PHP Security
************
In a small-scale application, traffic and the number of requests are very low, so it will never attract the interest of a hacker to perform
any attack on your application.
But on enterprise application(s):
Billing: 5 Lakh
No. of days: 20 days
hacker :
Now consider a banking application which processes millions
of requests per second; in that case the site is very prone to hackers.
If your application has millions of requests per second or per minute, congratulations, you are in the sights of hackers.
Your application must be protected against the common attacks.
1. Common skill set
   1. XSS attack
   2. CSRF attack
   3. SQL injection
   4. De-hashing :: decrypting the hash
      (hash: an alphanumeric string derived from any data, and this hash is unique to that data)
   5. Brute-force attack
   6. Session hijacking
   7. Click-jacking
2. Forensic tools [paid tools] (OWASP)
XSS attack:: The hacker will inject some piece of code
(HTML, JavaScript, PHP script, Python; generally a scripting
language) and the application will start executing the script. Such an attack
can be used to manipulate the behaviour of the application.
XSS filtering or prevention::
can be done by sanitising the input fields.
Write a program to make a sanitise function.
In normal coding:
<?php
// Request handler: every POST value goes through sanitise() before it is used or echoed.
function post($arg) {
    return sanitise($arg);
}

// Sanitisation
function sanitise($arg) {
    $arg = trim($arg);                               // drop leading/trailing whitespace
    $arg = strip_tags($arg);                         // remove HTML and PHP tags
    $arg = htmlentities($arg, ENT_QUOTES, 'UTF-8');  // encode & < > " ' and other special characters
    // htmlentities() already covers everything htmlspecialchars() escapes;
    // calling both back to back would double-encode '&' into '&amp;amp;'.
    return $arg;
}
Session hijacking::
In this attack the hacker will try to steal the session of a user
and pretend to be the real user.
Session hijacking is also called session fixation (fixing the session).
Prevention:
session_regenerate_id()
A new session ID will be created.
On GET requests the session ID will remain the same;
as soon as some POST request is fired,
regenerate the session.
1. dashboard       :: sess_qwerty1u2i34o56p789 [stolen by hacker]
2. login           :: sess_qwerty1u2i34o56p789 [stolen by hacker]
3. product         :: sess_qwerty1u2i34o56p789 [stolen by hacker]
4. view-order      :: sess_qwerty1u2i34o56p789 [stolen by hacker]
5. change password :: sess_qwerty1u2i34o56p789 [stolen by hacker]
   session_regenerate_id(), logout
6. payment ::
   session_regenerate_id()
7. transaction ::
   session_regenerate_id()
3. Brute-force Attack::
***********************
Consider a Login Form :
Login Here
-------------
Enter the Login :________________
Enter the Password :______________
Enter the Captcha :_____________
[submit]
Response: Invalid user name and password
Server request handling capacity
Form handler (PHP; $pdo is an assumed PDO connection, and the two values are bound as parameters instead of being pasted into the SQL string):
$email = $_POST['email'];
$pass  = $_POST['pass'];
$stmt  = $pdo->prepare("select * from tbl_login where email = :email and password = :pass");
$stmt->execute([':email' => $email, ':pass' => $pass]);
$user  = $stmt->fetch();
Problem :: if a captcha is not used, the hacker can use a script (or bot) which duplicates the tab, for example into 100 tabs,
and submits the same username and password (or different ones)
in a single burst. In case the server cannot respond to each request:
requests  100/second
responses 1/second
hence the server will collapse.
Prevention:: use a captcha.
What will happen:: it will generate a new captcha for each request, which needs to be solved before the form is submitted.
Captcha full form::
**********************
Completely Automated Public Turing test to tell Computers and Humans Apart
Types of captcha
1. Text captcha :
   Disadvantage
   --------------
   Loophole :: text captcha can be copied and pasted
   Logical ability required: zero
   Advantage
   ----------
   Numbers and alphanumeric characters can be used
2. Maths captcha :
   Advantage
   ------------
   Text cannot be copied (though a bot can still solve
   the simple expression)
   Logical ability required is high
   Disadvantage
   -------------
   Only numbers can be used
3. Image captcha :
4. Puzzle captcha :: Google reCAPTCHA v2, v3
Captchas can range from easy to very complex;
they can be made harder by increasing the font size, mixing different colours and shades, and jumbling the
words.
It is recommended to go for an alphanumeric string set.
For an alphanumeric string we have to make a predefined set to use,
for example:
fd45Sx
Write a function to give an alphanumeric character string for the captcha.
****************************
Steps to make an image captcha
****************************
1. Download the captcha font
   and make sure the font has the .ttf extension (TrueType font).
2. Place the font in the same directory from which captcha is
   loaded.
3. Make a file called captcha.php.
Note:: Images in PHP are generated using the GD library
(Graphic Driver Library), which is pre-installed in the PHP package.
How to check
*************
open phpinfo()
or open a command prompt and run:
php -m
The GD library may be uninstalled or may not be enabled,
so make sure you uncomment the GD library extension in php.ini:
;extension = gd2   # remove the semicolon
Now we need computer graphics in vector form and raster
form.
Refer to the following diagram.
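Putting the "write a function for the alphanumeric captcha string" task and the image-captcha steps together, here is an added example of captcha.php (not from the original notes): it builds the string from a predefined character set with random_int(), keeps it in the session for the form handler to check, and draws it with the GD functions. It assumes the downloaded TrueType font is saved as captcha.ttf beside the script.

```php
<?php
// captcha.php: alphanumeric captcha string drawn with GD (added example).
// Assumes the downloaded TrueType font is saved as captcha.ttf next to this file.

// Predefined character set; 0/O and 1/l/I are left out because users confuse them.
const CAPTCHA_CHARSET = '23456789abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ';

// Return a random alphanumeric string of $length characters, e.g. "fd45Sx".
function captcha_string(int $length = 6): string {
    $chars = CAPTCHA_CHARSET;
    $max   = strlen($chars) - 1;
    $out   = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $chars[random_int(0, $max)]; // CSPRNG; rand()/mt_rand() are predictable
    }
    return $out;
}

// Render $text as a 160x50 PNG: white background, noise lines, and each glyph in its
// own colour, size and tilt (the font/colour/shade mixing described above).
function captcha_image(string $text, string $fontFile): void {
    $img = imagecreatetruecolor(160, 50);
    imagefilledrectangle($img, 0, 0, 159, 49, imagecolorallocate($img, 255, 255, 255));
    for ($i = 0; $i < 8; $i++) {
        $shade = imagecolorallocate($img, random_int(150, 230), random_int(150, 230), random_int(150, 230));
        imageline($img, random_int(0, 159), random_int(0, 49), random_int(0, 159), random_int(0, 49), $shade);
    }
    $x = 12;
    for ($i = 0, $n = strlen($text); $i < $n; $i++) {
        $col = imagecolorallocate($img, random_int(0, 90), random_int(0, 90), random_int(0, 90));
        imagettftext($img, random_int(18, 24), random_int(-20, 20), $x, random_int(32, 40),
                     $col, $fontFile, $text[$i]);
        $x += 22;
    }
    header('Content-Type: image/png');
    imagepng($img);
    imagedestroy($img);
}

session_start();
$code = captcha_string(6);
// The form handler compares with hash_equals($_SESSION['captcha'], $_POST['captcha'])
// and unsets the session value afterwards so each captcha can be used only once.
$_SESSION['captcha'] = $code;
captcha_image($code, __DIR__ . '/captcha.ttf');
```

Point an <img src="captcha.php"> at this script from the login form; because the expected value lives only in the server-side session, the bot in the brute-force scenario above cannot read it from the page.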