CodeIgniter Security tips

The security of your web application cannot be compromised. According to Symantec, one of the world's foremost security firms, there are 4 vulnerabilities (XSS, SQL injection, enumeration, remote execution) to web applications.

The evaluation below shows the results of tests conducted on a sample CodeIgniter web application to deduce the level of security of the system. If you are a web application developer writing apps in PHP, CodeIgniter has a lot to offer in terms of security.

Remote Code Execution

This type of attack allows the hacker to execute unwanted code from a remote location using shell scripting or other measures. It is countered by using two things.

First, the .htaccess file should be set to allow direct access to only certain directories, which pose minimum threat if hacked, such as img/.

RewriteCond $1 !^(index\.php|img|robots\.txt)

Secondly, each .php file in CodeIgniter is protected with the following line at the top.

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

This ensures that the PHP file cannot be requested directly (bypassing index.php) to run or manipulate a script, which would compromise the system.

SQL Injection

This type of attack is highly common on the web. A SQL injection occurs when an attacker manipulates front-end input such as POST data to retrieve protected data from the database. According to the CodeIgniter manual, your web application is automatically safe from SQL injection as the POST data is retrieved in the controller using $this->input->post(''), which is automatically filtered by CodeIgniter.

This CodeIgniter User Manual excerpt supports this point:

“Beyond simplicity, a major benefit to using the Active Record features is that it allows you to create database independent applications, since the query syntax is generated by each database adapter. It also allows for safer queries, since the values are escaped automatically by the system.”

XSS Attacks

An XSS or Cross Site Scripting attack is unarguably the common reason for the demise of web applications. An XSS attack works by a hacker crafting a malicious URL that the victim's browser loads, in order to compromise the security of the application. CodeIgniter has a built-in XSS filter which is initialized automatically.

In order to double check the application against XSS attacks, a Firefox add-on called XSS Me (download here) can be used to test the sample application against 96 different types of attacks. The results are shown in the image below. It shows that none of the form input fields were found unencoded, which means the XSS filter within CodeIgniter did its job.

Username enumeration

Username enumeration can be prevented by having a callback to a username_unique function (see image below) in your controllers that checks for an existing username; if num_rows == 1, it will not allow anyone to create an account with the same username again.

Also, consistent error messages should be shown, which only reveal that a certain username is not available and never show a list of valid usernames, which an attacker could use to make educated guesses for an attack.
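The username_unique callback described above, together with the Query Builder (Active Record) escaping quoted in the SQL Injection section, as an added example written for this page (it is not code from the original article or from the CodeIgniter project). It assumes a CodeIgniter 2.x/3.x controller and a users table with a username column; other registration fields are left out.

```php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

// Added example for a CodeIgniter 2.x/3.x registration controller.
// Assumption: a `users` table with a `username` column exists.
class Register extends CI_Controller {

    public function index()
    {
        $this->load->library('form_validation');
        $this->load->database();

        // The callback_ prefix makes the validation library call
        // $this->username_unique() with the submitted value.
        $this->form_validation->set_rules('username', 'Username',
            'required|alpha_dash|min_length[3]|max_length[32]|callback_username_unique');

        if ($this->form_validation->run() === FALSE) {
            // The view shows validation_errors(); every rejected name gets
            // the same generic message set in username_unique().
            $this->load->view('register_form');
            return;
        }

        // Query Builder escapes the inserted value, so user input never
        // reaches the SQL string unescaped (other columns omitted here).
        $this->db->insert('users', array(
            'username' => $this->input->post('username'),
        ));
        $this->load->view('register_success');
    }

    // Returns FALSE (rejecting the form) when the username already exists.
    public function username_unique($username)
    {
        // where() escapes $username before it reaches the database. A raw
        // query would instead need $this->db->escape($username) on the value.
        $count = $this->db->where('username', $username)
                          ->count_all_results('users');

        if ($count > 0) {
            // One fixed message for any taken name: it states only that this
            // name is unavailable and hints at no other valid accounts.
            $this->form_validation->set_message('username_unique',
                'That username is not available.');
            return FALSE;
        }
        return TRUE;
    }
}
```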


Other security Features in CodeIgniter

Apart from the ones mentioned above, there are a few minor security features that web application developers can apply. For example, make sure your web application does not allow two different user groups to access each other's accounts within the same session.

This is possible by storing the user id and user type in the session data, so that they can be used to determine whether the account being accessed belongs to the user of the active session.

When it comes to storing passwords, the MD5 algorithm should be used to hash passwords. Also, if you are using file uploads, make sure the file names are encoded with a random 32-bit string so that private or sensitive information stays anonymous.

In addition, CodeIgniter's form validation library can prove to be very useful. Form validation ensures that invalid information is not entered into the database. To provide a double layer of security, the database schema can be defined such that each field constrains the incoming form data by a) type and b) length.

Overall security testing

A Google Chrome extension called Websecurify is a useful piece of software that tests the security of any web application against around 20 top attack types. You can download Websecurify from here.