This document lists possible security threats to a Web application, with an explanation of each and the preventive measures against it.
- Footprinting
- Scanning
- SQL injection
- File Upload
- Session Hijacking and Session fixation
- Remote file inclusion
- XSS
- eval()
- Cross-Site Request Forgery (CSRF)
- Clickjacking
- Parameter Tampering
The following free tools scan a system and list potential threats, based on the coding practices used in the software and on the server configuration.
- Vega
- OWASP ZAP
- XSSer, BeEF and sqlmap - test for XSS, script injection and MySQL injection
- Disable certain usernames from being used, such as 'test', 'test123', 'admin' and 'root'.
- Use automated test code (e.g. PHP QuickCheck).
- Be mindful while creating the project structure. Make sure to put the upload directory outside of the web root to prevent public access.
- Use a package or library available on packagist.org instead of creating a new one.
- Maintain a user login table (login date, time, IP).
- Run the manual test at regular intervals or after a significant update.
- Disable unused PHP functions (e.g. shell_exec, system, passthru) through the disable_functions directive in php.ini, for performance and security.
- Put a .htaccess with the following content in the upload directory to prevent the execution of PHP files; instead, the file will be offered for download:
  php_flag engine off
- Always set the permissions of uploaded files to a minimum, non-executable mode (0644).
- Scramble uploaded file names and extensions.
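The following PHP is an added example, not code from the original page, showing the upload measures above applied together: the file is stored outside the web root, its type is decided from its bytes rather than from the client-supplied name, it gets a random name with a server-chosen extension, and it is written with mode 0644. The directory path, the allow list and the function names (UPLOAD_DIR, ALLOWED_TYPES, storeUpload, sendUpload) are this example's own assumptions.

```php
<?php
// Added example (not from the original page): store an upload outside the web root,
// with a scrambled name and non-executable permissions, and serve it back as a download.
// UPLOAD_DIR, ALLOWED_TYPES, storeUpload() and sendUpload() are illustrative names.
declare(strict_types=1);

// Directory that is NOT under the web root; files here are reachable only via sendUpload().
const UPLOAD_DIR = '/var/www/uploads';

// Allow list: MIME type sniffed from the content => extension the server will assign.
const ALLOWED_TYPES = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

const MAX_BYTES = 5 * 1024 * 1024; // 5 MiB

/**
 * Store one entry of $_FILES. Returns the stored file name (not a path) so the
 * caller can record it in the database next to the owning user.
 *
 * @param array{name:string,type:string,tmp_name:string,error:int,size:int} $file
 */
function storeUpload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Refuse anything that did not arrive through PHP's own upload handling.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Decide the type from the bytes, never from $file['name'] or $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Unsupported file type');
    }

    // Scrambled name: random hex, no trace of the original name or extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move upload');
    }
    // Minimum permissions: owner read/write, everyone else read only, nobody executes.
    chmod($dest, 0644);

    return $name;
}

/**
 * Serve a stored file by its scrambled name. Because the directory is outside the
 * web root, this function is the only way to reach the file and PHP never runs it.
 */
function sendUpload(string $name, string $downloadName): void
{
    // Accept only names in exactly the form storeUpload() produces; this rejects "../" and friends.
    if (!preg_match('/^[0-9a-f]{32}\.[a-z0-9]{1,5}$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    // Keep the user-facing name to a safe character set before echoing it in a header.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', $downloadName) ?: 'download';

    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage, e.g. in the form handler:
//   $stored = storeUpload($_FILES['document']);   // save $stored in the DB with the user id
// and in download.php:
//   sendUpload($_GET['f'] ?? '', 'report.pdf');
```

Keeping the directory outside the web root is the measure that holds regardless of how PHP is run: the `php_flag engine off` line in .htaccess is only understood when PHP runs as the Apache module (mod_php) and has no .htaccess equivalent under PHP-FPM, so treat it as a second layer rather than the only one.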
Hidden PHP scripts such as c99, c99madshell and r57, which bypass all authentication and give an attacker access to the server on demand, are called PHP backdoor scripts. They grant almost every capability: downloading and uploading files, and controlling the server, the database and the mail server.
To prevent this, follow all the preventive measures above and search your server for those scripts from time to time.
# Known backdoor family names, case-insensitive, recursively under the web root
grep -iR 'c99' /var/www/html/
grep -iR 'r57' /var/www/html/
# Same search restricted to .php files (-print0/-0 keeps odd file names intact)
find /var/www/html/ -name \*.php -type f -print0 | xargs -0 grep c99
# Functions commonly used by backdoors, with file name and line number
grep -RPn "(passthru|shell_exec|system|base64_decode|fopen|fclose|eval)" /var/www/html/
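The last grep above also matches every legitimate fopen() or system() call in the code base. As an added example, not from the original page, the PHP CLI script below narrows the search: it reports only lines where a code or command sink is fed by request data or by a decoding function (a common obfuscation pattern), plus the c99/r57 family markers, and it skips Composer's vendor/ tree. The function names scanLines() and scanTree() and the rule names are this example's own, and the sample lines are constructed for the self-check, not taken from a real backdoor.

```php
<?php
// Added example (not from the original page): a CLI scanner that refines the grep
// searches above. scanLines(), scanTree() and the rule names are this example's own.
declare(strict_types=1);

// Functions that execute PHP code or shell commands.
const SINK = '(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|create_function)';

// Each rule is a name => regular expression applied to one source line.
const RULES = [
    'request-data-into-sink'    => '/\b' . SINK . '\s*\(.*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b/i',
    'decoded-payload-into-sink' => '/\b' . SINK . '\s*\(.*\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(/i',
    'known-backdoor-marker'     => '/\b(?:c99|c99madshell|r57)\b/i',
];

/**
 * Apply RULES to an array of source lines; return one finding per (line, rule) hit.
 * @param string[] $lines
 * @return array<int, array{line:int, rule:string, text:string}>
 */
function scanLines(array $lines): array
{
    $findings = [];
    foreach ($lines as $i => $text) {
        foreach (RULES as $rule => $regex) {
            if (preg_match($regex, $text) === 1) {
                $findings[] = ['line' => $i + 1, 'rule' => $rule, 'text' => trim($text)];
            }
        }
    }
    return $findings;
}

/**
 * Walk $root, scanning .php/.phtml files and skipping vendor/, which is full of
 * legitimate sink calls and is better checked against a fresh `composer install`.
 * @return array<int, array{file:string, line:int, rule:string, text:string}>
 */
function scanTree(string $root): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile() || !in_array(strtolower($file->getExtension()), ['php', 'phtml'], true)) {
            continue;
        }
        $path = $file->getPathname();
        if (str_contains($path, DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR)) {
            continue;
        }
        $lines = file($path, FILE_IGNORE_NEW_LINES);
        if ($lines === false) {
            continue;
        }
        foreach (scanLines($lines) as $hit) {
            $findings[] = ['file' => $path] + $hit;
        }
    }
    return $findings;
}

// Constructed sample (not a real backdoor): lines 3 and 4 should fire, the others should not.
const SAMPLE = [
    '<?php',
    '$fh = fopen("/tmp/app.log", "a");',                  // legitimate: no finding
    'system($_GET["cmd"]);',                              // request-data-into-sink
    'eval(base64_decode($payload));',                     // decoded-payload-into-sink
    'echo htmlspecialchars($name, ENT_QUOTES, "UTF-8");', // legitimate: no finding
];

if (PHP_SAPI === 'cli') {
    // With a directory argument scan it; without one, run the built-in sample.
    $findings = isset($argv[1]) ? scanTree($argv[1]) : scanLines(SAMPLE);
    foreach ($findings as $f) {
        printf("%s:%d [%s] %s\n", $f['file'] ?? '(sample)', $f['line'], $f['rule'], $f['text']);
    }
    exit($findings === [] ? 0 : 1);
}
```

Run it as `php scan.php /var/www/html` from cron or after a deployment; a non-zero exit code means there is something to look at. Treat each hit as a lead to read in context rather than as proof of compromise, and extend RULES as new families or encodings turn up, since the grep list on the page is only a starting point.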
Follow the OWASP secure coding practices and use their testing checklist to check for any vulnerabilities (https://www.owasp.org).
PHPSC (http://phpsec.org/) is a group of PHP experts dedicated to promoting secure programming practices within the PHP community. Members of the PHPSC seek to educate PHP developers about security through a variety of resources, including documentation, tools and standards.