In this blog post, we will continue explaining the common vulnerabilities within a PHP website and ways to prevent them. As Doug Bierer mentions in our PHP Security training course, the common vulnerabilities you may encounter are: predictable resource location, mishandling file uploads, insufficient authorization, improper access controls, and unplanned information disclosure.
We’ve already covered the first three vulnerabilities in a previous blog post, and in this post we will focus on how to protect against insufficient authorization and improper access controls. We will cover unplanned information disclosure in a later post.
The first thing you should do to protect against insufficient authorization is to establish what is referred to as an Access Control List (ACL): a matrix of user types and the resources each type is allowed to access. In the example Doug uses in the training video (Sweet’s Complete), he defines three possible roles: guest, normal, and admin. The guest role is for someone visiting the website who does not have an account; guests are given access to home, products, specials, contact, and login. A normal user is someone who has an account on the system and is logged in. The admin role has access to the same things as the guest and normal user, plus the admin page. Doug advises you to build the matrix so that the key is the user type or role, and the value is an array of allowed pages.
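The following is an added example of that matrix in PHP; it is not code from the course or from Sweet’s Complete. The guest pages are the ones named above; the account and logout pages for normal users, the `page` query parameter and the `pages/` directory are assumptions.

```php
<?php
// Added example: an ACL matrix keyed by role, whose value is the array of
// pages that role may open. Unknown roles and unlisted pages are denied.
declare(strict_types=1);

final class Acl
{
    /** @var array<string, string[]> role => allowed pages */
    private array $matrix;

    public function __construct()
    {
        $guest = ['home', 'products', 'specials', 'contact', 'login'];
        // A logged-in user keeps the guest pages and gains a few of their own
        // (account and logout are assumed page names, not from the post).
        $normal = array_merge($guest, ['account', 'logout']);
        // Admin inherits everything normal users have, plus the admin page.
        $admin = array_merge($normal, ['admin']);
        $this->matrix = [
            'guest'  => $guest,
            'normal' => $normal,
            'admin'  => $admin,
        ];
    }

    /** Deny by default: a role with no row in the matrix gets an empty list. */
    public function isAllowed(string $role, string $page): bool
    {
        return in_array($page, $this->matrix[$role] ?? [], true);
    }
}

// The role comes from the server-side session, never from a cookie, hidden
// form field or query parameter that the visitor can edit.
function currentRole(): string
{
    return $_SESSION['role'] ?? 'guest';
}

// Front-controller check: the requested page is matched against the ACL
// before anything is included, so only names listed in the matrix can ever
// be loaded (which also rules out "../" style values for $page).
session_start();
$acl  = new Acl();
$page = $_GET['page'] ?? 'home';

if (!$acl->isAllowed(currentRole(), $page)) {
    http_response_code(403);
    exit('Access denied');
}
require __DIR__ . '/pages/' . $page . '.php';
```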
Another consideration the course addresses is excessive authority for low-level accounts, which is especially relevant for database access. Here you can apply the principle of least privilege: instead of granting the database user all rights to the database, assign it only the limited set of rights the application needs, such as SELECT, INSERT, UPDATE, and DELETE.
Improper Access Controls:
There are a number of things you can do to protect against improper access controls. First, you could hash passwords using a cryptography extension, such as Hash. Hash is considered a standard extension and should be available in the majority of PHP installations. It takes a string and produces what is called an MD5 hash. This is useful for passwords because there is no reason we need to know the user’s password; we only need to hash the password the user supplies and compare it with the hash we have stored.
Aside from Hash, PHP has a number of hashing and encryption extensions, including:
- Password hashing, a new wrapper for the crypt function
- Mcrypt, which has been available for quite some time and offers a wide variety of algorithms, but is not as flexible as Hash
- Crack, used to test the strength of a password
- OpenSSL, used for managing an SSL connection
You can also establish rules regarding the length and mixture of characters that make up a password, but try not to annoy your website users with too many restrictions. Finally, make sure you are aware of how long users are allowed to keep the same password; this is referred to as password aging.
Watch Doug explain and demonstrate these concepts in the video tutorials below, taken from our PHP Security training course. Stay tuned for our final post that will cover how to protect against unplanned information disclosure.