How to develop secure PHP applicatons

Want to secure your PHP web applications. But How? We have been developing PHP applications since last 10 years, but what still disappoints us is the way people handle PHP language. We often come across incidents when one or more of online web applications has been hacked or data has been stolen. Since majority of websites is made in PHP on web, this goes on to create an image that PHP applications are not secure which is totally wrong and unacceptable. Because of this, there were times when we faced strict opposition from client saying that they don’t trust PHP apps  rather they prefer java or dot net apps when it comes to security.

What we have realized is that Security of web applications is not exactly a PHP language issue. Its more of a server configuration and coding standards issue.  Once the developer company takes care of few necessary security guidelines, you can rest assured that your applications are secure enough to withstand common hacking attacks.  Lets first start with understanding what exactly is Security?

What Is Security?

  • Security is a measurement, not a characteristic.It is unfortunate that many software projects list security as a simple requirement to be met. Is it secure? This question is as subjective as asking if something is hot.
  • Security must be balanced with expense.It is easy and relatively inexpensive to provide a sufficient level of security for most applications. However, if your security needs are very demanding, because you’re protecting information that is very valuable, then you must achieve a higher level of security at an increased cost. This expense must be included in the budget of the project.
  • Security must be balanced with usability.It is not uncommon that steps taken to increase the security of a web application also decrease the usability. Passwords, session timeouts, and access control all create obstacles for a legitimate user. Sometimes these are necessary to provide adequate security, but there isn’t one solution that is appropriate for every application. It is wise to be mindful of your legitimate users as you implement security measures.
  • Security must be part of the design.If you do not design your application with security in mind, you are doomed to be constantly addressing new security vulnerabilities. Careful programming cannot make up for a poor design.

That being said you can however start securing your php applications by securing you server environment first.

Secure Your PHP Server Settings:

STEP 1:

First step is to check whether these settings has been enabled or not. If not try setting the options as per below guidelines.

Parameter Description
safe_mode = On Enabling safe_mode parameter ensures that PHP scripts are able to access files only when their owner is the owner of the PHP scripts. This is one of the most important security mechanisms built into the PHP. Effectively counteracts unauthorized attempts to access system files (e.g. /etc/paswd) and adds many restrictions that make unauthorized access more difficult.
safe_mode_gid = Off When safe_mode is turned on and safe_mode_gid is turned off, PHP scripts are able to access files not only when UIDs are the same, but also when the group of the owner of the PHP script is the same as the group of the owner of the file.
open_basedir = directory[:…] When the open_basedir parameter is enabled, PHP will be able to access only those files, which are placed in the specified directories (and subdirectories).
safe_mode_exec_dir = directory[:…] When safe_mode is turned on, system(), exec() and other functions that execute system programs will refuse to start those programs, if they are not placed in the specified directory.
expose_php = Off Turning off the “expose_php” parameter causes that PHP will not disclose information about itself in HTTP headers that are being sent to clients in responses to web requests (e.g., X-Powered-By: PHP/5.3.3)..
register_globals = Off When the register_globals parameter is turned on, all the EGPCS (Environment, GET, POST, Cookie and Server) variables are automatically registered as global variables. Because it can pose a serious security threat, it is strongly recommended to turn this parameter off (starting from the version 4.2.0, this parameter is turned off by default)
display_errors = Off If the display_errors parameter is turned off, PHP errors and warnings are not being displayed. Because such warnings often reveal precious information like path names, SQL queries etc., it is strongly recommended to turn this parameter off on production servers.
log_errors = On When log_errors is turned on, all the warnings and errors are logged into the file that is specified by the error_log parameter. If this file is not accessible, information about warnings and errors are logged by the Apache server.
error_log = filename This parameter specifies the name of the file, which will be used to store information about warnings and errors (attention: this file must be writeable by the user or group apache)

STEP 2:

In addition to the above settings, changing the file extension can be taken into account. Its quite possible for you to change the extension of files to be anything like asp, jsp, aspx. Such a change will make it difficult for any potential intruders to recognize the server-side technology that is being used. In order to change the extensions, all the *.php files should be renamed to *.jsp (for example), and the following line should be changed in /chroot/httpd/usr/local/apache/conf/httpd.conf:

[sourcecode language=”plain”]AddType application/x-httpd-php .php[/sourcecode]

to the new one:

[sourcecode language=”plain”]AddType application/x-httpd-php .jsp[/sourcecode]

Now web users will not see *.php extension in the URL address which is what immediately suggests that the PHP technology is being used at the server side.

STEP 3:

Protection against XSS and SQL Injection attacks

XSS and Sql injection attacks are another form of attacks which needs your attention. This can be secured by implementing the logging of the GET and POST payloads, and implementing protection against Cross-Site-Scripting and SQL Injection attacks. In order to perform that, you should  use the mod_security module, which can be enabled by adding the following line into httpd.conf:

[sourcecode]AddModule mod_security.c[/sourcecode]

To enable logging of the GET and POST requests, it suffices to add the following section to httpd.conf:

[sourcecode]
&<IfModule mod_security.c>
AddHandler application/x-httpd-php .php
SecAuditEngine On
SecAuditLog logs/audit_log
SecFilterScanPOST On
SecFilterEngine On
</IfModule>
[/sourcecode]

The above commands will enable the Audit Engine, which is responsible for logging requests, and the Filtering POST Engine, which will make it possible to log POST requests. In order to protect web application against XSS attacks, the following lines should also be inserted before “</IfModule>”:

[sourcecode]
SecFilterDefaultAction "deny,log,status:500"
SecFilter "<(.|\n)>"
[/sourcecode]

The first line causes that the server to return the “Internal Server Error” message when the request contains the search phrase from any SecFilter variable. The second line sets up the filter to search for HTML tags in the GET and POST requests.

One of the typical signatures of SQL Injection attack is the appearance of an apostrophe (‘) or quotation mark (“) in the GET or POST request. By rejecting all the requests containing those characters, we can make the use of SQL Injection technique very difficult:

[sourcecode]
SecFilter "’"
SecFilter "\""
[/sourcecode]

Note, that although filtering the <, >, ‘, ” characters lets us defend against XSS and SQL Injection attacks, it can lead to the improper functioning of the PHP application. It happens, because regular users cannot use those characters in the HTML forms. To solve that problem, the JavaScript language can be used on the client side, which should replace the prohibited characters with special tags, e.g. &lt; &gt; &quot; etc.

Achieving a high level of a web server’s security using server-side technologies (PHP, ASP, JSP, CFM etc.) is a very difficult task in practice. Improper use of interactions with a web server in any significant way decreases the web server’s security. That is why server-side scripts should only be used where it is absolutely necessary and should be used intelligently.

Of course, this article doesn’t complete the subject of securing the PHP technology. And although applying them can increase the level of security for your application, we cannot forget that the security of the whole environment depends not only on Apache’s or PHP’s configuration, but also and foremost – on the web application itself. Next article in this series will guide you with the best practices that should be done to ensure that your web applications becomes more secure than ever.
Stay Tuned in 🙂

Ashish
Ashish
Ashish is working as CTO at Ajoft Technologies, Involved in conceptualizing and creating new technology oriented software.

5 Comments

  1. Nico says:

    STEP 1:
    safe_mode is long deprecated and removed. Same for register_globals.

    STEP 2:
    Changing the file extensions won’t really help. Especially if you’re not setting expose_php to off. Also, I can see you’re running WordPress without even looking at the source code. And then there’s the X-Pingback header with an .php extension. And then there’s the “Server” header, which not only reveals the server software, but also the exact version, including components (mod_ssl, etc…).

    Oh yeah, and keeping this on the server doesn’t help either:
    http://www.ajoft.com/readme.html

    STEP 3:
    Rejecting data with quotes is not the solution. What if you run a comment box on your site or similar?

    And “To solve that problem, the JavaScript language can be used on the client side, which should replace the prohibited characters”…?

    Noooooo. Relying on JS for security is like ignoring it entirely.

  2. mangastream techscinet says:

    This is interesting post

  3. Johnk214 says:

    Hey very nice blog!! Man .. Beautiful .. Amazing .. I’ll bookmark your website and take the feeds alsoI am happy to find a lot of useful info here in the post, we need work out more techniques in this regard, thanks for sharing. . . . . . fegkcdeeddae

  4. Google says:

    I have read so many articles or reviews about the blogger lovers
    except this article is really a good paragraph, keep it up.

  5. google plus app for ipad says:

    Do you mind if I quote a few of your posts as long as I provide credit
    and sources back to your website? My website is in the exact same area of interest as yours and my users would really benefit from some of the information you provide here.
    Please let me know if this okay with you. Many thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *