Comprehensive PHP application security audit: Leveraging PHP.ini security scanner, code review, and vulnerability scanning tools

Larbi OUIYZME
4 min read · Jul 21, 2024


Securing PHP applications is a critical task in web application security, and its difficulty grows with the size of the project and the number of files involved. With the growing complexity and sophistication of attacks, ensuring that your PHP applications are fortified against vulnerabilities is paramount. This article explores a holistic approach to PHP application security audits, focusing on the PHP.ini Security Scanner available on GitHub and additional tools for detecting the vulnerabilities identified in the OWASP Top 10. We also delve into best practices for PHP.ini configuration, code review, and vulnerability scanning of PHP files using tools like OWASP ZAP, Burp Suite, SQLMap, and SonarQube.

Introduction

PHP, as a widely used server-side scripting language, often becomes a target for various security threats. To safeguard your PHP applications, adopting a comprehensive security strategy is essential. This article outlines the use of a custom PHP.ini Security Scanner along with other well-known tools like Burp Suite, OWASP ZAP, SQLMap, and SonarQube to identify and mitigate security risks.

PHP.ini Security Scanner

The PHP.ini Security Scanner is a tool designed to audit the PHP configuration file (php.ini) against best security practices. It checks for common misconfigurations and provides recommendations to enhance the security of your PHP environment.

Key Features:

  • Configuration Verification: Checks the php.ini file for recommended security settings.
  • Report Generation: Produces a detailed report outlining current configurations and recommended changes.
  • User-Friendly Interface: Simple to use, with straightforward prompts and output.

Installation and Usage:

To use the PHP.ini Security Scanner, follow these steps:

  • Clone the Repository:

    git clone https://github.com/larbi67/php-ini-security-scanner.git
    cd php-ini-security-scanner

  • Run the Scanner:

    python php_ini_scanner.py

  • Follow the Prompts:

    Enter the path to your php.ini file and review the generated report.

  • Sample Report:

    ID P1 (Authentication) - Configuration 'allow_url_fopen': Current Value = on, Recommended Value = Off
    ID P2 (Session Management) - Configuration 'session.cookie_secure': Current Value = Not Set, Recommended Value = On
    ID P2 (Session Management) - Configuration 'session.cookie_httponly': Current Value = Empty, Recommended Value = On
    ID P2 (Session Management) - Configuration 'session.cookie_samesite': Current Value = Empty, Recommended Value = Strict
    ...

Best Practices for PHP.ini Configuration

Securing your PHP configuration involves setting parameters that minimize risk and enhance the overall security of your PHP environment. Here are some best practices:

  • Disable Dangerous Functions:

    Prevent execution of potentially dangerous functions that can be exploited by attackers.

    disable_functions = exec,passthru,shell_exec,system

  • Disable URL Fopen:

    Prevent PHP from accessing remote files, reducing the risk of remote file inclusion attacks.

    allow_url_fopen = Off

  • Error Display:

    Disable error display in production environments to avoid leaking sensitive information.

    display_errors = Off

  • File Uploads:

    Disable file uploads if not required, to mitigate file upload vulnerabilities.

    file_uploads = Off

  • Session Security:

    Ensure secure, HTTP-only, and same-site cookies for session management. Use strong entropy and hashing functions.

    session.cookie_secure = On
    session.cookie_httponly = On
    session.cookie_samesite = Strict
    session.entropy_length = 32
    session.hash_function = sha256

  • Resource Limits:

    Set limits to prevent abuse of server resources and potential denial-of-service attacks.

    max_execution_time = 30
    memory_limit = 128M
    post_max_size = 8M
    upload_max_filesize = 2M
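As an added example (not the scanner's own code, nor code from this article), the following Python script does what the scanner description and the best-practice list above call for: it parses a php.ini file, compares the directives covered in this section against the recommended values, and reports deviations in the style of the sample report. The IDs P1 and P2 and their category names are taken from the sample report; P3 to P5, the check table, the function names, and the sample php.ini fragment are constructed for this example. The example goes slightly beyond the lists above in two places: it treats memory_limit = -1 and max_execution_time = 0 as "unlimited" (which is what PHP makes of them) so they fail the resource-limit checks, and it flags session.entropy_length and session.hash_function when they are present, because both directives were removed in PHP 7.1 and are ignored on current releases, so finding them usually means a configuration carried over from an older server.

```python
import re
import sys

# Constructed sample php.ini fragment mixing compliant and non-compliant settings.
SAMPLE_INI = """\
allow_url_fopen = On
display_errors = Off
file_uploads = On
disable_functions = exec,system
max_execution_time = 0
memory_limit = -1
post_max_size = 8M
upload_max_filesize = "2M"
[Session]
session.cookie_secure = 1
session.cookie_httponly =
session.cookie_samesite = Lax ; should be Strict
session.hash_function = sha256
"""

# (id, category, directive, recommended, kind); P1/P2 mirror the sample report, P3-P5 are labels constructed here.
CHECKS = [
    ("P1", "Authentication", "allow_url_fopen", "Off", "bool"),
    ("P2", "Session Management", "session.cookie_secure", "On", "bool"),
    ("P2", "Session Management", "session.cookie_httponly", "On", "bool"),
    ("P2", "Session Management", "session.cookie_samesite", "Strict", "str"),
    # session.entropy_length and session.hash_function were removed in PHP 7.1: flag stale settings.
    ("P2", "Session Management", "session.entropy_length", "Not Set (removed in PHP 7.1)", "removed"),
    ("P2", "Session Management", "session.hash_function", "Not Set (removed in PHP 7.1)", "removed"),
    ("P3", "Code Execution", "disable_functions", "exec,passthru,shell_exec,system", "set"),
    ("P4", "Information Disclosure", "display_errors", "Off", "bool"),
    ("P4", "Information Disclosure", "file_uploads", "Off", "bool"),
    ("P5", "Resource Limits", "max_execution_time", "30", "seconds"),
    ("P5", "Resource Limits", "memory_limit", "128M", "size"),
    ("P5", "Resource Limits", "post_max_size", "8M", "size"),
    ("P5", "Resource Limits", "upload_max_filesize", "2M", "size"),
]
_TRUE = {"1", "on", "true", "yes"}
_FALSE = {"0", "off", "false", "no", "none", ""}

def _clean_value(raw):
    raw = raw.strip()
    if raw.startswith('"'):  # quoted value: take everything up to the closing quote
        return raw[1:raw.find('"', 1)] if '"' in raw[1:] else raw[1:]
    return raw.split(";", 1)[0].strip()  # otherwise drop a trailing ';' comment

def parse_php_ini(text):
    """Return {directive: value}; skips blank lines, comments and [section] headers."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = _clean_value(value)
    return settings

def parse_size(value):
    # php.ini size such as 128M or 2k, in bytes; a negative value means "unlimited"
    m = re.fullmatch(r"(-?\d+)\s*([kKmMgG]?)", value.strip())
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2).lower()
    return float("inf") if n < 0 else n * {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}[unit]

def is_compliant(kind, raw, recommended):
    """Decide whether the raw directive value meets the recommendation for its kind."""
    if kind == "removed":
        return raw is None
    if raw is None:
        return False  # unset: the build default cannot be trusted, so report it
    value = raw.strip().lower()
    if kind == "bool":
        return value in (_TRUE if recommended == "On" else _FALSE)
    if kind == "str":
        return value == recommended.lower()
    if kind == "set":  # every recommended function must appear in the list
        present = {f.strip() for f in value.split(",") if f.strip()}
        return {f.strip() for f in recommended.split(",")} <= present
    if kind == "seconds":  # 0 means "no limit" in PHP, so it fails
        return value.isdigit() and 0 < int(value) <= int(recommended)
    current = parse_size(value)  # kind == "size"
    return current is not None and current <= parse_size(recommended)

def audit(ini_text):
    """Return one sample-report-style line per non-compliant directive."""
    settings = parse_php_ini(ini_text)
    report = []
    for cid, category, directive, recommended, kind in CHECKS:
        raw = settings.get(directive)
        if not is_compliant(kind, raw, recommended):
            current = "Not Set" if raw is None else (raw or "Empty")
            report.append(f"ID {cid} ({category}) - Configuration '{directive}': "
                          f"Current Value = {current}, Recommended Value = {recommended}")
    return report

if __name__ == "__main__":  # usage: python php_ini_check.py /path/to/php.ini
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_INI
    print("\n".join(audit(text)) or "No deviations from the recommended settings found.")
```

Run without arguments it audits the embedded sample and reports eight findings (allow_url_fopen, the two cookie flags, the stale session.hash_function, the incomplete disable_functions list, file_uploads, and the two unlimited resource settings); pass a real php.ini path to audit a server. Note that an unset directive is reported rather than assumed safe, since the effective default then depends on the PHP build and the php.ini-production or php.ini-development template the server started from.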

Code Review and Quality Tools

In addition to configuration audits, conducting code reviews and using quality assurance tools is crucial for maintaining secure and high-quality PHP code.

Code Review Best Practices

  • Peer Reviews: Conduct code reviews with peers to identify potential vulnerabilities and ensure adherence to coding standards.
  • Static Code Analysis: Use tools to automatically analyze code for common vulnerabilities and code smells.
  • Regular Reviews: Schedule regular code reviews to catch issues early and maintain code quality over time.

Quality and Vulnerability Scanning Tools

  1. SonarQube: SonarQube is a popular tool for static code analysis, providing detailed insights into code quality and security vulnerabilities.
  2. Burp Suite: Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process. Use Case: Identify and exploit SQL injection, XSS, and other OWASP vulnerabilities. Usage: Launch Burp Suite and configure the browser to use Burp as a proxy.
  3. OWASP ZAP: ZAP (Zed Attack Proxy) is an open-source web application security scanner designed to find security vulnerabilities in web applications. Use Case: Automated scanners and a set of tools for finding security vulnerabilities. Usage: Launch OWASP ZAP and initiate a scan against your application.
  4. SQLMap: SQLMap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. Use Case: Detect and exploit SQL injection vulnerabilities. Usage: sqlmap -u "http://target.com/vulnerable_param" --batch --dbs

Comprehensive Security Strategy

To achieve a robust security posture, it is recommended to integrate the PHP.ini Security Scanner into your regular security audits, alongside using tools like Burp Suite, OWASP ZAP, SQLMap, and SonarQube. This multi-faceted approach ensures that both your server configuration and application code are scrutinized for vulnerabilities.

Conclusion

Securing PHP applications requires diligent attention to both configuration and code-level vulnerabilities. The PHP.ini Security Scanner provides a focused approach to securing the PHP environment, while tools like Burp Suite, OWASP ZAP, SQLMap, and SonarQube address application-level threats. By incorporating these tools into your security strategy, you can significantly enhance the resilience of your PHP applications against cyber threats.

For more information and to download the PHP.ini Security Scanner, visit the GitHub repository.

Contributing

Contributions to the PHP.ini Security Scanner are welcome. Feel free to submit issues or pull requests on the GitHub repository.

License

This project is licensed under the MIT License. See the LICENSE file for details.

Larbi OUIYZME

I'm Larbi, from Morocco. An IT trainer and Chief Information Security Officer (CISO), I'm committed to sharing knowledge. I'm also a ham radio operator (CN8FF), passionate about RF.