What types of attacks can I experience with global variables and how to prevent

10

Thinking about creating a system of login and secure registration, I want to take some measures, as I have been reading, I have verified several errors that I made, especially regarding Global variables:

link

Ex: I always validated my superglobal variables, but only those of type GET and POST; I did not care so much about COOKIE, SESSION, SERVER.

After asking a question, the number of errors I was committing dropped.

Concerned mainly with SQL Injection, I now know that using PDO (prepare, bindValue) this problem is solved.

Another type of attack that was very vulnerable is XSS:

where I have never validated global variables like SERVER, SESSION, COOKIE; for GET and POST I already use strip_tags() a lot. To prevent this type of attack I notice a lot of people using the following functions:

strip_tags, addslashes and htmlspecialchars

But I realized that some sites do not use addslashes. Is it necessary or not to prevent XSS?

I know there are several other types of attacks, but as far as superglobal variables are concerned, what kind of attacks other than those mentioned above do I have to prevent? And which PHP functions do I have to use to prevent each attack?

asked by anonymous 25.03.2015 / 21:26

2 answers

4

The best way to avoid this kind of problem is to define the domain of the values you expect for a certain value and validate against those domains. Do this with all the values that come from the user.

For example: A "Name" field for a user: A person's name can contain a-z characters plus accents and perhaps an apostrophe ('). You can use regular expressions to do this type of validation.

If you are using prepared statements, you do not have to worry about SQL injection unless you use variables for table names or anything else that is not bound.

The issue of XSS is mainly about not allowing the system to execute code from the user. The most common way is for the user to submit JavaScript, in which case you can use htmlspecialchars or strip_tags. It is important to remember that in some places of your system you may want the user to submit HTML, so if you use htmlspecialchars on every input the user makes, it is a good idea to have a way to disable this for specific cases.

Another XSS attack vector is in PHP code execution, so be especially careful if you use the eval or preg_replace function. The data passed to these functions can be executed by PHP or even by the operating system, so one must be very careful to limit the domain of values that come from the user when using these functions. It's best to avoid using them.

A problem that used to be very common in PHP, but today is rare, is the register_globals directive, which basically caused the $_POST['variavel'] variable to be the same as $variavel. It's good to take a look at the PHP configuration to make sure this setting is disabled.

CSRF occurs when the user is logged into your site and accesses a malicious site. That site makes "hidden" requests to your site that end up being performed on behalf of the logged-in user, such as deleting, altering or stealing data.

The most common method of preventing this is to generate a random token with the page, send it along with any request that accesses sensitive data, and check it before returning sensitive data or changing/deleting data. This is what you mentioned about $_SESSION.

Another way to mitigate this type of attack is by asking for confirmation of the user's password on more important operations or by adding a captcha.

27.04.2015 / 19:03
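The four measures in the answer above (whitelist validation of a field's domain, bound parameters, escaping at output time, and a session-bound CSRF token) put together in one runnable script. This is an added example, not code from the question or either answer; it assumes the pdo_sqlite extension is available and uses an in-memory SQLite table and a plain array standing in for $_SESSION so that it runs offline. Function names such as validateName and csrfTokenIsValid are chosen here for illustration.

```php
<?php
// Added example, not from the original thread. Assumes pdo_sqlite is installed.
declare(strict_types=1);

// 1. Domain validation: state exactly what a "name" may contain and reject
//    everything else. Letters (including accented ones), spaces, hyphens and
//    apostrophes, 1 to 60 characters. Returns null when the value is outside
//    the domain.
function validateName(string $name): ?string
{
    $name = trim($name);
    if (preg_match('/^[\p{L}\' \-]{1,60}$/u', $name) !== 1) {
        return null;
    }
    return $name;
}

// 2. Prepared statement: the value is bound with bindValue, never concatenated
//    into the SQL text. Table and column names cannot be bound, so they stay
//    hard-coded here.
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Escaping for an HTML context, applied when the value is rendered rather
//    than when it is stored, so the original data stays intact for other uses.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 4. CSRF token: a random value kept in the session and embedded in each form;
//    every state-changing request must echo it back. hash_equals avoids a
//    timing side channel on the comparison.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrfTokenIsValid(array $session, ?string $submitted): bool
{
    return isset($session['csrf_token'])
        && is_string($submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// --- Demonstration with constructed input (no real users or requests) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('José O''Neil')");

// Constructed sample inputs: one valid name, one script tag, one quote-based
// injection string. The last two fall outside the name domain and are rejected
// before they reach the database; even if they did, the parameter is bound.
$inputs = [
    "José O'Neil",
    "<script>alert(1)</script>",
    "' OR '1'='1",
];

foreach ($inputs as $input) {
    $name = validateName($input);
    if ($name === null) {
        echo "rejected: " . escapeHtml($input) . "\n";
        continue;
    }
    $user = findUserByName($pdo, $name);
    echo "found: " . escapeHtml($user['name'] ?? '(none)') . "\n";
}

// CSRF check simulated with arrays standing in for $_SESSION and $_POST.
$session = [];
$token = csrfToken($session);
$goodPost = ['csrf_token' => $token];
$badPost  = ['csrf_token' => 'forged'];
var_dump(csrfTokenIsValid($session, $goodPost['csrf_token'] ?? null));
var_dump(csrfTokenIsValid($session, $badPost['csrf_token'] ?? null));
```

Note that the regex is the whitelist the answer describes: it decides what a name is, and anything else (tags, operators, digits) is refused outright instead of being "cleaned". Escaping with htmlspecialchars still happens on output because a value that is valid as a name can still contain an apostrophe that matters in an HTML attribute.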
2

My dear,

Use a good development framework and have the solution of these and many other common problems at your fingertips.

Even with a framework you may be subject to XSS; in fact strip_tags is enough to solve it. You can create a default Behaviour that, besides formatting dates and money to our default, cleans text fields with strip_tags, for example.

A hug!

27.03.2015 / 23:04