2

Let's say I have a website where

  • PHP 5.3 is installed
  • every output is htmlspecialchars()ed.
  • PDO and prepared statements are the only way to interact with the database
  • error_reporting() is off
  • every request is passed to index.php (front controller) and no direct file access is allowed except for index.php via .htaccess
  • every input is properly escaped (why should I? I use prepared statements, how could a user input mess up with my code?)
  • there's no use of evil()

Is it considered safe? What other things could be fixed to improve security? How could you attack it? Hack it? Is it possible to improve security on the PHP/server side?

Shoe
  • You don't mention anything to prevent session hijacking/fixation or CSRF. - Or by "hack it" do you mean getting access to the machine / database, rather than simply escalating privileges or unauthorised access to user accounts? – Leigh Feb 13 '12 at 13:44
  • @Leigh, with "Hacking it" I mean everything bad that could happen because of how I wrote my application. – Shoe Feb 13 '12 at 16:07
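As an added example (not part of the question or its comments), the two gaps Leigh's comment names, CSRF and session fixation, handled in PHP 5.3-compatible code. It assumes index.php has already called session_start() and that the openssl extension is loaded; hash_equals() does not exist before PHP 5.6, so the comparison is written out.

```php
<?php
// Added example, not from the question: CSRF and session-fixation defences
// missing from the checklist. Assumes session_start() has run in index.php
// and the openssl extension is available (PHP >= 5.3).

function csrf_token() {
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG; $strong reports whether it was cryptographically strong.
        $bytes = openssl_random_pseudo_bytes(32, $strong);
        if ($bytes === false || !$strong) {
            throw new RuntimeException('no secure random source');
        }
        $_SESSION['csrf_token'] = bin2hex($bytes);
    }
    return $_SESSION['csrf_token'];
}

// Constant-time string comparison; hash_equals() only exists from PHP 5.6.
function csrf_tokens_equal($known, $user) {
    if (!is_string($user) || strlen($known) !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// Call at the top of every state-changing (POST) handler in the front controller.
function require_valid_csrf_token() {
    $sent = isset($_POST['csrf_token']) ? $_POST['csrf_token'] : '';
    if (empty($_SESSION['csrf_token']) || !csrf_tokens_equal($_SESSION['csrf_token'], $sent)) {
        header('HTTP/1.1 403 Forbidden');
        exit('invalid CSRF token');
    }
}

// Call right after the credentials check out: a session id handed to the
// victim before login (fixation) must not become an authenticated session.
function on_successful_login($user_id) {
    session_regenerate_id(true);     // new id, old session data deleted
    $_SESSION['user_id'] = $user_id;
    unset($_SESSION['csrf_token']);  // issue a fresh token for the new session
}

// Forms embed the token as a hidden field, escaped like any other output:
//   htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8')
```

Setting session.use_only_cookies and session.cookie_httponly before session_start() closes the URL-carried session id route that session_regenerate_id() alone does not cover.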

7 Answers

5

Check this page: PHP Security Guide. Most attacks are documented. If after implementing these security checks you're still hacked, there are high chances that the problem doesn't come from your PHP application.

By the way, as @Jacco stated, there is some wrong stuff on the article I linked to.

  1. Use prepared statements instead of mysql_real_escape_string(), but you already did that.
  2. About salting, follow this answer instead: https://stackoverflow.com/a/401684/851498
  3. Finally, checking ['type'] (for file upload) is unsafe since a malicious user can change this value. Instead, see the suggested solution at this link: http://www.acunetix.com/websitesecurity/upload-forms-threat.htm
Florian Margaine
  • Then there's the [OWASP dev guide](http://code.google.com/p/owasp-development-guide/wiki/Introduction) - Full of good ideas, but ridiculously hard to implement them all. – Leigh Feb 13 '12 at 13:50
  • Ouch. I don't think I'm ever going to work with this :) (well, except if I work on highly sensitive data) – Florian Margaine Feb 13 '12 at 13:53
  • @FlorianMargaine That’s the problem with security: Most developers are not aware how important security actually is until something happens. – Gumbo Feb 13 '12 at 14:06
  • I took the time to read the advice listed in the guide you link. The risks listed are real; they deserve attention. The solutions proposed to prevent the risks are, however, marginal at best. (Bad advice examples: 'validating' upload mimetype vs the client-provided `['type']` value, recommending `mysql_real_escape_string()` but not mentioning prepared statements, recommending salting user hashes but providing an example with a keyed hash instead.) – Jacco Feb 13 '12 at 14:10
  • @Gumbo : What I meant was that if most guidelines are followed, except for a professional hacker, you won't have any problem with the PHP application itself. – Florian Margaine Feb 13 '12 at 14:17
  • @Jacco : Heh, I only went quickly on this link, it seemed to have everything on it :). But indeed... it somehow lacks stuff. – Florian Margaine Feb 13 '12 at 14:18
  • So basically, you did some quick googling and rushed to get some quick rep, instead of providing an answer? – Jacco Feb 13 '12 at 14:21
  • Nope, I saw this article with lots of correct information :) Every common attack is listed with some workaround. I didn't read the entire page *precisely* though. – Florian Margaine Feb 13 '12 at 14:22
  • Sure, think whatever you want :) – Florian Margaine Feb 13 '12 at 14:25
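An added example of what Florian's second point amounts to on the PHP 5.3 the question names (this is not code from the answer or from the linked post): a random per-user salt and bcrypt through crypt(), since password_hash() only arrives in PHP 5.5. It assumes the openssl extension is loaded; the table and column names in the usage comment are assumed.

```php
<?php
// Added example, not from the answer: salted password hashing with bcrypt
// through crypt() on PHP 5.3. The salt is random per user and stored inside
// the 60-character hash, so no separate salt column is needed.

function password_bcrypt($password, $cost = 10) {
    $raw = openssl_random_pseudo_bytes(16, $strong);
    if ($raw === false || !$strong) {
        throw new RuntimeException('no secure random source');
    }
    // crypt() wants 22 salt characters from [./A-Za-z0-9]; base64 emits '+', so map it to '.'.
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    // $2y$ (PHP >= 5.3.7) fixes the older $2a$ implementation's bug with 8-bit characters.
    $prefix = version_compare(PHP_VERSION, '5.3.7', '>=') ? '$2y$' : '$2a$';
    $hash = crypt($password, $prefix . sprintf('%02d', $cost) . '$' . $salt);
    // crypt() returns a short string such as '*0' when the algorithm is unavailable.
    if (!is_string($hash) || strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt not available in this PHP build');
    }
    return $hash;
}

function password_matches($password, $stored_hash) {
    // Passing the stored hash as the salt reuses its prefix, cost and salt,
    // so a correct password reproduces the stored hash exactly.
    $candidate = crypt($password, $stored_hash);
    // Strict equality; hash_equals() is the better choice from PHP 5.6 onwards.
    return is_string($candidate) && strlen($candidate) === 60 && $candidate === $stored_hash;
}

// Usage with PDO, as in the question's setup (table and column names are assumed):
// $stmt = $pdo->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)');
// $stmt->execute(array($name, password_bcrypt($password)));
```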
2

I remember when I started web developing, I read a lot about sanitizing data, creating numerous MySQL users with a subset of permissions for specific queries, etc.

It gets you in the mindset of treating security with code, not with the operating system.

What use is all of this if you connect to your console with telnet, or use ftp with authentication?

I guess I should cut to the point. I think modern open source technologies such as PHP, MySQL, etc. have built up a lot of security features, which gave me a false sense of security.

The damage you can do through these technologies is negligible compared to hacking into the console with a brute force attack. If I were you I would worry much more about getting a proper firewall and only allowing port 80 or the bare minimum of ports you need. If you enable console access I would only allow your desktop IP... etc.

And make sure that if you ever send a password, it is encrypted through SSL.

Roderick Obrist
1

There is no absolute security guarantee, you can add the following to the answers above:

  • If you allow file uploads, make sure you do mime checking;
  • Make sure the public cannot upload an unlimited amount of files to overload and eventually kill your server;
  • If you own the server make sure there are no other weak gates to your site, you can spend millions making your site bulletproof to any type of attack, but if someone gains access to it through another website hosted on the same server, you're out of luck;
  • Use a vulnerability scanner like acunetix, skipfish;
  • If you own the server make sure you stay up to date with the versions of the software running on your server (PHP/Apache/MySQL). Subscribe to get updates from the vendors;
  • If the budget allows it, you could offer a bounty to someone to find a security hole in a DEV release of your code;
  • Use a product like the following: https://www.cloudflare.com/features-security
alxbrd
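Serving Florian's third point, Jacco's comment on it, and alxbrd's first bullet, an added example (not code from any answer) of validating an upload from its content rather than from the client-supplied $_FILES[...]['type']. It assumes PHP 5.3 with the bundled fileinfo and openssl extensions, and a storage directory outside the web root that only index.php reads from.

```php
<?php
// Added example, not from any answer: server-side upload validation.
// $file is one entry of $_FILES; $store_dir lives outside the web root.

function store_uploaded_image(array $file, $store_dir, $max_bytes = 2097152) {
    // MIME types we accept, detected from content, mapped to the extension we assign.
    $allowed = array('image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif');

    if ($file['error'] !== UPLOAD_ERR_OK) {
        return array(false, 'upload failed with code ' . $file['error']);
    }
    // Size limit enforced here as well as by upload_max_filesize in php.ini.
    if ($file['size'] > $max_bytes) {
        return array(false, 'file too large');
    }
    // Refuse anything that did not arrive through the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        return array(false, 'not an uploaded file');
    }
    // Sniff the actual bytes; $file['type'] is whatever the client chose to send.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return array(false, 'unsupported content type ' . $mime);
    }
    // Assign our own random name and extension; never reuse $file['name'].
    // Content sniffing does not rule out a valid image that also carries script,
    // so the non-executable extension and the out-of-webroot directory matter.
    $name = bin2hex(openssl_random_pseudo_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($store_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return array(false, 'could not move file');
    }
    return array(true, $name);
}

// Example call from the front controller; files are served back through a
// handler that sets Content-Type from the detected type, not by direct URL.
// list($ok, $result) = store_uploaded_image($_FILES['avatar'], '/var/app/uploads');
```

Per-user quotas (alxbrd's second bullet) are not shown; the caller should count a user's existing uploads before invoking this.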
0

It is important to note that "safe" is a context-based term. It highly depends on your needs, and there are companies out there (I'm looking at you Google) who will not even consider installing PHP at all.

If you are working at a big company, I would recommend hiring the services of professionals. I heard from a friend that this company does security checkups for all the big companies, which seems likely since they are the people that distribute Kali Linux.

https://www.offensive-security.com/offensive-security-solutions/penetration-testing-services/

0

There can be multiple other issues as well, such as session problems, sensitive information enumeration, authorization and authentication issues, and a lot more. Issues like business logic bypass cannot be resolved by traditional secure coding guidelines. However, looking at the PHP Security Cheat Sheet and the OWASP PHP Security Project would be a great help to understand the big picture of security issues.

s4n7h0
0

You can learn more about exploiting PHP security issues and related attack techniques by solving the PHP security challenges by RIPSTech (https://www.ripstech.com/php-security-calendar-2017/) or by reading their writeups of real-world vulnerabilities found in popular PHP apps (https://www.ripstech.com/security-vulnerability-database/)

Johannes
0

Security is a major concern for any product, and it cannot be achieved by a handful of policies, but they are important, so everywhere in the code think of the negative possibilities and work against them to prevent them.

Other things you have to do:

  1. Store sensitive data in encrypted format in the DB
  2. Clean every user input of XSS
Dau