Tag Archives: Security

SSL

• Secure Socket Layer (ssl) encryption protects data as it is transmitted between client and server

• SSH (secure shell protocol) encrypts the network connection between the client and the database server

• Augment data encryption as ciphertext using openssl_encrypt() and openssl_decrypt()

• Encrypt data before insertion and decrypt with retrieval

• Store sensitive data as a hashed value

password_hash()

password_hash() creates a new password hash using a strong one-way hashing algorithm. password_hash() is compatible with crypt(). Therefore, password hashes created by crypt() can be used with password_hash().

To hash a password, take the password string and pass it into password_hash the function as a parameter along with the algorithm you want to use, then store the returned hash into the database.

Following are the acceptable ways to create a secure password hash in PHP

A. crypt()
B. hash_pbkdf2()
C. password_hash()

Escape Output

• One of two fundamental security rules: (1) filter and validate all input; (2) escape output

• Always escape outside data unless previously filtered

• Typical output formats that require escaping when containing user data: html, json, sql

•  Never rely on client side (javascript) filtering

• Functions used to escape data before outputting within html: htmlspecialchars() htmlentities() strip_tags()

Input Filtering

• Input is everything that comes as part of the http request

• Some data does not seem to be input, but may contain data originating from the user, thus must be considered as input (ex: session data that was originally supplied by the user)

Character Set

• Risk

 attack vectors may employ a non-standard char set (ex: utf-8 encoded) that may be missed by filtering, but executed by the browser

• counter

 Use the same char set for filtering as the target procedure

 convert charsets prior to filtering content-type: text/html; charset=”utf-8″

 use php’s filter extension

 use filters native to the database (ex: db quoting functions)

escapeshellcmd

escapeshellcmd() escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands. This function should be used to make sure that any data coming from user input is escaped before this data is passed to the exec() or system() functions, or to the backtick operator.

Following characters are preceded by a backslash: &#;`|*?~<>^()[]{}$\, \x0A and \xFF. ‘ and ” are escaped only if they are not paired. In Windows, all these characters plus % and ! are replaced by a space instead.

<?php
 $command = './configure '.$_POST['configure_options'];
 $escaped_command = escapeshellcmd($command);
 system($escaped_command);
 ?>

allow_url_include

The PHP option allow_url_include normally allows a programmer to include() a remote file (as PHP code) using a URL rather than a local file path. For security reasons, this feature should be disabled. If a script claims to require this feature, you should look into alternative software, as the use of this feature indicates serious design flaws.

There are a number of reasons why URL includes should always be avoided:

It’s insecure – if your application can be tricked into including content from a URL outside itself (and there are a number of common ways this can happen), an attacker can force your application to start running code from their own web site.

It’s inefficient – if your PHP script includes content from a URL, then the web server must make HTTP requests to generate the page. This makes your page load much slower than necessary, especially if the site you’re loading content from is responding slowly.

It’s unreliable, for the same reasons – if the web server you are loading content from occasionally fails to respond, your web site also sometimes fails to load properly.

It’s usually unnecessary – in most cases, allow_url_include can be avoided either by including the content directly (if it is being loaded from a domain you host) or by loading and printing the content without evaluating it as PHP.

Remote Code Injection

Remote code injections attempt to run the attacker’s code on a server, often by exploiting the functionality of the include or require functions.

The eval(), exec(), system(), and shell_exec() functions are vulnerable to remote code injections.

Include / Require attacks occur when including and executing files (possible from remote servers and includes remote code execution)

Counter Measures

• Check data against a whitelist

• Remove paths using basename()

• Set allow_url_include = off in php.ini that helps somewhat but not sufficient, as some attack vectors remain open