Author Topic: Website Security  (Read 3981 times)

Offline luvva

  • Level 10
  • *
  • Posts: 60
  • Reputation: +0/-0
    • View Profile
Website Security
« on: December 12, 2008, 10:07:31 PM »
Hey people :P

I tried making an admin panel for an (unfinished) browser game i wrote, only to find that i had far too many security flaws about the place (such as people being able to view directories etc).

What security errors were/are most common for you when creating a game, and how did you fix them?

Offline Sunchaser

  • Game Owner
  • Level 23
  • *
  • Posts: 296
  • Reputation: +3/-0
  • Game Owner
    • View Profile
    • Medieval Europe
Re: Website Security
« Reply #1 on: December 13, 2008, 05:23:33 PM »
Viewing directories: no, I didn't have that problem; with a configuration of .htaccess you can fix it.

SQL injection: so far I did not have that problem. For fixing it you should check every input the user makes. If you google sql-injection you will find lots of articles, but I suggest you check the PHP security forum.

Reading of the database configuration file: this happened to me once, not in a game but in another application.
The PHP security forum says there is not much to do about it, but I managed _at least_ to move it out
from the webroot.




Offline JGadrow

  • Level 35
  • **
  • Posts: 1,133
  • Reputation: +23/-2
    • View Profile
Re: Website Security
« Reply #2 on: December 15, 2008, 07:34:06 AM »
The biggest concerns for security in a web application are:

SQL injection (if using a SQL database as most do) and XSS (cross-site scripting). Fortunately, SQL injection can be combated by using prepared statements and bound parameters. This foils SQL injection by telling the server what query you are planning on running before actually running the query. It does mean that it will take slightly longer to execute your query as it is an extra query (for each one you prepare!); however, nothing else is as strong of a safeguard at this current time.

As far as XSS is concerned... USE KNOWN, VALID DATA. Validate EVERYTHING you receive to be sure you know what it is, where it's from, and who it's from. Kinda vague, I know, however XSS is evil and ever-evolving. If someone is dedicated and patient enough you WILL be hacked. Bank on it. However, security exists to provide enough safeguards to make a hacker look for a softer target instead.
Idiocy - Never underestimate the power of stupid people in large groups.
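As an added illustration of the prepared-statement advice in the post above (my own example code, not from the thread or any project mentioned in it), here is the string-built query that is open to SQL injection beside the bound-parameter form. It assumes a PDO connection to MySQL and a `users` table with `id`, `username` and `password_hash` columns; the DSN, credentials and table layout are placeholders.

```php
<?php
// Added example (not from the thread). Assumes a MySQL database reachable over
// PDO and a `users` table (id, username, password_hash); all names are placeholders.

function connect(): PDO {
    return new PDO('mysql:host=localhost;dbname=game;charset=utf8mb4', 'user', 'pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, as the post describes
    ]);
}

// VULNERABLE: the username is pasted straight into the SQL text, so the server
// cannot tell where the query ends and the visitor's input begins.
function findUserUnsafe(PDO $pdo, string $username): ?array {
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// HARDENED: the query shape is sent first; the value travels separately as a
// bound parameter and can only ever be compared as data, never parsed as SQL.
function findUser(PDO $pdo, string $username): ?array {
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Login check: the password never appears in the query at all; it is verified
// against the stored hash after the row has been fetched.
function login(PDO $pdo, string $username, string $password): bool {
    $row = findUser($pdo, $username);
    return $row !== null && password_verify($password, $row['password_hash']);
}

// Usage (the first two arguments of login() are whatever the form submitted):
// $ok = login(connect(), $_POST['username'] ?? '', $_POST['password'] ?? '');
```

The "extra round trip" the post mentions is the prepare step; with `PDO::ATTR_EMULATE_PREPARES` left at its default PHP builds the statement client-side instead, which costs no extra query but still keeps the parameter separate from the SQL text.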


Offline jannesiera

  • Level 35
  • **
  • Posts: 1,026
  • Reputation: +6/-1
    • View Profile
    • BBGameDesign
Re: Website Security
« Reply #3 on: December 15, 2008, 08:25:14 AM »
The biggest concerns for security in a web application are:

SQL injection (if using a SQL database as most do) and XSS (cross-site scripting). Fortunately, SQL injection can be combated by using prepared statements and bound parameters. This foils SQL injection by telling the server what query you are planning on running before actually running the query. It does mean that it will take slightly longer to execute your query as it is an extra query (for each one you prepare!); however, nothing else is as strong of a safeguard at this current time.

As far as XSS is concerned... USE KNOWN, VALID DATA. Validate EVERYTHING you receive to be sure you know what it is, where it's from, and who it's from. Kinda vague, I know, however XSS is evil and ever-evolving. If someone is dedicated and patient enough you WILL be hacked. Bank on it. However, security exists to provide enough safeguards to make a hacker look for a softer target instead.

Thanks, this is very interesting and clear.   :-*

Offline Zeggy

  • Global Moderator
  • Level 35
  • *****
  • Posts: 1,187
  • Reputation: +13/-4
    • View Profile
Re: Website Security
« Reply #4 on: December 15, 2008, 10:01:47 AM »
http://www.xssed.com/

Even Google is prone to XSS :)

Offline davidjwest

  • Level 15
  • *
  • Posts: 130
  • Reputation: +0/-0
    • View Profile
    • Iron-Empire
Re: Website Security
« Reply #5 on: December 15, 2008, 02:29:47 PM »
When I first started coding, I had a bit of a nasty exploit.  I had used includes to get the content for the pages, so I could use the same template all the time without having to reload it each time.

I used $_GET to get the content name and was just using the whole URL for the file, such as index.php?content=http://www.site.com/script.php

Of course, the clever little script kiddies were just using that to run their own mass emailing scripts, they could just enter the URL http://www.site.com/http://www.spammingcrap.org or whatever.

My host soon picked up on it and blocked my site. It was easily fixed by checking the content was valid, but now the host won't even allow you to include the full URL so the exploit can't possibly happen, on my host anyway.

I've learned a lot since then, but I bet my scripts are nowhere near 100% secure.

Offline knuts

  • Game Owner
  • Level 5
  • *
  • Posts: 15
  • Reputation: +0/-0
    • View Profile
    • WMD Tank Battle
Re: Website Security
« Reply #6 on: December 15, 2008, 09:01:31 PM »
http://www.owasp.org/index.php/Top_10_2007
Good list of the top ten webapp vulnerabilities, with explanations of how to harden against them.
"Cross Site Request Forgery" is an interesting one that has been around forever but is very often overlooked.

My game does not really have enough traffic to attract the h4xors - any PBBG devs have good war stories ?
Is "ban the IP" the standard response ?
WMD Tank Battle - Multiplayer Conquest PBBG with AJAX and CSS sprites. All feedback is appreciated !
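Since the post above singles out Cross Site Request Forgery as the item most often overlooked, here is an added example (my own code, not from the thread or from WMD Tank Battle) of the usual defence: a per-session secret token that every state-changing form must echo back. The function and field names are my own choices.

```php
<?php
// Added example (not from the thread): a per-session anti-CSRF token for a
// game action form. Function and field names are illustrative.
session_start();

// Generate, once per session, the secret a forged cross-site request cannot know.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Emit the hidden field that ties a form to the current session.
function csrfField(): string {
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate: the submitted token must equal the session's token.
// hash_equals() compares in constant time, so timing does not leak the value.
function csrfValid(?string $submitted): bool {
    if (empty($_SESSION['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// In the handler for a state-changing action (e.g. "attack player"):
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing form token.');
    }
    // ... perform the action for the logged-in player ...
}

// In the form template:
echo '<form method="post" action="attack.php">' . csrfField()
   . '<input type="submit" value="Attack"></form>';
```

The token only works together with the session cookie: an attacker's page can make the victim's browser send the cookie, but it cannot read the token out of your form, so the forged request fails the check.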

Offline Sunchaser

  • Game Owner
  • Level 23
  • *
  • Posts: 296
  • Reputation: +3/-0
  • Game Owner
    • View Profile
    • Medieval Europe
Re: Website Security
« Reply #7 on: December 16, 2008, 03:29:29 AM »
Well, I am very curious to know if some hackers popped up and threatened your game, and how you handled them.

Offline luvva

  • Level 10
  • *
  • Posts: 60
  • Reputation: +0/-0
    • View Profile
Re: Website Security
« Reply #8 on: December 16, 2008, 06:09:01 AM »
I didn't really 'handle them' so to speak. They got through to a page they shouldn't have been able to get to, and sent out an email to the developers (me and a friend of mine).

So, I just decided to say 'oh well', and turned off the email page :P

I didn't know anything about website security at the time, not even SQL injection.

Offline raestlyn

  • Level 29
  • **
  • Posts: 464
  • Reputation: +9/-5
    • View Profile
Re: Website Security
« Reply #9 on: December 16, 2008, 08:10:13 AM »
well, i am very curious to know if some hackers popped and threatened your game, and how you handled them.
I would just tell a few friends and I would not have any problems with them anymore. I know a couple of "real*" crackers who love to teach script kiddies and wannabe hackers a thing or two about the wonders of what you can do with a computer.

*They work for military security advisors..


I can send you pics of my cocks if you want reference.


Offline Sunchaser

  • Game Owner
  • Level 23
  • *
  • Posts: 296
  • Reputation: +3/-0
  • Game Owner
    • View Profile
    • Medieval Europe
Re: Website Security
« Reply #10 on: December 16, 2008, 11:17:30 AM »
Lucky you...  I wonder if all the hackers that eventually pop up really can do some damage or if they just pretend to be hackers...

Offline Zeggy

  • Global Moderator
  • Level 35
  • *****
  • Posts: 1,187
  • Reputation: +13/-4
    • View Profile
Re: Website Security
« Reply #11 on: December 16, 2008, 11:45:51 AM »
What happens quite often is they just deface your website. This might mean simply replacing your index file or deleting all your files and uploading a new index file. Both have happened to me before, once from an RFI vulnerability (my own fault, I used include($_GET['page'])), and another time from failing to update SMF :P

I've been fairly lucky in that the defacers aren't the very malicious type. They made a backup of my original index file and uploaded their own, which was just HTML and no scripts. I guess they like to think they're 'teaching' you how to be more secure. They always leave a URL or email address for you to contact, but the ones I saw are all invalid :P

If your website's file system is compromised, be sure to check they don't upload a particular php script that I've seen come up a few times. I forgot what it's called, but it's just a single page that contains various tools they can use if they visit the page, such as an exec() form, file browser, etc.
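Both davidjwest's `index.php?content=...` include and the `include($_GET['page'])` line in the post above are the same remote/local file inclusion bug. As an added example (my own code, not from the thread or either poster's site), here is that pattern beside an allow-listed replacement in which the request only selects a key and the map decides which file is read. The page names and paths are illustrative.

```php
<?php
// Added example (not from the thread): file inclusion driven by a request
// parameter, and the allow-list that replaces it. Page names are illustrative.

// VULNERABLE: whatever the visitor puts in ?page= becomes the include path.
// With allow_url_include on that can be a remote URL (davidjwest's case); with
// it off it is still a local path of the visitor's choosing (Zeggy's case).
function renderUnsafe(): void {
    include $_GET['page'];
}

// HARDENED: the request picks a key; only this table names a file.
const PAGES = [
    'home'   => 'pages/home.php',
    'forum'  => 'pages/forum.php',
    'attack' => 'pages/attack.php',
];

function renderPage(string $requested): void {
    // Look the key up; never build a path from the raw value.
    $file = PAGES[$requested] ?? PAGES['home'];
    include __DIR__ . '/' . $file;
}

renderPage($_GET['page'] ?? 'home');
```

Hosts that disable `allow_url_include` (as davidjwest's did) stop the remote form only; the allow-list is what stops a visitor from choosing a local file such as the database configuration.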

Offline toxin

  • Level 21
  • *
  • Posts: 231
  • Reputation: +4/-2
    • View Profile
    • Encore Montreal
Re: Website Security
« Reply #12 on: December 16, 2008, 07:53:59 PM »
I do not have much experience on the subject. Ever since I started learning PHP, security has been at the top.  I just hope all my research was not in vain once I get my site up.
A link I just found that may help others.
PHP Security

Offline Tribal

  • Level 22
  • *
  • Posts: 256
  • Reputation: +1/-1
    • View Profile
Re: Website Security
« Reply #13 on: December 17, 2008, 01:43:33 AM »
When I started coding I did not really think to look into the security too much, as I had already learnt a scripting language that had almost "built-in" security. However, I did start looking into it deeper when I found this site:

http://hackthissite.org

Going on that site helped me to realise how hackers work and how they think.

Since then I have also bought a copy of this book: http://www.amazon.co.uk/Essential-PHP-Security-Chris-Shiflett/dp/059600656X/ref=sr_1_1?ie=UTF8&s=books&qid=1229499524&sr=8-1. I have found it to be really good and am glad that I bought it.

So, hopefully now my web apps will at least give the hacker a little bit of a harder time.

Offline Helderic

  • Level 14
  • *
  • Posts: 112
  • Reputation: +1/-0
    • View Profile
Re: Website Security
« Reply #14 on: December 18, 2008, 05:09:30 AM »
Anyone know of any good tutorials to help with security for those with no money? :(

Offline Hypemaster

  • Level 16
  • *
  • Posts: 145
  • Reputation: +3/-0
    • View Profile
    • FusionBroz.com
Re: Website Security
« Reply #15 on: December 18, 2008, 06:22:48 AM »
Anyone know of any good tutorials to help with security for those with no money? :(

toxin already posted a tutorial.
But never forget about security; make sure you do everything like in that tutorial.

You also have so-called PHP firewalls like Munin, which is free, and Firewall script, which costs 120 dollars but is easier to use. Munin is less user-friendly but they both do the same. The only downside is they will slow down your site.

Offline Helderic

  • Level 14
  • *
  • Posts: 112
  • Reputation: +1/-0
    • View Profile
Re: Website Security
« Reply #16 on: December 18, 2008, 06:35:57 AM »
Woops didn't see that. Sorry =\

Are the firewalls generally worth the trade-off?

Offline Hypemaster

  • Level 16
  • *
  • Posts: 145
  • Reputation: +3/-0
    • View Profile
    • FusionBroz.com
Re: Website Security
« Reply #17 on: December 18, 2008, 07:26:17 AM »
If you want to be sure you're protected and don't have much knowledge of protecting your pages yourself then they are worth it. They make your site slower, but that's because you need to include their code in your pages; your site still won't be as slow as phpnuke for example.

Offline Sunchaser

  • Game Owner
  • Level 23
  • *
  • Posts: 296
  • Reputation: +3/-0
  • Game Owner
    • View Profile
    • Medieval Europe
Re: Website Security
« Reply #18 on: December 21, 2008, 03:37:08 PM »
So, I registered on a site where you can train yourself in security by trying to hack some simulated situations/websites.

I did all the basic missions without problems. Now I am trying to do some harder missions, but I don't think I can make them (some are too hard for me, some need a lot of time spent on decrypting or writing programs).

However, I already learned some very nasty things, like javascript injection or building a form locally and submitting it remotely. With this technique it's possible, for example, to manipulate the fields inside a form and send them to the server. One can use this technique, for example, to cheat in your game and get resources. So, it seems a good thing not to store hidden fields with sensitive data in forms, but to get the needed data on the server side.

Second, I did not understand why some security experts suggest avoiding displaying user input without sanitizing it. Or rather, I understood it could be a bad thing, because one can insert PHP code or javascript in a field. Well, after having tried an SSI injection and being able to list the contents of a directory and view the contents of a file on the server, I understood it better. So, always filter and sanitize user input.
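The "always sanitize" conclusion above is most reliably applied at the point of output: whatever a player typed is escaped for the context it is printed into, so markup, script and server-side-include directives arrive as inert text. Here is an added example (my own code, not from the thread) of a small profile renderer doing that; the helper names and the sample input are constructed.

```php
<?php
// Added example (not from the thread): escape user-supplied text at the point of
// output, for each context it is printed into. Helper names and input are made up.

// For HTML body text and attribute values. ENT_QUOTES covers both quote styles,
// so the result is safe inside attribute="..." as well as between tags.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For a value embedded in a <script> block: emit it as a JSON literal with the
// characters that could close the script or tag hex-escaped.
function js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function renderProfile(string $nick, string $bio): string {
    return '<h2>' . h($nick) . '</h2>'
         . '<p>' . nl2br(h($bio)) . '</p>'
         . '<script>var nick = ' . js($nick) . ';</script>';
}

// Constructed input: a nickname carrying a tag and a bio carrying an SSI directive.
$nick = 'knight"><script>alert(1)</script>';
$bio  = "<!--#exec cmd=\"ls\" -->\nI like tanks & castles";
echo renderProfile($nick, $bio);
// The output contains &lt;script&gt; and &lt;!--#exec ... as visible text,
// not as a live tag or a directive the server would act on.
```

Filtering on input (stripping tags, rejecting odd characters) is a useful extra layer, but it cannot know in advance whether a value will later land in HTML, an attribute, a script or an SQL query; escaping per output context does.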

Offline codestryke

  • Administrator
  • Level 33
  • *****
  • Posts: 589
  • Reputation: +22/-0
    • View Profile
    • eXtremeCast Games
Re: Website Security
« Reply #19 on: December 21, 2008, 04:13:02 PM »
I've been exploited so many times it's not even funny. You name it, SQL injection, XSS exploit, I've had it done to my sites. I even had one site defaced. I don't take the blame on that one because I was on an NT server and they used an exploit that MS didn't have a patch out yet for  :P

In each and every case I had, it came down to me being lazy or forgetting to check my inputs (except for the defacing). It's so easy to get into programming mode and just forget, or tell yourself I'll go back and add that later. Users will, every single time, find that one hole you accidentally left open.

As myself and Zeggy have promoted over and over again, USE ADODB!!!!! Again... USE ADODB!!!! for database access. This alone will significantly help prevent SQL injections as it automatically scrubs the parameter data you send with the query. Heck, I don't think I could even write a script using raw mysql code anymore, I've been using ADODB for that long LOL.

Creating online addictions, one game at a time:

Offline Sunchaser

  • Game Owner
  • Level 23
  • *
  • Posts: 296
  • Reputation: +3/-0
  • Game Owner
    • View Profile
    • Medieval Europe
Re: Website Security
« Reply #20 on: December 22, 2008, 02:54:11 AM »
I see... ADODB... will check it out. As for input filtering, the framework has some callback functions where, before saving data to the db or redirecting, one can call a sanitization library, so it is then applied to every data input.

Offline JGadrow

  • Level 35
  • **
  • Posts: 1,133
  • Reputation: +23/-2
    • View Profile
Re: Website Security
« Reply #21 on: December 22, 2008, 08:59:48 AM »
ADODB is a database abstraction layer that utilizes prepared statements :)

It's good to know how a dba works too. Lets beginning programmers see the value of code abstraction :)
Idiocy - Never underestimate the power of stupid people in large groups.


Offline Chris

  • Game Owner
  • Level 35
  • *
  • Posts: 2,217
  • Reputation: +28/-1
    • View Profile
Re: Website Security
« Reply #22 on: December 22, 2008, 09:34:18 AM »
I think all this security worry is overblown. I never got any problems and my game is the size that should get hackers' attention (it was hacked only once, in the first week, when I didn't yet know what the term "SQL injection" means :D).

- MAGIC_QUOTES_ON
- mysql_real_escape_string()
- strip_tags()
- $nonstringvariable = (int)$_GET['variable']
- mysql_query("  var='$var'  ")  // if you are paranoid

Assuming you use the English character set (there might be some nasty stuff with other character encodings and multi-byte languages) there is no way a hacker can get through it (except for hacking the machine, but that's not related to programming).


The only serious threat is when you forget to check negative values in html forms and they buy negative stuff which means unlimited money generation.

Offline Tribal

  • Level 22
  • *
  • Posts: 256
  • Reputation: +1/-1
    • View Profile
Re: Website Security
« Reply #23 on: December 22, 2008, 12:05:27 PM »
Magic quotes is actually deprecated in PHP 5.3.0, and will be fully removed in PHP 6.0.0 as it is highly discouraged.

It can also get you in trouble when using mysql_real_escape_string, as you end up with: "He has the skill\\\'s!". And if you do stripslashes on that you get: "He has the skill's".

I always turn magic quotes off and make sure to sanitise inputs properly. This also helps to make your code more portable.

Offline codestryke

  • Administrator
  • Level 33
  • *****
  • Posts: 589
  • Reputation: +22/-0
    • View Profile
    • eXtremeCast Games
Re: Website Security
« Reply #24 on: December 22, 2008, 12:10:10 PM »
The only serious threat is when you forget to check negative values in html forms and they buy negative stuff which means unlimited money generation.

Oh, there is another one that doesn't even need negative values and screws up a game pretty fast as well. Anyone been hit with a negative rollover? This is not an exploit a user can use, it's the nature of MySQL's unsigned int. If you have an unsigned int (it can be big, medium or tiny as well), the important fact is that it has to be unsigned.

An example:
Game has money, player 1 goes to buy stuff, the player account is loaded, it's checked that they have the required amount of credits, yes they do, so the check passes. At the same time this player is getting attacked for money; the battle code loaded his money on hand at the start.

Since it's an unsigned the money is taken, then the battle takes the money and instead of going to zero or not allowing it to go to negative it rolls over ie...

0 - 1 = 2147483646

And voilà.. You have a ton of money now floating in the game, and players see that and everyone starts attacking that player, transferring assets, moving assets to banks etc.. Basically there is no way to track it all down and correct the situation in the game itself without doing a db rollback to a hopefully good backup.

This is a known issue with mysql and has been well documented. So to prevent this make all your numerical assets stored in the db as signed integers.





Creating online addictions, one game at a time:
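The last three posts describe three ways a game economy breaks: a price carried in a hidden form field (Sunchaser), a negative quantity (Chris), and two scripts that each read a balance and then both subtract from it, which on an unsigned column wraps to a huge number (codestryke). As an added example (my own code, not from the thread or any of the games mentioned), here is a purchase handler that closes all three at once: quantity validated as a positive integer, price looked up server-side, and the balance check and deduction done in a single guarded UPDATE so a concurrent deduction cannot slip between them. Table and column names are illustrative, and it assumes PDO on MySQL with `players.money` declared as a SIGNED integer, as the post recommends.

```php
<?php
// Added example (not from the thread). Assumes PDO on MySQL and illustrative
// tables: items(id, price), players(id, money SIGNED INT), inventory(player_id, item_id, qty)
// with a unique key on (player_id, item_id).

function buyItem(PDO $pdo, int $playerId, array $post): string {
    // 1. Quantity: must be a positive integer. This rejects negatives, zero,
    //    floats and non-numeric strings in one check.
    $qty = filter_var($post['qty'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($qty === false) {
        return 'invalid quantity';
    }

    // 2. Price: never read from the form. Look it up by item id on the server.
    $itemId = (int)($post['item_id'] ?? 0);
    $stmt = $pdo->prepare('SELECT price FROM items WHERE id = :id');
    $stmt->execute([':id' => $itemId]);
    $price = $stmt->fetchColumn();
    if ($price === false) {
        return 'unknown item';
    }
    $cost = (int)$price * $qty;

    $pdo->beginTransaction();
    try {
        // 3. Balance: check and deduct in ONE statement. A battle script that
        //    loaded the balance a moment ago cannot race this into negative,
        //    because the WHERE clause is evaluated against the current row.
        //    (Two placeholders are needed for the same value when native
        //    prepares are used, since PDO then forbids reusing a name.)
        $stmt = $pdo->prepare(
            'UPDATE players SET money = money - :cost WHERE id = :pid AND money >= :cost2'
        );
        $stmt->execute([':cost' => $cost, ':pid' => $playerId, ':cost2' => $cost]);
        if ($stmt->rowCount() === 0) {
            $pdo->rollBack();
            return 'insufficient funds';
        }

        $stmt = $pdo->prepare(
            'INSERT INTO inventory (player_id, item_id, qty) VALUES (:pid, :iid, :qty)
             ON DUPLICATE KEY UPDATE qty = qty + VALUES(qty)'
        );
        $stmt->execute([':pid' => $playerId, ':iid' => $itemId, ':qty' => $qty]);
        $pdo->commit();
        return 'ok';
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}
```

The same guarded-UPDATE shape (`money = money - :amount WHERE ... AND money >= :amount`) belongs in the battle code too; once every deduction is conditional on the live balance, a signed column is a backstop rather than the only thing standing between you and the rollback codestryke describes.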
