I just read this article about piggybacking in PHP.

I googled it, but there is not much information out there.

Can anyone tell me in more detail how to prevent this kind of attack, what kind of code practices are vulnerable and what we should do?

Thanks in advance.

+2  A: 

That article seems to refer to a vulnerable web application, not anything specific to PHP.

This previous thread provides some useful information regarding writing secure PHP code:

http://stackoverflow.com/questions/1165040/what-security-issues-should-i-look-out-for-in-php

If we take the "They used these vulnerabilities to inject PHP code into the site" part of the article literally, then the developers likely used user input with include/require statements or eval.

Inspire
This is definitely not eval(). eval() is a very dangerous attack that could be used to modify a page, it's also **extremely** difficult to detect on a remote web application and **extremely** obscure. There is absolutely no doubt in my mind that this is XSS. XSS is very easy to detect and is very common.
Rook
@The Rook As I said, if we take the part of the article I quoted literally, injecting PHP code could only be caused by misuse of eval or include/require statements. XSS has nothing to do with injecting PHP code, so if the attack was caused by XSS then PHP should not have even been mentioned in the BBC article. But yes, it would be just like the media to incorrectly report the technical details :)
Inspire
You are more lost than the non-programmer that wrote that article.
Rook
@The Rook Excuse me? But how the heck has XSS got anything to do with PHP and why should PHP have even been mentioned in the article if this was an XSS attack? It's hardly PHP's fault just because the developers can't sanitise their output. And did I say it wasn't caused by an XSS attack? I am well aware of the technical details, but wanted to clear up how "PHP code injection" is caused as they mentioned it in the article and it is a lot more damaging than XSS. Perhaps you should take your attitude problem somewhere else.
Inspire
I updated my post. You should read "A Study in Scarlet"; you have an overly simplistic view of this topic that I highly disagree with.
Rook
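
The practice the first answer points to (user input reaching an include/require statement), shown next to an allowlist-based form, as an added example that is not part of the original thread. The function names, page names and the `pages` directory are hypothetical, and the request values are constructed samples:

```php
<?php
declare(strict_types=1);

// Hypothetical layout: page templates live in ./pages next to this script.
const PAGE_DIR = __DIR__ . '/pages';

// Allowlist: request value => file on disk.
// Request data is only ever used as a lookup key, never as part of a path.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

// BEFORE (vulnerable): the request value is concatenated into the include
// path, so whoever controls ?page= decides which file PHP loads and executes.
function unsafe_include_path(string $page): string
{
    return PAGE_DIR . '/' . $page . '.php';
}

// AFTER: unknown values are rejected; known values map to a fixed file name.
function safe_include_path(string $page): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;
    }
    return PAGE_DIR . '/' . PAGES[$page];
}

// Constructed sample request values (stand-ins for $_GET['page']).
foreach (['home', '../other/file', 'contact'] as $requested) {
    $path = safe_include_path($requested);
    if ($path === null) {
        // Show what the vulnerable version would have tried to load.
        echo "rejected: {$requested} (unsafe version would load "
            . unsafe_include_path($requested) . ")\n";
        continue;
    }
    // In a real handler this is where `include $path;` would run.
    echo "would include: {$path}\n";
}
```

The same rule covers eval(): request data may select among code the developer wrote, but should never become the code or the path itself.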
A: 

The article isn't particularly clear, but my guess is that they just used SQL injection and, to try to avoid detection, they inserted a script that didn't actually change the behavior of the site normally unless the visitor came from Google using a relevant search term, and the author is calling the redirection in that situation "piggybacking".

So: escape and validate all user input.

Brock Batsell
I disagree the BBC article gave enough information. Also this has nothing to do with SQL injection. It's difficult to gain this level of access with SQL injection compared to other vulnerabilities like XSS. You should know this if you are talking about SQLi, but you probably have never exploited SQLi so you have no idea what it is.
Rook
SQL injection absolutely could do this. Would it be easy to do, with even moderately well-written code? No — but let's be honest, a very large portion of PHP code doesn't even meet that standard. Based on the very limited information in the article, and the fact that they were gov't websites, which in my experience don't intend to expose a lot of user-provided data, I guessed that the vector was SQL injection, though it certainly could be done (more easily) using XSS if the code gave them the chance.
Brock Batsell
I agree, SQL injection could do this. However, it is nearly impossible to automate a SQL injection attack to do this. It's more common for people to blame SQL injection when their site is compromised without fully understanding what goes into a SQL injection exploit. I recommend writing an exploit so that you know, this has helped me a lot.
Rook
A: 

First link really on the general subject should give you some overview.

Second link is PHP / SQL - specific and should lead you to enlightenment.

Till
Kind of helpful. If you don't know the answer, you shouldn't post.
Rook
A: 

The BBC news article is talking about "persistent XSS". Leave it to the news to talk about hacking without mentioning anything about vulnerabilities. But that could be that the bbc.co.uk doesn't know what an XSS vulnerability is, because if they did they would patch their own damn site!

There are many ways to achieve remote code execution against a PHP web application. No one should ever call this "PHP Injection"; if they call it this then they don't know what they are talking about. A Study In Scarlet is an excellent paper that details many different methods that an attacker can use to obtain remote code execution against a PHP application. This paper is intended for malicious hackers, not developers.

XSS is by far the easiest and most common method to nefariously place advertisements on somebody's site.

Rook