How web application security can be done with PHP

This article covers aspects of web application security for websites developed in the PHP programming language.

The most important thing to address when designing any web application is its security. Web application security is a branch of information security that deals specifically with the security of websites, web applications and web services.

At a high level, web application security applies the principles of application security to Internet and web systems. Most web applications are written in languages such as PHP, Java EE, Java, Python, Ruby, ASP.NET, C#, VB.NET or Classic ASP.

With the growth of the web and the increasing amount of sensitive information shared through social networking sites, websites are attacked more often than not. Nowadays every business is on the web, which makes its websites a target for attackers. This calls for increased attention to the security of web applications: in addition to maintaining their computer networks and operating systems, companies now spend a good amount of money on the security of their web applications as well.

Here we will see how to secure a web application developed in PHP.

PHP Security

As part of this tutorial we will cover the following topics related to web application security in PHP.

  • Register Globals
  • Session Management
  • Session Hijacking
  • Checking Input
  • Validating Numbers
  • Validating Strings

Register Globals

The most common root of security problems in PHP applications is the register_globals behaviour shown below:

?userId=55

becomes...

$userId=55

This is dangerous because there is no way to determine where the input came from: every request parameter is turned into a variable, so user input can initialize variables the script never set. Besides being a security hazard, register_globals is merely a configuration option that is not available on all servers. The best practice is to read input explicitly from the superglobals:

$_GET['userid']

or

$_POST['userid']
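The uninitialized-variable hazard described above and the explicit-superglobal form that avoids it, as an added example that is not part of the original article. register_globals was removed in PHP 5.4, so its behaviour is reproduced here with extract(), which imports request keys into the local scope in the same way; authenticate() is a hypothetical stand-in for the application's own credential check.

```php
<?php
// Added example: the register_globals hazard and its fix. The legacy
// behaviour is emulated with extract(); authenticate() is a hypothetical
// stand-in for the real credential check.

function authenticate(): bool
{
    return false; // constructed: this visitor has NOT proven who they are
}

// Legacy pattern: $authorized is only set on success and never initialised.
// With register_globals on (or extract() as here), a request carrying
// authorized=1 creates the variable before the check, so the test at the
// bottom is satisfied although authenticate() failed.
function legacy_is_authorized(array $get): bool
{
    extract($get);                 // emulates register_globals; never do this
    if (authenticate()) {
        $authorized = true;
    }
    return !empty($authorized);    // reads whatever the request supplied
}

// Hardened form: every variable starts from a known value and input is read
// only from the superglobal, so its origin is explicit and it cannot shadow
// application state. $get stands in for $_GET so the function is testable.
function hardened_user_id(array $get): ?int
{
    $authorized = false;
    if (authenticate()) {
        $authorized = true;
    }
    if (!$authorized) {
        return null;
    }
    // Validate rather than trust: the id must be a positive integer.
    $userId = filter_var($get['userId'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    return $userId === false ? null : $userId;
}

// Constructed request: ?userId=55&authorized=1
$request = ['userId' => '55', 'authorized' => '1'];
var_dump(legacy_is_authorized($request));   // the request-supplied variable decides
var_dump(hardened_user_id($request));       // only authenticate() decides
```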

Session Management

Session attacks cannot be prevented by filtering input and escaping output alone. Let us look at the best ways to tackle them.

Session Fixation

Session fixation is an attack that forces a user's session ID to a known value. Many techniques exist to "fix" the session ID value, depending on the functionality of the targeted website; they range from Cross-Site Scripting (XSS) exploits to peppering the website with previously crafted HTTP requests.

Once the user's session ID has been fixed, the attacker waits for the user to log in. After the user logs in, the attacker uses the predefined session ID value to assume the user's online identity.

How to prevent Session Fixation?

  1. Never accept session identifiers from GET/POST variables:
     Session identifiers in the URL (query string, GET variables) or in POST variables are not recommended because they make the attacker's task easy: it is trivial to create links or forms that set GET/POST variables.

  2. Regenerate the Session ID on each request:
     Always use session_regenerate_id() in PHP. It is obligatory to regenerate the session identifier every time a user's access level changes. What does this mean? Although an attacker may trick a user into accepting a known SID, that SID becomes invalid by the time the attacker attempts to re-use it. Let us see this by example:

    Listing 1: regenerate_session.php

    // If the login succeeded, the access level changed: issue a new session ID
    // (the true argument also deletes the old session store, so the old ID
    // cannot be reused)
    if (authenticate())
    {
       session_regenerate_id(true);
    }

  3. Accept only server-generated Session IDs:
     To improve the security of the web application, do not accept session identifiers that were not generated by the server.

    Listing 2: server_generated_SID.php

    session_start();
    if (!isset($_SESSION['SERVER_GENERATED_SID'])) {
       // session ID not issued by this server: discard all data stored under it
       $_SESSION = array();
    }
    // generate a new session identifier (true deletes the old session store)
    session_regenerate_id(true);
    $_SESSION['SERVER_GENERATED_SID'] = true;
    

Session Hijacking

Session hijacking is a generic term for any method by which an attacker obtains a user's valid session identifier instead of presenting one of his own.

Let us illustrate the concept of session hijacking with an example. Assume the user logs in. If the session identifier is regenerated, they obtain a new session ID. Now consider the situation where an attacker learns this new ID and tries to use it to gain access through that user's session. Another method is needed to identify the user.

One way to identify the user in addition to the session ID is to verify several request headers sent by the client. The User-Agent header is one useful request header that does not change between requests. It is very uncommon for a legitimate user to switch from one browser to another within the same session, so the User-Agent can be used to detect a probable session hijacking attempt.

    // After a successful login, remember the browser that started the session
    $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];

After this, whenever a new page loads, verify that the User-Agent has not changed. If it has changed, this is a potential security threat and the user should be made to log in again.

    if (!isset($_SESSION['user_agent'])
        || $_SESSION['user_agent'] !== ($_SERVER['HTTP_USER_AGENT'] ?? ''))
    {
       // Possible hijacking: end this session and force the user to log in again
       session_destroy();
       exit;
    }
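The session fixation rules and the User-Agent check from the two sections above, combined in one login flow as an added example that is not part of the original article. It assumes the login page lives at /login.php and uses constructed demo credentials in place of the application's own password check.

```php
<?php
// Added example: a login flow applying the rules above (cookie-only,
// server-generated IDs; regeneration when the access level changes) plus
// the User-Agent binding from the Session Hijacking section.

function start_secure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        ini_set('session.use_only_cookies', '1'); // never read a SID from GET/POST
        ini_set('session.use_strict_mode', '1');  // refuse IDs PHP did not issue
        ini_set('session.cookie_httponly', '1');  // keep the cookie away from scripts
        session_start();
    }
    // ID not created by this server (possibly fixed by an attacker): discard
    // its data, issue a fresh ID and delete the old store (the true argument).
    if (empty($_SESSION['SERVER_GENERATED_SID'])) {
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['SERVER_GENERATED_SID'] = true;
        $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
    }
}

function login(string $user, string $pass): bool
{
    // Constructed demo credentials; a real check uses password_verify().
    if ($user !== 'alice' || $pass !== 's3cret') {
        return false;
    }
    session_regenerate_id(true);   // access level changed: a pre-set ID dies here
    $_SESSION['user'] = $user;
    return true;
}

function require_valid_session(): void
{
    // Nobody logged in, or the browser changed mid-session: end it, log in again.
    if (empty($_SESSION['user'])
        || !hash_equals($_SESSION['user_agent'] ?? '', $_SERVER['HTTP_USER_AGENT'] ?? '')) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');   // assumed location of the login page
        exit;
    }
}

start_secure_session();   // run on every request before touching $_SESSION
```

Because the User-Agent header is supplied by the client, the comparison only catches unsophisticated hijacking; use_strict_mode and the cookie settings carry most of the weight.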

Verifying Input

Validating Numbers

If we expect a variable to always hold a numeric value, a very simple way to validate it is to use casting.

    // integer validation: the cast yields an int whatever the input was
    if (!empty($_GET['id']))
        $id = (int)$_GET['id'];
    else
        $id = 0;

    // float validation
    if (!empty($_GET['price']))
        $price = (float)$_GET['price'];
    else
        $price = 0.0;

Validating Strings

PHP comes with the ctype extension, which gives developers a very easy and fast way to validate string input. Some examples follow (the ?? '' default avoids an undefined-index notice when the parameter is missing):

    if (!ctype_alnum($_GET['login'] ?? '')) {
        echo "Only A-Za-z0-9 are allowed.";
    }

    if (!ctype_alpha($_GET['captcha'] ?? '')) {
        echo "Only A-Za-z are allowed.";
    }

    if (!ctype_xdigit($_GET['color'] ?? '')) {
        echo "Only hexadecimal values are allowed.";
    }
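The casting and ctype_* checks from the Validating Numbers and Validating Strings sections, combined into one validator as an added example that is not part of the original article. It places filter_var() beside the cast to show what the cast silently accepts; $q stands in for $_GET and the request at the bottom is constructed.

```php
<?php
// Added example: the casting and ctype_* checks from the two sections above
// combined in one validator, with filter_var() beside the cast to show what
// the cast silently accepts. $q stands in for $_GET; the request is constructed.

function validate(array $q): array
{
    $values = [];
    $errors = [];
    // Record either the validated value or a message for the caller.
    $accept = function (bool $ok, string $key, $value, string $msg) use (&$values, &$errors) {
        if ($ok) { $values[$key] = $value; } else { $errors[] = $msg; }
    };

    // A cast never fails: (int)"12abc" is 12 and (int)"abc" is 0, so malformed
    // input passes as a number. filter_var() rejects anything that is not a
    // whole integer, and min_range rules out 0 and negatives.
    $values['id_cast'] = !empty($q['id']) ? (int)$q['id'] : 0;
    $id = filter_var($q['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $accept($id !== false, 'id', $id, 'id must be a positive integer');

    $price = filter_var($q['price'] ?? '', FILTER_VALIDATE_FLOAT);
    $accept($price !== false && $price >= 0, 'price', $price, 'price must be a non-negative number');

    // ctype_* expects a string and returns false for "", so default missing
    // keys to '' and add the length limits the field's format implies.
    $login = (string)($q['login'] ?? '');
    $accept(ctype_alnum($login) && strlen($login) <= 32, 'login', $login,
            'login: only A-Za-z0-9 allowed, at most 32 characters');

    $captcha = (string)($q['captcha'] ?? '');
    $accept(ctype_alpha($captcha), 'captcha', $captcha, 'captcha: only A-Za-z allowed');

    $color = (string)($q['color'] ?? '');   // e.g. a CSS colour without the '#'
    $accept(ctype_xdigit($color) && strlen($color) === 6, 'color', strtolower($color),
            'color: exactly six hexadecimal digits expected');

    return ['values' => $values, 'errors' => $errors];
}

// Constructed request: ?id=12abc&price=9.99&login=bob_1&captcha=Xyz&color=ff00AA
print_r(validate(['id' => '12abc', 'price' => '9.99', 'login' => 'bob_1',
                  'captcha' => 'Xyz', 'color' => 'ff00AA']));
```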

Conclusion

This article described some of the best techniques for PHP applications; following them is a boon to web application security.

I hope you liked it; see you next time.



I am a software developer from India with hands-on experience in Java and HTML for over 5 years.
