The document discusses HTTP and security topics related to web applications. It provides an overview of HTTP basics including methods like GET and POST. It then covers security threats like cross-site scripting (XSS), SQL injection, sensitive data exposure, and cross-site request forgery (CSRF). The document recommends approaches to protect against these threats, such as input filtering, prepared statements, encryption, using tokens, and more. It also discusses how these security concepts apply to PHP and WordPress applications.

1. HTTP AND SECURITY

2. AGENDA
HTTP basics
 HTTP methods
 PHP and HTTP
 Security threats and attacks
 Security in PHP


3. HTTP
The Hypertext Transfer Protocol (HTTP) is
an application protocol for distributed,
collaborative, hypermedia information systems
 HTTP is the foundation of data communication
for the World Wide Web.


4. HTTP
HTTP functions as a request-response protocol in
the client-server computing model
 The response contains completion status
information about the request and may also
contain requested content in its message body
 HTTP is an application layer protocol (mostly
TCP, but can use UDP)


5. HTTP SESSIONS
An HTTP session is a sequence of network
request-response transactions
 Every session has an ID and reflects conversation
between one client and server
 In PHP $_SESSION variable can hold session
parameters


6. HTTP METHODS









GET - Requests a representation of the specified resource
HEAD - likeGET request, but without the response body
POST - Requests that the server accept the entity enclosed
in the request as a new subordinate of the web resource
identified by the URI
PUT - Requests that the enclosed entity be stored under
the supplied URI
DELETE - Deletes the specified resource.
TRACE - Echoes back the received request so that a client
can see what changes or additions have been made by
intermediate servers.
OPTIONS - Returns the HTTP methods that the server
supports for the specified URL
CONNECT - Converts the request connection to a
transparent TCP/IP tunnel
PATCH - Is used to apply partial modifications to a
resource

7. HTTP GET
/test/demo_form.php?name1=value1&name2=val
ue2
 GET requests can be cached
 GET requests remain in the browser history
 GET requests can be bookmarked
 GET requests should never be used when dealing
with sensitive data
 GET requests have length restrictions (2048)
 GET requests should be used only to retrieve
data


8. HTTP POST
POST /test/demo_form.asp HTTP/1.1
 Host: w3schools.com
 name1=value1&name2=value2

POST requests are never cached
 POST requests do not remain in the browser
history
 POST requests cannot be bookmarked
 POST requests have no restrictions on data
length


9. PHP METHODS FOR POST AND GET
GET - $_GET variable
 POST - $_POST variable
 $_REQUEST for both + $_COOKIE

if (isset($_GET['user']) && isset($_GET['gen']))
{
 $user = $_GET['user'];
 $gen = $_GET['gen'];
 echo 'User: '. $user. ' - gender: '. $gen;
}


10. AND WORDPRESS
Wordpress core does not use sessions
 Wordpress core uses only cookies
 However plugins can use sessions


11. SECURITY INTRODUCTION
Weakest part of site is entry point
 Write your code secure!
 Don’t be victim of laziness and get hacked (or put
users in risk)
 It’s easier to protect then to heal


12. CROSS SITE SCRIPTING (XSS)
Adding additional HTML or javascript to source
of page
 Injectiong trough url parameters, requests or
form fields
 Stored XSS, Reflected, DOM based


13. XSS PROTECTION
Stripping tags
 Transform characters like <,>,/,’,” etc to html
entities
 Php functions:




string strip_tags ( string $str [, string
$allowable_tags ] )
string htmlentities ( string $string)
string htmlspecialchars( string $string)

14. SQL INJECTION
SQL injection is a code injection technique,
used to attack data driven applications, in which
malicious SQL statements are inserted into an
entry field for execution
 Types:



Classic SQLI
Blind or Inference SQL injection

15. SQL INJECTION EXAMPLE
statement = "SELECT * FROM users WHERE
name ='" + userName + "';“
 Attacker input 1: ' or '1'='1
 Attacker input 2: ' or '1'='1' -- '
 Executed query:
 1: SELECT * FROM users WHERE name = '' OR
'1'='1';
 2: SELECT * FROM users WHERE name = '' OR
'1'='1' -- ';
 Consider input:
 a';DROP TABLE users; SELECT * FROM
userinfo WHERE 't' = 't


16. SQL INJECTION PROTECTION
Filter user input
 Way 1:








$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE
name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc())
{ // do something with $row }
Way2:
$unsafe_variable = $_POST["user-input"] ;
 $safe_variable = mysql_real_escape_string($unsafe_variable);
 mysql_query("INSERT INTO table (column) VALUES ('" .
$safe_variable . "')");


17. SQL INJECTION WORDPRESS PROTECTION
Use prepare function with parameters
 $wpdb->query(
 $wpdb->prepare(



" DELETE FROM $wpdb->postmeta WHERE post_id
= %d AND meta_key = %s ",
13, 'gargle' )
);
 Prepare function filters parameters and is safe
from sql injection


18. SENSITIVE DATA EXPOSURE
All data that are stored should be stored hased or
encrypted
 Try to protect also transport layer (best using ssl)


19. CROSS SITE REQUEST FORGERY (CSRF)
Cross-site request forgery, also known as a
one-click attack or session riding and
abbreviated as CSRF, is a type of malicious
exploit of a website whereby unauthorized
commands are transmitted from a user that the
website trusts.
 Attacker creates page that request some action
that only authorized user can execute
 Attacker sends link of the page to the victim
 Victim clicks on link and execute command as
authorized user


20. PROTECTION AGAINST CSRF
Use token when sending every action
 Token should be created for each request or at
least per session
 In wordpres you may use wp_nonce_field and
wp_verify_nonce, wp_create_nonce



<form method="post">
<!-- some inputs here ... -->

<?php
wp_nonce_field('name_of_my_action','name_of_nonce_field'); ?>

</form>

21. INSECURE DIRECT OBJECT REFERENCES