Best way to prevent and handle all type of security issues is ‘not to trust user’s input data’ and handle it smartly.
a. Register Globals
1. With register_globals enabled, this page can be requested with ?authorized=1 in the query string to bypass the intended access controls. Without it, ordinary global variables (such as $authorized in the example) are not affected by data submitted by the client.
2. With register_globals enabled, this page can be requested with virtual address of a page and if allow_url_fopen is enabled (which it is by default) then this will include the output as a common local file, user can save the file on his / her desktop.A best practice is to initialize all variables and to develop with error_reporting set to E_ALL, so that the use of an uninitialized variable won't be overlooked during development.
b. Data Filtering
This is independent of programming language or platform. It involves the mechanism by which you determine the validity of data that is entering and exiting the application, and a good software design can help developers to:Options to ensure that data filtering can not be bypassed vary but one general approaches are given here.1. The Dispatch MethodTo have a single PHP script available directly from the web. Based on the information received, one can make conditional use of include file.for ex., if query string has a variable named about us then include aboutus.php and if it has value contactus then use contactus. Another ex., Each form that is submitted is expected to have a form variable named form that uniquely identifies it, and security.inc has a separate case to handle the data filtering for that particular formThis type of conditional include is not possible in ASP.
c. Session ID Protection
Session ID hijacking can be a problem with PHP Websites. The PHP session tracking component uses a unique ID for each user's session, but if this ID is known to another user, that person can hijack the user's session and see information that should be confidential. Session ID hijacking cannot completely be prevented; you should know the risks so you can mitigate them.A user who creates a new session by logging in should be assigned a fresh session ID using the session_regenerate_id function. A hijacking user will try to set his session ID prior to login; this can be prevented if you regenerate the ID at login.
d. Better inbuilt encryption functions
To encrypt any info is some times a crucial necessity in web page. PHP had MD5 as one of the standard encryption function. The benefit of this function is, it’s encrypted value can not easily be decrypted to original text. So chances for any hijacking of encryption’s originals text is very low.
e. Cross Site Scripting (XSS) Flaws
Cross site scripting, or XSS, flaws are a subset of user validation where a malicious user embeds scripting commands -- usually JavaScript -- in data that is displayed and therefore executed by another user.This can be prevented by using htmlspecialchars.
f. SQL Injection Vulnerabilities
SQL injection vulnerabilities are yet another class of input validation flaws.SELECT * FROM users WHERE name='$username' AND pass='$password';
However, if the user who's logging in is devious, he may enter the following as his password:
' OR '1'='1
This results in the query being sent to the database as:
SELECT * FROM users WHERE name='known_user' AND pass='' OR '1'='1';
This will return the username without validating the password -- the malicious user has gained entry to your application as a user of his choice. To alleviate this problem, you need to escape dangerous characters from the user-submitted values, most particularly the single quotes ('). The simplest way to do this is to use PHP's addslashes() function.If you're developing software that may be installed on shared servers where you might not be able to change the php.ini file, use code to check that status of magic_quotes_gpc and, if it is turned on, pass all input values through PHP's stripslashes() function. You can then apply addslashes() to any values destined for use in database queries as you would normally.
if (get_magic_quotes_gpc()){
$_GET = array_map('stripslashes', $_GET);
$_POST = array_map('stripslashes', $_POST);
$_COOKIE = array_map('stripslashes', $_COOKIE);
}The best habit is to make a reusable type of function for each input variable which can addslashes (if magic quotes are disabled) and also check max length and truncate all the characters after that length.
g. safe_mode
The safe mode setting can be very useful to prevent unauthorized access to local system files. It works by only allowing the reading of files that are owned by the user account that owns the executing PHP script. If your application opens local files often, consider enabling this setting.
h. disable_functions
This setting can only be set in your php.ini file, not at runtime. It can be set to a list of functions that you would like disabled in your PHP installation. It can help prevent the possible execution of harmful PHP code. Some functions that are useful to disable if you do not use them are system and exec, which allow the execution of external programs.
No comments:
Post a Comment