All geek questions in one place

Dynamic Website Security Issues (PHP + MySQL)

I am writing a dynamic site running PHP and MySQL (to run on the WAMP server). My current concerns are about site security, however it does not contain any user input, which is then saved and then output to all users (except admins), so I'm not really worried about XSS. My main concerns are with SQL injection attacks and protecting the admin login portal due to rainbow tables / forced formatting.

1) Does mysql_real_escape_string in combination with sprintf () protect you from SQL injection? eg.

$thing = mysql_real_escape_string($_REQUEST['thing']) $query = sprintf("SELECT * FROM table WHERE thing='%s'", $thing); $result = mysql_query($query);

How safe is it? Of course, no system is absolutely safe, but I know that a prepared statement should be the best way to protect against SQL injection. However, if my code is “safe enough,” I see no reason to change. I read somewhere that mysql_query allows by default a single MySQL query to call for security reasons, right? If so, I don’t see how any injections can be made in my code, but please let me know if there is a flaw in my logic.

2) I am writing an administrative portal for a site so that its owners can easily manipulate the MySQL database on the website (from an HTML file for logging in which is not connected anywhere on the website). My security concern here is the two-page login process. First, collecting user login information:

 <!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <title>Admin Portal</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="robots" content="noindex, nofollow"> <link rel="stylesheet" type="text/css" href="http://www.anotherdomain.com/my.css"> <script type="text/javascript" src="http://www.anotherdomain.com/my.js"></script> </head> <form method="post" action="admin/login.php"> <table align="center"> <tr><th>Admin Login Form</th></tr> <tr><td>Name</td><td><input type="text" name="Name" size="30" onKeyPress="return aJSFunctionToStopEnterKeyFromWorking(event)"></td></tr> <tr><td>Password</td><td><input type="password" name="Password" size="30" onKeyPress="return aJSFunctionToStopEnterKeyFromWorking(event)"></td></tr> <tr><td></td><td><input type="reset" value="Clear Form"> <input type="submit" value="Login"></td></tr> </table> </form>

Secondly, the actual login script:

 <?php $inputusername = $_POST['Name']; $inputpassword = $_POST['Password']; $username = "a username that is not obvious"; $password = "a password that is at least 10 characters long"; $salt = hash('sha512', "a messed up string with weird characters that I wrote"); $hashword = hash('sha512', $password . $salt); $inputhashword = hash('sha512', $inputpassword . $salt); if($username == $inputusername && $hashword == $inputhashword) { session_start(); $_SESSION['valid'] = 1; header('Location: portal.php'); exit; } else {echo "Invalid username or password";} ?>

And then after the process of entering the page, each page will have the following to ensure that the administrator is registered:

 <?php session_start(); if(!$_SESSION['valid']) {header('Location: ../admin.html');} ?> Portal page goes here

Since there are no new users, there will be only one user for the portal. I'm just wondering how secure this login method is against attacks such as rainbow tables and brute force? I assume that since I made the hash word and the salt is very large, it should be safe from such attacks, even if the username was somehow known.

I am also wondering if it is safe from hijacking a session, as it is a term that I have heard, but I know little about it ... I know that I never throw a session id or something like this, so it seems pretty safe.

3) Any other security issues that I should know / think about?

I really appreciate any help I get from this!

+4
source share
5 answers

Other points to consider:

1. You are vulnerable to bruteforce

A dictionary attribute will crack your password. Since the vast majority of users have an insecure password, this is only a matter of time. Use captcha or invalid entries. Or add a delay when the password is incorrect.

As Colonel Shrapnel said, the rainbow table does not bother you because they are used when someone has a bunch of hashes and they want to crack them. Salt is used to get some protection from the rainbow table, and this is not your case.

2. You send clear text passwords

If someone sniffs your username (for example, wifi), you are doomed. There are some javascript libraries out there that can encrypt anything using public keys. If you do not want to use SSL, encrypt the login / password, send it to the server, decrypt it using the private key, and you will be safer.

3. Consider using prepared MySQL statements

Using prepared statements helps in SQL injection, since it can safely work even with malicious input:

 $dbc = new mysqli("mysql_server_ip", "mysqluser", "mysqlpass", "dbname"); $statement = $db_connection->prepare("SELECT * FROM table WHERE thing='?'"); $statement->bind_param("i", $thing); $statement->execute();

4. Do not allow client side validation

In your login form, you pass the javascript function, preventing the Enter-key function. What if I turn off Javascript? You can use a hidden field (for example, <input type = 'hidden' name = 'FormIsValid' value = '0'>), use your function to prevent key entry and use the onSubmit () function to change FormIsValid to 1 before submitting the form. On your server, check out FormIsValid.

5. You are vulnerable to session hijacking

Your session is saved in the default cookie named PHPSESSID. If an attacker can get this cookie, he can send it to your server and steal your session. To prevent it, you can save the IP address of the user and the user agent in the session and compare the value received from the session with each request. If the values ​​do not match, the user IP address may be changed or the session may be hacked.

6. You may be vulnerable to commit session

As stated above, if someone convinces your administrator to access a certain site, and this site sends a request to your site using PHPSESSID upon request, your site will create a session, process the login / password and indicate that the credentials are incorrect. Not bad so far.

Later, your administrator will log into your portal, the session already exists, the username and password match, and the session is UPDATED. Now the actual variable is 1.

Once the variable is updated, the attacker has full access to your portal, since he knows the PHPSESSID, your site does not prevent session capture or session fixation.

To avoid session fixation and hijacking, see No. 5.

+1
source

1) Does mysql_real_escape_string in combination with sprintf () protect you from SQL injection?

So far 1) you apply this function only to strings and 2) the correct encoding is specified using mysql_set_charset() .
For numbers you can just use %d

I read somewhere that mysql_query allows by default a single MySQL query to call for security reasons, is this correct?

You're right. Not much for security, but more likely by design.

If so, I don’t see how any injections can be made in my code, but please let me know if there is a flaw in my logic here.

You are wrong. SQL injection means injecting SQL code into your query, not just a single "bobby drop tables" query.

I'm just wondering how secure this login method is against attacks such as rainbow tables and force formatting?

Rainbow tables have nothing to do here, while cruel coercion is still a danger.
I do not think this is very important. No more than sending a password in plain text.

I assume that since I made the hash word and the salt is very large, it should be completely safe

An interesting point here. In fact, all that hashing / salting mess here is completely useless. This is no more secure than simply comparing simple passwords.

I am also wondering if this is safe from hijacking a session,

there is always an opportunity. If you are so worried, use an SSL connection, such as Google Mail.

therefore I am not very worried about XSS.

This is a pretty false feeling.
as simple as echo "Requested article: ".$_GET['id']' thing is already vulnerable.

0
source

Others seem to have chosen this separately. But I have one more to add:

Authentication Bypass:

 <?php session_start(); if(!$_SESSION['valid']) {header('Location: ../admin.html');} ?>

When you execute header("location: ...") script is executed, you still need exit or die() . Thus, in fact, with this bit of code, I know that all of your pages can be accessed by unauthorized users .

0
source

Additional improvements:

Check the type of your parameters before that you quote them into something. (Excluding text search. This requires a bit more). A missing value can cause an SQL error in which attackers can learn;)

Put an anti-csrf token on your login page and sleep after a failed login to prevent bruteforce attacks.

Login via https . Via http, you click clear passwords through the network. An ideal person in a medium attack scenario (but it is rather difficult to do).

Check if the encoding is correct. There are some UTF-7 attacks that use Japanese multibyte characters that have one byte as the second byte. (This is possibly breaking mysql_real_escape_string). Veeery is tricky.

Use prepared statements

0
source

just to add to this, you can use a good infrastructure like codeigniter .. even though it is not completely safe .. it helps in solving some problems that you cannot take into account ..: d

0
source

Source: https://habr.com/ru/post/1347938/

More articles:


All Articles