions. I know that is the most realistic option.
Thanks very much
What they would like is to link their WordPress to the local application. I've been racking my brain about whether this is even possible or not. I'm leaning towards not possible, because the local application shouldn't be outward facing, as it has sensitive data on it and was not designed to be secure in the face of would-be hackers.
I think you've hit the nail on the head right there. It looks like you have a decent understanding of the situation but not of their internal app. The fact is that it's hard to scope something like this without getting in and getting details. Step 1 would be to see if you can talk to whoever it is that built the thing and get their feedback. It might be secure enough to expose some sort of connection.
Really there's not enough information here to determine a good answer, and you should be wary of anyone that says it's secure. There are a ton of factors that go into web security.
You might be able to throw together a basic RESTful API with authentication to send only to the wordpress site's IP. But if it's sharing the IP that information can be consumed by third parties so you'll have to decide if that is an okay risk.
I wouldn't try and expose everything and partition with apache. A basic RESTful API with authentication would be best at first glance IMO. That way you only show consumable data and limit what can be used.
Right now we have an Ionic project that is almost finished, which comes with a PHP backend. To make the backend a little bit more secure against influences from outside, we would like to make the backend only accessible from within the Ionic project (native app). I tried to restrict it by domain, but since a native app doesn't have a domain, that's not going to work.
I can't show any code because I'm absolutely clueless about how to approach this.
Thanks in advance
we would like to make the backend only accessible from within the ionic project (native app).
Given the existence of reverse engineering and the futility of DRM, what you're asking for is, strictly speaking, not possible in absolute terms. Anyone can take your app, analyze its code/behavior (usually with freely available tools), and write their own app that communicates with your server.
To make the backend a little bit more secure against influences from outsite
Given that the above is impossible, what is your threat model? What attacks are you trying to protect against? You should assume that clients are malicious and validate all input on the server side. If you do that, then you don't need to worry about whether or not someone used your native app to communicate with the server.
Consider the workflow in this article, Building Secure Web Applications in PHP.
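An added example that serves both the "basic RESTful API with authentication, sent only to the WordPress site's IP" suggested for the community-center question and the "assume clients are malicious and validate all input on the server side" advice above. It is not code from either answer. The endpoint authenticates each request with an HMAC over method, path, timestamp and body under a shared secret, optionally pins the caller's IP, then validates the JSON before touching the (here in-memory) registration counts, and returns the two booleans the first question asked for: whether the program is full and whether the update succeeded. The secret, the allowed IP, the clock-skew window and every function name are assumptions; the request is constructed inline.

```php
<?php
// Added example, not code from the answers above: a small PHP endpoint with
// shared-secret request signing, an IP allowlist and server-side validation.
// PHP 7.4+. Run with: php api.php
declare(strict_types=1);

const SHARED_SECRET = 'replace-with-a-long-random-secret'; // assumption: from config, never in the repo
const ALLOWED_IPS   = ['203.0.113.10'];                    // assumption: the WordPress host
const MAX_SKEW      = 300;                                  // seconds a signed request stays valid

function sign(string $method, string $path, string $body, int $ts, string $secret): string
{
    // Signing method+path+timestamp+body binds the signature to this exact request.
    return hash_hmac('sha256', "$method\n$path\n$ts\n$body", $secret);
}

/** Returns null when the request is authentic, otherwise a reason string. */
function authenticate(array $req, ?int $now = null): ?string
{
    $now ??= time();
    if (ALLOWED_IPS && !in_array($req['ip'], ALLOWED_IPS, true)) {
        return 'ip not allowed';
    }
    $ts = (int)($req['headers']['X-Timestamp'] ?? 0);
    if (abs($now - $ts) > MAX_SKEW) {
        return 'stale or missing timestamp';   // blunts replay of a captured request
    }
    $expected = sign($req['method'], $req['path'], $req['body'], $ts, SHARED_SECRET);
    $given = (string)($req['headers']['X-Signature'] ?? '');
    if (!hash_equals($expected, $given)) {     // constant-time compare
        return 'bad signature';
    }
    return null;
}

// Validation happens here, on the server, whoever built the client.
function validate_registration(array $data): ?string
{
    $programId = $data['program_id'] ?? null;
    if (!is_int($programId) || $programId <= 0) {
        return 'program_id must be a positive integer';
    }
    $count = $data['count'] ?? null;
    if (!is_int($count) || $count < 1 || $count > 10) {
        return 'count must be between 1 and 10';
    }
    return null;
}

/** Returns the two booleans the question asked for ('full', 'ok') plus an HTTP status. */
function handle(array $req, array &$capacity, ?int $now = null): array
{
    if (($err = authenticate($req, $now)) !== null) {
        return ['status' => 401, 'full' => false, 'ok' => false, 'error' => $err];
    }
    $data = json_decode($req['body'], true);
    if (!is_array($data) || ($err = validate_registration($data)) !== null) {
        return ['status' => 400, 'full' => false, 'ok' => false, 'error' => $err ?? 'invalid json'];
    }
    $id = $data['program_id'];
    if (!isset($capacity[$id])) {
        return ['status' => 404, 'full' => false, 'ok' => false, 'error' => 'unknown program'];
    }
    if ($capacity[$id]['registered'] + $data['count'] > $capacity[$id]['max']) {
        return ['status' => 200, 'full' => true, 'ok' => false, 'error' => null];
    }
    $capacity[$id]['registered'] += $data['count'];
    $full = $capacity[$id]['registered'] >= $capacity[$id]['max'];
    return ['status' => 200, 'full' => $full, 'ok' => true, 'error' => null];
}

// Constructed demo: an in-memory "database" and a correctly signed request.
$capacity = [42 => ['max' => 20, 'registered' => 19]];
$body = json_encode(['program_id' => 42, 'count' => 1]);
$now  = time();
$req  = [
    'ip' => '203.0.113.10', 'method' => 'POST', 'path' => '/api/register', 'body' => $body,
    'headers' => [
        'X-Timestamp' => (string)$now,
        'X-Signature' => sign('POST', '/api/register', $body, $now, SHARED_SECRET),
    ],
];
print_r(handle($req, $capacity, $now));   // signed, allowed IP: the last seat is taken
$req['ip'] = '198.51.100.77';
print_r(handle($req, $capacity, $now));   // same signature from an outside address
```

Two things this deliberately does not do: it does not treat the IP check as the security boundary (the HMAC is; the IP pin is a second hurdle, and is only meaningful if the request is not forwarded through a shared proxy), and it never lets the client name which record to change beyond a validated integer id, so the Access database behind it only ever sees a bounded counter update.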
I'm in the final stages of implementing a CodeIgniter site which requires a really simple login system. One user, and one password to protect the admin area. I think I will be using one of the many CodeIgniter authentication libraries, which should allow me to ensure that people can't read from the database without being logged in as admin (hopefully).
Are there any glaring holes in a setup like this?
Should I take further measures beyond using a library like this to ensure the security of the data in the MySQL database?
It will be hosted on a shared server; meaning little, or no server config will be possible.
There is a long discussion about the authentication systems available here: How should I choose an authentication library for CodeIgniter?
The latest version of Redux seems to be the favorite.
http://code.google.com/p/reduxauth/
I have used in the past (with excellent results) DX Auth 1.0.6.
You can find it at http://codeigniter.com/forums/viewthread/98465/
I would create simple form-based authentication and use a strong password.
HTTP authentication has too many problems IMHO:
Easier to brute force hack.
Anyone who sniffs the request can determine the username and password being used, but they don't even need to; they can just send an identical HTTP request themselves.
Once that dialog pops up, it's difficult to dismiss, which can be irritating.
Many browsers will ask twice for a password before letting you in.
It's difficult to log out or change users, you usually have to quit the browser.
Easy to forget that you've let the browser save your credentials, which is another potential security risk.
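The "simple form-based authentication with a strong password" recommended above, as an added example in plain PHP rather than the answerer's code or any CodeIgniter library: one admin account, a password stored only as a bcrypt hash, a constant-time check, a lockout after repeated failures, and a logout that actually works (which, as the list notes, HTTP auth makes awkward). It needs no server configuration, so it suits the shared host mentioned in the question. The password, the lockout numbers and the function names are assumptions; the hash is generated at runtime here only so the example runs stand-alone.

```php
<?php
// Added example, not part of the answer above: framework-free form login for
// a single admin, PHP 7.4+. Run with: php login.php
declare(strict_types=1);

// In production: generate once with password_hash() and keep the hash in config,
// outside the web root. Generated at runtime here only so the demo is self-contained.
function admin_hash(): string
{
    static $hash = null;
    return $hash ??= password_hash('correct horse battery staple', PASSWORD_BCRYPT);
}

const MAX_FAILURES = 5;     // assumption
const LOCK_SECONDS = 900;   // assumption

/**
 * $state persists between requests ($_SESSION, or a small file on shared hosting).
 * Returns true on success; throttles after MAX_FAILURES bad attempts.
 */
function login(array &$state, string $user, string $password, int $now): bool
{
    if (($state['locked_until'] ?? 0) > $now) {
        return false;                           // locked out: do not even check the password
    }
    // Compare the username in constant time too, so neither check leaks timing.
    $userOk = hash_equals('admin', $user);
    $passOk = password_verify($password, admin_hash());   // salt lives inside the hash string
    if (!($userOk && $passOk)) {
        $state['failures'] = ($state['failures'] ?? 0) + 1;
        if ($state['failures'] >= MAX_FAILURES) {
            $state['locked_until'] = $now + LOCK_SECONDS;
            $state['failures'] = 0;
        }
        return false;
    }
    $state['failures'] = 0;
    $state['admin'] = true;
    $state['login_at'] = $now;
    // In a real request call session_regenerate_id(true) here to prevent session fixation.
    return true;
}

// Put this at the top of every admin page, before any database read.
function require_admin(array $state): void
{
    if (empty($state['admin'])) {
        throw new RuntimeException('admin login required');   // real app: redirect to the form
    }
}

// Logging out is just forgetting the session, which Basic auth cannot do cleanly.
function logout(array &$state): void
{
    $state = [];
}

$state = [];
$now = time();
var_dump(login($state, 'admin', 'wrong', $now));
var_dump(login($state, 'admin', 'correct horse battery staple', $now));
require_admin($state);
logout($state);
var_dump(isset($state['admin']));
```

The database credentials themselves stay in a config file outside the document root; this login only gates the PHP pages that use them. Even with a single user, the lockout matters more than it looks, because a one-user admin form is exactly what brute-force scripts target.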
If it is on an apache server, then I would consider just setting up an htpasswd protected directory. Read more about it here.
I am about to deliver an Adobe AIR app to a customer. But it's my first delivery of any sort, i.e. I have no experience whatsoever with licensing etc.
Users of this app may or may not be online, so I can't count on that. In fact it's 99% sure that they will be offline.
Nor do I expect them to be very tech-savvy, the kind who will spend enough time scouting for ways to "crack" it.
So, is there an okay-ish way to protect this app? That is, I don't want people to simply copy the installation folder, take it to another machine and run it. It should be slightly harder than this.
Oh, and I am also using PHP and MySQL, with which this AIR app communicates. So anything you guys could help me with is very, very welcome.
Protect the PHP API and not the frontend app. Have a license key which is bound to an IP address and authenticate that the request (which contains the key) is coming from the correct IP.
If you want to protect your Flex app you can use irrObfuscator. There is a 30 days free demo.
If you wish to obfuscate your PHP code I would suggest ionCube. There is an online obfuscator that you can pay for à la carte. Pretty useful. Though you need ionCube loaders, which are a set of PHP extensions that you will find in the products section. Not sure, but I think you can install the loaders without playing with the PHP config, so it's shared-hosting friendly.
You cannot protect anything that's web-based or JavaScript-based, purely because the complete source code is there.
Anyone who knows how to use 'right click' could copy your files. You can obfuscate your code, but you cannot protect it. If you think that this shouldn't be possible, write a desktop app in a 'real' programming language.
When the app installs, I would do the following:
Create a file in "app-storage" that basically indicates the app has been installed.
Fire off a service call and make a record of the install
Change a file in the app directory to indicate the app has been installed
On subsequent startups, check for the presence of the file as long as the file in the app directory indicates the app has been installed. If you see the customer keeps installing their app over and over, this could be flagged in their account and appropriate action taken. If you want to get fancy, the file in "app-storage" could be a one-way hash of some information from the file in the app directory (install date?) plus some value baked into the AIR application.
In general, I think the key here is to trust your users and not make the assumption they are trying to steal. You want to make the system as painless as possible. It does not build a good relationship with customers when you treat them like criminals, so creating an "ironclad" approach probably isn't even the best idea.
I think pretty much the only good way to do this is to require activation after installing (online activation, with a phone backup).
From what you're saying, it seems like the backend is installed on-site and would not be able to provide adequate copy protection.
What is the best way to secure an intranet website developed using PHP from outside attacks?
That's a stunningly thought-provoking question, and I'm surprised that you haven't received better answers.
Summary
Everything you would do for an external-facing application, and then some.
Thought Process
If I'm understanding you correctly, then you are asking a question which very few developers are asking themselves. Most companies have poor defence in depth, and once an attacker is in, he's in. Clearly you want to take it up a level.
So, what kind of attack are we thinking about?
If I'm the attacker and I'm attacking your intranet application, then I must have got access to your network somehow. This may not be as difficult as it sounds - I might try spearphishing (targeting email to individuals in your organisation, containing either malware attachments or links to sites which install malware) to get a trojan installed on an internal machine.
Once I've done this (and got control of an internal PC), I'll try all the same attacks I would try against any internet application.
However, that's not the end of the story. I've got more options: if I've got one of your user's PCs, then I might well be able to use a keylogger to gather usernames and passwords, as well as watching all your email for names and phone numbers.
Armed with these, I may be able to log into your application directly. I may even learn an admin username/password. Even if I don't, a list of names and phone numbers along with a feel for company lingo gives me a decent shot at socially engineering my way into wider access within your company.
Recommendations
First and foremost, before all technical solutions: TRAIN YOUR USERS IN SECURITY
The common answers to securing a web app:
Use multi-factor authentication
e.g. username/password and some kind of pseudo-random number gadget.
Sanitise all your input.
to protect against cross-site scripting and SQL injection.
Use SSL (otherwise known as HTTPS).
this is a pain to set up (EDIT: actually that's improving), but it makes for much better security.
Adhere to the principles of "Segregation of Duties" and "Least Privilege"
In other words, by ensuring that all users have only the permissions they need to do their jobs (and nobody else's jobs) you make sure they have the absolute minimum ability to do damage.
If it is on an internal network, why is it even possible to get to the app from the outside? Firewall rules should be in place at the very least.
The best way? Disable direct external access!
If employees need to use it (like an extranet-style site), you should make them VPN in. Through VPN you have a lot more authentication options and most of them are a great deal more secure than leaving your intranet server accessible from the internet.
Another option, and this only works if the data is public-safe, is scheduling your intranet server to push the data to another server that is externally accessible. I say push because you really don't want this server to have access to your network. Let your network server do the work.
The best way to secure it? Don't connect it to a network. Make your users physically enter a guarded room with a single console, running Mosaic.
Oh, you want it to be easy to use?
Always verify every single input that can come from an untrusted source.
Don't trust any data sources.
When storing passwords, ALWAYS store an encrypted hash of the password.
When storing passwords, NEVER store passwords directly.
Never collect or store any data that you don't actually need.
Never allow yourself to be tempted into adding additional bells & whistles.
Read everything that Bruce Schneier has written on security and encryption.
If you forget these simple rules, you could find your application starring on the front pages of newspapers everywhere, just like Yahoo mail.
I would echo #Oli and favour the VPN method if possible. However, if for any reason you need more arbitrary access than this, you should use SSL to secure any authentication. And in addition to password authentication / IP address authentication it would be well worth looking at using SSL with client side certificates.
You could only allow access from internal IPs from the PHP app itself. Also, don't ignore the usual security and best practices: input validation and output encoding (whitelisting only), user accounts with hashed passwords, etc.
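The "only allow access from internal IPs from the PHP app itself" idea above, as an added example and not the answerer's code. It shows the two details that usually go wrong when this is done in application code: matching the address against CIDR ranges rather than string prefixes, and only honouring X-Forwarded-For when the TCP peer is a reverse proxy you run (otherwise an outsider simply sets the header to an internal address). The internal ranges, the trusted-proxy address and the function names are assumptions; the sample addresses are constructed.

```php
<?php
// Added example (not from the answer above): restricting a PHP intranet app to
// internal address ranges inside the app, with proxy-aware client IP detection.
// PHP 7.4+, IPv4 only. Run with: php internal_only.php
declare(strict_types=1);

const INTERNAL_RANGES = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8'];
const TRUSTED_PROXIES = ['10.0.0.5'];      // assumption: the reverse proxy you operate

function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];   // bare address means /32
    $ipL  = ip2long($ip);
    $netL = ip2long($net);
    if ($ipL === false || $netL === false) {
        return false;                                     // IPv6 or garbage: reject, don't guess
    }
    $mask = $bits === '0' ? 0 : ~0 << (32 - (int)$bits);
    return ($ipL & $mask) === ($netL & $mask);
}

function is_internal(string $ip): bool
{
    foreach (INTERNAL_RANGES as $range) {
        if (ip_in_cidr($ip, $range)) {
            return true;
        }
    }
    return false;
}

/**
 * Work out the client address. X-Forwarded-For is attacker-controlled unless the
 * TCP peer ($remoteAddr) is a proxy you trust; and even then, take the hop that
 * proxy appended (the last one), not whatever the client put first.
 */
function client_ip(string $remoteAddr, ?string $xff): string
{
    if ($xff !== null && in_array($remoteAddr, TRUSTED_PROXIES, true)) {
        $hops = array_map('trim', explode(',', $xff));
        return (string)end($hops);
    }
    return $remoteAddr;                                   // no trusted proxy: ignore the header
}

function allow_request(string $remoteAddr, ?string $xff = null): bool
{
    return is_internal(client_ip($remoteAddr, $xff));
}

// The output-encoding half of the advice: escape at the point of output, always.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed scenarios. In a real request the arguments come from
// $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null.
var_dump(allow_request('192.168.1.20'));                        // direct internal client
var_dump(allow_request('203.0.113.5', '10.0.0.1'));             // outsider spoofing the header, no proxy
var_dump(allow_request('10.0.0.5', '10.0.0.1, 203.0.113.5'));   // outsider via your proxy, header appended
var_dump(allow_request('10.0.0.5', '10.0.0.1, 192.168.7.3'));   // internal client via your proxy
echo e('<script>alert(1)</script>'), "\n";
```

This belongs in a front controller that runs before any route, and it is a layer behind the firewall and VPN rules the other answers recommend, not a replacement for them: a bug anywhere in the PHP stack that runs before this check (a misconfigured rewrite, a stray debug script) bypasses it, whereas a packet filter does not care what the application does.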