Friday, February 15, 2013

Security Issues in PHP



Web applications are strongly influenced with the features of php, however in some cases some security issues still remain in the developed applications. Such issues may create blunders for the host of the application if its business is heavily dependent on web applications.
Modern days internet apps are heavily influenced with a variety of development technologies available to developers. These technologies allow programmers to quickly align their development approach according to the requirements of the application. php is one the most popular development and scripting language for web app development because of its simple syntax and programming approach. Various features of php like it's syntax, which does not require variable declaration, makes it a more friendly language over the others in the domain of web applications.
Even after being a programmer-friendly language, a number of issues are there in php which can cause serious security related threats in a web application. The effect of such a security hole can cause blunders to a business, if it is heavily dependent on a web application. Since we all know the advantages of PHP, some of the potential void areas in php development are:
Access Control: If certain confidential or crucial sections of an application are not secured properly, the access control issues arise in the web application. Taking an example, if normal user with non-administrative privilege logs in to the application and re-writes the URL of the web app to the address location of administrator, it's quite possible that the user can by-pass the administrator's log in section and gain the authority of the administrator without authenticating himself. Preventing the sensitive pages from hijacking can be practiced by placing them in a separate directory protected by the .htaccess file.
Session ID protection: Each time a user logs in his account, a session ID is assigned which identifies the user during the session. In a php based web application, hijacking of the session ID is a common problem where if session ID is known to an intruder, he can easily gain access to the user's session. This can be a problem in events like password reset, credit card authentication etc. In such circumstances, revalidating the user's credentials for highly sensitive actions is advised to protect the session from any hacking attempt.
Cross Site Scripting or XSS attempts: Another type of security issue that arises in a php application is the cross site scripting, malicious scripting codes which can modify the behavior of the web page. Crucial session information like session IDs, cookies information are passed to the hijacker, who can use it for unauthorized and unintended purposes and can cause harm to user's confidentiality. To prevent a web app from such type of attacks, the submission of HTML tags like "" should be prohibited.
Problem in error reporting: If the value of the display_error in the php.ini file is not set to "0" results of all the errors conditions, during the execution of the code, will be displayed in the user's browser. A technically sound user can gain advantage of knowing the internal functionality of the application by providing error causing or bad inputs in the application. Further, by knowing the execution procedure of the application, the attacker can find out the entry point in the system and can modify the behavior of the system according to his own choice.
As mentioned in the points discussed above that security issues are there in using php for web application development, however it does not nullify the scope of php as these issues can be tackled effectively by any experienced developer. The main intent of the discussion was to provide a glimpse of the possible threat areas in a php application and in order to check these conditions, an expert developer can make use of his knowledge to develop a secure application.

No comments:

Post a Comment

Popular Posts