The document discusses HTTP and security topics related to web applications. It provides an overview of HTTP basics including methods like GET and POST. It then covers security threats like cross-site scripting (XSS), SQL injection, sensitive data exposure, and cross-site request forgery (CSRF). The document recommends approaches to protect against these threats, such as input filtering, prepared statements, encryption, using tokens, and more. It also discusses how these security concepts apply to PHP and WordPress applications.
3. HTTP
The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems.
HTTP is the foundation of data communication for the World Wide Web.
4. HTTP
HTTP functions as a request-response protocol in the client-server computing model.
The response contains completion status information about the request and may also contain the requested content in its message body.
HTTP is an application layer protocol (it runs mostly over TCP, but can also use UDP).
5. HTTP SESSIONS
An HTTP session is a sequence of network request-response transactions.
Every session has an ID and reflects a conversation between one client and one server.
In PHP, the $_SESSION superglobal holds the session parameters.
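Because the session ID is the only thing tying a request to a conversation, how that ID is issued and carried matters. The following is an added example (not code from the original slides) showing a PHP session started with hardened cookie settings and a fresh ID issued at login; the function names and the in-memory `$users` table are assumptions made for the example.

```php
<?php
// Added example (not from the original slides): a PHP session with hardened
// cookie flags, strict ID handling and ID rotation at login. Function names
// and the $users array are assumptions constructed for this example.

declare(strict_types=1);

function startHardenedSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // The cookie carrying the session ID is the credential for the whole
    // conversation, so keep it off clear-text links and away from scripts.
    session_set_cookie_params([
        'lifetime' => 0,         // expires when the browser closes
        'path'     => '/',
        'secure'   => true,      // only sent over HTTPS
        'httponly' => true,      // not readable from JavaScript (limits XSS impact)
        'samesite' => 'Strict',  // not sent on cross-site requests (limits CSRF)
    ]);
    // Reject session IDs the server never issued (blocks session fixation).
    ini_set('session.use_strict_mode', '1');
    session_start();
}

// Constructed user table: password hashes created with password_hash().
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Issue a brand-new ID after authentication so an ID observed before
    // login cannot be reused as an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user']      = $username;
    $_SESSION['logged_in'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

startHardenedSession();
if (isset($_POST['username'], $_POST['password'])) {
    if (login($users, (string) $_POST['username'], (string) $_POST['password'])) {
        echo 'Logged in as ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
    } else {
        http_response_code(401);
        echo 'Invalid credentials';
    }
}
```

The array form of session_set_cookie_params (with the samesite key) needs PHP 7.3 or later; on older versions the same flags are set through session.cookie_secure, session.cookie_httponly and session.cookie_samesite in php.ini.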
6. HTTP METHODS
GET - Requests a representation of the specified resource
HEAD - Like a GET request, but without the response body
POST - Requests that the server accept the entity enclosed in the request as a new subordinate of the web resource identified by the URI
PUT - Requests that the enclosed entity be stored under the supplied URI
DELETE - Deletes the specified resource
TRACE - Echoes back the received request so that a client can see what changes or additions have been made by intermediate servers
OPTIONS - Returns the HTTP methods that the server supports for the specified URL
CONNECT - Converts the request connection to a transparent TCP/IP tunnel
PATCH - Is used to apply partial modifications to a resource
7. HTTP GET
/test/demo_form.php?name1=value1&name2=value2
GET requests can be cached
GET requests remain in the browser history
GET requests can be bookmarked
GET requests should never be used when dealing with sensitive data
GET requests have length restrictions (2048)
GET requests should be used only to retrieve data
8. HTTP POST
POST /test/demo_form.asp HTTP/1.1
Host: w3schools.com

name1=value1&name2=value2
POST requests are never cached
POST requests do not remain in the browser history
POST requests cannot be bookmarked
POST requests have no restrictions on data length
9. PHP METHODS FOR POST AND GET
GET - $_GET variable
POST - $_POST variable
$_REQUEST for both + $_COOKIE
<?php
if (isset($_GET['user']) && isset($_GET['gen'])) {
    $user = $_GET['user'];
    $gen  = $_GET['gen'];
    // Escape before output so the parameters cannot inject markup into the page
    echo 'User: ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8')
       . ' - gender: ' . htmlspecialchars($gen, ENT_QUOTES, 'UTF-8');
}
10. AND WORDPRESS
WordPress core does not use sessions
WordPress core uses only cookies
However, plugins can use sessions
11. SECURITY INTRODUCTION
The weakest part of a site is its entry point
Write your code securely!
Don't be a victim of laziness and get hacked (or put users at risk)
It's easier to protect than to heal
12. CROSS SITE SCRIPTING (XSS)
Adding extra HTML or JavaScript to the source of a page
Injecting through URL parameters, requests or form fields
Stored XSS, Reflected, DOM based
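To make the reflected case concrete, here is an added example (not code from the original slides) that takes the user/gen echo from the "PHP methods for POST and GET" slide and shows it both unescaped, where a query-string value becomes markup, and escaped with htmlspecialchars, where it stays text. The function names and the constructed request are assumptions made for the example.

```php
<?php
// Added example (not from the original slides): reflected XSS through a GET
// parameter, shown unescaped and escaped. Function names are assumptions and
// the sample request is constructed for this example.

declare(strict_types=1);

// Vulnerable form: whatever arrives in the query string is copied into the
// page as markup, so a parameter value can add HTML or JavaScript to the page.
function renderUnsafe(string $user, string $gen): string
{
    return 'User: ' . $user . ' - gender: ' . $gen;
}

// Hardened form: treat the values as text, not markup. htmlspecialchars turns
// < > & " ' into entities, which the browser displays instead of parsing.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSafe(string $user, string $gen): string
{
    return 'User: ' . e($user) . ' - gender: ' . e($gen);
}

// For fields with a known set of values, reject unexpected input instead of
// relying on encoding alone (defence in depth, not a replacement for e()).
function normaliseGender(string $gen): string
{
    return in_array($gen, ['male', 'female', 'other'], true) ? $gen : 'unspecified';
}

// Constructed request: /page.php?user=<script>alert(1)</script>&gen=male
$demoGet = ['user' => '<script>alert(1)</script>', 'gen' => 'male'];

// Read the parameters the same way the slide does (isset guard); from the CLI
// the constructed $demoGet stands in for $_GET so the example runs offline.
$get = PHP_SAPI === 'cli' ? $demoGet : $_GET;
if (isset($get['user'], $get['gen'])) {
    $user = (string) $get['user'];
    $gen  = normaliseGender((string) $get['gen']);

    // In a browser the first line would execute the script; the second shows
    // the tag as literal text because the angle brackets are now entities.
    echo 'Unsafe: ', renderUnsafe($user, $gen), PHP_EOL;
    echo 'Safe:   ', renderSafe($user, $gen), PHP_EOL;
}
```

The escaping belongs at the point of output and must match the context: htmlspecialchars is right for HTML body text and attribute values, but a value placed inside a script block or a URL needs a context-specific encoder instead.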
14. SQL INJECTION
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
Types:
Classic SQLi
Blind or Inference SQL injection
15. SQL INJECTION EXAMPLE
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
Attacker input 1: ' or '1'='1
Attacker input 2: ' or '1'='1' -- '
Executed query:
1: SELECT * FROM users WHERE name = '' OR '1'='1';
2: SELECT * FROM users WHERE name = '' OR '1'='1' -- ';
Consider input:
a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't
16. SQL INJECTION PROTECTION
Filter user input
Way 1 (prepared statement, mysqli):
$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name);   // 's' binds $name as a string
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // do something with $row
}
Way 2 (escaping; the mysql_* functions were removed in PHP 7, so the mysqli equivalents are used here):
$unsafe_variable = $_POST["user-input"];
$safe_variable = mysqli_real_escape_string($dbConnection, $unsafe_variable);
mysqli_query($dbConnection, "INSERT INTO table (column) VALUES ('" . $safe_variable . "')");
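The difference between Way 1 and plain concatenation is easiest to see by running both against real rows. The following added example (not code from the original slides) runs the concatenated query from the "SQL injection example" slide and a prepared statement against an in-memory SQLite table, using the slide's attacker input 1. It needs the pdo_sqlite extension; the function names and the sample rows are assumptions constructed for the example.

```php
<?php
// Added example (not from the original slides): concatenated query versus
// prepared statement, run against an in-memory SQLite table. Requires the
// pdo_sqlite extension; function names and rows are constructed assumptions.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

// What the slide warns about: the user-supplied name becomes part of the SQL
// text, so a quote in the input changes the structure of the statement.
function findUsersUnsafe(PDO $db, string $userName): array
{
    $statement = "SELECT * FROM users WHERE name = '" . $userName . "'";
    return $db->query($statement)->fetchAll(PDO::FETCH_ASSOC);
}

// Way 1: the SQL text is fixed when the statement is prepared and the value
// is bound afterwards, so the input is only ever compared as data.
function findUsersSafe(PDO $db, string $userName): array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE name = ?');
    $stmt->execute([$userName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$inputs = [
    'bob',           // ordinary lookup: one row either way
    "' or '1'='1",   // attacker input 1 from the slide
];

foreach ($inputs as $input) {
    // With the attacker input the concatenated query becomes
    //   SELECT * FROM users WHERE name = '' or '1'='1'
    // and matches every row; the prepared statement looks for a user whose
    // name is literally "' or '1'='1" and matches none.
    printf(
        "input %-16s concatenated rows: %d   prepared rows: %d\n",
        var_export($input, true),
        count(findUsersUnsafe($db, $input)),
        count(findUsersSafe($db, $input))
    );
}
```

Way 2 (escaping) only protects values that sit inside quotes and depends on the connection character set being set correctly; a prepared statement needs neither condition, which is why it is the preferred fix.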
17. SQL INJECTION WORDPRESS PROTECTION
Use the prepare function with parameters:
$wpdb->query(
    $wpdb->prepare(
        "DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s",
        13, 'gargle'
    )
);
The prepare function escapes the values substituted for the %d and %s placeholders, so the query is safe from SQL injection
18. SENSITIVE DATA EXPOSURE
All stored data should be stored hashed or encrypted
Also protect the transport layer (best using SSL)
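Hashing and encryption answer different needs: a password only has to be verified, so it is hashed and never recovered, while a token or personal field has to be read back, so it is encrypted with a key kept outside the database. The following added example (not code from the original slides) shows both in PHP using password_hash/password_verify and libsodium's authenticated secretbox; the function names and demo values are assumptions constructed for the example.

```php
<?php
// Added example (not from the original slides): storing a password as a slow
// salted hash and a secret field encrypted with libsodium (PHP 7.2+).
// Function names and demo values are assumptions constructed for this example;
// a real key would come from a secrets store, never from the code or the DB.

declare(strict_types=1);

// Passwords: store a hash, verify against it, never store the password itself.
function storePasswordHash(string $password): string
{
    // PASSWORD_DEFAULT is bcrypt today and may move to a stronger algorithm later;
    // password_verify still understands older hashes when that happens.
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Data that must be read back (tokens, personal data): encrypt, don't hash.
// secretbox (XSalsa20-Poly1305) gives confidentiality and integrity, so a
// tampered ciphertext is rejected instead of decrypting to garbage.
function encryptField(string $plaintext, string $key): string
{
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per message
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $cipher); // the nonce is not secret; store it alongside
}

function decryptField(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    return $plain === false ? null : $plain; // false means wrong key or modified data
}

// Constructed demo values.
$key  = sodium_crypto_secretbox_keygen(); // 32 random bytes, kept outside the database
$hash = storePasswordHash('correct horse battery staple');
$enc  = encryptField('api-token-1234', $key);

var_dump(checkPassword('correct horse battery staple', $hash));
var_dump(checkPassword('wrong password', $hash));
var_dump(decryptField($enc, $key));

// Flip one bit of the stored ciphertext: the authentication tag no longer
// matches and decryptField returns null rather than a corrupted token.
$tampered = base64_decode($enc);
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 1);
var_dump(decryptField(base64_encode($tampered), $key));
```

Within WordPress the same split applies: wp_hash_password and wp_check_password cover the password side, and anything that must be decrypted later needs a key that lives in wp-config.php or an external secrets store rather than in the database next to the ciphertext.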
19. CROSS SITE REQUEST FORGERY (CSRF)
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
The attacker creates a page that requests some action that only an authorized user can execute
The attacker sends a link to the page to the victim
The victim clicks the link and executes the command as the authorized user
20. PROTECTION AGAINST CSRF
Use a token when sending every action
The token should be created for each request or at least per session
In WordPress you may use wp_nonce_field, wp_verify_nonce and wp_create_nonce
<form method="post">
    <!-- some inputs here ... -->
    <?php wp_nonce_field('name_of_my_action', 'name_of_nonce_field'); ?>
</form>
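The form above only emits the token; the protection comes from the handler that checks it. The following added example (not code from the original slides or from WordPress core) ties slides 17 and 20 together: a plugin form with wp_nonce_field, and the admin-post.php handler that verifies the nonce, checks the user's capability, sanitises the input and then writes through $wpdb->prepare. The action name, field names and meta key are assumptions made for the example.

```php
<?php
// Added example (not from the original slides or WordPress core): a plugin form
// with a nonce and the handler that verifies it before touching the database.
// Action names, field names and the meta key are assumptions for this example.

// 1. The form: the hidden "action" says what is being done; the nonce field ties
//    the request to this logged-in user and this specific action.
function myplugin_render_form(): void
{
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="myplugin_set_label">
        <label>Post ID <input type="number" name="post_id" min="1"></label>
        <label>Label <input type="text" name="label" maxlength="64"></label>
        <?php wp_nonce_field('myplugin_set_label', 'myplugin_nonce'); ?>
        <button type="submit">Save</button>
    </form>
    <?php
}

// 2. The handler: admin_post_{action} fires for logged-in users who POST to
//    admin-post.php with action=myplugin_set_label.
add_action('admin_post_myplugin_set_label', 'myplugin_handle_set_label');

function myplugin_handle_set_label(): void
{
    global $wpdb;

    // CSRF check: a forged cross-site form cannot know this user's nonce.
    $nonce = isset($_POST['myplugin_nonce']) ? sanitize_text_field(wp_unslash($_POST['myplugin_nonce'])) : '';
    if (!wp_verify_nonce($nonce, 'myplugin_set_label')) {
        wp_die('Invalid request (nonce check failed).', '', ['response' => 403]);
    }

    // Authorisation: a valid nonce proves intent, not permission.
    $post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;
    if ($post_id === 0 || !current_user_can('edit_post', $post_id)) {
        wp_die('You are not allowed to edit this post.', '', ['response' => 403]);
    }

    // Input sanitising before the value reaches any query or page.
    $label = isset($_POST['label']) ? sanitize_text_field(wp_unslash($_POST['label'])) : '';
    if ($label === '' || strlen($label) > 64) {
        wp_die('Label must be 1-64 characters.', '', ['response' => 400]);
    }

    // SQL injection protection: %d and %s placeholders, values passed separately
    // (the same pattern as the DELETE on the WordPress protection slide).
    $wpdb->query($wpdb->prepare(
        "DELETE FROM {$wpdb->postmeta} WHERE post_id = %d AND meta_key = %s",
        $post_id,
        '_myplugin_label'
    ));
    $wpdb->insert(
        $wpdb->postmeta,
        ['post_id' => $post_id, 'meta_key' => '_myplugin_label', 'meta_value' => $label],
        ['%d', '%s', '%s']
    );

    wp_safe_redirect(add_query_arg('myplugin_saved', '1', wp_get_referer() ?: admin_url()));
    exit;
}
```

The order of the checks is deliberate: nonce first (is this request genuinely from this user's form?), capability second (is this user allowed to do it?), input validation third, and only then the database write. Skipping the capability check is a common mistake; a nonce alone does not stop a low-privilege user from submitting the form.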