Web Technology Experts Notes

Showing posts with label PHP security. Show all posts

Thursday 4 October 2012

Session Hijacking in PHP

Session Hijacking is term where attackers hold of a session identifier and is able to send requests as if they were that user.
In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server.
It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP cookie theft).

How to prevent your data from Session Hijacking
1) In php.ini set session.hash_function = sha256 or session.hash_function = sha512.
2) In php.ini set session.hash_bits_per_character = 5
3) Add "user agent" (browser) in session & check each subsequent request.
4) Add IP Address in session & check each subsequent request.
5) Change the name of the session from the default PHPSESSID
6) In secure pages ask for reenter the password.

Thursday 12 July 2012

Cross Site Request Forgery

Cross Site Request Forgery ( CSRF ) is a type of website exploit carried out by issuing unauthorized commands from a trusted website user. CSRF exploits a website’s trust for a particular user's browser, as opposed to cross-site scripting, which exploits the user’s trust for a website.

A CSRF usually uses a browser's "GET" command as the exploit point. CSR forgers use HTML tags such as "IMG" to inject commands into a specific website. A particular user of that website is then used as a host and an unwitting accomplice. Often the website does not know that it is under attack, since a legitimate user is sending the commands. The attacker might issue a request to transfer funds to another account.
e.g
amanvera send some html having below img. unforunately at that time both user (poonm & amanvera) are login to their bank(i.e yourbank). whenever poonam execute the html code send by amanverma. following img src will execute self, and tranfer money from poonam to amanverma account.
<img src="http://www.yourbank.com/transfer?from=poonam&to=amanverma&amount=1000000">

A CSRF attack is hard to execute because a number of things have to happen in order for it to succeed:

The attacker must target either a website that does not check the referrer header (HTTP_REFERER) or a user/victim with a browser or plug-in bug that allows referrer spoofing (which is rare).
The attacker must locate a form submission at the target website, which must be capable of something like changing the victim's email address login credentials or doing money transfers.
The attacker must determine the correct values for all of the form's or URL's inputs. If any of them are required to be secret values or IDs that the attacker cannot accurately guess, the attack will fail.
The attacker must lure the user/victim to a Web page with malicious code while the victim is logged in to the target site.

For example, suppose that Person A is browsing his bank account while also in a chat room. There is an attacker (Person B) in the chat room who learns that Person A is also logged in to bank.com. Person B lures Person A to click on a link for a funny image. The "IMG" tag contains values for bank.com’s form inputs, which will effectively transfer a certain amount from Person A’s account into Person B’s account. If bank.com does not have secondary authentication for Person A before the funds are transferred, the attack will be successful.

Tuesday 10 July 2012

SQL Injection Attack - PHP & MySQL

In this attack, a hacker is able to execute SQL queries in your website's database. This attack is usually performed by entering text into a form field which causes a subsequent SQL query, generated from the PHP form processing code, to execute part of the content of the form field as though it were SQL. The effects of this attack range from the harmless (simply using SELECT to pull another data set) to the devastating (DELETE, for instance).

It is a basically a trick to inject SQL command or query as a input mainly in the form of the POST or GET method in the web pages. Most of the websites takes parameter from the form and make SQL query to the database.
For a example, in a product detail page of php, it basically takes a parameter product_id from a GET method and get the product detail from database using SQL query. With SQL injection attack, a intruder can send a crafted SQL query from the URL of the product detail page and that could possibly do lots of damage to the database. And even in worse scenario, it could even drop the database table as well.

For Example
you have login page and ask user to login via putting username & password into form.
suppose that a intruder called user injected x’ OR ‘x’='x in the username field and x’ OR ‘x’='x in the password field. Then the final query will become like this.

SELECT * FROM users WHERE username=’x’ OR ‘x’='x’ AND password=’x’ OR ‘x’='x’;

Now what happen, it will return the first record of table users

user who is not authorize, will be able to login in website.

use mysql_real_escape_string function to avoid the problem.

http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf

How can I prevent SQL-injection in PHP?
1. USe PDO

$stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name');
$stmt->execute(array('name' => $name));
foreach ($stmt as $row) {
    /* Do your Action **/

    /* Do your Action **/
}

2. USe MySqlI instead of MySQL. MySQLI is far better than MySql

$stmt = $dbConnection->prepare('SELECT * FROM users WHERE name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    /* Do your Action **/

    /* Do your Action **/
}

3. Use framework and execute the query with framework like zend, cakephp and magento etc. But for this you must install the framework.

Cross-Site Scripting - cross site scripting examples

Cross Site Scripting, OR XSS, is a way for hackers to gather your website’s user data by using malicious markup or JavaScript code to trick a user, or their browser, to follow a bad link or present their login details to a fake login screen that instead of logging them in, steals their personal information. The best way to defend against XSS is following...

Strip html tags like h1, <script>, for this use php strip_tags function

escape the data before showing on website, for this use htmlentities function.

An Example:
A basic example of XSS is when a malicious user injects a script in a legitimate shopping site URL which in turn redirects a user to a fake but identical page. The malicious page would run a script to capture the cookie of the user browsing the shopping site, and that cookie gets sent to the malicious user who can now hijack the legitimate user’s session. Although no real hack has been performed against the shopping site, XSS has still exploited a scripting weakness in the page to snare a user and take command of his session. A trick which often is used to make malicious URLs less obvious is to have the XSS part of the URL encoded in HEX (or other encoding methods). This will look harmless to the user who recognizes the URL he is familiar with, and simply disregards and following ‘tricked’ code which would be encoded and therefore inconspicuous.

PHP INI settings

open_basedir, disable_classess, disable_functions and safe_mode are the directive used to improve the security while on shared hosting environment.

When you are using shared server always set open_basedir to your root directory in php.ini.
This directive allows you to disable certain classes for security reasons. It takes on a comma-delimited list of class names. disable_classes is not affected by Safe Mode. This directive must be set in php.ini
This directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_ functions is not affected by Safe Mode. This directive must be set in php.ini.
safe_mode should be off.
display_errors should be off, so that end user can see guess the code, when error come in website
log_errors should be on, so that you can check, if some one try to access your site or any page to whom not authorization.
allow_url_fopen include should be off. allow_url_fopen enables the URL-aware fopen wrappers that enable accessing the files from remote server. allow_url_include allows the use of URL-aware fopen wrappers with the following functions: include, include_once, require, require_once (remote add files).
magic quotes (magic_quotes_gpc, magic_quotes_runtime) should be off. It will avoid to add the extra slahes (avoid to call addslashes function).
register_globals must be off. Take for example this URL, http://yoursite.com/index.php?var=1, which includes a query string. The register_globals statement allows us to access the value with $var instead of $_GET['var'] automatically.
system(), passthru() and exec() functions must be disable all of which allow a string to be run as a command on the operating system shell.