Preventing Exploits and Securing Your Web App
November 19, 2013 8:39 am ·
When a PHP exploit was reported as hacking vulnerable sites, rvcw was worried about the security of his web application. He wrote:
“…Security is something I’m very concerned and careful about. Can anyone enlighten me and tell me how exactly that exploit works and what can be implemented into that code that will prevent the mentioned exploit.”
Experts duncanb7, Ray_Paseur, and bportlock explored the problem and narrowed the concern down to code injection using compromised cookie data. Unfortunately, sanitizing the data was not a viable solution, since cookies reside on the client and are therefore subject to being compromised. A proper solution needed to ensure that the cookie received by the server was the original data and not something manipulated by a hacker.
When Ray_Paseur posted the code that he uses to prevent cookie tampering from going undetected, it was definitive. Rvcw took less than an hour to analyze the code and realize that it absolutely prevented the kind of attack he was concerned about.
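The code Ray_Paseur posted is not reproduced here. The following is an added example, written for this summary and not taken from that thread, of the standard way to make cookie tampering detectable in PHP: the server appends an HMAC computed with a secret only it knows, and rejects any cookie whose tag no longer matches its content. The cookie name, the secret value, and the payload fields are assumptions made for the example; `hash_hmac`, `hash_equals`, and the array form of `setcookie` are PHP's own standard functions.

```php
<?php
// Added example (not the code posted in the thread): detect cookie tampering
// by appending an HMAC-SHA256 tag computed with a server-side secret.
// COOKIE_NAME, SERVER_SECRET and the payload below are assumed values.

declare(strict_types=1);

const COOKIE_NAME = 'session_data';
// Placeholder. In a real deployment load the secret from configuration
// outside the web root; never hard-code it in application source.
const SERVER_SECRET = 'replace-with-a-random-secret-of-32-or-more-bytes';

/**
 * Build the cookie value as base64(json) . "." . hex(HMAC-SHA256(base64(json))).
 * The tag is computed over the encoded form, so the exact bytes the client
 * returns are the bytes that get verified.
 */
function signCookieValue(array $payload, string $secret): string
{
    $encoded = base64_encode(json_encode($payload, JSON_THROW_ON_ERROR));
    $tag = hash_hmac('sha256', $encoded, $secret);
    return $encoded . '.' . $tag;
}

/**
 * Verify and decode a cookie value. Returns the payload array, or null when
 * the value is absent, malformed, or its tag does not match (it was altered).
 */
function verifyCookieValue(?string $value, string $secret): ?array
{
    if ($value === null || substr_count($value, '.') !== 1) {
        return null;
    }
    [$encoded, $tag] = explode('.', $value, 2);
    $expected = hash_hmac('sha256', $encoded, $secret);
    // hash_equals compares in constant time, so the tag cannot be guessed
    // byte by byte from response timing.
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    $json = base64_decode($encoded, true);
    if ($json === false) {
        return null;
    }
    $payload = json_decode($json, true);
    return is_array($payload) ? $payload : null;
}

// --- Issuing the cookie (constructed payload) ---------------------------
$payload = ['user_id' => 42, 'role' => 'member'];
setcookie(COOKIE_NAME, signCookieValue($payload, SERVER_SECRET), [
    'expires'  => time() + 3600,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);

// --- Reading it back on a later request ---------------------------------
$data = verifyCookieValue($_COOKIE[COOKIE_NAME] ?? null, SERVER_SECRET);
if ($data === null) {
    // Tampered, forged or missing: treat the visitor as anonymous and log it.
    error_log('cookie integrity check failed for ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    $data = [];
}

// --- Offline demonstration with constructed values ----------------------
$good = signCookieValue($payload, SERVER_SECRET);
[$goodEncoded, $goodTag] = explode('.', $good, 2);
// Same tag, altered payload: this is what an edited cookie looks like.
$altered = str_replace('"role":"member"', '"role":"admin"', base64_decode($goodEncoded));
$forged  = base64_encode($altered) . '.' . $goodTag;
var_dump(verifyCookieValue($good, SERVER_SECRET) === $payload);
var_dump(verifyCookieValue($forged, SERVER_SECRET));
```

Two design notes. The HMAC gives integrity, not confidentiality: anyone holding the cookie can still read the JSON, so anything sensitive belongs in a server-side session with only an identifier in the cookie. And a secret that is rotated invalidates every outstanding cookie, which is the intended behaviour if it was ever exposed.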