[PHP] Thema Sicherheit

[Legithos]

Hallo liebe Community,

ich hätte da noch ein paar Fragen zum Thema Sicherheit.

1. SQL Injection

Reicht es wenn ich mit PDO und prepared statements arbeite, um SQL Injection komplett zu verhindern ?

1. Session Hijacking

Reicht es aus, wenn ich lediglich für den Angreifer irrelevante Informationen wie zb die User ID oder den Username speicher ? Oder sollten selbst diese verschlüsselt werden ?

Dankeschön !

[elmarcia]

 Spoiler

Quote:

Originally Posted by Legithos

Hallo liebe Community,

ich hätte da noch ein paar Fragen zum Thema Sicherheit.

1. SQL Injection

Reicht es wenn ich mit PDO und prepared statements arbeite, um SQL Injection komplett zu verhindern ?

1. Session Hijacking

Reicht es aus, wenn ich lediglich für den Angreifer irrelevante Informationen wie zb die User ID oder den Username speicher ? Oder sollten selbst diese verschlüsselt werden ?

Dankeschön !

Session Hijacking

There are many ways to hijack a session, to list a few:

1. Stealing cookie
2. Guessing session ID
3. Stealing credentials

Stealing cookie
An attacker can steal your session cookie if:

• The site is not protected with SSL: sniffing non secured http request to steal your session.
• Your site is vulnerable to cross-site-scripting: https://en.wikipedia.org/wiki/Cross-site_scripting

[SOLUTION]
-Use SSL
-Sanitize your urls, look for exploits in your own code
-Ask for a login when making something that could cost money.

Guessing cookie
As the name suggests, if your sessionID is not long enough or in the worst case scenario, uses weak RNG, it is likely that an attacker could just generate lots of sessions to check for patterns, then exploit your RNG and guess your next session, or if lazy, just generate a bunch of them and try.

[SOLUTION]
Use strong session ids, generating them manually is a bad idea, use generators that are already there.


Stealing credentials
There is not much you can do about that, people are stupid and will always open shitty emails that could compromise their credentials.
[SOLUTION]
Two factor autentication. If your user is stupid enough to get its credentials stolen, then using two factor autentication will prevent an attacker to login with those credentials. But if the password is the same as the one for the email, well ... Time to find new users
IP check. Your user always loggin from US, but two seconds ago it tried to login from CHINA, then block login and send email with steps to proceed if it was him.


Sorry for not knowing a lot of SQL injection to answer you question, maybe someone else could help.
I don't understand what you mean by storing userID, what type of session are you using, if it is JWT, don't store sensitive data, and make them expire in 1 or 2 days, or less if needed.
You can view the contents of your token in:
But don't worry unless they steal your secret you are okay.


[JWT]
-Steal from localstorage: cross-site script most common method.
-Steal from cookie: Same as explained above
-Steal your private secret: You are screwed, you secret is compromised an attacker could do whatever he want, go quick change your secret and restart your server now!

[iMostLiked]

Quote:

Reicht es wenn ich mit PDO und prepared statements arbeite, um SQL Injection komplett zu verhindern ?

Du solltest prepared statements und parameterized queries nutzen. Ob PDO oder MySQLi ist Wurst.

Beispiel mit PDO:

Code:

$query = $db->prepare('SELECT * FROM user WHERE username = :username');
$query->execute([
    'username' => $username
]);

Beispiel mit MySQLi:

Code:

$query = $db->prepare('SELECT * FROM user WHERE username = ?');
$query->bind_param('s', $username); // [s]tring

$query->execute();

Ich persönlich empfehle MySQLi. (implizierend du nutzt eine MySQL Datenbank)