Last Updated on April 6, 2021 by monk
PHP remains one of the most used programming languages in the world. In fact, according to W3Techs’ report, almost 80% of all websites have PHP as their primary server-side programming language. Not only this, top CMS(s) like — WordPress, Drupal, and Magneto, are also running on PHP. PHP is also the building block for popular sites: Facebook and Wikipedia.
However, this doesn’t stop PHP from being vulnerable. The spike in cyber-attacks has exposed PHP’s security and integrity. So much so that, today it has become the second most vulnerable server-side language all over the globe.
Despite starting bug bounty programs and recommending the best security practices to users, PHP security issues still remain a growing concern for users.
In this article, I shall dive deep into the six major security issues found across PHP and how we can prevent them.
Here we go.
Top 6 PHP security issues
PHP websites suffer a wide range of cyberattacks. The ones that we see repeatedly on PHP websites are:
1) Cross-site scripting
XSS (Cross-site scripting) is the most common form of hacking technique practiced across PHP websites. An XSS security issue allows hackers to execute malicious JavaScript intended to perform detrimental actions on the targeted website.
Generally, what hackers do is — they inject a client-side scripting code, wisely mixed with some related content. So, when an unsuspecting user attempts to visit the website, the code automatically gets downloaded into the browser. The code gets saved into the browser’s database, tricking the browser to perceive it as legitimate content. The user may even get redirected to third party websites for further ransacks, as a consequence of the XSS flaw.
Attainment of site session cookies and credentials information about the browser is the most vicious outcome of an (XSS) cross-site scripting.
However, You can detect this attack with the help of htmlspecialchars.
$search = htmlspecialchars($search, ENT_QUOTES, 'UTF-8');
echo 'Search results for '.$search;
Prevention
- Validating user input
- Sanitizing user input
- Use Escaping
- Use a WAF (Web Application Firewall)
2) Cross-site request forgery
Despite having a similar name as cross-site scripting, CSRF differs a lot from XSS. CSRF attacks let a hacker easily perform malicious action on the authenticated websites. CSRF attacks are generally coupled with social engineering and phishing attacks and are often targeted to authenticated users/admins. Hackers steal session information and transfer a set of malicious commands to the server to execute any action they want.
In most cases, the requested data is altered within an HTML tag so that the end-user does not get notified about the unwanted web requests. CSRF attacks are so powerful that it can trick the user into performing state-changing requests like transferring funds, changing their email addresses, deleting their account, and so forth.
For example, the below URL illustrates how GET requests are used to send money to another account.
GET http://bank.com/transfer.do?acct=TIM&amount=100 HTTP/1.1
Therefore, if someone wishes to exploit the web application he/she shall alter the URL with the desired name and amount they like
http://bank.com/transfer.do?acct=Sandy&amount=100000
Now, this URL can be easily bound up with a text file or an image. So, if a user clicks the file, he/she instantly ends up sending a huge amount of money.
Prevention
- Use anti-CSRF token
- Use same-site cookies
- Have a proper security audit and VAPT–Vulnerability Assessment and Penetration Testing
3) Buffer Overflows
Buffer overflow is generally structured programming error that is majorly found in programming languages like C and C++. Every programming segment is given a fixed size of allocated memory, this error occurs when the code is written beyond the allocated memory which is also called a buffer.
This means that if an attacker manages to tamper the buffer section. Then they can easily rewrite/overwrite that extra space and point that section of memory to some malicious payload.
However, the PHP codes are not as vulnerable as the C codes. Therefore, the C code becomes one of the prominent reasons to escalate buffer overflow security flaws in PHP codes.
Prevention
- Try to write secure codes, by minimizing the use of risky functions, group models.
- By using compiler tools to detect overflow and altered memory allocation.
- Use PHP extensions like Suhosin that can alter the way PHP memory is allocated.
4) SQL injection
SQL injection is the most common tactic used by hackers to exploit your web server. This attack is usually vulnerable to those sites, having large junk of codes written by its developers.
Basically, the hacker here wants to alter the data that the developer is trying to conduct through SQL queries. This attack allows the hacker to procure access to databases affiliated with the PHP websites. Hackers may play around with your info by modifying or even deleting your database. That’s the reason why it is more lethal than other PHP based attacks.
Examples
$query = "SELECT * FROM students WHERE empname='David'";
The above query can be exploited as:
$query = "SELECT * FROM students WHERE empname='' or '1'";
Prevention
- Try to avoid using a dynamic SQL.
- Never construct queries with user input.
- Abide by giving administrative privileges to non-authorized users.
- Consider using a web application firewall.
5) Session And Cookie Hijacking
Cookies are very important log files that are responsible to store user credentials and corresponding to that session is a mediator that helps to communicate with the web servers via cookies for certain time intervals. That means if a hacker manages to steal your cookies then they can easily log in to your account without knowing your actual credentials.
Handling PHP sessions, the website tends to store session data on the webserver. However, the data may be retrieved when the browser sends a session identifier to the browser as a cookie.
Prevention:
- Use the session_regenerate_id() function to change session IDs frequently.
- Revalidations of the user sensitive information like a password can minimize the risk of hacking.
- Make sure you see an SSL padlock on the payment gateways.
- If possible, avoid using session identifiers and other cookies. They may be used to inject malicious JAVAScript into the web pages. The examples shown below are of cookies that don’t acquire Session ID.
For cookies you can set the cookie like this:
setcookie('mycookie', 'some value', 0 ,"/", "", false , true);
For sessions you can set the session cookie parameters like this:
session_set_cookie_params (600 [, '/' , '' , false, true);
Also, set the session.cookie_httponly option in php.ini:
session.cookie_httponly = On
6) Secure Files Uploads
More often users are not aware whether the uploaded file is an XSS attack or not. It is because hackers try to camouflage it with just a regular file.
However, you can prevent this issue by listing the property
encrypt+ “multipart/form-data” in <form> tag.
You may opt for a POST request for this scenario.
Adding validation rules:
$finfo = new finfo(FILEINFO_MIME_TYPE);
$fileContents = file_get_contents($_FILES['any_name']['temp_name']);
$mimeType = $finfo->buffer($fileContents);
Adding encryption code:
<form method="post" enctype="multipart/form-data" action="upload.php">
File: <input type="file" name="pictures[]" multiple="true">
<input type="submit">
</form>
Conclusion
The above-mentioned PHP security issues are major concerns for all PHP websites. More so for small businesses and organizations running on PHP. It’s not impossible to mitigate or even remove these threats with proper handling.
If you are really pressed for time, you can always hire a security service or get a security tool to get the job done for you.
I can personally vouch for Astra Security which is a suite of security tools that offer — firewall, malware scanner, security audit, and so on. Astra can protect your website 24*7 and keeps hackers at bay so give them a trial.
You can also check out my super extensive WordPress security tutorial.