2
I’m having a problem with a recent work, where I was asked about the security of a site in PHP developed. The same suffered several attacks of brute force this last week, and the responsible for the project questioned me if I used includes, and if yes, that this should be exchanged for autoloaders, because via includes, it is possible to break proxy flows (?) and discover the directories of several files, making the application vulnerable.
As I am totally uneducated on some of the more advanced security issues, I would like to know to what extent this is happening. I use autoloaders for loading classes and dependencies, but for my templates/views (headers, footers, common content between pages), I always used includes and requires, and I never had problems of this magnitude. If this gap really proceeds, how to use autoloader in my example below? For me, it makes no sense.
An example:
<!DOCTYPE html>
<html class="no-js" lang="pt-br">
<head>
<?php include_once("referencias.php"); ?>
<title>Site</title>
</head>
<body id="home" itemscope itemtype="http://schema.org/WebPage">
<?php include_once("header.php"); ?>
<main>
...
</main>
<?php include_once("footer.php"); ?>
<?php include_once("referencias-footer.php"); ?>
</body>
</html>
I don’t see how a scan attack can be made. This type of attack only works if the programmer does something like
include_once($_GET['file']);.On the other hand there are many reports of breaches in autoloaders– Augusto Vasques
Now you have to review the security settings on the HTTP server. If you are experiencing repeated attacks it may be because they found something.
– Augusto Vasques
Yes, I am reviewing several things like sanitization, validations, csrf, ips blocking, crowlers, etc. But this particular point caught my attention because I had never heard anything about it
– Maykel Esser