Checklist of PHP and Web Security Issues
Make sure you have these items sorted out when deploying your application into production environment:- ✔ Cross Site Scripting (XSS)
- ✔ Injections
- ✔ Cross Site Request Forgery (XSRF/CSRF)
- ✔ Public Files
- ✔ Passwords
- ✔ Uploading Files
- ✔ Session Hijacking
- ✔ Remote File Inclusion
- ✔ PHP Configuration
- ✔ Use HTTPS
- ✔ Things Not Listed
Cross Site Scripting (XSS)
XSS attack happens where client side code (usually JavaScript) gets injected into the output of your PHP script.// GET data is sent through URL: http://example.com/search.php?search=<script>alert('test')</script>
$search = $_GET['search'] ?? null;
echo 'Search results for '.$search;
// This can be solved with htmlspecialchars
$search = htmlspecialchars($search, ENT_QUOTES, 'UTF-8');
echo 'Search results for '.$search;
ENT_QUOTES
is used to escape single and double quotes beside HTML entities- UTF-8 is used for pre PHP 5.4 environments (now it is default). In some browsers
some characters might get pass the
htmlspecialchars()
.
Injections
SQL Injection
When accessing databases from your application, SQL injection attack can happen by injecting malicious SQL parts into your existing SQL statement.- More details available in “What is SQL injection and how to prevent it?” FAQ.
Directory Traversal (Path Injection)
Directory traversal attack is also known as../
(dot, dot, slash) attack. It
happens where user supplies input file names and can traverse to parent directory.
Data can be set as index.php?page=../secret
or /var/www/secret
or something
more catastrophic:$page = $_GET['page'] ?? 'home';
require $page;
// or something like this
echo file_get_contents('../pages/'.$page.'.php');
// Checking if the string contains parent directory
if (strstr($_GET['page'], '../') !== false) {
throw new \Exception("Directory traversal attempt!");
}
// Checking remote file inclusions
if (strstr($_GET['page'], 'file://') !== false) {
throw new \Exception("Remote file inclusion attempt!");
}
// Using whitelists of pages that are allowed to be included in the first place
$allowed = ['home', 'blog', 'gallery', 'catalog'];
$page = (in_array($page, $allowed)) ? $page : 'home';
echo file_get_contents('../pages/'.$page.'.php');
Command Injection
Be careful when dealing with commands executing functions and data you don’t trust.exec('rm -rf '.$GET['path']);
Code Injection
Code injection happens when malicious code can be injected ineval()
function,
so sanitize your data when using it:eval('include '.$_GET['path']);
Cross Site Request Forgery (XSRF/CSRF)
Cross site request forgery or one click attack or session riding is an exploit where user executes unwanted actions on web applications.Public Files
Make sure to move all your application files, configuration files and similar parts of your web application in a folder that is not publicly accessible when you visit URL of web application. Some file types (for example,.yml
files)
might not be processed by your web server and user can view them online.Example of good folder structure:
app/
config/
parameters.yml
src/
public/
index.php
style.css
javascript.js
logo.png
public
folder instead of your application
root folder. Public folder contains the front controller (index.php
). In case
web server gets misconfigured and fails to serve PHP files properly only source
code of index.php
will be visible to public.- More details is available in the dedicated FAQ: How to Use Configuration in PHP Applications?
Passwords
When working with user’s passwords hash them properly withpassword_hash()
function.- More details is available in “How to work with users’ passwords and how to securely hash passwords in PHP?” FAQ.
Uploading Files
A lot of security breaches happen where users can upload a file on server. Make sure you go through all the vulnerabilities of uploading files such as renaming uploaded file, moving it to publicly unaccessible folder, checking file type and similar. Since there are a lot of issues to check here, more information is located in the separate FAQ:Session Hijacking
Session hijacking is an attack where attacker steals session ID of a user. Session ID is sent to server where$_SESSION
array gets populated based on it. Session
hijacking is possible through an XSS attack or if someone gains access to folder
on server where session data is stored.Remote File Inclusion
Remote file inclusion attack (RFI) means that attacker can include custom scripts:$page = $_GET['page'] ?? 'home'
require $page . '.php';
$_GET
can be set to a remote file http://yourdomain.tld/index.php?page=http://example.com/evilscript
Make sure you disable this in your
php.ini
unless you know what you’re doing:; Disable including remote files
allow_url_fopen = off
; Disable opening remote files for include(), require() and include_once() functions.
; If above allow_url_fopen is disabled, allow_url_include is also disabled.
allow_url_include = off
PHP Configuration
Always keep installed PHP version updated. You can use versionscan to check for possible vulnerabilities of your PHP version. Update open source libraries and applications and maintain web server.Here are some of the important settings from
php.ini
that you should check out.
You can also use iniscan to scan your
php.ini
files for best security practices.Error Reporting
In your production environment you must always turn off displaying errors to screen. If errors occur in your application and they are visible to the outside world, attacker can get valuable data for attacking your application.display_errors
and log_errors
directives in php.ini
file:; Disable displaying errors to screen
display_errors = off
; Enable writing errors to server logs
log_errors = on
- More information in the How to show errors in PHP FAQ.
Exposing PHP Version
PHP version is visible in HTML headers. You might want to consider hiding PHP version by turning offexpose_php
directive and prevent web server to send
back header X-Powered-By
:expose_php = off
Remote Files
In most cases it is important to disable access to remote files:; disabled opening remote files for fopen, fsockopen, file_get_contents and similar functions
allow_url_fopen = 0
; disabled including remote files for require, include ans similar functions
allow_url_include = 0
open_basedir
This settings defines one or more directories (subdirectories included) where PHP has access to read and write files. This includes file handling (fopen
,
file_get_contents
) and also including files (include
, require
):open_basedir = "/var/www/test/uploads"
Session Settings
-
session.use_cookies and session.use_only_cookies
PHP is by default configured to store session data on the server and a tracking cookie on client side (usually calledPHPSESSID
) with unique ID for the session.
; in most cases you'll want to enable cookies for storing session
session.use_cookies = 1
; disabled changing session id through PHPSESSID parameter (e.g foo.php?PHPSESSID=<session id>)
session.use_only_cookies = 1
session.use_trans_sid = 0
; rejects any session ID from user that doesn't match current one and creates new one
session.use_strict_mode = 0
-
session.cookie_httponly
If the attacker somehow manages to inject Javascript code for stealing user’s current cookies (the document.cookie string), theHttpOnly
cookie you’ve set won’t show up in the list.
session.cookie_httponly = 1
-
session.cookie_domain
This sets the domain for which cookies apply. For wildcard domains you can use.example.com
or set this to the domain it should be applied. By default it is not enabled, so it is highly recommended for you to enable it:
session.cookie_domain = example.com
-
session.cookie_secure
For HTTPS sites this accepts only cookies sent over HTTPS. If you’re still not using HTTPS, you should consider it.
session.cookie_secure = 1
Use HTTPS
HTTPS is a protocol for secure communication over network. It is highly recommended that you enable it on all sites. Read more about HTTPS in the dedicated FAQ: How to Install SSL Certificate and Enable HTTPS.What is Next?
Above we’ve introduced many security issues. Security, attacks and vulnerabilities are continuously evolving. Take time and check some good resources to learn more about security and turn this check list into a habit:- General:
- Awesome AppSec - A curated list of resources for learning about application security.
- OWASP - The Open Web Application Security Project, organization focused on improving security of software.
- Security Guide for Developers
- The Basics of Web Application Security, by Martin Fowler.
- PHP focused:
- PHP Manual - A must read security chapter in official documentation.
- Codecourse videos - Demos and advice on the most common PHP security areas.
- DVWA, Damn Vulnerable Web Application - Example of unsecure web application to test your skills and tools.
- OWASP PHP Security Cheat Sheet - Basic PHP security tips for developers and administrators.
- Securing PHP - Website and books with basic topics and specific cases in authentication/authorization and exploit prevention.
- SensioLabs Security - SensioLabs Security Advisories Checker for checking your PHP project for known security issues
- The most forgotten web vulnerabilities - Recommended PDF article.
- websec.io - Dedicated to educating developers about security with topics relating to general security fundamentals, emerging technologies and PHP-specific information.
- Tools:
- iniscan - A php.ini scanner for best security practices.
- Kali Linux - Penetration testing Linux distribution.
- Observatory by Mozilla - Online security checker.
- versionscan - PHP version scanner for reporting possible vulnerabilities.
- Roave Security Advisories - This package ensures that your application doesn’t have installed dependencies with known security vulnerabilities.
- WebSecTools - List of useful web security related tools.
- OWASP Zed Attack Proxy - Free security tool, available also on GitHub.
2 comments
#Thank
For the more recent and updated version just follow the original here:
https://wwphp-fb.github.io/faq/security/php-security-issues/
Write Comment...
EmoticonEmoticon