Among the different online content management platforms available, Joomla is preferred for its flexibility and strong security. Yet this doesn't stop hackers from probing your site for vulnerabilities to exploit. Regardless of the type of website and its security level, websites are always susceptible to being hacked, and most of the time this is due to the use of vulnerable third-party extensions.
Joomla is developed by expert developers and has a strong security model to combat vulnerabilities in web applications. Security holes introduced into a Joomla site are mostly the consequence of poorly coded extensions that do not follow the Joomla security model. That is why it is critical to choose extensions from a reputable provider. In this post, we'll cover the most common types of vulnerabilities and how they can be prevented when creating custom Joomla extensions.
You can download sample code where these vulnerabilities are correctly handled here.
HTML injection is an injection flaw that occurs when a user controls an input point and can inject arbitrary HTML code into a vulnerable web page. Its consequences range from account takeover to, more generally, letting an attacker modify the page content seen by victims.
This vulnerability occurs when the user input is not correctly sanitized and the output is not encoded.
Solution - Use the safehtml filter to strip HTML tags from the input
Here we apply the safehtml filter to the Last Name field so that the stored value is free of any HTML code. The field definition below shows how the filter is declared in the form XML.
<field name="lname" type="text" label="COM_SCHOOL_FORM_LBL_STUDENT_LNAME" description="COM_SCHOOL_FORM_DESC_STUDENT_LNAME" required="true" filter="safehtml"/>
Sometimes vulnerabilities in other parts of the code allow payloads to be injected into the database. In that case the web application must still not execute malicious code on the client side, even if the database contents are already tainted. Hence, storing the data in sanitized form is not enough; we must also escape the data when displaying it. In the view template, every value read from the database is passed through $this->escape():
<?php echo $this->escape($item->fname . ' ' . $item->lname); ?>
SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. Attackers can use SQL Injection vulnerabilities to bypass application security measures. They can retrieve the content of the entire SQL database, and they can also use SQL Injection to add, modify, and delete records in the database. To prevent this, any user input should be escaped before it is substituted into a query.
Solution - Use the functions $db->escape() and $db->quote() on user input before it is placed in a query.
The code below is written such that the search query is executed only after the user input has been escaped, so SQL injection payloads cannot alter the query.
use Joomla\CMS\Factory;
$db     = Factory::getDbo();
$search = Factory::getApplication()->input->get('search', '', 'STRING');
$search = $db->quote('%' . $db->escape($search) . '%');
Here $db->escape() escapes the search string received from the user, and $db->quote() wraps it in quotes so it can be placed in the query. For numeric parameters we can instead typecast the user input so that only integers are accepted.
If these functions are not used, a single quote is enough to break out of the string literal in the SQL query, and the attacker will be able to inject and run an SQL query of their choice against the site's database.
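The search above carried through a full list-model method, as an added example that is not code from the original post or from Techjoomla; the table #__school_students, its columns and the limit parameter are assumptions:

```php
<?php
// Added example, not code from the original post or from Techjoomla: a search
// method for a hypothetical com_school list model. Assumes a Joomla 3.9+/4.x
// site (Joomla\CMS\Factory autoloaded) and a constructed table
// #__school_students with columns id, fname, lname.
use Joomla\CMS\Factory;

/**
 * Run the student search from the request. Every user-controlled value is
 * either escaped and quoted (strings) or cast (integers) before it is placed
 * in SQL, so the query structure cannot be changed by the input.
 */
function searchStudents()
{
    $input = Factory::getApplication()->input;
    $db    = Factory::getDbo();

    // The 'STRING' input filter removes tags and control characters, but it
    // does not touch SQL metacharacters such as the single quote.
    $search = trim($input->get('search', '', 'STRING'));

    // Integers are cast, not escaped: anything non-numeric becomes 0.
    $limit = $input->getInt('limit', 20);
    $limit = ($limit > 0 && $limit <= 100) ? $limit : 20;

    $query = $db->getQuery(true)
        ->select($db->quoteName(['id', 'fname', 'lname']))
        ->from($db->quoteName('#__school_students'))
        ->order($db->quoteName('lname') . ' ASC');

    if ($search !== '') {
        // Same pattern as the post, with escape()'s second argument set to
        // true so that % and _ are escaped too and the user cannot widen the
        // LIKE pattern; quote() then produces a quoted SQL string literal.
        $like = $db->quote('%' . $db->escape($search, true) . '%');

        $query->where('(' . $db->quoteName('fname') . ' LIKE ' . $like
            . ' OR ' . $db->quoteName('lname') . ' LIKE ' . $like . ')');
    }

    // The vulnerable version would concatenate the raw value into the SQL:
    //   ->where("fname LIKE '%" . $search . "%'")
    // A single quote in $search closes the literal there and the remainder
    // of the input is parsed as SQL.
    $db->setQuery($query, 0, $limit);

    return $db->loadObjectList();
}
```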
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users.
XSS can cause a variety of problems for the end-user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve the disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account.
Solution - User input must be validated on both the client side and the server side before it is stored in the database.
Server-side validation - For server-side validation, we must define proper filters in the form XML files to sanitize input. If strings are accepted, they must also be escaped before being stored in the database (for example, with JFactory::getDBO()->escape()).
<field name="description" type="text" label="COM_SCHOOL_FORM_LBL_DESC" description="" required="true" filter="WORD"/>
Here, for the description field, we have used the WORD filter, which only accepts letters and underscores. Before storing, the value is escaped with JFactory::getDBO()->escape(), and when it is displayed it is passed through $this->escape():
$data['description'] = JFactory::getDBO()->escape($data['description']);
<?php echo $this->escape($item->description); ?>
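Where the filter="safehtml" and filter="WORD" declarations from the field definitions above are actually applied, as an added example that is not code from the original post or from Techjoomla; the component name com_school, the Student form model and the view names are assumptions:

```php
<?php
// Added example, not code from the original post or from Techjoomla: the
// save() task of a hypothetical site-side controller for com_school. Assumes
// a Joomla 3.9+/4.x site, a FormModel "Student" whose form XML declares the
// fields shown above (filter="safehtml", filter="WORD") and an edit view
// named "student". The class name follows the Joomla 3 convention.
defined('_JEXEC') or die;
use Joomla\CMS\Factory;
use Joomla\CMS\MVC\Controller\BaseController;
use Joomla\CMS\Router\Route;

class SchoolControllerStudent extends BaseController
{
    public function save()
    {
        $app   = Factory::getApplication();
        $model = $this->getModel('Student');
        $form  = $model->getForm();

        // Raw POST data: the 'array' filter only guarantees the shape; the
        // values inside are still untrusted at this point.
        $data = $this->input->post->get('jform', [], 'array');

        // FormModel::validate() first calls Form::filter(), which applies the
        // filter="..." attribute of every field in the XML (safehtml removes
        // unsafe markup, WORD keeps letters and underscores, INT casts), and
        // then runs the validation rules. This is the server-side check, so a
        // client-side check that was skipped or bypassed changes nothing here.
        $validData = $model->validate($form, $data);

        if ($validData === false) {
            foreach ($model->getErrors() as $error) {
                $msg = $error instanceof \Exception ? $error->getMessage() : $error;
                $app->enqueueMessage($msg, 'warning');
            }
            // Keep the submission so the form can be redisplayed; the form
            // layer escapes it on output, exactly as the view template does.
            $app->setUserState('com_school.edit.student.data', $data);
            $this->setRedirect(Route::_('index.php?option=com_school&view=student', false));
            return false;
        }

        // Only the filtered, validated copy is handed to the model for storage;
        // the raw $data array is never saved.
        $saved = $model->save($validData);
        $app->setUserState('com_school.edit.student.data', $saved ? null : $validData);
        $this->setRedirect(Route::_('index.php?option=com_school&view=' . ($saved ? 'students' : 'student'), false));
        return $saved;
    }
}
```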
Along with these mechanisms, there are many more that developers must take care of while writing secure code. We will discuss them in blog posts to come.
For a secure Joomla website, you must gain real experience, or get experienced help from others. There are many aspects to deal with while implementing a secure Joomla website, and who knows this better than the folks at Techjoomla? As one of India's biggest Joomla companies, with more than 12 years of experience, we have a wide range of extensions and services available, all built to high security standards to satisfy all your requirements. Check out some of our extensions here, or contact us here for custom requirements.