.:INTRO
With the popularity of web applications coded in php growing, the issue of security has to get more attention.
A lot of these applications are coded by what I would call amateurs that have learnt some basic PHP and then started coding small projects like a simple community for themselves or a friend.
Now what many of the spare-time coders do not pick up during their learning process is the very important question; how to create secure php code.
Now some of you may think that there is no such thing as secure code, it’s impossible as long as someone is using the code.
I won’t argue with you as I know that you people get what I mean with that statement.
A large number of hacks made on web applications were made possible by insecure code simply bad code or the lack of those extra couple of lines that would have prevented that disaster to happen!
This is mainly caused by the lack of knowledge about the topic or just pure laziness, both equally dangerous.
The problem today is that those hacks still pop up on a constant bases as new php coders enters the scene, the mistakes are done over and over again and so are the hacks.
Seeing this I’ve decided to write this small paper on the subject of php security to at least get some of you aware of what can and most certainly will happen if these steps aren’t taken.
But even if these steps are taken there is no guarantee that you won’t be hacked anyway but it’s still a good step in the right direction.
“So how do I prevent hackers from causing damage to my site then?” you may ask, well honestly there is no such way, but there are ways of making it a hell of a lot harder for them.
Ways that I will discuss in this paper. I won’t discuss anything in detail this is purely me discussing ways used and how to prevent this from happening. If you do not know what I’m talking about then I’m sorry to say this, but you are in a way too early stage to even put your code out there on the net not to mention code web applications for others!
.: No information to gather equals harder to hack.
This step is a very easy but at the same time a good and powerful way to prevent “hackers”.
Now this might not concern PHP security in general, but nevertheless it’s important thus I decided to put it in this paper (It was meant for another paper at first).
If you want to be able to produce secure code you must be aware of the techniques and ways hackers use.
Now if I would want to hack a site I just found I would first go on an information gathering quest, trying to find out as much as I possible can about the target.
What PHP version is running, what recent exploits are there for the vulnerabilities that if I’m lucky the admin of the server hasn’t patched for yet.
This includes not only PHP itself, remember you have the server and the OS and a bunch of other services running that can lead to a hack way before your badly written code is discovered!
So if you’re smart you’ll not give away this information, just to make it harder for the possible attacker.
To prevent what I mentioned above regarding the php part I simply choose to not reveal whether I’m using PHP, ASP or something else by simple associating PHP with a different file ending, e.g. If your site is called Billy The Butcher you could change the file endings from *.php to *.btb
Now if I can’t find out that the server is running php and can’t see any .php file endings this makes it harder for me to gather information about the target.
This also means setting up the web-server in such a way that it itself doesn’t reveal what you are running.
Another important thing is to never allow errors generated to be shown to the public, this will reveal what you are using in most cases, but also gives away necessary information that a hacker need to take his attack to another level.
Instead you should be aware of where errors could occur in your code and implement a custom error message system that is shown for the public and save the error in a error database or something similar that only admins may view.
.: Never trust anyone; see each and every visitor as a potential hacker.
A lot of people are evil, and the chance that some of them will visit your site is great.
You cannot assume that no one will try to hack a “cute puppies” site and therefore not care about writing extra code to secure and check input etc.
I’m against that thinking as it can quickly turn into a nasty habit, if you are about to do something do it good and take your time, as with all other things in life this will make it last a lot longer!
Also note that a lot of the people hacking sites today are so called script-kiddies that pretty much want to deface and hack anything out there just so they can brag about it in front of their other script-kiddie-friends. It’s those script-kiddies that, I would say, stand for most of the defacements and unnecessary pain. But that’s their retarded nature, and I won’t discuss them any further.
Where I was going with this was the simple fact that you should not ease up on the checking and security for specific user groups as it’s most likely that a possible attacker might find himself in that group.
Seen this on various places and I strongly recommend you not to practice this.
Instead practice safe coding and also prepare for the worst scenario, better to be paranoid and safe then later devastated and sorry!
To not make this into a monster post I’ll be splitting it up into parts, so more will come!
Leave a Reply