PHP, a popular language among web developers for building dynamic and interactive websites, is also a frequent source of security vulnerabilities. Several of its beginner-friendly features make it easy to leave gaps that compromise the security of a web application. With a sound understanding of these pitfalls, however, PHP can be made as secure as any other language in the ecosystem. As the title suggests, this series of articles sets out the basic concepts behind the security vulnerabilities most often found in PHP code.
According to the Open Web Application Security Project (OWASP), injection attacks and Cross Site Scripting are among the most common threats to web applications. The two are closely related: in the broad sense, injection is an entire category of attacks, of which Cross Site Scripting (XSS), SQL Injection and others are specific members. All of them rely on feeding malicious content into a web application so that attacker-supplied data ends up being executed or interpreted as code: as script by the victim's browser in the case of XSS, as SQL by the database in the case of SQL Injection. Let us briefly go through the attacks that fall within the scope of injection.
Cross Site Scripting (XSS)
Let’s consider a couple of examples in order to get a better understanding of how XSS attacks can be perpetrated.
In our first example, the attacker crafts a URL as follows and sends it to the victim:
When the victim loads the above URL in the browser, the script embedded in it runs as part of the vulnerable page and an alert box saying "attacked" is displayed. In this example no real harm is done beyond the annoying pop-up, but it shows that whatever the attacker places in that parameter runs in the victim's browser with the same privileges as the site's own scripts, which is what makes the technique damaging.
Now consider a second example. Here the attacker changes the target URL of the "Click to Download" link. Instead of the link pointing at the "xssattackexamples.com" website, the attacker redirects it to "not-real-xssattackexamples.com" by crafting the URL as shown below:
What is happening here is that the injected function is registered to run on "window.onload". Since the page (index.php) echoes the given name first and only then draws the link, a script that modified the link directly, in the form shown below, would not work: it would execute before the link's tag had been echoed, so there would be nothing to modify yet. Waiting for the load event defers the modification until the whole page, link included, exists.
The victim has no easy way to tell that the URL has been tampered with, since the script is buried in the query string, so it is quite likely that he or she will follow the link.
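The following is an added example, not code from the original article. It is a stand-in for the index.php described above: a page that echoes the "name" parameter and then draws the "Click to Download" link, beside a hardened version that HTML-encodes the value. The payloads, the link's id attribute and the file path are constructed for the demonstration; the script prints the URL an attacker would send and the HTML each version would return for it.

```php
<?php
// Added example (not from the original article). Run from the CLI:
//   php xss_demo.php
// It prints, for a benign name and for constructed attack payloads, the URL the
// attacker would send and the HTML the vulnerable and hardened pages would emit.

// Vulnerable: the name is written straight into the HTML before the link is drawn.
function render_vulnerable(string $name): string
{
    $html  = "<html><body>\n";
    $html .= "<p>Hello, " . $name . "</p>\n";   // unescaped user input: the XSS sink
    $html .= "<a id=\"dl\" href=\"http://xssattackexamples.com/file.zip\">Click to Download</a>\n";
    $html .= "</body></html>\n";
    return $html;
}

// Hardened: the untrusted value is HTML-encoded for the element-content context it lands in,
// so '<', '>', '&' and quotes become entities and the browser never sees a <script> tag.
function render_safe(string $name): string
{
    $safe  = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html  = "<html><body>\n";
    $html .= "<p>Hello, " . $safe . "</p>\n";
    $html .= "<a id=\"dl\" href=\"http://xssattackexamples.com/file.zip\">Click to Download</a>\n";
    $html .= "</body></html>\n";
    return $html;
}

// Constructed payloads, as they arrive in $_GET['name'] after the browser decodes the URL.
$payloads = [
    'benign'          => 'Alice',
    // Example 1 from the text: a harmless but visible alert box.
    'alert'           => '<script>alert("attacked")</script>',
    // Example 2: the link is drawn after the name, so the script waits for window.onload
    // before touching the <a> element; by then it exists in the DOM.
    'retarget-onload' => '<script>window.onload=function(){document.getElementById("dl").href="http://not-real-xssattackexamples.com/";}</script>',
    // The direct form does NOT work: it runs before the <a> is echoed, getElementById
    // returns null, and the browser throws a TypeError instead of changing the link.
    'retarget-direct' => '<script>document.getElementById("dl").href="http://not-real-xssattackexamples.com/";</script>',
];

foreach ($payloads as $label => $name) {
    // The crafted URL: the payload is percent-encoded so it survives as one query parameter.
    echo "=== $label ===\n";
    echo "attacker URL: http://xssattackexamples.com/index.php?name=" . rawurlencode($name) . "\n";
    echo "--- vulnerable output ---\n", render_vulnerable($name);
    echo "--- hardened output ---\n", render_safe($name);
}
```

htmlspecialchars is the right encoder only for text placed between tags; a value written into an attribute, a URL or a JavaScript string needs encoding for that context, and PHP's echo of raw request data anywhere in the page is the pattern to hunt for.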
SQL Injection
SQL Injection attacks are both extremely common and extremely damaging, and they are associated with web applications that interact with a database. They exploit the absence of input validation and of any separation between code and data in the query: an attacker supplies specially crafted input that the application splices into an SQL statement, causing the database to run a query it was never meant to and thereby read, modify or delete data. The input typically comes from untrusted sources such as search boxes and web forms.
For example, the user enters the following credentials:
The query will then simply search the users table for a row whose username is "admin" and whose password is "admin123"; if such a row exists, access is granted. So what can an attacker do to get into the "admin" account? He uses the following username and password:
What does the query do now? Let us substitute these values into it.
The query still looks for the username 'admin' in the name column, but the password field is no longer compared against a plain string: the single quote in the input closes the password literal, and the rest of the input becomes part of the SQL itself, so the database sees the comparison 'x'='x' as a condition in its own right.
That condition is true for every row, so the WHERE clause is satisfied regardless of the real password, the query returns the admin row, and the application grants access.
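The following is an added example rather than the article's own code. It builds the login query above by string concatenation, shows what the database actually receives for a few constructed inputs, and runs the same check through a prepared statement, where the quote in the input can only ever be compared, never parsed. The table, the sample account and the payloads are all constructed; it assumes PHP with the pdo_sqlite extension and uses an in-memory database so it runs offline.

```php
<?php
// Added example (not from the original article). Run from the CLI:
//   php sqli_demo.php
// Requires the pdo_sqlite extension; everything lives in an in-memory database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)");
// Constructed sample account. The password is stored in clear only to mirror the
// article's query; a real application stores password_hash() output instead.
$db->exec("INSERT INTO users VALUES ('admin', 'admin123')");

// Vulnerable: user input is spliced into the SQL text, so quotes in the input
// become part of the query's grammar rather than part of a value.
function login_vulnerable(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT * FROM users WHERE username='$user' AND password='$pass'";
    echo "  query sent : $sql\n";
    return $db->query($sql)->fetch() !== false;
}

// Hardened: the query text is fixed and the values travel separately as bound
// parameters, so the database never interprets them as SQL.
function login_safe(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pass]);
    return $stmt->fetch() !== false;
}

// Constructed login attempts: [username, password].
$attempts = [
    'real credentials'      => ['admin', 'admin123'],
    'wrong password'        => ['admin', 'guess'],
    // Tautology: the quote closes the password literal and "OR 'x'='x'" is true for
    // every row, so the WHERE clause passes without knowing the password.
    'tautology in password' => ['admin', "x' OR 'x'='x"],
    // "--" starts an SQL comment in SQLite (and most engines): the password check
    // is commented out of the query entirely.
    'comment in username'   => ["admin'-- ", 'anything'],
];

foreach ($attempts as $label => [$user, $pass]) {
    echo "$label\n";
    printf("  concatenated: %s\n", login_vulnerable($db, $user, $pass) ? 'ACCESS GRANTED' : 'denied');
    printf("  prepared    : %s\n", login_safe($db, $user, $pass)       ? 'ACCESS GRANTED' : 'denied');
}
```

Run it and the concatenated query grants access for the two injected inputs while the prepared statement denies both, because the bound value "x' OR 'x'='x" is compared as a whole string against the password column. Escaping functions are a weaker substitute for parameters, since they must be applied correctly at every sink and depend on the connection's character set.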
As is commonly said, security is not a product but a process: developers should back careful coding with security tooling and regular testing to keep their web applications robust and free of such loopholes.