PHP source: https://github.com/php/php-src
My GitHub: https://github.com/sanalrakam
Project download (index.php): https://github.com/sanalrakam/security-solution-php/blob/master/index.php
What Will I Learn?
- How to detect and block reuse of your login cookies after they have been stolen, when an attacker tries to use them from a different device or browser.
Requirements
- Knowledge: general PHP structure.
- Tool: Google Chrome or any browser.
- Editor: any PHP or text editor, e.g. Notepad++ (https://notepad-plus-plus.org/download/v7.5.6.html)
- Firefox Developer Edition, used to edit cookies in the replay test (https://www.mozilla.org/tr/firefox/developer/)
- PHP 7.2 or 7.0 (the usual versions); no plugin or framework is required
- A local PHP stack for Windows or macOS, e.g. Laragon (https://laragon.org/download/index.html)
Difficulty
- Intermediate
Description
PHP cookie hijacking: prevention and blocking (secure)
While researching hacking techniques I spent a lot of time experimenting with a custom secure-cookie scheme, because I want PHP applications to hold up when someone attacks them. Most of these attacks go unreported, so I wanted to understand the technique myself and see whether it can be fixed. After a lot of reading and experimentation on this subject I arrived at the solution below.
What is this?
Most PHP web apps, WordPress included, are unfortunately not protected against cookie theft and reuse. Most developers do not know this subject well and rarely test how easily their own login can be hijacked; using a PHP framework does not change that, and I think it is risky.
How can you try it?
Open Google Chrome and look at the cookie names and values: they are not hidden. Any of that data can be copied, including by third-party JavaScript running on the page.
What if the cookie data is hashed or encrypted?
That does not matter, because the value can still be copied and replayed exactly as it is (the whole encrypted string). Hashing or encryption may be useful for other things, but it does not stop replay.
Proof & evidence (simple hack)
<?php
// global cookie lifetime: 30 days
$time = time() + (86400 * 30);
if (isset($_GET['logout'])) {
    // logout: delete both cookies, then redirect
    setcookie("login_name", "", -1, "/");
    setcookie("login", "", -1, "/");
    header('Location: index.php');
    exit;
}
if (isset($_GET['login'], $_GET['v1'], $_GET['v2']) && $_GET['login'] == '1') {
    $v1 = $_GET['v1'];
    $v2 = $_GET['v2']; // the password is never checked: this demo only shows the cookie weakness
    // the "session" is nothing but a base64-encoded user name in a cookie
    setcookie("login_name", base64_encode($v1), $time, "/");
    setcookie("login", '1', $time, "/");
    header('Location: index.php');
    exit;
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<title>Bare - Start Bootstrap Template</title>
<!-- Bootstrap core CSS -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.1.0/js/bootstrap.min.js"></script>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.1.0/css/bootstrap.min.css">
<link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css">
<!-- Custom styles for this template -->
<style>
body {padding-top: 54px;}
@media (min-width: 992px) {
body {padding-top: 56px;}
}
</style>
</head>
<body>
<!-- Navigation -->
<nav class="navbar navbar-expand-lg navbar-dark bg-dark fixed-top">
<div class="container">
<a class="navbar-brand" href="#">Start Bootstrap</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarResponsive" aria-controls="navbarResponsive" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarResponsive">
<ul class="navbar-nav ml-auto">
<li class="nav-item active">
<a class="nav-link" href="#">Home
<span class="sr-only">(current)</span>
</a>
</li>
<li class="nav-item">
<a class="nav-link" href="#">About</a>
</li>
<li class="nav-item">
<a class="nav-link" href="#">Services</a>
</li>
<li class="nav-item">
<a class="nav-link" href="#">Contact</a>
</li>
</ul>
</div>
</div>
</nav>
<!-- Page Content -->
<div class="container">
<div class="row">
<?php
$login = 0;
// treat the client as logged in if both cookies are present and non-empty
if (!empty($_COOKIE['login']) && !empty($_COOKIE['login_name'])) {
    $name = base64_decode($_COOKIE['login_name']);
    $login = 1;
}
if ($login == 1 && !empty($name)) {
    // logged in: show the panel
?>
<div class="col-lg-12 text-center w3-teal w3-text-white">
<h3>Panel-screen</h3>
<h2 class='w3-grey w3-inline'><?php print(htmlspecialchars($name, ENT_QUOTES, 'UTF-8')); ?></h2>
<hr>
<a class='w3-margin w3-padding w3-white' href='?logout=1'>Logout-exit</a>
<br><br><br>
</div>
<?php
}else{
// if login not work, then show login page
?>
<div class='w3-grey w3-block w3-margin w3-padding'>
Test-Login
<label class='w3-block w3-margin w3-padding'>
<b>name</b>
<input type='text' name='v1' class='form-control'>
</label>
<label class='w3-block w3-margin w3-padding'>
<b>Pass</b>
<input type='password' name='v2' class='form-control'>
</label>
<div id='teter3' class='w3-btn w3-red'>LOGIN TRY</div>
</div>
<?php } ?>
</div>
</div>
<script>
$('#teter3').click(function(){
    // quick demo login: sends both fields as GET parameters (never do this with a real password)
    window.location.href = 'index.php?login=1&v1=' + encodeURIComponent($('input[name=v1]').val())
        + '&v2=' + encodeURIComponent($('input[name=v2]').val());
});
</script>
</body>
</html>
Copy the code above into index.php, run it on localhost in Google Chrome,
type a user name and any password and click the login button.
Then click the (i) icon in Chrome's address bar and look at the cookies:
the login_name value is base64. Copy it and decode it with any tool,
e.g. https://www.base64decode.org/
(Google "base64 online decoder" for others.)
Possible ways cookies are stolen or logins bypassed; some examples:
- Authentication bypass
a) SQL injection
URL: http://host/hg/admin.php
Username: ' or 1/*
Password: any
b) Cookie-based authentication
Cookie: loged=yes
Cookie: username=admin
Cookie: user_level=1
- Cross-site scripting example
URL: http://host/hg/sign.php
Location: <XSS>
Website: javascript:alert(123)
Message: <XSS>
- SQL injection example:
http://host/hg/admin/edit_smilie.php?id=333'%20union%20select%201,2,3,4/*
How is stolen session information used?
A very simple example.
Step 1: log in on localhost in Google Chrome, as above.
Step 2: copy the cookie names and values Chrome shows you.
Step 3: now run another browser (Firefox Developer Edition), because Firefox lets you add and remove cookies in its built-in editor:
https://www.mozilla.org/tr/firefox/developer/
Download and install Firefox,
then open localhost index.php.
Right-click, choose "Inspect Element (Q)", and the panel opens at the bottom;
select Storage -> Cookies.
Step 4: add the two cookies with the names and values you copied. My sample values:
login_name = ZGVtbzEy
login = 1
The expiry can be any date in the future.
Finished.
With the two cookies added,
reload the page
and the user panel appears, i.e. you are logged in to that account. This is only a simple example; any malicious person can do it, and it works, at least partially, on many websites. Try it yourself.
Is it a powerful solution?
Yes; I tested it repeatedly across browsers and platforms and it works in many scenarios, I observed no slowdown, and I am using it in a few web apps.
How to fix the problem (hack guard)
step:1
First add the PHP session settings at the top of the file.
This is only a small amount of protection on its own. Note that these ini settings apply only to PHP's own session cookie (PHPSESSID), not to cookies you create yourself with setcookie(); for those you must pass the secure and httponly flags to setcookie() (the positional arguments after the domain in PHP 7.x).
// **PREVENTING SESSION HIJACKING**
// HttpOnly: JavaScript cannot read the session cookie, so XSS cannot steal the session ID
ini_set('session.cookie_httponly', 1);
// **PREVENTING SESSION FIXATION**
// The session ID is accepted only from the cookie, never from the URL
ini_set('session.use_only_cookies', 1);
// Secure: the session cookie is sent only over HTTPS
ini_set('session.cookie_secure', 1);
step:2
My cookie resetter function: it expires and unsets every cookie the browser sent.
function cookie_reset(){
    // expire every cookie on both the default path and "/"
    if (isset($_SERVER['HTTP_COOKIE'])) {
        $cookies = explode(';', $_SERVER['HTTP_COOKIE']);
        foreach ($cookies as $cookie) { // loop over all cookies
            $parts = explode('=', $cookie, 2);
            $name = trim($parts[0]);
            if ($name !== '') {
                // skip a cookie that must survive (e.g. a "remember" flag)
                if ($name == 'cook_rem') { continue; }
                setcookie($name, '', time() - 3600);
                setcookie($name, '', time() - 3600, '/');
            }
        }
    }
    // reload the page; a JavaScript redirect is used because this may be called after output has started
    echo "<script>window.location.href='index.php';</script>";
    exit; // stop processing
}
step:3
Get the client IP address (HTTP_CLIENT_IP, X-Forwarded-For, REMOTE_ADDR). Caveat: HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are ordinary request headers that any client can send, so an attacker replaying stolen cookies can set them to the victim's address. Trust them only when the request arrives from a reverse proxy you control; otherwise use REMOTE_ADDR, the address that actually opened the TCP connection.
function getip(){
    $ip = "0";
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {            // client-supplied header, spoofable
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { // client-supplied header, spoofable; may be a list
        $ip = trim(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0]);
    } elseif (!empty($_SERVER['REMOTE_ADDR'])) {
        $ip = $_SERVER['REMOTE_ADDR'];                    // the peer that really connected
    }
    return $ip;
}
step:4
Generate a custom client key, unique per client (iPhone, Android, Chrome, Firefox, ...): the SHA-1 of the IP address and the User-Agent string. Caveats: the User-Agent is chosen by the client, so an attacker replaying stolen cookies can copy the victim's as well, and clients whose IP changes (mobile networks, VPNs) will be logged out.
function key_gen(){
    // every browser sends a User-Agent; fall back to "0" if it is missing
    $e = "0";
    if (!empty($_SERVER['HTTP_USER_AGENT'])) {
        $e = $_SERVER['HTTP_USER_AGENT'];
    }
    // the hash is the key
    return sha1(getip() . $e);
}
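To see what the IP binding is worth, here is an added example (mine, not the tutorial's code) that exercises the lookup order getip() intends and the key_gen() construction with three hand-constructed request arrays: the victim's own request, an attacker replaying the stolen cookies from another address with the victim's User-Agent, and the same attacker adding a Client-IP header. The names getip_tutorial, getip_hardened and key_gen_for are mine, the addresses are documentation ranges, and $trustedProxies stands in for the addresses of reverse proxies you operate.

```php
<?php
// Added example, not from the original tutorial. Request arrays below are
// constructed by hand so the functions can be exercised offline (php -f).

// The lookup order the tutorial intends, with $_SERVER passed in as a
// parameter. Client-supplied headers win over the real peer address.
function getip_tutorial(array $server): string {
    if (!empty($server['HTTP_CLIENT_IP'])) {
        return $server['HTTP_CLIENT_IP'];
    }
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    return $server['REMOTE_ADDR'] ?? '0';
}

// Hardened lookup: only the TCP peer is trusted, unless that peer is one of
// our own reverse proxies; then the hop our proxy appended (the last one) is
// the client, because earlier hops were written by whoever sent the request.
// Client-IP is never consulted.
function getip_hardened(array $server, array $trustedProxies = []): string {
    $peer = $server['REMOTE_ADDR'] ?? '0';
    if (in_array($peer, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return end($hops);
    }
    return $peer;
}

// Same construction as the tutorial's key_gen(): sha1(ip . user agent).
function key_gen_for(array $server, callable $ipfn): string {
    return sha1($ipfn($server) . ($server['HTTP_USER_AGENT'] ?? '0'));
}

// Constructed requests (documentation address ranges).
$victim        = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (victim)'];
$attacker      = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (victim)'];
$attackerSpoof = $attacker + ['HTTP_CLIENT_IP' => '203.0.113.10'];

$victimKey = key_gen_for($victim, 'getip_tutorial');
printf("tutorial, plain replay from another IP: %s\n",
    key_gen_for($attacker, 'getip_tutorial') === $victimKey ? 'ACCEPTED' : 'blocked');
printf("tutorial, replay with forged Client-IP: %s\n",
    key_gen_for($attackerSpoof, 'getip_tutorial') === $victimKey ? 'ACCEPTED' : 'blocked');

$victimKeyHardened = key_gen_for($victim, 'getip_hardened');
printf("hardened, replay with forged Client-IP: %s\n",
    key_gen_for($attackerSpoof, 'getip_hardened') === $victimKeyHardened ? 'ACCEPTED' : 'blocked');
```

The first case is the one the tutorial's Firefox test reproduces: the replay comes from a different address, the recomputed key differs, and the login is rejected. The second case is the same replay with one extra request header carrying the victim's address; because getip() reads that header first, the key matches again. Only the hardened lookup, which ignores client-writable headers unless the peer is a known proxy, keeps the binding meaningful.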
step:5
Check the incoming key. The server recomputes the key on every request; if the browser sends a key cookie that does not match, the cookies did not originate from this client (or its IP or user agent changed), so everything is reset:
$new = key_gen();
if (!empty($_COOKIE['key']) && $new !== $_COOKIE['key']) {
    cookie_reset(); // expires all cookies, redirects to index.php and exits
}
step:6 (finish)
Also replace the login PHP code. The login_name cookie now carries the client key as well, so the display code can verify that the cookie was issued to this client:
if (isset($_GET['login'], $_GET['v1'], $_GET['v2']) && $_GET['login'] == '1') {
    $v1 = $_GET['v1']; // $_GET is already URL-decoded, so no rawurldecode() is needed
    $v2 = $_GET['v2']; // still not verified: a real login must check the password against a stored hash
    $usr_c = base64_encode($v1 . '-xx-' . $new);
    setcookie("login_name", $usr_c, $time, "/");
    setcookie("login", '1', $time, "/");
    setcookie("key", $new, $time, '/');
    header('Location: index.php');
    exit;
}
And change this part:
the panel screen / login screen,
where the login_name cookie is used.
<!-- Page Content -->
<div class="container">
<div class="row">
<?php
$login = 0;
if (!empty($_COOKIE['login']) && !empty($_COOKIE['login_name'])) {
    $name = base64_decode($_COOKIE['login_name']);
    $ar = explode('-xx-', $name);
    if (isset($ar[0], $ar[1])) {
        if ($ar[1] !== $new) {
            // the key inside the cookie does not match this client: stolen or tampered
            cookie_reset(); // expires all cookies, redirects and exits
        }
        $usr_name = $ar[0];
        $login = 1;
    }
}
if ($login == 1) {
?>
<div class="col-lg-12 text-center w3-teal w3-text-white">
<h3>Panel-screen</h3>
<h2 class='w3-grey w3-inline'><?php print(htmlspecialchars($usr_name, ENT_QUOTES, 'UTF-8')); ?></h2>
<hr>
<a class='w3-margin w3-padding w3-white' href='?logout=1'>Logout-exit</a>
<br><br><br>
</div>
<?php
} else {
?>
<div class='w3-grey w3-block w3-margin w3-padding'>
Test-Login
<label class='w3-block w3-margin w3-padding'>
<b>name</b>
<input type='text' name='v1' class='form-control'>
</label>
<label class='w3-block w3-margin w3-padding'>
<b>Pass</b>
<input type='password' name='v2' class='form-control'>
</label>
<div id='teter3' class='w3-btn w3-red'>LOGIN TRY</div>
</div>
<?php
}
?>
</div>
</div>
Now try it:
step1: in Google Chrome, log in on localhost and copy all the cookie information.
step2:
open Firefox Developer Edition again,
right-click, choose "Inspect Element (Q)" and the panel opens at the bottom;
select Storage -> Cookies,
add all the cookies with (+) and reload the page.
The system does its job: if the logged-in information has been stolen and replayed from another client, it deletes everything
(removes all cookies) and reloads the page. I think this is secure: a specially produced, compact solution.
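For readers who want to go further than the plain key cookie, here is an added example (mine, not the tutorial's code) of the same login flow with a single HMAC-signed cookie: the client binding is folded into a signature keyed with a server-side secret, so the client can neither forge the cookie nor swap the binding out, the password is actually verified, and the cookie is set with the Secure and HttpOnly flags. It assumes an APP_SECRET environment variable, that REMOTE_ADDR is the real client (no reverse proxy in front), and a constructed $users array in place of a user table; the names COOKIE_NAME, client_binding, issue_auth_cookie and verify_auth_cookie are mine.

```php
<?php
// Added example, not the tutorial's code. Assumptions: APP_SECRET is set in the
// environment (never in the page), REMOTE_ADDR is the real client, and $users
// is a constructed stand-in for a user table holding password_hash() values.

const COOKIE_NAME = 'auth';
const COOKIE_TTL  = 86400 * 30; // 30 days, as in the tutorial

function app_secret(): string {
    $s = getenv('APP_SECRET');
    if ($s === false || strlen($s) < 32) {
        throw new RuntimeException('APP_SECRET must be set to at least 32 bytes');
    }
    return $s;
}

// Same idea as key_gen(): bind the cookie to IP and User-Agent. The binding is
// never stored in a cookie on its own; it only enters the signature.
function client_binding(): string {
    return ($_SERVER['REMOTE_ADDR'] ?? '0') . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? '0');
}

function issue_auth_cookie(string $user): string {
    $payload = base64_encode(json_encode(['u' => $user, 'exp' => time() + COOKIE_TTL]));
    $mac     = hash_hmac('sha256', $payload . '|' . client_binding(), app_secret());
    $value   = $payload . '.' . $mac;
    // PHP 7.x positional form: expire, path, domain, secure, httponly
    setcookie(COOKIE_NAME, $value, time() + COOKIE_TTL, '/', '', true, true);
    return $value;
}

// Returns the user name, or null. A tampered payload, a cookie replayed from a
// different IP/User-Agent, and an expired cookie all fail the same way.
function verify_auth_cookie(?string $value): ?string {
    if ($value === null || substr_count($value, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $value, 2);
    $expected = hash_hmac('sha256', $payload . '|' . client_binding(), app_secret());
    if (!hash_equals($expected, $mac)) {     // constant-time comparison
        return null;
    }
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($data) || !isset($data['u']) || ($data['exp'] ?? 0) < time()) {
        return null;
    }
    return (string) $data['u'];
}

// Login via POST, so the password never lands in URLs or access logs, and the
// password is checked, which the tutorial's demo never does.
$users = ['demo12' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)]; // constructed
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['v1'], $_POST['v2'])) {
    $u = (string) $_POST['v1'];
    if (isset($users[$u]) && password_verify((string) $_POST['v2'], $users[$u])) {
        issue_auth_cookie($u);
    }
    header('Location: index.php');
    exit;
}

$usr_name = verify_auth_cookie($_COOKIE[COOKIE_NAME] ?? null);
if ($usr_name === null) {
    setcookie(COOKIE_NAME, '', time() - 3600, '/'); // drop anything invalid
}
// In the template, print the name only through htmlspecialchars($usr_name, ENT_QUOTES, 'UTF-8').
```

Compared with the tutorial's three cookies, one signed cookie removes the separate key cookie entirely: the server recomputes the expected MAC from the request it actually received, so a copied cookie presented from another client fails verification without any reset logic. The standard alternative is PHP's own server-side session (session_start() and $_SESSION) with the ini settings from step 1, which keeps all state off the client; the example keeps the tutorial's cookie-based design so the two can be compared directly.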
### Final index.php (complete, latest state)
<?php
//global cookie lifetime: 30 days
$time=time() + (86400 * 30);
// **PREVENTING SESSION HIJACKING**
// HttpOnly: JavaScript cannot read the session cookie, so XSS cannot steal the session ID
ini_set('session.cookie_httponly', 1);
// **PREVENTING SESSION FIXATION**
// The session ID is accepted only from the cookie, never from the URL
ini_set('session.use_only_cookies', 1);
// Secure: the session cookie is sent only over HTTPS
ini_set('session.cookie_secure', 1);
function cookie_reset(){
//expire every cookie the browser sent, on both the default path and "/"
if(isset($_SERVER['HTTP_COOKIE'])){
$cookies = explode(';', $_SERVER['HTTP_COOKIE']);
foreach($cookies as $cookie){
$parts = explode('=', $cookie, 2);
$name = trim($parts[0]);
if($name !== ''){
if($name=='cook_rem'){continue;} //cookie that must survive
setcookie($name,'',time()-3600);
setcookie($name,'',time()-3600, '/');
}
}
}
//JavaScript redirect, because this may run after output has started
echo "<script>window.location.href='index.php';</script>";exit;
}
function getip(){$ip="0";
//HTTP_CLIENT_IP and X-Forwarded-For are client-supplied and spoofable; trust them only behind your own proxy
if(!empty($_SERVER['HTTP_CLIENT_IP'])){
$ip=$_SERVER['HTTP_CLIENT_IP'];
}elseif(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])){
$ip=trim(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0]);
}elseif(!empty($_SERVER['REMOTE_ADDR'])){
$ip=$_SERVER['REMOTE_ADDR']; //the peer that really connected
}
return $ip;
}
function key_gen(){
//client key: sha1 of IP and User-Agent (the User-Agent is client-chosen)
$e="0";
if(!empty($_SERVER['HTTP_USER_AGENT'])){
$e=$_SERVER['HTTP_USER_AGENT'];
}
return sha1(getip().$e);
}
//recompute the key for this request and compare with the key cookie
$new=key_gen();
if(!empty($_COOKIE['key']) && $new !== $_COOKIE['key']){
cookie_reset(); //expires all cookies, redirects and exits
}
if(isset($_GET['logout'])){
setcookie("login_name","",-1, "/");
setcookie("login","",-1, "/");
header('Location: index.php');
exit;
}
if(isset($_GET['login'], $_GET['v1'], $_GET['v2']) && $_GET['login']=='1'){
$v1=$_GET['v1']; //$_GET is already URL-decoded
$v2=$_GET['v2']; //the password is never verified in this demo
$usr_c=base64_encode($v1.'-xx-'.$new);
setcookie("login_name",$usr_c,$time, "/");
setcookie("login",'1',$time, "/");
setcookie("key",$new,$time,'/');
header('Location: index.php');
exit;
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<title>Bare - Start Bootstrap Template</title>
<!-- Bootstrap core CSS -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.1.0/js/bootstrap.min.js"></script>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.1.0/css/bootstrap.min.css">
<link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css">
<!-- Custom styles for this template -->
<style>
body {padding-top: 54px;}
@media (min-width: 992px) {
body {padding-top: 56px;}
}
</style>
</head>
<body>
<!-- Navigation -->
<nav class="navbar navbar-expand-lg navbar-dark bg-dark fixed-top">
<div class="container">
<a class="navbar-brand" href="#">Start Bootstrap</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarResponsive" aria-controls="navbarResponsive" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarResponsive">
<ul class="navbar-nav ml-auto">
<li class="nav-item active">
<a class="nav-link" href="#">Home
<span class="sr-only">(current)</span>
</a>
</li>
<li class="nav-item">
<a class="nav-link" href="#">About</a>
</li>
<li class="nav-item">
<a class="nav-link" href="#">Services</a>
</li>
<li class="nav-item">
<a class="nav-link" href="#">Contact</a>
</li>
</ul>
</div>
</div>
</nav>
<!-- Page Content -->
<div class="container">
<div class="row">
<?php
$login=0;
if(!empty($_COOKIE['login']) && !empty($_COOKIE['login_name'])){
$name=base64_decode($_COOKIE['login_name']);
$ar=explode('-xx-',$name);
if(isset($ar[0], $ar[1])){
if($ar[1] !== $new){
//the key inside the cookie does not match this client: reset everything (redirects and exits)
cookie_reset();
}
$usr_name=$ar[0];
$login=1;
// login ok
}
}
if($login == 1){
?>
<div class="col-lg-12 text-center w3-teal w3-text-white">
<h3>Panel-screen</h3>
<h2 class='w3-grey w3-inline'><?php print(htmlspecialchars($usr_name, ENT_QUOTES, 'UTF-8')); ?></h2>
<hr>
<a class='w3-margin w3-padding w3-white' href='?logout=1'>Logout-exit</a>
<br><br><br>
</div>
<?php }else{ ?>
<div class='w3-grey w3-block w3-margin w3-padding'>
Test-Login
<label class='w3-block w3-margin w3-padding'>
<b>name</b>
<input type='text' name='v1' class='form-control'>
</label>
<label class='w3-block w3-margin w3-padding'>
<b>Pass</b>
<input type='password' name='v2' class='form-control'>
</label>
<div id='teter3' class='w3-btn w3-red'>LOGIN TRY</div>
</div>
<?php } ?>
</div>
</div>
<script>
$('#teter3').click(function(){
    // demo login: sends both fields as GET parameters (never do this with a real password)
    window.location.href = 'index.php?login=1&v1=' + encodeURIComponent($('input[name=v1]').val())
        + '&v2=' + encodeURIComponent($('input[name=v2]').val());
});
</script>
</body>
</html>
Thank you for your contribution.
See this link for an example of a good tutorial.
Need help? Write a ticket on https://support.utopian.io/.
Chat with us on Discord.
[utopian-moderator]
Thanks for the advice.