This document will list possible security threats to the Web application, explanation and preventive measures. Nội dung chính
How to know if a site is Vulnerable?Following are free software that will scan and list potential threats to the system as per the software coding standard and server configuration.
Best Practices for Web Application Security
PHP BackdoorsPHP hidden scripts such as c99, c99madshell, and r57 for bypassing all authentication and access the server on demand are called PHP Backdoors script. This will give them almost every access like download, upload, control to the server, database, and mail server. To prevent this follow all preventive measure and search for those script in your server time to time. grep -iR 'c99' /var/www/html/ grep -iR 'r57' /var/www/html/ find /var/www/html/ -name \*.php -type f -print0 | xargs -0 grep c99 grep -RPn "(passthru|shell_exec|system|base64_decode|fopen|fclose|eval)" /var/www/html/ Resources PHPSC ( http://phpsec.org/) group of PHP experts dedicated to promoting secure programming practices within the PHP community. Members of the PHPSC seek to educate PHP developers about security through a variety of resources, including documentation, tools, and standards. While developing a PHP web application, a web developer should also be concerned with security best practices. An insecure web application gives hackers the chance to steal valuable information, such as user data or credit card information. In addition, a data breach may have a drastic impact on the credibility and future operations of your organization. To strengthen your defense mechanisms, this article lists 10 important security best practices for PHP applications. Let’s get started! 1. Update your PHP version regularlyAs of July 9, 2020, the stable release for PHP is version 7.4.8. It’s important to regularly update your PHP version because newer versions often contain patches for known security issues. If you don’t update your PHP version to the latest stable release, hackers can exploit those known security vulnerabilities with older releases. Furthermore, PHP lets you try out a preview release. Currently, this release is 8.0.0 Beta 2. However, security advisors discourage companies from engaging in testing preview releases because they can still contain unknown security flaws. 2. Beware of XSS attacks (Cross-site scripting)An XSS attack, also known as cross-site scripting, refers to the unintended execution of remote code by your web application. For example, an XSS attack can occur when your web application accepts user input and prints it directly to the web page. Whenever a malicious user includes HTML, JavaScript, or even CSS, your web application will execute the remote code. The example below includes a form that accepts user input. <form action="form.php" method="post"> <input type="text" name="message" value=""> <input type="submit" name="submit" value="Submit message"> </form> Next, we print the inputted data directly to the web page. <?php echo $_POST["message"]; Now, a malicious user can insert JavaScript like this. For example, the user can include a script tag with an alert function that your web application will execute. <script>alert("Hacker was here")</script> The above script tag will generate a simple alert message in the browser. This might not seem harmful. But a malicious user could easily steal sensitive user data or a user’s cookie. What’s the Solution? To prevent a cross-site scripting attack, make sure to escape any user input to avoid the remote execution of code. Want to learn more? Read this blog about reflected XSS attacks and how they affect your web application. 3. Use prepared SQL statementsA common mistake is to directly insert user input into an SQL statement. This leaves room for SQL injection attacks where the user can break the intended SQL query and execute any query they wish. For example, the query below directly uses unsanitized user input inside the SQL query. $users = mysql_query("SELECT * FROM `users` WHERE `id`='$_GET[id]'"); This gives a hacker the chance to break the statement and try to query for other information, such as all users’ data. With a prepared statement, the inputted values are escaped, leaving no room for an SQL injection attack. Let’s take a look at the example below, which uses a prepared statement. $stmt = $conn->prepare("INSERT INTO users (firstname, lastname) VALUES (?, ?)"); $stmt->bind_param("ss", $firstname, $lastname); Note the first parameter of the 4. Don’t upload all framework files to your serverMany PHP frameworks consist of the Model-View-Controller file structure. This means that they come with a large file structure. For example, the PHP Slim Framework generates the following file structure. public_html/ .htaccess index.php styles/ images/ scripts/ app/ routes/ session.php member.php admin.php vendor/ lib/ data/ It’s important that you don’t upload all of those files to your web server. Only
upload the necessary web files that reside in the Uploading all files to your server means that malicious users can access your files and inspect your business logic. This allows them to gain a deeper understanding of the application and possibly find security loopholes or bugs that they can exploit. 5. Always validate user inputWhen you always validate user input when you accept inputs through an input field, this ensures that every piece of data has the correct type and format. Commonly, developers use regular expressions (regex) to validate data formats such as date of birth or phone number. Let’s read the example below, which validates if the date of birth is in format $date="2012-09-12"; if (preg_match("/^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])$/", $date)) { return true; } else { return false; } 6. Limit directory accessThe In case a malicious user gains access to your server via PHP and tries to access sensitive files such as 7. Verify your SSL configurationEvery server should have an SSL certificate to securely transfer files via HTTPS. However, regularly check your server for outdated SSL certificates or weak ciphers. Often, sysadmins forget to update SSL certificates when they expire. However, an SSL certificate helps your website to better defend against XSS attacks. 8. Use URL encodingPHP gives developers the Imagine that user input is used for generating a URL. In that case, you can use the urlencode function to generate a safe URL. <?php echo '<a href="mylink?user=', urlencode($userID), '">'; ?> 9. Avoid remote file inclusionNever accept user input for requiring a file. The example below shows a <?php $page = $_GET['location'] require($page . ".php"); ?> In this case, a user can input a malicious path such as Furthermore, use best practice number 6 to limit directory access with the For example, if the input matches <?php $page = $_POST['page']; if ($page == "home") { require("./pages/home.php"); } elseif ($page == "contact") { require("./pages/contact.php"); } else { require("./pages/error.php"); } ?> 10. Remember, documentation mattersLastly, don’t forget to document your actions. Whenever you make changes to your server, update the version of your SSL certificate, or change a password, make sure to record those changes. Other developers might find this information useful whenever they want to make changes to the server. It allows them to quickly check what happened recently. This way, you won’t come across unexpected surprises, such as a deprecated password for your MySQL server. Furthermore, documentation is an ideal means of transferring knowledge. In case a developer leaves your company or gets sick, no knowledge is lost. That’s the primary purpose of documentation—transferring knowledge. Summarizing PHP securityIn the end, as a PHP developer, you’re responsible not only for implementing the required business logic but also for ensuring the security of it and of the code you’ve developed. The key lesson from this article is to validate user input. Unvalidated user input often forms the basis of a security issue. Take a look at security issues such as remote file inclusion, URL encoding, or an XSS attack. All of them happen through invalidated user input. Want to learn more about PHP security best practices? Make sure to check the PHP security manual and Sqreen’s PHP security checklist. —- This post was written by Michiel Mulders. Michiel is a passionate blockchain developer who loves writing technical content. Besides that, he loves learning about marketing, UX psychology, and entrepreneurship. When he’s not writing, he’s probably enjoying a Belgian beer! Is PHP good for security?PHP is as secure as any other major language. PHP is as secure as any major server-side language. With the new PHP frameworks and tools introduced over the last few years, it is now easier than ever to manage top-notch security. What are secure coding best practices?8 Secure Coding Best Practices. Security by Design.. Password Management.. Access Control.. Error Handling and Logging.. System Configuration.. Threat Modeling.. Cryptographic Practices.. Input Validation and Output Encoding.. Which method is secure for securing data in PHP?SQL Injection By using scripts similar to the above code, attackers can get access to all data tables and sensitive information. The solution to this is to use parameterized SQL queries and PHP Data Objects (PDO). Using parameterized queries will let the database differentiate between the data and query parts. What is PHP application security?Since PHP is so popular, PHP security is essential and the number of vulnerable PHP applications is large. Most PHP web applications share parts of code or scripts with other web applications. If the shared piece of code is found to be vulnerable, all the applications that are using it are also vulnerable. |