
Protection against hacks

This page is about protection, not about how to hack!

Image uploads

  1. Injecting PHP code into an image file.

    An attacker uploads a file that passes as an image but carries PHP code (in the metadata or appended after the image data) and then tries to get the server to execute it by requesting it as a script. With MVC, every request goes through one front controller, so direct access to any other PHP script can easily be refused. Images and other resources are fetched by their URL, but a PHP script never needs to be reachable by its own URL, and an uploaded file must never sit where the server would execute it.

Session hijacks

A session hijacking attack compromises the session token by stealing or predicting a valid token in order to gain unauthorized access to the web server.
The session token can be compromised in different ways; the most common are:
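The following is an added example of the server-side countermeasures, not code from iBiscuits. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and that the site is served over HTTPS; the user-agent fingerprint is a coarse check that an attacker who captured the cookie can copy, so it is a speed bump rather than a guarantee.

```php
<?php
// Added example (not iBiscuits code): hardening PHP sessions against
// token theft and token prediction. Assumes HTTPS and PHP >= 7.3.
declare(strict_types=1);

function start_secure_session(): void
{
    // Prediction: let PHP generate a long random ID and refuse any ID the
    // server did not issue itself (also blocks session fixation via a chosen ID).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');   // never accept the ID from the URL
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');

    // Theft: the cookie is only sent over HTTPS, is invisible to JavaScript
    // (limits what an XSS bug can read) and is not attached to cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();

    // Bind the session to a coarse client fingerprint. A cookie replayed from a
    // different browser fails this check. (IP binding is deliberately avoided:
    // it breaks users on mobile networks and proxies.)
    $fp = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (isset($_SESSION['fp']) && !hash_equals($_SESSION['fp'], $fp)) {
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('session rejected');
    }
    $_SESSION['fp'] = $fp;

    // Rotate the ID every 15 minutes so a captured token has a short useful life.
    if (!isset($_SESSION['rotated']) || time() - (int) $_SESSION['rotated'] > 900) {
        session_regenerate_id(true);
        $_SESSION['rotated'] = time();
    }
}

function on_login(int $userId): void
{
    // Always issue a fresh ID when privileges change, so a token the attacker
    // planted or observed before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['rotated'] = time();
}

function on_logout(): void
{
    $_SESSION = [];
    session_destroy();
    // Expire the cookie in the browser as well, not only the server-side record.
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
}
```

Call start_secure_session() from the front controller before any output, and on_login() only after the credentials have been verified.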

Tips

  1. Store uploaded image files outside the public html area and serve them through a script, so the web server never treats an upload as something it could execute.
  2. Don't give away path information in JavaScript, e.g. the paths of scripts loaded via Ajax.

    A little redirection works here. If you have a list of scripts, give each one a token label and always load the same script, passing this label to a switch statement that knows the real paths. Only labels in that list can ever resolve to a file, so a request can't reach anything else.
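The loader described above, written out as an added example (not iBiscuits code). The file names under private/ and the IBISCUITS_LOADER marker are hypothetical; an associative array is used in place of the switch statement, which behaves the same way.

```php
<?php
// Added example, not iBiscuits code. The private/ paths are hypothetical.
// The browser only ever sees URLs like loader.php?s=profile; the real
// locations of the Ajax scripts are known only to this file.
declare(strict_types=1);

// Public token => real path (the "switch statement that knows the real paths").
const SCRIPT_MAP = [
    'profile' => __DIR__ . '/../private/ajax/profile.php',
    'search'  => __DIR__ . '/../private/ajax/search.php',
];

/**
 * Exact-key lookup only. A label containing "../", an absolute path or an
 * unknown name simply resolves to null, so the request can't be steered to
 * any file outside the list.
 */
function resolve_script(string $token): ?string
{
    return SCRIPT_MAP[$token] ?? null;
}

// Marker that the private scripts check so they refuse to run when reached
// any other way than through this loader.
define('IBISCUITS_LOADER', true);

$path = resolve_script((string) ($_GET['s'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('unknown script');
}
require $path;
```

Each private script should start with a guard such as `if (!defined('IBISCUITS_LOADER')) { http_response_code(403); exit('Direct Access to THIS PHP script should be disallowed'); }` so that it fails even if it is ever placed where a URL can reach it.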

Biscuits: considerations for reducing server load

  1. Guest access controls
  2. Possible hashing of the directory listings to avoid disk I/O
  3. Turn off the Biscuits log tracker method.

Security tests

  1. Direct access to a PHP file via its URL. Should fail: "Direct Access to THIS PHP script should be disallowed".
  2. Profile image upload should validate images with embedded scripts. Expected result: "This image should be blocked as it contains scripts".
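An added example (not iBiscuits code) of how the image-upload protection and the second test above fit together: the file type is checked from its content, obvious script markers are rejected, the image is re-encoded so only pixel data survives, and the result is stored outside the public html area and served through a script. It assumes PHP 8 with the GD and fileinfo extensions and a hypothetical upload directory /var/www/private/uploads.

```php
<?php
// Added example, not iBiscuits code. Assumes PHP 8 with GD and fileinfo,
// and a hypothetical upload directory that is NOT under public_html.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;

/** Detect the type from file content (magic bytes and a parsable header), never from the name. */
function image_type_from_content(string $path): ?string
{
    $allowed = ['image/jpeg' => 'jpeg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!isset($allowed[$mime]) || @getimagesize($path) === false) {
        return null;
    }
    return $allowed[$mime];
}

/**
 * Detection only. The short tag "<?" is deliberately not matched because
 * legitimate JPEG XMP metadata begins with "<?xpacket"; re-encoding below is
 * what actually removes anything hidden in metadata or after the image data.
 */
function contains_script_markers(string $bytes): bool
{
    return preg_match('/<\?php\b|<\?=|<script\b/i', $bytes) === 1;
}

/** Validate, then re-encode through GD so only pixel data reaches disk. */
function store_profile_image(string $srcPath, int $userId): string
{
    if (filesize($srcPath) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    $type = image_type_from_content($srcPath);
    if ($type === null) {
        throw new RuntimeException('not a supported image');
    }
    if (contains_script_markers((string) file_get_contents($srcPath))) {
        throw new RuntimeException('This image should be blocked as it contains scripts');
    }
    $img = match ($type) {
        'jpeg' => @imagecreatefromjpeg($srcPath),
        'png'  => @imagecreatefrompng($srcPath),
        'gif'  => @imagecreatefromgif($srcPath),
    };
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // Server-chosen name and extension: the client's file name is never used.
    $dest = UPLOAD_DIR . '/' . $userId . '.png';
    if (!imagepng($img, $dest)) {
        throw new RuntimeException('could not write image');
    }
    return $dest;
}

/** Upload handler: only accepts a file that PHP itself received via POST. */
function handle_profile_upload(array $file, int $userId): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('invalid upload');
    }
    return store_profile_image($file['tmp_name'], $userId);
}

/** Serve from the private directory through a script; the file itself has no URL. */
function serve_profile_image(int $userId): void
{
    $path = UPLOAD_DIR . '/' . $userId . '.png';
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/png');
    header('X-Content-Type-Options: nosniff');   // browser must not re-interpret the bytes
    header('Content-Disposition: inline; filename="avatar.png"');
    readfile($path);
}

// Constructed fixture for the "embedded script" test: a valid 1x1 GIF with a
// harmless PHP tag appended after the image trailer. The header still passes
// the type check, so the marker scan and the re-encode are what stop it.
$polyglot = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7')
    . "<?php echo 'x'; ?>";
$tmp = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($tmp, $polyglot);
var_dump(image_type_from_content($tmp));      // the type check alone is not enough
var_dump(contains_script_markers($polyglot));  // the marker scan blocks this file
unlink($tmp);
```

The upload handler is called from the controller with $_FILES['avatar'] and the logged-in user's id; the message it throws for a flagged file is the one the test above expects.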
