What types of attacks can I suffer with global variables and how to prevent

10

Thinking about creating a secure login and registration system, I want to take some measures. As I’ve been reading, I have noticed several errors I committed, mainly regarding global variables:

http://php.net/manual/en/language.variables.superglobals.php

For example: I always validated my superglobal variables, but only the GET and POST ones; I didn’t worry so much about COOKIE, SESSION and SERVER.

After asking a question, the number of errors I made dropped.

I was mainly concerned with SQL injection; now I know that using PDO (prepare, bindValue) solves this problem.

Another type of attack I was very vulnerable to is XSS:

I have never handled global variables like SERVER, SESSION and COOKIE; for GET and POST I use strip_tags(). To prevent this type of attack I notice many people using the following functions:

strip_tags, addslashes and htmlspecialchars

But I noticed that some sites do not use addslashes. Is it necessary or not to prevent XSS?

I know there are several other types of attacks, but when it comes to the superglobal variables, what kinds of attacks besides the ones mentioned above do I have to prevent? And which PHP functions do I have to use to prevent each attack?

2 answers

4

The best way to avoid this type of problem is to define well the domain of values you expect for a given field and validate against that domain. Do this with all values that come from the user.

For example: a user’s "Name" field: a person’s name may contain a-z characters plus accents and perhaps an apostrophe ('). You can use regular expressions to do this kind of validation.

If you are using prepared statements, there is no need to worry about SQL injection unless you use variables for table names or anything else that is not a bound parameter.

The XSS issue is mainly about not allowing the system to execute code from the user. The most common way is for the user to send JavaScript, in which case you can use htmlspecialchars or strip_tags. It is important to remember that in some places of your system you may want the user to enter HTML, so if you apply htmlspecialchars to every input the user makes, it is useful to have a way to disable this for specific cases.

Another XSS attack vector is the execution of PHP code; it is good to be especially careful if you use the function eval or preg_replace. The data passed to these functions can be executed by PHP or even by the operating system, so one should be careful to limit the value domain that comes from the user when using these functions. It is better to avoid using them.

A problem that was once quite common in PHP but nowadays is rare is the register_globals directive, which basically made $_POST['variavel'] the same as $variavel. It is good to take a look at the PHP configuration to make sure that this directive is disabled.

CSRF occurs when the user is logged in to your site and accesses a malicious site. That site makes "hidden" requests to your site that end up being made in the name of the logged-in user, for example to delete, change or steal data.

The most common method of preventing this is to generate a random token with the page, send it along with any request that accesses sensitive data, and check it before returning sensitive data or changing/erasing data. This is what you mentioned regarding $_SESSION.

Another way to mitigate this type of attack is by asking for a confirmation of the user’s password in more important operations or by adding a captcha.

  • In addition to those cited, I found CSRF, for which we can use a SESSION with a unique identifier that will be checked on the page that receives the POST, GET method, etc. There are other ways to prevent this attack...
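The four measures this answer describes (validating a field against its domain, bound parameters in PDO, htmlspecialchars at output, and a session token checked on every POST) put together in one added PHP example; this is not code from the question or the answers, and the $pdo connection, the users(id, name) table, the $_SESSION['user_id'] key and the form field names are assumptions:

```php
<?php
// Added example, not from the original answers. Assumes an existing PDO
// connection $pdo, a table users(id, name) and $_SESSION['user_id'] set at login.
declare(strict_types=1);
session_start();

// 1. Domain validation: a name is letters (accents included), spaces, apostrophe
//    or hyphen, with a length bound. Anything else is rejected, not "cleaned".
function validName(string $name): bool
{
    return preg_match('/^[\p{L} \'\-]{1,80}$/u', $name) === 1;
}

// 2. CSRF token kept in the session and compared in constant time.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfValid($token): bool
{
    return is_string($token) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $token);
}

$name = is_string($_POST['name'] ?? null) ? $_POST['name'] : '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('invalid request');
    }
    if (!validName($name)) {
        http_response_code(400);
        exit('invalid name');
    }
    // 3. Bound parameter: the value never becomes part of the SQL text.
    $stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
    $stmt->execute([':name' => $name, ':id' => (int) $_SESSION['user_id']]);
}
// 4. Encode at output time, not at input time, so the stored value stays
//    intact; ENT_QUOTES also covers the attribute context used here.
$safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="csrf" value="' . csrfToken() . '">'
   . '<input name="name" value="' . $safe . '">'
   . '<button>Save</button></form>';
```

Note that the raw value is stored and only encoded when rendered, which is the way to keep the "let the user enter HTML in some places" option the answer mentions.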

2

My dear,

Use a good development framework and you will have in your hands the solution to these and many other common problems.

Even with a framework you may be subject to XSS; in fact strip_tags is enough to solve it. You can create a standard Behavior that, in addition to formatting dates and money to our standard, clears text fields with strip_tags, for example.

A hug!
