/php-security-guide

Common security threats and standard best practices for PHP application development

Primary language: PHP

Web Application Security

Introduction

This document lists common security threats to web applications, with an explanation of each and the preventive measures to take.

  1. Footprinting
  2. Scanning
  3. SQL injection
  4. File upload
  5. Session hijacking and session fixation
  6. Remote file inclusion
  7. XSS
  8. Unsafe use of eval()
  9. Cross-Site Request Forgery (CSRF)
  10. Clickjacking
  11. Parameter tampering

How do you know whether a site is vulnerable?

The following free tools scan an application and list potential weaknesses in its code and in the server configuration. They find only what their signatures cover, so a clean scan is not proof that the site is secure.

  1. Vega
  2. OWASP ZAP
  3. XSSer, BeEF and sqlmap, for testing XSS, browser-side script injection and SQL injection respectively

Best Practices for Web Application Security

  • Reject well-known default or test usernames such as 'test', 'test123', 'admin' and 'root' at registration, so that credential-guessing attacks have no obvious target.

  • Use automated tests, including property-based testing (e.g. PHP QuickCheck), so that input-handling code is exercised with unexpected values.

  • Be mindful when laying out the project. Put the upload directory outside the webroot so that uploaded files are never reachable by URL directly; serve them through a script instead.

  • Use a maintained package or library from packagist.org instead of writing your own, particularly for security-sensitive code such as authentication, password hashing and CSRF protection.

  • Maintain a login audit table (user, date and time, source IP, success or failure) so that brute-force attempts and account compromise can be detected.

  • Run manual penetration tests at regular intervals and after any significant update.

  • Disable dangerous functions you do not need (e.g. shell_exec, system, passthru, exec, proc_open) with the disable_functions directive in php.ini. Note that these are functions, not modules; a call to a disabled function fails, which also makes an injected web shell that relies on it fail.

  • Put a .htaccess with the following content in the upload directory so that Apache does not execute PHP files stored there and instead serves them as plain downloads:

    php_flag engine off

    This only takes effect when PHP runs as an Apache module (mod_php) and the directory's AllowOverride setting permits the directive. With PHP-FPM the php_flag line is ignored, so the equivalent rule (refuse to hand *.php in that directory to PHP) must go in the server or vhost configuration. Keeping uploads outside the webroot removes the dependence on this configuration altogether.

  • Always set uploaded file permissions to the minimum, and never executable (0644).

  • Rename uploaded files to a random name and choose the extension on the server from the detected content type; never trust the client-supplied filename or extension.
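The upload-related practices above, combined into one handler. This is an added example, not code from the php-security-guide repository; it assumes an upload directory at /var/data/uploads outside the webroot, a form field named "document", and that the calling page has already authenticated the user (persisting the random name to a hypothetical files table is left as a comment).

```php
<?php
// Added example (not from the guide): a hardened upload handler applying the
// practices listed above. Assumptions: uploads live in /var/data/uploads
// (outside the webroot), the form field is named "document", the user is
// already authenticated, and a hypothetical `files` table maps the stored
// random name back to the original name for download.

declare(strict_types=1);

const UPLOAD_DIR = '/var/data/uploads';   // outside the webroot
const MAX_BYTES  = 5 * 1024 * 1024;       // 5 MiB

// Allow-list of content types we will store, each mapped to the only
// extension the server will ever write. The client's extension is never used.
const ALLOWED = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

/**
 * Validate one entry from $_FILES and move it into UPLOAD_DIR under a random
 * name. Returns the stored basename on success; throws on any violation.
 */
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . (int) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {   // reject forged $_FILES entries
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Sniff the real content type from the bytes, not from $file['type'],
    // which is supplied by the client and trivially spoofed.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("disallowed content type: $mime");
    }

    // Random name plus a server-chosen extension: "shell.php" or
    // "image.php.jpg" can never be stored under a name PHP would execute.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($dest, 0644);                           // readable, never executable
    return $name;
}

/**
 * Stream a stored file back as a download. The stored name is validated
 * against the exact format storeUpload() produces, so "../" or any other
 * path on disk can never reach the filesystem calls below.
 */
function serveUpload(string $storedName, string $downloadName): void
{
    if (!preg_match('/\A[0-9a-f]{32}\.(png|jpg|pdf)\z/', $storedName)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $storedName;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    // Force a download under a sanitized name; never let the browser render
    // the file in-page, and forbid content-type sniffing.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $downloadName);
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Usage: handle a POST from <input type="file" name="document">.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['document'])) {
    try {
        $stored = storeUpload($_FILES['document']);
        // ... INSERT ($stored, $_FILES['document']['name'], $userId) into the files table ...
        echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

storeUpload() never uses the client's filename, extension or declared MIME type: the type comes from the file's bytes via finfo, the stored name is random and the extension is taken from the allow-list. serveUpload() accepts only names in the exact format storeUpload() produces, which rules out path traversal, and sends the file as an attachment with nosniff so the browser never interprets it in-page. Because the directory is outside the webroot, the .htaccess rule above becomes a second layer rather than the only defence.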

PHP Backdoors

PHP backdoors (also called web shells) are hidden scripts such as c99, c99madshell and r57 that an attacker drops onto a server to bypass all authentication and regain access on demand. They typically give almost full control: uploading and downloading files, running operating-system commands, and reaching the database and mail server with the web server's privileges.

To prevent this, follow all of the preventive measures above, and search your server for such scripts from time to time. Real web shells rarely ship under their original name: they are often renamed to look like an image or cache file, dropped into an upload directory, and wrapped in base64_decode(), gzinflate() or str_rot13() feeding eval() so that a search for the plain function names finds nothing. Search for the obfuscation wrappers as well, and treat every hit as something to review rather than delete on sight, since legitimate code also uses these functions.

 # Known shell names anywhere under the webroot (case-insensitive)
 grep -iR 'c99' /var/www/html/
 grep -iR 'r57' /var/www/html/
 # The same search restricted to PHP files, listing only the matching file names
 find /var/www/html/ -name '*.php' -type f -print0 | xargs -0 grep -l 'c99'
 # Functions a web shell typically needs, plus the decoders used to hide them;
 # expect false positives from legitimate code, so review each hit
 grep -RPn --include='*.php' "\b(passthru|shell_exec|system|base64_decode|gzinflate|str_rot13|fopen|fclose|eval)\s*\(" /var/www/html/
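A PHP version of the search above that also catches shells the plain greps miss. This is an added example and not part of the original guide; the rules, their weights and the reporting threshold are arbitrary choices made here, and the files it scans are constructed in a temporary directory so that the script runs stand-alone (on a real server, point scanTree() at the webroot instead).

```php
<?php
// Added example, not part of the original guide: walk a directory tree and
// flag PHP files that match the patterns the grep commands above look for,
// plus the obfuscation wrappers real web shells use to evade a plain grep
// (base64_decode/gzinflate/str_rot13 fed into eval). Rule weights and the
// threshold are arbitrary. The sample tree is constructed below.

declare(strict_types=1);

// Each rule: [regex, weight]. A file's score is the sum of matched rules.
const RULES = [
    'known shell name'          => ['/\b(c99|c99madshell|r57)\b/i', 5],
    'shell command function'    => ['/\b(passthru|shell_exec|system|exec|proc_open|popen)\s*\(/', 3],
    'eval()'                    => ['/\beval\s*\(/', 3],
    'decoder wrapped in eval'   => ['/\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/', 5],
    'variable function call'    => ['/\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/', 4],
    'request input to exec'     => ['/\b(passthru|shell_exec|system|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/', 5],
    'long base64 blob'          => ['/[A-Za-z0-9+\/]{200,}={0,2}/', 2],
];

/** Scan one file; returns [score, list of matched rule names]. */
function scanFile(string $path): array
{
    $src   = (string) file_get_contents($path);
    $hits  = [];
    $score = 0;
    foreach (RULES as $name => [$regex, $weight]) {
        if (preg_match($regex, $src)) {
            $hits[] = $name;
            $score += $weight;
        }
    }
    return [$score, $hits];
}

/** Walk $root recursively; return findings for PHP-like files scoring >= $threshold. */
function scanTree(string $root, int $threshold = 5): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        // Include the extensions Apache commonly maps to PHP, not just .php
        if (!$f->isFile() || !preg_match('/\.(php|phtml|php[3-7]|inc)$/i', $f->getFilename())) {
            continue;
        }
        [$score, $hits] = scanFile($f->getPathname());
        if ($score >= $threshold) {
            $findings[$f->getPathname()] = ['score' => $score, 'hits' => $hits];
        }
    }
    return $findings;
}

// --- constructed sample tree (not real data) --------------------------------
$root = sys_get_temp_dir() . '/scan-' . bin2hex(random_bytes(4));
mkdir("$root/images", 0755, true);

// Benign: system() with a fixed argument; scores 3, below the threshold.
file_put_contents("$root/cron.php", "<?php system('/usr/bin/true');\n");

// Web shell #1: classic, greppable by name and by passthru($_GET...).
file_put_contents("$root/images/c99.php",
    "<?php /* c99madshell */ if (isset(\$_GET['cmd'])) { passthru(\$_GET['cmd']); }\n");

// Web shell #2: obfuscated so that a grep for 'system' or 'c99' finds nothing.
$payload = base64_encode("system(\$_POST['x']);");
file_put_contents("$root/images/thumb.php", "<?php eval(base64_decode('$payload'));\n");

foreach (scanTree($root) as $path => $r) {
    printf("%-24s score=%-3d %s\n", substr($path, strlen($root)), $r['score'], implode(', ', $r['hits']));
}
```

Run as `php scan.php`: the two shells under images/ are reported with the rules they tripped, while cron.php stays below the threshold even though it calls system(). The scoring is deliberately crude; its purpose is to surface candidates for manual review, and the second sample shows why a search for function names alone is not enough once the call is hidden inside an encoded string.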

Resources

OWASP
Follow the OWASP Secure Coding Practices and use the OWASP Testing Guide checklist when testing for vulnerabilities (https://www.owasp.org).

PHP Security Consortium
The PHPSC (http://phpsec.org/) is a group of PHP experts dedicated to promoting secure programming practices within the PHP community. Its members seek to educate PHP developers about security through a variety of resources, including documentation, tools and standards.