Is your PHP/Laravel website hackable?

This is a short list of bugs that can compromise PHP/Laravel website security. Some are well known and easy to exploit. Others need stars to align for things to happen.

1. SQL injection

Probably the best known vulnerability. Basically, it allows an attacker to inject his own SQL into the queries your code runs. Say you have code like this:

$post_id = $_POST['post_id'];
$sql = "DELETE FROM posts WHERE user_id = 1 AND id = $post_id";
\DB::statement($sql);

If somebody enters this into the post_id field: 1 OR 1, the SQL query will look like this:

$sql = "DELETE FROM posts WHERE user_id = 1 AND id = 1 OR 1";

Basically, what you are saying now is: please delete all posts for all users.
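The vulnerable delete from above next to two safe ways of writing it in Laravel, as an added example that is not code from the original post. It assumes a Laravel application where the DB facade and an authenticated Request are available; the posts table and the post_id field are the ones from the snippet above.

```php
<?php
// Added example (not from the original post). Assumes a Laravel app with
// the DB facade available and an authenticated user on the request.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

// VULNERABLE: user input is concatenated into the SQL string.
// The input "1 OR 1" turns the WHERE clause into "... AND id = 1 OR 1",
// which matches every row in the table.
function deletePostVulnerable(Request $request): void
{
    $postId = $request->input('post_id');
    DB::statement("DELETE FROM posts WHERE user_id = 1 AND id = $postId");
}

// SAFE 1: raw SQL with bound parameters. The value is sent to the driver
// separately from the query text, so "1 OR 1" can never become SQL syntax.
// The integer validation rejects it before the query runs anyway.
function deletePostWithBinding(Request $request): int
{
    $validated = $request->validate(['post_id' => 'required|integer']);

    // DB::delete returns the number of affected rows.
    return DB::delete(
        'DELETE FROM posts WHERE user_id = ? AND id = ?',
        [$request->user()->id, $validated['post_id']]
    );
}

// SAFE 2: the query builder, which binds every value for you and also
// scopes the delete to the logged-in user instead of a hard-coded id.
function deletePostWithBuilder(Request $request): int
{
    $validated = $request->validate(['post_id' => 'required|integer']);

    return DB::table('posts')
        ->where('user_id', $request->user()->id)
        ->where('id', $validated['post_id'])
        ->delete();
}
```

Either safe variant deletes at most one row, and only one owned by the current user, no matter what is typed into post_id.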

2. XSS (cross site scripting)

Cross site scripting is similar to SQL injection. It allows an attacker to inject HTML/JavaScript code into the HTML of your page.

Imagine a page like Google, where users can enter a search query. On the result page you show them what they searched for:

<?php echo 'You searched for: ' . $_GET['search_query']; ?>

If an attacker enters something like this:

<script>alert('surprise!');</script>

The browser will execute the JavaScript and the user will see a popup saying “surprise!”.

With that, an attacker can steal cookies, redirect users to another website, or steal passwords. What, your password was 123456?

3. CSRF (cross site request forgery)

For example, you have a link on your website where a user can delete his account:

<a href="http://your-website.com/delete-account">delete account</a>

Guess what happens if an attacker posts a comment on your website that looks like this:

<img src="http://your-website.com/delete-account"> lol :D

Every logged-in user who views this comment will get their account deleted. Let’s go on a commenting spree!

4. Clickjacking

This type of attack tries to make you click where you didn’t want to, for example by placing an invisible Facebook Like button on top of another button.

Another example would be to open Facebook in an <iframe> and position that iframe with JavaScript so that wherever you click, you always click on the Share button on the Facebook page.

For example click here.

You liked this example too?

5. File upload to public_html

This attack allows an attacker to upload a .php or other executable file into your public_html folder.

Imagine you have an image upload on your website and you are not validating what file is uploaded. I see a file upload storm coming…

6. ZIP bomb

Some websites allow users to upload files in a .zip archive. After that they extract the archive and do something with those files. But there is a catch.

It is possible to make a .zip archive that takes just 42 KB and, when extracted, takes up 4718592 GB of space. Think of this file as a nuclear bomb.

Example of file

7. file_get_contents()

It is an easy-to-use function for getting the contents of a file:

echo file_get_contents('https://some-website.com/friend-list.txt');

But if you let an attacker enter whatever he wants, he can enter the name of a file on your server, for example:

echo file_get_contents('.env');

or

echo file_get_contents('secret-code.php');

The function will read the file from your server and display its contents to the attacker.

This vulnerability is hard to find, like a Pikachu in Pokémon.

8. Double form submission

A user can double click the form submit button and your PHP script will be executed twice. Sometimes this results in nasty bugs.

Conclusion

The best way to win the war on vulnerabilities is to know them by their faces.

Is your website protected from all of them? If yes, post its URL and somebody will check that :)

Mantas Donelavicius

Written by

Simplicity is the ultimate sophistication.
