Basic XSS and session security

Posted on 04.05.2015 20:41:53 in General, Goodies, PHP, Webcoding


Many websites are still wide open to Cross-Site Scripting (XSS) and to hijacking of other users' sessions. This is a very bad thing, especially since both are easy to prevent, or at least you can make them much harder with just a few lines of code. It's still far from perfect, but it gives you a solid base security.


I myself use this on every site I program; I add it to the config file that gets loaded at the beginning of every page request.

1. Basic XSS Security

With only a few lines of code you can easily provide some basic security against XSS. The downside is that WYSIWYG editors won't work anymore if they submit HTML tags rather than BBCode. However, you can easily add some if-clauses to allow HTML tags on specific POST/GET fields.

/* XSS Security */
if (count($_POST)) {
    foreach ($_POST as $key => $item) {
        // Only flat values are handled here; nested arrays are left untouched
        if (!is_array($_POST[$key])) {
            // Remove tags, then encode what is left (ENT_QUOTES also covers single quotes)
            $_POST[$key] = htmlentities(strip_tags($item), ENT_QUOTES);
        }
    }
}
if (count($_GET)) {
    foreach ($_GET as $key => $item) {
        // Same array guard as for $_POST: strip_tags() on an array only raises a warning
        if (!is_array($_GET[$key])) {
            $_GET[$key] = htmlentities(strip_tags($item), ENT_QUOTES);
        }
    }
}

This should give you a basic idea of how to do it. However, I would recommend building a recursive function that also handles multidimensional arrays. The script checks whether there is any POST or GET data, loops through all of it, strips HTML tags and converts all applicable characters to HTML entities.
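As an added example (not code from the original post), the recursive sanitizer the text recommends, applied to nested POST/GET arrays with an allowlist for fields that may keep some HTML; the field name 'editor_body' and the kept-tag list are assumptions.

```php
<?php
// Added example, not from the original post: a recursive sanitizer for
// nested POST/GET arrays. The field name 'editor_body' and the list of
// tags kept for it are assumptions chosen for illustration.
function sanitizeInput($value, $allowTags = false)
{
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            // Keys come from the client too, so encode string keys as well
            $cleanKey = is_string($key) ? htmlentities($key, ENT_QUOTES, 'UTF-8') : $key;
            $clean[$cleanKey] = sanitizeInput($item, $allowTags);
        }
        return $clean;
    }
    if (!is_string($value)) {
        return $value;   // ints, null etc. pass through unchanged
    }
    if ($allowTags) {
        // WYSIWYG field: keep a few formatting tags, drop everything else.
        // Caveat: strip_tags() leaves attributes on the kept tags, so a
        // separate attribute filter (or an HTML purifier library) is still needed.
        return strip_tags($value, '<b><i><p><br>');
    }
    // Default: no tags at all, then entity-encode what remains
    return htmlentities(strip_tags($value), ENT_QUOTES, 'UTF-8');
}

// Sanitize a whole request array; $htmlAllowed lists top-level fields that may keep tags
function sanitizeRequestArray(array $data, array $htmlAllowed)
{
    foreach ($data as $key => $item) {
        $data[$key] = sanitizeInput($item, in_array($key, $htmlAllowed, true));
    }
    return $data;
}

// Constructed sample input (what a browser might submit), for a stand-alone run
$sample = array(
    'name'        => '<script>alert(1)</script>Bob',
    'tags'        => array('a' => "it's <b>bold</b>", 'b' => array('x' => '<img src=x onerror=alert(1)>')),
    'editor_body' => '<p onclick="evil()">Hi</p><script>bad()</script>',
);
print_r(sanitizeRequestArray($sample, array('editor_body')));

// In the config file, apply it to the real request data:
// $_POST = sanitizeRequestArray($_POST, array('editor_body'));
// $_GET  = sanitizeRequestArray($_GET, array());
```

Filtering at input time this way is a coarse baseline; encoding at output time, where the HTML context is known, remains the more reliable defence.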

2. Session Security

On some sites you can easily take over the session of another user, especially if the session ID is passed in the URL. If someone uses that session ID as his own, he instantly has access to all the session data and in most cases also to the logged-in account. But there is a really easy way to prevent this too. With the small snippet below, the session gets killed if the secure ID doesn't match the client's data.

/* SESSION SECURITY (assumes session_start() has already been called) */
$fingerprintArray = array(
    isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '',
    substr($_SERVER['REMOTE_ADDR'], 0, 7)   // only a prefix of the IP, so small address changes don't kill the session
);
$fingerprint = md5(serialize($fingerprintArray));
if (isset($_SESSION['SECID']))
{
    // strict comparison: hex strings must not be compared numerically
    if ($_SESSION['SECID'] !== $fingerprint)
    {
        // kill session: clear the data and destroy the server-side record.
        // unset($_SESSION) would only disable the superglobal, not remove the session.
        $_SESSION = array();
        session_destroy();
    }
}
else
{
    // first request of this session: store the fingerprint
    $_SESSION['SECID'] = $fingerprint;
}

So what's happening here? It's fairly simple, and you can also extend it with additional input. The variable $fingerprint holds user-specific data, including the user agent and part of the IP address, and an md5 string is then created from the serialized data. This string differs from user to user. If the secure ID is not set, the script just stores it; if the secure ID differs from the stored one, it kills the whole session to keep the data secure.

3. Additional password security

Just a small hint, as there are still people out there using only md5 to store passwords in the database. Some time ago this was definitely enough, but today there are databases called rainbow tables that hold many precomputed md5 password hashes. With those, attackers can easily crack such basic password hashes. There is a really easy way to prevent this by using a salt. :)

/* Password salt: a static application-wide key appended before hashing */
define('SALT', '38JK+*/a');
// Stored hash = md5(password + salt); a rainbow table built for plain md5 no longer matches
$password = md5($_POST['pass'] . SALT);

This is just a basic example to show the idea: extend the password md5 string with a random key. If you want to make it even more secure, store a user-specific salt in the database and use it when checking the user's password on the database request. And to make it even better, don't use md5, use SHA instead! It has at least the same security effect but is less often used, and as Mac users know, less usage also means less risk. Hackers concentrate in most cases on often-used technologies.

I hope this was helpful at some point.

Best Regards,
Christian Weber
