Vulnerabilities

When we do coding then we should use some rules for coding, if we donot follow the standard rule then our site can be hack by hackers.
so beware of some Vulnerabilities.
(i) Cross Site Request Forgery(CSRF)
(ii) Cross Site Scripting(XSS)
(iii) Sql Injection
(iv) Password Management
(v) Session Management

Cross Site Request Forgery or CSRF is an attack that forces a malicious action to an innocent website.

A cross-site request forgery (CSRF) vulnerability occurs when:
1. A Web application uses session cookies.
2. The application acts on an HTTP request without verifying that the request was made with the user’s consent.

Imagine a Web application
that allows administrators to create new accounts by submitting this form:
[php]
<form method="POST" action="/new_user.php" name="usr_form">
Name of new user:
<input type="text" name=”username”>
Password for new user:
<input type="password" name="user_passwd">
<input type="submit" name="action" value="Create User">
</form>
[/php]

An attacker might set up a Web site with the following:

[php]
<form method="POST" action="http://www.example.com/new_user.php" name="usr_form">
<input type="hidden" name="username" value="hacker">
<input type="hidden" name="user_passwd" value="hacked">
</form>
<script>
document.usr_form.submit();
</script>
[/php]

If an administrator for example.com visits the malicious page while she has an active session on the site, she will unwittingly create an account for the attacker.This is a CSRF attack.

Recommendations:
Applications that use session cookies must include some piece of information in every form post that the back-end code can use to validate the provenance of the request.
Firstly create random value and put into session
$_SESSION[‘token’]=md5(uniqid(mt_rand(), true));
[php]
<form method="POST" action="/new_user.php" name="usr_form">
Name of new user:
<input type="text" name="username">
Password for new user:
<input type="password" name="user_passwd">
<input type="hidden" name="csrf" id="csrf" value="<?php echo $_SESSION[‘token’];?>" />
<input type="submit" name="action" value="Create User">
</form>
[/php]
Now newuser.php
[php]
if (isset($_POST[‘action’]) && $_REQUEST[‘csrf’] == $_SESSION[‘token’]) {
//put add user code here
}
[/php]

Sending unvalidated data to a web browser can result in the browser executing malicious code.

Cross site scripting (XSS) vulnerabilities occur when:

1. Data enters a web application through an untrusted source. In the case of Persistent (also known as Stored) XSS, the untrusted source is typically a database or other back-end datastore, while in the case of Reflected XSS it is typically a web request.

2. The data is included in dynamic content that is sent to a web user without being validated.

Recommendations:
When malicious data store in the database then we use htmlentities() or htmlspecialchars()
eg:-
[php]
$getSql = "select coursetypeId,coursetypeName from coursetype where deleteFlag=0 Order By coursetypeOrder";
$getSql_sth = $dbh -> prepare($getSql);
$getSql_sth -> execute();
while ($results = $getSql_sth -> fetch(PDO::FETCH_ASSOC, PDO::FETCH_ORI_NEXT)) {
echo htmlentities($results[‘coursetypeId’]);
}
[/php]

SQL injection errors occur when:
1. Data enters a program from an untrusted source.
2. The data is used to dynamically construct a SQL query.

Example 1: The following code dynamically constructs and executes a SQL query that searches for items matching a specified name. The query restricts the items displayed to those where the owner matches the user name of the currently-authenticated user.
[php]
$userName = $_POST[‘userName’];
$itemName = $_POST[‘itemName’];
$query = "SELECT * FROM items WHERE owner = ‘$userName’ AND itemname = ‘$itemName’;";
$result = mysql_query($query);
[/php]

If an attacker with the user name enters the string “name’ OR 1=1 for itemName, then the query becomes the following:
SELECT * FROM items WHERE owner = ‘John’ AND itemname = ‘name’ OR 1=1;
The addition of the OR 1=1 condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query:
SELECT * FROM items;

Example 2. If an attacker with the user name wiley enters the string “name’; DELETE FROM items; –” for itemName, then the query becomes the following two queries:
SELECT * FROM items WHERE owner = ‘John’ AND itemname = ‘name’; DELETE FROM items;

Recommendations:
(1) use mysql_real_escape_string function when we get the value from form.
eg. [php]
$username= mysql_real_escape_string($_POST[‘userName’]);
$itemName= mysql_real_escape_string($_POST[‘itemName’]);
[/php]

(2) use sql pdo query not simple query
[php]
$query = "SELECT * FROM items WHERE owner = ? AND itemname = ?";
$stmt = $mysqli->prepare($query);
$stmt->bind_param($username,$itemName);
$stmt->execute();
[/php]

there are some rules for password management
(1) Autocomplete allows the browser to predict the value. When a user starts to type in a field, the browser should display options to fill in the field, based on earlier typed values.
so we should use autocomplete=”off”
eg:- <input type=”password” name=”pass” autocomplete=”off” />

(2) Password value must be md5 with salted.
[php]
<?php $_SESSION[‘salt’]=uniqid(mt_rand(), true);
md5( $_SESSION[‘salt’] . password );
?>
[/php]

Session ID must be different to all pages.

Ques:- How to create session ID different to all pages.
Ans:-session ID is create different through session_regenerate_id(true) function.

eg:- in login.php
[php]
session_start();
session_regenerate_id(true);
$_SESSION[‘user_id’] =$results[‘uId’];
$_SESSION[‘uName’] = $results[‘uName’];
[/php]

write the code to all pages
[php]
session_start();
$sess_uid=$_SESSION[‘user_id’];
$sess_uname=$_SESSION[‘uName’];
unset($_SESSION[‘user_id’]);
unset($_SESSION[‘uName’]);
session_regenerate_id(true);
$_SESSION[‘user_id’]=$sess_uid;
$_SESSION[‘uName’]=$sess_uname;
[/php]