We wrote about WordPress security on a shared hosting and what to do if you get hacked. Here we will write about general programming practices to include in your web development projects. This is a technical article so good for your development team as well as should be made standard practice in all IT concerns.
Web security is often assumed out of the box and something even the best practices can’t always cover. Its important cover all your bases and be on your toes. Websites are a complex beast and need tending to constantly.
1. Never Trust User Input
The basic rule for securing web application is to always filter input and escape output. Do not trust user data and always make it validate and filter properly. To validate means to verify that the data is valid while filter means to remove unwanted characters from the data. Sometimes we trust user data because we never even know it’s actually user data. For example; consider$_SERVER[‘HTTP_HOST’] which is a PHP global variable and some developers become confused that its server variable and not user data. So they used this variable in form action or site_url like
<form action=”<?= $_SERVER[‘HTTP_HOST’]?>/page”>
Or
$config[‘site_url’] = ‘HTTP://’.$_SERVER[‘HTTP_HOST’];
However a user (attacker) can modify this variable by sending a different host header. So we should avoid using $_SERVER[‘HTTP_HOST’] and use the domain name instead. E.g
$domain_name = 'mydomain.com';
$config['site_url'] = 'HTTP://'. $domain_name;
This type of security vulnerabilities leads to phishing attacks and cache poisoning.
2. Understand Cross site scripting (XSS):
In this type of web security attack, an attacker executes an unwanted malicious JavaScript in the user browser. Let’s say a website contains the following input field<input type="text" value="user" />
So an attacker comes and insert script like this
"<script>alert(‘website hacked’);</script><input type="text" value="
so it becomes
<input type="text" value="" />
<script> alert(‘website hacked’);</script>
<input type="text" value="" />
In this way attacker can execute the script he/she wants to execute and can steal user cookie, spread malwares and perform many other tasks.
Type of cross site scripting are
- Persistent XSS: originates from website database.
- Reflected XSS: originates from victim’s request
- DOM-Based XSS: originates from vulnerabilities in client side code
3. Cross site request forgery (CSRF):
In this type of web security vulnerability, malicious website sends a request to a web application that a user is already authenticated against. The attacker inspects the website and finds the form action and then submit the form from a malicious website to the found action url with the desired values. To prevent this type of security attacks always include an unpredictable token to each request and verify request again that token.4. SQL Injection:
This type of security attack arises because of security weakness which allows attacker to take control of application’s database. Thus the attacker can view, modify, delete records or even drop tables. For example, let’s say we have a website that displays student result based on the student id. Student Id The actual SQL query isSELECT * FROM std_result WHERE std_id=1005
So it will fetch the user result but what if the user type 1005 or 1=1 into the box. The query will become
SELECT * FROM std_result WHERE std_id=1005 or 1=1
In this case the first condition will become false but the second condition will become true and it will fetch all the rows. The attacker can also drop the whole table if he/she types 1005; DROP table std_result; into the box.
This type of attacks can be prevented by using PDO and mysqli with strongly typed parameterized queries.
5. Session Fixation
In this type of security vulnerability an attacker explicitly sets session identifier of a session for a user. It’s typically performed by making a URL likehttp://www.example.com/index.php...?session_name=sessionid. This URL is then passed to the victim. As soon as the victim clicks on the link, the attack is succeeded.
This type of security vulnerability can be prevented by
- Setting session_use_trans_sid = 0 in php.ini file which will tell PHP not to include identifiers in URL as well as not to read URL for identifiers.
- Setting session_use_only_cookies = 1 in php.ini file which will tell PHP to never use URLs with session identifiers.
- Always regenerate session ID when session’s status changes, i.e. user authentication or storing sensitive information in the session
