is the session in PHP safe?
PHP development So long, and really did not really pay attention to the issue of security, each time is to complete the project-based, recently saw an article on the Internet on security, after reading only to notice that their previous projects there are a large security loopholes, so picked a project to test, found that it is easy to recruit children. Here I'll share an example of a test I've written to illustrate how the session in PHP is unsafe and how to enhance its security in the project.
For the principle mechanism of the session, there are a lot of good articles on the Internet to introduce, we can consult on their own. Here is an example of a direct sharing test. The example of this test is mainly a login page, after the successful login can change the password, just such a simple function. The interface starts with the session using the function Session_Start () at the entry point. When the client initiates the request, it generates an identity, which is SessionID. Cookies are stored on the client side, and each communication on the client and the server is identified by this sessionid. After successful login, the user ID, user name will be stored in SESSION $_session[' userid '] = user id$_session[' uname ') = user name after all operations are judged $_session[' userid '] exists to check whether the user is logged on.
The code is as follows:
if (Isset ($_session[' userid '))) return True, the call to modify the password interface is transmitted to the server via Ajax post.
$.post ("interface *******", {oldpass:oldpass, Newpass:newpass, Userid:uid,}, function (data) {data = eval (' (' +data+ ') '); $ ('. gr Ant_info '). html (Infos[data.info]). Show (); }); Note that I write this code in the HTML page here, so that if you see the HTML code, you will know the interface address. The interface to modify the password is implemented, the first is to determine whether the user is logged in, if the login will be password modification operation. The implementation of the test example is probably the one described above.
Using SessionID attacks
1. The first is to get SessionID, of course the attacker gets this logo in a lot of ways, because my level is limited, as to how to get me here not to do the introduction. We can simulate the normal access to the project and then view the SessionID through the browser to get a legitimate user ID. You can see this item ID accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8accept-encoding:gzip in the request header. Deflateaccept-language:zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3connection:keep-alivecookie:hm_lvt_ bf1154ec41057869fceed66e9b3af5e7=1450428827,1450678226,1450851291,1450851486; PHPSESSID=2EIQ9HCPU3KSRI4R587CKT9JT7; Host: ******referer: ******user-agent:mozilla/5.0 (Windows NT 6.1; rv:41.0) gecko/20100101 firefox/41.0 after SessionID, If the user is logged in successfully, the user's information will be available in the server session.
2. After getting to SessionID, if the attacker already knows the interface to change the password, the user's password can be modified directly. If an attacker has not yet received an interface address, you can find the interface address by looking at the page code. You can use the following command #curl--cookie "PHPSESSID=2EIQ9HCPU3KSRI4R587CKT9JT7" page address as we said in this example, the AJAX code is written in the HTML page, So this page can be viewed to the interface address part of the HTML code as follows ... var uid = $ (". UserID"). Val (); $.post ("/user/user/modifypass_do", {oldpass:oldpass, Newpass:newpass, Userid:uid,}, function (data) {data = eval (' (' +data+ ') '), $ ('. Grant_info '). html (Infos[data.info]). Show (); } );......
3. After getting the interface can send data via curl analog post to modify password command as follows # Curl--cookie "Phpsessid=2eiq9hcpu3ksri4r587ckt9jt7"-D oldpass=111111-d newpass=000000-d userid= User ID interface address if the user is already logged in, the attacker can modify the user's password by executing the above command. Workaround for the above approach, we can enhance the security by complicating the authentication method. One way is to use the User-agent entry in the request header to enhance its security accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q= 0.8accept-encoding:gzip, deflate
Accept-language:zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3connection:keep-alivecookie:hm_lvt_ bf1154ec41057869fceed66e9b3af5e7=1450428827,1450678226,1450851291,1450851486; PHPSESSID=2EIQ9HCPU3KSRI4R587CKT9JT7; Host: ******referer: ******user-agent:mozilla/5.0 (Windows NT 6.1; rv:41.0) gecko/20100101 firefox/ 41.0 at the beginning of the project, we used the session_start () function to open the session initially. Now we can add this code under Session_Start () $_session[' user_agent '] = MD5 ($_server[' http_user_agent '), and then add the judging criteria each time you decide whether to log in or not: If (Isset ($_session[' userid ')) && $_session[' user_agent '] = = MD5 ($_server[' http_user_agent ')) {return true;} This avoids the simple attack described above.
Summary: Of course, the actual situation of the attack is far from so simple, first in the acquisition of SessionID This step is more difficult, and then the server-side interaction code as far as possible to encrypt, can avoid the above situation. After we modify the code for the second time, we can increase the complexity of the attack and not eliminate the attack. There are many ways to attack, but here is a simple way to provide only one idea, but the principle is the same, in the actual situation can be based on the actual situation to enhance the security of our code. Here is just to share their work in the problems encountered, the right to be a point, I hope you can further study further.
http://www.bkjia.com/PHPjc/1118030.html www.bkjia.com true http://www.bkjia.com/PHPjc/1118030.html techarticle is the session in PHP safe? PHP development for such a long time, really did not really care about security issues, each time is to complete the project-based, recently saw an article on the Internet on security ...
