CI security

#1
[eluser]Songoko20000[/eluser]
Hi guys
I have been asked to develop a website and I am using CodeIgniter, but I was asked to account for certain security issues, e.g.:
 Session fixation
 Session hijacking
 Spoofed form submissions
 Spoofed HTTP requests
 Cross-Site scripting (XSS)
 Cross-Site request forgeries (CSRF)
 Exposed access credentials
 SQL injection

I think I read in the CI user guide that it has built-in filtering for "Cross-Site scripting (XSS)" using the $config['global_xss_filtering'] in the config file.

But what about the other threats? Are they supported too, or what? Are there libraries I can download for CI to support them?

Thanks in advance

#2
[eluser]richzilla[/eluser]
A good intro to CI security:

http://ellislab.com/forums/viewthread/125687/

#3
[eluser]Songoko20000[/eluser]
Thanks for the post. It's a good intro indeed!
But it only stated that SQL injection and XSS are supported in CI.
What about the rest ?

#4
[eluser]richzilla[/eluser]
Session Fixation / Hijacking, Exposed access credentials - Use the standard PHP session library, which is server based and therefore cannot be accessed. The other options include hashing the session in the cookie (there is a function to do this: http://ellislab.com/codeigniter/user-gui...sions.html). Storing sessions in the database is another layer of security.

CSRF / Spoofed form submissions - CSRF is like XSS but the other way round. The best way to protect from this is to insert a known key into any POST submissions. This key is unique to each user, and can be cross checked with their credentials in the DB.

The biggest security tip however is to validate absolutely anything the user has access to; this includes things that aren't immediately obvious. I once had a problem on a blog where I didn't validate the post id in the URL, so the link read:

Code:
blog/post/view/92

Any user could have replaced the 92 with anything they liked. It didn't occur to me immediately as the user has no direct interaction with it (they click on a link to view a post).

EDIT: One more thing, I'm sure it's mentioned in the post I linked to earlier, but only the active record functions automatically escape database queries, so if you're inputting raw SQL, you'll have to do all the escaping yourself.
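A per-user form token of the kind described above, as an added example (not code from the thread or from CodeIgniter itself). It assumes a CodeIgniter 2.x controller with the Session library and form helper loaded; the class, method and field names are illustrative.

```php
<?php
// Added example: a per-session CSRF token checked on every POST.
// Assumes the Session library and form helper are loaded (e.g. autoloaded).
class Account extends CI_Controller {

    // Return this session's CSRF token, generating one on first use.
    private function csrf_token()
    {
        $token = $this->session->userdata('csrf_token');
        if ($token === FALSE) {
            // 32 random bytes -> 64 hex characters; random_bytes() needs PHP 7+
            $token = bin2hex(random_bytes(32));
            $this->session->set_userdata('csrf_token', $token);
        }
        return $token;
    }

    // Compare the submitted token with the session copy in constant time.
    private function csrf_valid()
    {
        $expected  = $this->session->userdata('csrf_token');
        $submitted = $this->input->post('csrf_token');
        return $expected !== FALSE
            && is_string($submitted)
            && hash_equals($expected, $submitted);   // PHP 5.6+
    }

    // GET: render the form with the token as a hidden field.
    public function edit()
    {
        $data['csrf_field'] = form_hidden('csrf_token', $this->csrf_token());
        $this->load->view('account/edit', $data);
    }

    // POST: refuse the request unless the token matches the session.
    public function save()
    {
        if ( ! $this->csrf_valid()) {
            show_error('Invalid or missing form token.', 403);
            return;
        }
        // ... validate and save the submitted fields here ...
    }
}
```

The view echoes $csrf_field inside the form so the token travels with the POST; a request forged from another site cannot read it from the victim's session and therefore fails the check.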

#5
[eluser]Songoko20000[/eluser]
OK, one more question:
I read the "Saving Session Data to a Database" in the session page in the user guide.

What I understood is by creating the "ci_session" table in the database and updating the config.php file sessions will be stored in the table automatically.

So if a user logs in, a new session is created; it's then inserted in the database automatically. If he navigates to any other page, his session id is compared automatically to the one in the database and if correct he is granted permission and his session in the table gets updated.
If it's different he is denied and his session is destroyed and removed from the database automatically as well.

Is that correct? Is everything done automatically, or do I need to write code to do a certain task?

#6
[eluser]richzilla[/eluser]
Correct, the storing of the session is done automatically, so all you need to do is write a function that checks for the presence of the session id in the database, and you know it's a session that's been created by your server rather than created artificially.

#7
[eluser]n0xie[/eluser]
[quote author="Songoko20000" date="1275872261"]
But what about the other threats? Are they supported too, or what? Are there libraries I can download for CI to support them?[/quote]
There are no silver bullets when it comes to most of these security threats. There is just good practice and defensive coding. You need to familiarise yourself with what the terms mean and how you should try to avoid/deal with them. It's not some magical 'switch' you can turn on or off.

#8
[eluser]mzuser[/eluser]
[quote author="ricardino" date="1275921088"]Correct, the storing of the session is done automatically, so all you need to do is write a function that checks for the presence of the session id in the database, and you know it's a session that's been created by your server rather than created artificially.[/quote]

When checking the session ID, is it worthwhile to check the other info like IP and User Agent data as well? Or can this cause issues if they log in from another computer?

#9
[eluser]WanWizard[/eluser]
These additional checks are done automatically by the Session library, unless you disable this in the config.

A session is identified by the session cookie which is stored locally. So multiple sessions from different PCs (or different browsers on the same PC) have different cookies, and are therefore considered different sessions.
