PHP Security Issues 1

Sharing is caring!

PHP is an acronym for Hypertext Preprocessor. It is the world’s most popular server-side programming language for websites. Being used by the number of web apps in the likes of Yahoo, Facebook, and more, PHP security is crucial for shielding them against malicious actors. Bad coding habits and lack of PHP security awareness among developers result in most vulnerabilities in the wild. The most common mistake they make is trusting the user input that leads to security issues like SQL Injection, cross-site scripting, remote code execution among others. Here I will explain the top five PHP security issues and their impact on the security of your website.

1) SQL Injection in PHP

An SQL injection is the most dangerous web application vulnerability that has been consistently ranked as number one by OWASP. If the user can insert into the unsanitized and/or unvalidated input field, it can lead to SQLi. The user can manipulate the SQL queries to expose sensitive information that can lead to data breaches. Here is the example of a vulnerable SQL query in PHP:
$id = $_GET['item']; $query="SELECT * FROM item WHERE id='$id'";
A malicious actor can craft the following query to get information about the database:
1'+union+select+1,database(),2'
The query becomes:
$query="SELECT * FROM item WHERE id='1'+union+select+1,database(),2' '";
Queries similar to the above code can be requested by the attacker to enumerate the content of the database and get hold of sensitive information. The solution to solve this problem is to use Prepared Statements (Parameterized Queries). This helps in differentiating between the query and the user input by sending them as two separate requests. Both PHP Data Objects (PDO) and MySQLi are capable of building prepared statements.

2) Cross-Site Scripting

Cross-site scripting vulnerability arises in the web applications when the attacker can execute the malicious code in the victim’s browser. The impact of XSS attack varies as it can be used from redirecting to the malicious website to session hijacking. It exploits the lack of escaping of special characters. Here is the code snippet vulnerable to XSS:
$text = $_GET['text']; echo $text;
If the attacker inputs JavaScript code (such as </script>alert(‘XSS’)</script>) instead of text, the script gets executed as soon as the page is rendered. One way of doing this is to escape/encode the special characters by using PHP functions like htmlspecialchars() and htmlentities(). The PHP function htmlspecialchars() converts special characters like ‘, “, &, >, < into ‘,”, &, gt;, < respectively while htmlentities() converts all applicable characters that have HTML entity equivalent. An example showing the use of htmlspecialchars().
$text = $_GET['text']; echo htmlspecialchars($text, ENT_QUOTES , 'UTF-8');
Apart from using the built-in PHP function, there are open-source libraries available from Google and others that are regularly updated with new protection techniques.

3) Code Execution

Code execution is the type of attack which consist of injecting the code that is then executed by the application. In case of PHP, scripts containing the system calls are exploited by the attackers to read or execute malicious code on the remote server. This type of attack occurs due to poor handling of user input. The following snippet has the code execution vulnerability as there is no input validation.
$var = "varname"; $x = $_GET['arg']; eval("\$var = \$x;");
The attacker can pass multiple commands like http://www.testsite.com/index.php?arg=1; phpinfo(). It will display the phpinfo() file. The best way to deal with this is to use PHP functions escapeshellcmd() and escapeshellarg() that can help harden the system calls such as exec(), eval() and more.

4) Session Hijacking

Session hijacking attacks are commonly applied to web applications and browser sessions. It is an attack in which the attacker needs to know the victim’s session ID to take over their active session in his own browser. Session hijacking can lead to identity theft, account takeover, transferring money without the victim’s knowledge, and more. Companies that provide single-sign-on (SSO) feature can be seriously impacted by this attack as the attacker can use the same session ID for accessing multiple web applications. XSS is the most common method used for session hijacking. Others are session side jacking, brute force, and more.
Here are some methods in PHP to prevent it. Always generate new session IDs with each new session. More importantly, they should be random and generated using Cryptographical Secure Pseudo-Random Generator. Here is an example to generate a cryptographically secure session ID.

sessionId = SecureHashingAlgorithm(username + ipAddress + salt )
Also invalidating cookies after session termination can provide additional shielding against such attacks.

5) PHP Configuration

Poor PHP configuration is directly responsible for the severity of attacks. They maximize the attackers’ advantage and the damage they can cause to poorly configured system. Since the majority of developers do not have an understanding of the security features of PHP, they leave the default configuration settings. Although there is no consensus about the secure PHP configuration here is the list of secure configurations from OWASP:
  • register_globals (off by default in modern PHP, should be off)
  • allow_url_fopen (enabled by default, should be off)
  • magic_quotes_gpc (on by default in modern PHP, should be off)
  • magic_quotes_runtime (off by default in modern PHP, should be off)
  • safe_mode and open_basedir (disabled by default, should be enabled and correctly configured)
  • display_errors ( on by default, should be off)

Security Tips

Here are a few tips that can help in securing your web applications against vulnerabilities:
  • Ensure that PHP software is updated regularly.
  • Never trust user input. Always sanitize/validate it by using a combination of client/server-side validation to protect against malicious JavaScript and SQL queries.
  • Always ensure that there is strong password enforcement in place.
  • Keeping logs of critical applications is recommended so that it can be used to analyze what, when and why happened and identify malicious activities.
  • Enforcing the limit to a number of users that can be logged in within a time window will help against the brute force attacks.

Conclusion

Since there are many security issues with web applications developed with PHP so it’s better to follow security best practices protecting your application. Web application firewall and website security auditing also play a vital role in resolving the PHP security issues. The WAF act as an inspector to the packets passing to the web application from the internet, blocking the malicious traffic. Automatic tools like PHP Malware Scanner by Astra Security can help in detecting the malware and backdoors on your website. Lastly, dealing with the security issues as soon as possible will help you in securing your site rather than being naïve towards it.