Thursday, November 15, 2012

8:08 AM
In general, security by obscurity is one of the weakest forms of security. Suppose If I were exploiting a site, I wouldn’t check what scripting language the site runs on, because all that would matter to me is exploiting it. Hiding the fact that you use x language isn’t going to prevent me from bypassing poor security. But in some cases, every little bit of extra security is desirable.

A few simple techniques can help to hide PHP, possibly slowing down an attacker who is attempting to discover weaknesses in your system. By setting expose_php to off in your php.ini file, you reduce the amount of information available to them.

Another tactic is to configure web servers such as apache server to parse different filetypes through PHP, either with an .htaccess directive, or in the apache configuration file itself. You can then use misleading file extensions:

Hiding PHP as another language:

AddType application/x-httpd-php .asp .py .pl 

Or obscure it completely.

Using unknown types for PHP extensions:

AddType application/x-httpd-php .bop .foo .133t

Or hide it as HTML code, which has a slight performance hit because all HTML will be parsed through the PHP engine:

Using HTML types for PHP extensions:

AddType application/x-httpd-php .htm .html 

For this to work effectively, you must rename your PHP files with the above extensions. While it is a form of security through obscurity, it’s a minor preventative measure with few drawbacks.