How to secure a php based webservice

I'm developing one android application and I'm creating a php based webservice to retrieve the information from the database.

The thing is that I really don't know how to secure this service.

For example, if my android application needs to retrieve some information from the server it will call http://mywebservice.com/service.php, and it will send several POST parameters, such as the user and password to log in, or, for example, a user id to retrieve his data.

Of course, anybody with enough knowledge will be able to retrieve that data too. And this is what I don't want to happen.

Anybody who knows the parameters to send to my server will be able to retrieve information from it.

How can I secure this?

I've been reading about OAuth, OAuth2, two-legged and three-legged implementations of it, HTTPS...

But at the moment, I really don't know how to secure this.

I want the webservice to only answer my application and not anybody else.

PS: There is even something like http://myservice.com/get_information.php to which you send an id and can retrieve a lot of information. Of course, I control that in my application: only logged-in and authorized people can make that call, but it's a problem anyway. What's the best way to do this kind of thing?

JFValdes asked Apr 29 '15 08:04



3 Answers

Some concepts to secure a webservice (I might be forgetting some notions):

  • Protocols: HTTPS in the current case, so data are not transferred in a clear format.

  • The Sessions: A session has a lifetime, a unique identifier (session token/id/whatever) and contains an error code. When a user calls your webservice, a session will be created and its token answered back. At every call of the webservice you'll test if the session is still alive. You can add complexity to the expected inputs, outputs and exchanges. The error_code will be used for logging (errors can come from an attack or a bug in your webservice).

  • Data Encryption: Use asymmetric functions like password_hash() or crypt() for authentication issues. Use symmetric algorithms like AES 128 (10 rounds) or 256 (14 rounds) for sensitive data you'll need to retrieve.

  • Testing inputs: If you find yourself inserting given arguments in a query, try to prevent SQL injection. Some bad-minded people can also try to send arguments which would make your webservice fail.

  • Go for standards: As Çağatay said, try to implement for example OAuth2, because a standard is most of the time much better than what we'd build :S

Hope it helps.

edit: The REST security cheat sheet is good as well.

Answers_Seeker answered Sep 27 '22 05:09
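The "Data Encryption" bullet above lumps two different things together, so here is an added example (not code from the answer) of the second one: a reversible cipher for data you must read back. password_hash() is a one-way function that only lets you verify a password later; for a field such as a phone number you need AES, and in PHP the safe, authenticated variant is AES-256-GCM through ext/openssl. Assumptions: PHP 7.1 or newer, a 32-byte key delivered out of band through a hypothetical APP_DATA_KEY environment variable (hex-encoded), and a record label such as "users:42:phone" that you pass as additional authenticated data so a ciphertext cannot be moved to another row.

```php
<?php
// Added example: AES-256-GCM field encryption with ext/openssl.
// Assumes APP_DATA_KEY (hypothetical) holds 64 hex chars = 32 raw bytes.
// openssl_encrypt() silently NUL-pads a short key, hence the strict check.

function loadKey(): string {
    $hex = getenv('APP_DATA_KEY');
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('APP_DATA_KEY must be 64 hex chars (32 bytes)');
    }
    return hex2bin($hex);
}

// $context is the AAD: it ties the ciphertext to its record (row id + column),
// so someone with write access to the table cannot copy one user's encrypted
// value into another user's row. Decryption fails if the context differs.
function encryptField(string $plaintext, string $key, string $context): string {
    $iv  = random_bytes(12);   // 96-bit nonce, fresh for every encryption
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                           $iv, $tag, $context, 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    // Store nonce || tag || ciphertext as one opaque base64 blob.
    return base64_encode($iv . $tag . $ct);
}

function decryptField(string $blob, string $key, string $context): string {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed ciphertext');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                           $iv, $tag, $context);
    if ($pt === false) {
        // Wrong key, modified bytes, or ciphertext moved to another record.
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

// Usage with a constructed sample value.
$key  = loadKey();
$blob = encryptField('+34 600 000 000', $key, 'users:42:phone');
echo decryptField($blob, $key, 'users:42:phone'), PHP_EOL;
try {
    decryptField($blob, $key, 'users:43:phone');   // same blob, other row
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Keep the key out of the database and out of the repository (environment, a secrets file with tight permissions, or a KMS); encrypting a column with a key stored in the same database only protects against someone who got the dump but not the config.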


  1. Always use SSL to prevent man-in-the-middle attacks. Otherwise someone who sniffs the connection (in the case of connecting via public Wi-Fi or company networks it's a huge risk) can see the username and password.

  2. Do not send the username and password on each request; instead implement OAuth2. Your client in this case will have to send the username and password only once, and for the other requests you'll have to send only the auth key. Good documentation for implementing an OAuth server: http://www.sitepoint.com/creating-a-php-oauth-server/

  3. Look at this document: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

Çağatay Gürtürk answered Sep 25 '22 05:09
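The flow in point 2 (credentials once, then a token on every call) is the same thing the first answer calls a session with a lifetime and a unique identifier. The added example below, which is not code from either answer, shows the minimal PHP version of it in a single service.php, including the check the question's PS is worried about: the data returned is selected by the token owner's id, never by an id the client sends. Assumptions: PHP 7 with PDO, the hypothetical tables users(id, username, password_hash) and api_tokens(token_hash, user_id, expires_at) in MySQL, database credentials in the hypothetical DB_USER/DB_PASS environment variables, and HTTPS in front of it (a bearer token over plain HTTP is as good as a password).

```php
<?php
// Added example: single-endpoint token auth for service.php.
// Hypothetical schema: users(id, username, password_hash),
//                      api_tokens(token_hash, user_id, expires_at).
declare(strict_types=1);

const TOKEN_LIFETIME = 3600;   // seconds a token stays valid

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4',
                       getenv('DB_USER'), getenv('DB_PASS'),
                       [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                        PDO::ATTR_EMULATE_PREPARES => false]);
    }
    return $pdo;
}

function respond(int $status, array $body): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

// POST action=login&username=..&password=..  ->  {"token": "<64 hex chars>"}
function login(string $username, string $password): string {
    $stmt = db()->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);   // bound parameter, never interpolated
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the user is unknown, so response time
    // does not reveal which usernames exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $ok = password_verify($password, $row ? $row['password_hash'] : $dummy);
    if (!$row || !$ok) {
        respond(401, ['error' => 'invalid credentials']);
    }
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    // Only a hash is stored: a leaked api_tokens table cannot be replayed.
    $stmt = db()->prepare('INSERT INTO api_tokens (token_hash, user_id, expires_at)
                           VALUES (:h, :uid, FROM_UNIXTIME(:exp))');
    $stmt->execute([':h' => hash('sha256', $token), ':uid' => $row['id'],
                    ':exp' => time() + TOKEN_LIFETIME]);
    return $token;
}

// Returns the user id owning a valid, unexpired bearer token, or null.
function authenticate(): ?int {
    $header = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if (!preg_match('/^Bearer ([0-9a-f]{64})\z/', $header, $m)) {
        return null;   // malformed input is rejected before touching the DB
    }
    $stmt = db()->prepare('SELECT user_id FROM api_tokens
                           WHERE token_hash = :h AND expires_at > NOW()');
    $stmt->execute([':h' => hash('sha256', $m[1])]);
    $uid = $stmt->fetchColumn();
    return $uid === false ? null : (int) $uid;
}

// The record is chosen by the authenticated user's id, not by a client
// parameter, so changing an "id" field cannot expose someone else's data.
function getInformation(int $userId): array {
    $stmt = db()->prepare('SELECT id, username, email FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: [];
}

$action = $_POST['action'] ?? '';
if ($action === 'login') {
    respond(200, ['token' => login((string) ($_POST['username'] ?? ''),
                                   (string) ($_POST['password'] ?? ''))]);
}
$uid = authenticate();
if ($uid === null) {
    header('WWW-Authenticate: Bearer');
    respond(401, ['error' => 'token missing, invalid or expired']);
}
if ($action === 'get_information') {
    respond(200, getInformation($uid));
}
respond(404, ['error' => 'unknown action']);
```

Two practical notes: under PHP-FPM or CGI the Authorization header is often not copied into $_SERVER['HTTP_AUTHORIZATION'] (an Apache `SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1` rule or reading getallheaders() fixes that), and expired rows in api_tokens should be purged periodically so the table does not grow without bound.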


I ended up using OAuth. More specifically, this library: https://bshaffer.github.io/oauth2-server-php-docs/ If you follow the instructions it's really easy to use and it works very well. I think it's a really good way to start working with OAuth.

JFValdes answered Sep 27 '22 05:09
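For readers who take the same route, here is an added example of wiring bshaffer/oauth2-server-php for a mobile app; it is not code from the answer or from the library's documentation, and the route selection through an "op" query parameter is my own convention. Assumptions: the library installed with `composer require bshaffer/oauth2-server-php`, the sample MySQL schema from its docs loaded (oauth_clients, oauth_users, oauth_access_tokens, oauth_refresh_tokens and so on), the Android app registered as a client row, and DB_USER/DB_PASS environment variables for the database.

```php
<?php
// Added example: bshaffer/oauth2-server-php with the password and refresh
// grants. Token endpoint and resource endpoint share this one file, chosen
// by the hypothetical "op" query parameter.
require_once __DIR__ . '/vendor/autoload.php';

$storage = new OAuth2\Storage\Pdo([
    'dsn'      => 'mysql:host=localhost;dbname=oauth2;charset=utf8mb4',
    'username' => getenv('DB_USER'),
    'password' => getenv('DB_PASS'),
]);

$server = new OAuth2\Server($storage, [
    'access_lifetime'        => 3600,      // access tokens expire after an hour
    'refresh_token_lifetime' => 1209600,   // refresh tokens after 14 days
]);

// Password grant: the app POSTs grant_type=password&username=..&password=..
// together with its client_id/client_secret ONCE and receives an access token
// plus a refresh token. The user's password is never stored on the phone.
$server->addGrantType(new OAuth2\GrantType\UserCredentials($storage));

// Refresh grant: swap the refresh token for a new access token when the old
// one expires; rotating the refresh token limits the damage of a stolen one.
$server->addGrantType(new OAuth2\GrantType\RefreshToken($storage, [
    'always_issue_new_refresh_token' => true,
]));

$request = OAuth2\Request::createFromGlobals();

if (($_GET['op'] ?? '') === 'token') {
    // POST /oauth.php?op=token -> JSON with access_token, expires_in, refresh_token
    $server->handleTokenRequest($request)->send();
    exit;
}

// Everything else is a resource request and must carry
// "Authorization: Bearer <access_token>", which is looked up and checked
// for expiry by the library.
if (!$server->verifyResourceRequest($request)) {
    $server->getResponse()->send();   // 401 plus the library's error JSON
    exit;
}

// Scope every query by the user id the token was issued to, not by an id
// sent by the client; this is the fix for the get_information.php problem.
$token  = $server->getAccessTokenData($request);
$userId = $token['user_id'];
header('Content-Type: application/json');
echo json_encode(['user_id' => $userId, 'scope' => $token['scope']]);
```

One caveat on the original wish that "the webservice only answers my application": the client_id and client_secret shipped inside an APK can be extracted by anyone who decompiles it, so the client secret proves that a caller has a copy of your app, not that it is your app. The real controls are the per-user token, server-side authorization of every record by that token's user id, and rate limiting per token, which is why the resource endpoint above never trusts a user id from the request. Also check how the storage class you choose hashes user passwords before relying on it for the password grant.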