PHP web application security is one of the most important tasks a developer has to look after
There are a few ways to secure a web application written in PHP. One is to use the security features the language itself provides: PHP has built-in mechanisms for protecting session data and cookies. You can also write your own security functions for your application, for example encryption and decryption with 256-bit AES, or public-key cryptography through PHP's openssl_pkey_* functions.
One important point to keep in mind is that securing a web application doesn’t mean that it’s immune to attacks. If you’re using a vulnerable version of PHP, an attacker could still exploit your application to gain access to your data and systems.
Use the latest versions of PHP and of your security tooling, and make sure the web server is configured properly.
What’s common between Facebook, Twitter, Wikipedia, and Baidu? Well, all of these sites use PHP technology. According to a recent survey by W3Techs, PHP is a preferred technology by a large number of websites and web applications, as compared to Java or ASP.NET.
There are many reasons for PHP's popularity. Hosting PHP applications is easier and cheaper. Development can be done with open-source software, so there is no cost for procuring additional tools, and PHP connects to a wide variety of databases. While many applications, including eCommerce sites, social networks, education portals and media websites, are developed in PHP, quite a few security issues are introduced along the way.
In this post, we discuss some common security loopholes and their resolutions.
#1: User data
A PHP developer must validate all user-entered data for its type, size and business logic, and sanitize it before the application uses it.
Version 5.2 of PHP introduced a function called filter_var that makes data validation very easy. It performs both validation and sanitization: sanitization removes illegal characters from the data, and validation determines whether the data is in the proper form.
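As an added example (not code from the original post), here is a sign-up validator built on filter_var that combines validation, sanitization and a size check; the field names, ranges and the sample payload standing in for $_POST are assumptions.

```php
<?php
// Added example: validating and sanitizing a constructed sign-up payload
// with filter_var. Field names and ranges are hypothetical business rules.
declare(strict_types=1);

function validateSignup(array $input): array
{
    $errors = [];

    // Validation: FILTER_VALIDATE_* returns false when the value is malformed.
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'invalid email address';
    }

    // Validation with options: age must be an integer inside a business-logic range.
    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 13, 'max_range' => 120],
    ]);
    if ($age === false) {
        $errors['age'] = 'age must be an integer between 13 and 120';
    }

    // Sanitization strips characters that cannot appear in a URL; the result is
    // validated afterwards so that sanitization alone is never trusted.
    $site = filter_var($input['website'] ?? '', FILTER_SANITIZE_URL);
    if ($site !== '' && filter_var($site, FILTER_VALIDATE_URL) === false) {
        $errors['website'] = 'invalid URL';
    }

    // Size check: filter_var does not enforce lengths, so do it explicitly.
    $name = trim((string) ($input['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 64) {
        $errors['name'] = 'name must be 1-64 characters';
    }

    return [
        'ok'     => $errors === [],
        'errors' => $errors,
        'data'   => ['email' => $email, 'age' => $age, 'website' => $site, 'name' => $name],
    ];
}

// Constructed sample input standing in for $_POST; the URL carries a space
// that FILTER_SANITIZE_URL removes before validation.
$sample = ['email' => 'alice@example.com', 'age' => '17',
           'website' => 'https://example.com/my page', 'name' => 'Alice'];
print_r(validateSignup($sample));
print_r(validateSignup(['email' => 'not-an-email', 'age' => '7']));
```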
#2: Cross-Site Scripting (XSS)
In this type of attack, the attacker injects HTML (HyperText Markup Language) code into a website, which is then displayed on the page without further validation; this is referred to as Cross-Site Scripting (XSS). XSS is sometimes used to obtain data from databases or users' passwords, and the injected code can even modify the look and feel of the website.
This loophole is closed by validating the data that is displayed on the web page. The validation needs to ensure that everything shown on a page is safe to view in a browser, email client or other software. Along with validation and sanitization, the application must 'escape' data when presenting it to the user, which prevents the browser from giving any characters an unintended meaning.
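The following added example (not from the original post) renders the same stored comment twice, once concatenated into HTML unescaped and once escaped with htmlspecialchars for the HTML and attribute contexts, plus a JSON-based encoder for data placed inside a script block; the comment data is constructed.

```php
<?php
// Added example: the same user-supplied comment rendered without escaping
// (vulnerable) and with context-appropriate escaping (hardened).
declare(strict_types=1);

// Vulnerable: user data is concatenated straight into the HTML.
function renderCommentUnsafe(string $author, string $body): string
{
    return "<div class=\"comment\" data-author=\"$author\"><p>$body</p></div>";
}

// Escape for HTML text and double- or single-quoted attribute values.
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: every dynamic value passes through the HTML escaper.
function renderComment(string $author, string $body): string
{
    return '<div class="comment" data-author="' . e($author) . '"><p>'
        . e($body) . '</p></div>';
}

// Data embedded in JavaScript needs a different encoder; HTML escaping does
// not apply inside <script>. The JSON_HEX_* flags hex-encode the characters
// that could otherwise close the script element or break out of the string.
function toJsLiteral(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample: a comment body carrying a script tag and an author
// name that tries to break out of the data-author attribute.
$author = 'mallory" onmouseover="alert(1)';
$body   = '<script>alert(document.cookie)</script>';

echo renderCommentUnsafe($author, $body), PHP_EOL; // markup reaches the browser intact
echo renderComment($author, $body), PHP_EOL;       // markup is shown as inert text
echo '<script>var author = ', toJsLiteral($author), ';</script>', PHP_EOL;
```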
#3: SQL Injection
SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into user entry fields. With it, an attacker can read sensitive information from the database or delete or modify its entries. The attack works because the application takes user input and combines it with static parameters to build an SQL query, and the resulting query can be harmful to the website's database.
While this requires knowledge of the database architecture, that information is easy to obtain if the database schema is part of an open-source application. Some techniques to prevent SQL injection are:
- Ensure that you do data validation and confirm that the user-given input has the expected data type.
- Use libraries such as PDO or MySQLi and write prepared statements with bound variables.
- Avoid using superuser access to connect to the database – always use customized users with limited privileges.
- Remove all stored procedures which are not in use.
- Use strongly typed parameterized query APIs with placeholder substitution markers.
#4: Cross-Site Request Forgery (CSRF) attacks
A CSRF attack is a type of web application vulnerability in which victims unintentionally run a script in their browser that takes advantage of their logged-in session on a particular site; the attack is carried out through the data arriving at the website in user requests. CSRF is one of the OWASP Top 10 vulnerabilities.
These attacks exploit the trust a site has in a particular user and include any attack in which the attacker uses the victim's browsing of the website to obtain another user's sensitive data. Such a vulnerability is commonly the result of poor coding and wrong assumptions.
Some of the recommended ways to avoid this vulnerability are:
- The application can check the Referer header. Requests coming from other domains can be treated as forged and blocked; allowing only requests from the same domain avoids this vulnerability. Note that this method fails in the case of HTTPS connections, because the referrer is omitted then.
- CAPTCHA verification in forms is another way to avoid CSRF, because the CAPTCHA is generated on the client side so the attacker cannot guess the pattern. But this puts an additional burden on the user and can degrade the overall web experience.
- The Synchronizer Token Pattern, built on an unpredictable token, is one of the most secure methods of CSRF prevention. In this method the website generates a random token, associated with the user's current session, and places it as a hidden value in each form. On form submission, the website verifies that the token arrived with the request and that it is correct.
- One can also use open-source libraries and classes such as Clfsrpm, NoCSRF, anti-CSRF or CSRF Protection to protect the website from CSRF vulnerabilities.
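The Synchronizer Token Pattern from the list above, as an added example that is not code from the original post or from any of the libraries it names: the session and request are passed in as arrays so the functions can be exercised from the command line, and in a real application $_SESSION and $_POST would be passed instead; the field name and the walk-through data are assumptions.

```php
<?php
// Added example: Synchronizer Token Pattern for CSRF protection. The session
// is an array parameter here only so the script runs without a web server.
declare(strict_types=1);

const CSRF_KEY = '_csrf_token'; // hypothetical hidden-field name

// Issue one unpredictable token per session, created lazily and reused by
// every form. random_bytes draws from the OS CSPRNG, unlike rand() or uniqid().
function csrfToken(array &$session): string
{
    if (!isset($session[CSRF_KEY]) || !is_string($session[CSRF_KEY])) {
        $session[CSRF_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_KEY];
}

// Embed the token as a hidden field; it is output, so escape it like any other.
function csrfField(array &$session): string
{
    return '<input type="hidden" name="' . CSRF_KEY . '" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify on every state-changing request. hash_equals compares in constant
// time so a mismatch does not reveal how many leading bytes were right.
function csrfVerify(array $session, array $request): bool
{
    $expected = $session[CSRF_KEY] ?? null;
    $given    = $request[CSRF_KEY] ?? null;
    if (!is_string($expected) || !is_string($given) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// Constructed walk-through: a logged-in session renders a form, then two
// submissions arrive, one carrying the form's token and one forged without it.
$session = ['user_id' => 42];
$form    = csrfField($session);

$legit  = [CSRF_KEY => $session[CSRF_KEY], 'amount' => '10'];
$forged = ['amount' => '10'];

echo $form, PHP_EOL;
var_dump(csrfVerify($session, $legit));  // the genuine submission
var_dump(csrfVerify($session, $forged)); // the cross-site submission
```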
Web application security is a continuous process. Resources such as OWASP (the Open Web Application Security Project), the PHP Manual's security section, the PHP Security Consortium and CGISecurity.net offer very valuable guidance on PHP security.