What do the bad guys do when attacking via user input?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


bobthebuilder
Forum Commoner
Posts: 32
Joined: Tue Mar 22, 2011 5:06 pm

What do the bad guys do when attacking via user input?

Post by bobthebuilder »

Or put another way, what do we have to guard against when processing/checking user input?

I am not asking for code here, just general ideas. I have done a few googles on the subject but find it hard separating the wheat from the chaff. Or can anyone provide a link to an up-to-date and accurate list?

Thanks in advance.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: What do the bad guys do when attacking via user input?

Post by Weirdan »

Common attack vectors are filename manipulation (remote includes or trying to read local files), SQL injection and XSS.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: What do the bad guys do when attacking via user input?

Post by Mordred »

Receiving input, by itself, is not dangerous. It becomes dangerous when you do something with it. How and why depends on the context you use it in. The protection measures depend on that as well. In your mind, you should keep a repository of such possible contexts and countermeasures. Here are a couple of examples, but a full list is of course hard to give.

Context: Output to the HTTP response body:
Most common functions: print(), echo
Vulnerabilities: XSS, defacement
Countermeasures: Writing proper HTML, don't use user input in client-side scripting contexts, in the other cases use htmlspecialchars, with ENT_QUOTES and the correct output encoding.

Context: Dynamic MySQL queries
Most common functions: mysql_query, mysqli_query
Vulnerabilities: SQL injection
Countermeasures: Writing proper SQL, typecast on numeric types, mysql_real_escape_string on the rest. (Check the article in my sig)

The details and tricks on each context are sometimes quite complex; in most cases reading the documentation on the function in question will give you correct advice, but staying current on vulnerabilities is always a good idea. Some of these "contexts" are not easily defined. There are maybe half a dozen ways to cause code execution in PHP, and maybe more in HTML, and if you allow user input in a place which you don't realize might be used to execute code, you may be doing quite serious damage without realizing it.
bobthebuilder
Forum Commoner
Posts: 32
Joined: Tue Mar 22, 2011 5:06 pm

Re: What do the bad guys do when attacking via user input?

Post by bobthebuilder »

Thanks for the input, it has got me thinking ....

Can I ask for confirmation on these points please.

1) This is very basic, but worth clarifying nevertheless. There is nothing a hacker can achieve by inserting dummy GETs into a URL for example. The GETs (and POSTs) have to be processed by the user's scripts for them to be enacted upon. (If this were not the case I imagine the internet would be useless!)

2) Any time I process a GET or POST or a form, I should consider what data I am expecting to receive at this point and parse it to ensure it fits the expected format. Only if data is in the correct form should I then process it.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: What do the bad guys do when attacking via user input?

Post by Weirdan »

bobthebuilder wrote: 1) This is very basic, but worth clarifying nevertheless. There is nothing a hacker can achieve by inserting dummy GETs into a URL for example. The GETs (and POSTs) have to be processed by the user's scripts for them to be enacted upon. (If this were not the case I imagine the internet would be useless!)
Generally yes, unless there's a vulnerability in the web server code or PHP runtime itself.
2) Any time I process a GET or POST or a form, I should consider what data I am expecting to receive at this point and parse it to ensure it fits the expected format. Only if data is in the correct form should I then process it.
You should also encode data into the format safe for a given context - that's what Mordred's post was about.
bobthebuilder
Forum Commoner
Posts: 32
Joined: Tue Mar 22, 2011 5:06 pm

Re: What do the bad guys do when attacking via user input?

Post by bobthebuilder »

You should also encode data into the format safe for a given context - that's what Mordred's post was about.
What do you mean by 'encoding'? I take this to be the translation of one data format into another format, but what would be a specific example of encoding in this context? For example is taking a Username (i.e. 'Bob') provided in a GET to generate a welcome statement (i.e. 'Welcome Bob') that is then supplied to the browser the kind of thing you are describing? Thanks in advance.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: What do the bad guys do when attacking via user input?

Post by Mordred »

Code:

<?php
// Assumes a MySQL connection has already been opened with mysql_connect()
$html_username = htmlspecialchars($_GET['username'], ENT_QUOTES, "utf-8"); // make it safe for tag-level HTML context
echo "Hello, $html_username";
$mysql_username = mysql_real_escape_string($_GET['username']); // make it safe for insertion into mysql queries
// `when` is a reserved word in MySQL, so the column name must be quoted with backticks
mysql_query("INSERT INTO `log` SET username='$mysql_username', `when`=NOW()");
Note how the two usage contexts require different escaping mechanisms, and how each of those works on the raw input (not one over the other).
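The same two ideas from Mordred's posts (validate the input against the format you expect, then encode the raw value separately for each output context), as an added example that is not from the thread. It assumes an open mysqli connection in $db and the request parameters username and id (constructed names), and it uses a prepared statement in place of the thread's mysql_real_escape_string.

```php
<?php
// Added example, not from the thread. Assumes a mysqli connection in $db
// and a request such as ?username=Bob&id=42 (constructed parameter names).

// Step 1: validate. Accept only the format we expect and refuse everything else
// (bobthebuilder's point 2). A whitelist is safer than trying to strip bad characters.
function validate_username(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    // 3 to 20 characters, letters, digits and underscore only.
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $raw) === 1 ? $raw : null;
}

// Step 2a: encode for the HTML body context (XSS countermeasure).
// ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE avoids returning "" on bad UTF-8.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Step 2b: SQL context. A prepared statement keeps the data out of the SQL grammar,
// so no escaping of the value is needed; the integer is still typecast (see below).
function log_visit(mysqli $db, string $username, int $id): bool
{
    $stmt = $db->prepare(
        'INSERT INTO `log` (`username`, `user_id`, `when`) VALUES (?, ?, NOW())'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $username, $id);
    return $stmt->execute();
}

$username = validate_username($_GET['username'] ?? null);
$id       = (int) ($_GET['id'] ?? 0);   // numeric context: typecast, as Mordred recommends

if ($username === null || $id <= 0) {
    http_response_code(400);
    exit('Bad request');
}

// Each context gets its own encoding of the SAME validated raw value,
// never the HTML-encoded string fed into SQL or vice versa.
echo 'Welcome ' . html_encode($username);   // HTML context
log_visit($db, $username, $id);             // SQL context
```

Validation alone does not replace the context-specific encoding: a username that passes the whitelist is still encoded before it reaches HTML, and still bound as a parameter before it reaches MySQL.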