PHP Security


PHP Security - Check Bug in PHP Script  

After we finish writing a PHP script, there are times when unwanted bugs remain in a script that is otherwise ready to go online. Such a bug can be fatal, because an intruder who tries to exploit the system can make use of it.


And who can be sure that the PHP script we have written is free of security vulnerabilities?
So how do we prevent a hacker from exploiting, or even ruining, our site? How can we know with certainty whether the script we created has a fatal bug, and how do we handle all of this?
Before moving on to the next step, it is a good idea to identify the most commonly exploited bugs.
These bugs are often found in web-based applications, Content Management Systems in particular. Among them:
  • XSS (Cross Site Scripting)
  • SQL Injection
  • RFI (Remote File Inclusion)

Cross Site Scripting
Known as XSS. This bug occurs because there is no filtering of HTML and JavaScript in user-supplied input.
Basically, the defacing (change of content) happens on the client side only. The most serious consequence of this bug is that an attacker can steal cookies and then use them to do something dangerous.
 
SQL Injection
SQL Injection happens when an attacker tries to inject an SQL query via a form or via the browser's address bar.
 
RFI (Remote File Inclusion)
RFI occurs because of a programmer error when writing code, namely using a variable as the argument of the require or include functions. When a user enters the URL of a malicious script in the variable used by require or include, that script is executed remotely; in other words, the attacker can run commands on your own server to change the site's content or even destroy it.
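As an added example (not code from the original post), here are the three bug classes described above, each shown as the unsafe pattern next to a hardened version. The function names, the pages/ directory and the PDO connection are assumptions made for the example:

```php
<?php
// Added example, not from the original post. Each bug class from the
// article is shown as the unsafe pattern followed by a hardened version.
// Assumed: page files live under ./pages/, and $pdo is a PDO connection.

// --- RFI: a user-controlled variable reaches include() -----------------
// UNSAFE: whatever the user supplies is included; with allow_url_include
// enabled a remote script is fetched and executed on this server.
function show_page_unsafe(string $page): void {
    include $page;
}

// SAFE: never build the include path from input; map input to a fixed list.
function show_page_safe(string $page): void {
    $allowed = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];
    if (!isset($allowed[$page])) {
        http_response_code(404);     // unknown page name is simply rejected
        return;
    }
    include __DIR__ . '/' . $allowed[$page];
}

// --- XSS: input echoed into HTML without filtering ---------------------
function greet_unsafe(string $name): string {
    return "<p>Hello, $name</p>";    // HTML/JavaScript in $name runs in the browser
}
function greet_safe(string $name): string {
    // Escaping turns <, >, quotes and & into entities, so they render as text.
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// --- SQL injection: input concatenated into the query string -----------
function find_user_unsafe(PDO $pdo, string $login): array {
    $sql = "SELECT id FROM users WHERE login = '$login'";  // a quote in $login ends
    return $pdo->query($sql)->fetchAll();                 // the string; the rest is SQL
}
function find_user_safe(PDO $pdo, string $login): array {
    $stmt = $pdo->prepare('SELECT id FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);  // bound as data, never parsed as SQL
    return $stmt->fetchAll();
}

// Typical use from a request handler: defaults keep the safe functions
// working when the parameters are absent.
show_page_safe($_GET['page'] ?? 'home');
echo greet_safe($_GET['name'] ?? 'guest');
```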
 
Checking for Bugs
Bug checking can be done manually, but this will certainly take a lot of time. There are tools that can quickly and automatically find bugs that slipped into a PHP script, whether by accident or deliberately.
Basically, bug checking can be done online or offline, but many programmers suggest doing it only on your localhost (offline).
 
Check for XSS Bug
The tool for checking for XSS in your own PHP script is a Mozilla Firefox add-on, available for free. Installation is quite easy.
The tool can be downloaded here:
http://www.securitycompass.com/exploit_me/xssme/xssme-0.2.1.xpi
 
Check for SQL Injection Bug
At present SQL Injection is classed as the most popular defacing method and certainly the most widely used, perhaps because the attack is fairly easy to carry out and only requires basic knowledge of SQL syntax. Again, a Mozilla Firefox add-on that is powerful enough and easy to use is provided for checking SQL injection bugs.
You can download it here:
http://www.securitycompass.com/exploit_me/sqlime/sqlime-0.2.xpi
 
Check Remote File Inclusion (RFI) Bug
First download the script here: http://www.newhack.org/dl_jump.php?id=4.
After that, download ActivePerl, the interpreter that will be used to run the script inclusionscanner.pl.
 
Then copy inclusionscanner.pl to the directory c:\perl\bin.
 
The next step:
  • Put the script you want to scan into a directory under c:\perl, for example c:\perl\wp.
  • Open the command prompt: Start - Run - cmd
  • Change into the directory c:\perl\bin: cd c:\perl\bin
  • Run the script:
C:\perl\bin> perl.exe inclusionscanner.pl
Directory to read? c:\perl\wp
 
Then see the results in c:\perl\bin\result.html.
Remember, do not damage, do not do evil, if you find a bug on other sites as mentioned above, please inform the web admin.
