4. Introduction
• Security is a measurement, not a characteristic.
• It is also a growing problem that requires a continually evolving solution.
Ø A good measure of
5. PHP & Security
• PHP keeps on growing as a language, making headway into enterprise and corporate markets.
• Consequently PHP applications
6. Session Hijacking
• TCP session hijacking is when a hacker takes over a TCP session between two machines.
• Since most authentication only occurs at the start of a TCP session, this allows the
8. Protection Against Session Hijacking
• Use encryption
• Use a secure protocol
• Limit incoming connections
• Minimize remote access
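The slide lists the protections at the network level; in a PHP application the same goal (a captured or fixed session id should be useless to anyone but its owner) is reached by hardening the session cookie itself. The following is an added example, not code from the slides; it assumes PHP 7.3 or later for the array form of session_set_cookie_params(), and the 15-minute idle limit is a constructed value.

```php
<?php
// Added example (not from the slides): hardening PHP's own session against
// hijacking. Assumes PHP 7.3+ (array form of session_set_cookie_params()).
declare(strict_types=1);

function configure_secure_session(): void
{
    // Cookie-only sessions: never accept a session id from the URL.
    ini_set('session.use_only_cookies', '1');
    // Reject session ids the server did not issue itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, gone when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // only ever sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict', // not attached to cross-site requests
    ]);
    session_start();
}

function login_user(int $userId): void
{
    // Issue a fresh id at the privilege change, so an id fixed or captured
    // before login does not carry over into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

function session_is_fresh(int $idleLimitSeconds = 900): bool
{
    // Expire idle sessions to shorten the window in which a stolen id works.
    if (!isset($_SESSION['last_seen'])) {
        return false;
    }
    if (time() - $_SESSION['last_seen'] > $idleLimitSeconds) {
        session_unset();
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

configure_secure_session();
if (isset($_SESSION['user_id']) && !session_is_fresh()) {
    header('Location: /login');
    exit;
}
```

The two ini settings and the cookie flags are the server-side half of "use encryption / use a secure protocol": with `secure` set the browser never sends the id over plain HTTP, and `use_strict_mode` closes session fixation, where an attacker chooses the id before the victim logs in.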
9. Input Validation
• One of the key concepts you must accept is that user input is unreliable and not to be trusted.
  – Partially lost in transmission between server & client.
  – Corrupted by some in-between process.
10. Strong Password
• Do not store passwords as plain text
• Do not try to invent your own password security
• Do not encrypt passwords, as encryption is reversible.
Security through
11. Strong Password
• Do not use MD5 – though this cryptographic hashing function is irreversible, it is quite easy to make a list of millions of hashed passwords (a rainbow table) and compare the
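To make slides 10 and 11 concrete, here is an added example (not from the slides) contrasting a bare MD5 digest with PHP's built-in password_hash()/password_verify() (available since PHP 5.5). The sample password and the bcrypt cost of 12 are constructed values.

```php
<?php
// Added example (not from the slides): why an unsalted MD5 digest is a poor
// password store, and what to use instead. Assumes PHP 5.5+.
declare(strict_types=1);

// Weak: unsalted, fast MD5. Every user with the same password gets the same
// digest, so one precomputed table of common passwords answers for all of them.
function weak_md5_hash(string $password): string
{
    return md5($password);
}

// Stronger: bcrypt through password_hash(). A random salt is generated per
// call and embedded in the result, and the work factor makes bulk guessing slow.
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function check_password(string $password, string $storedHash): bool
{
    // Reads the salt and cost back out of the stored string and compares
    // in constant time; no need to store the salt separately.
    return password_verify($password, $storedHash);
}

// Constructed sample value for the demonstration.
$password = 'correct horse battery staple';

// Two MD5 calls on the same input produce the same digest (table-friendly).
$md5a = weak_md5_hash($password);
$md5b = weak_md5_hash($password);
echo 'MD5 digests identical: ' . ($md5a === $md5b ? 'yes' : 'no') . "\n";

// Two bcrypt calls on the same input differ because each gets its own salt,
// yet both verify against the original password and reject a wrong guess.
$h1 = hash_password($password);
$h2 = hash_password($password);
echo 'bcrypt hashes identical: ' . ($h1 === $h2 ? 'yes' : 'no') . "\n";
echo 'verify correct password: ' . (check_password($password, $h1) ? 'ok' : 'fail') . "\n";
echo 'verify wrong password:   ' . (check_password('guess', $h1) ? 'ok' : 'fail') . "\n";

// When the cost is raised later, stored hashes can be migrated at next login.
if (password_needs_rehash($h1, PASSWORD_BCRYPT, ['cost' => 12])) {
    $h1 = hash_password($password); // store the new value
}
```

The per-hash salt is what defeats the rainbow table the slide describes: the attacker would need a separate table per salt, and the bcrypt cost makes building even one of them expensive.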
12. XSS
• Cross Site Scripting (XSS) is a situation whereby an attacker injects HTML code, which is then displayed on the page without further validation.
13. XSS Condition
1. A Web application accepts user input
  – Well, which Web application doesn't?
2. The input is used to create dynamic content
14. Who is Affected By XSS
• XSS attack's first target is the Client
  – Client trusts server (does not expect attack)
  – Browser executes malicious script
15. Impact Of XSS - Attack
• Access to authentication credentials for the Web application
  – Cookies, username and password
  Ø XSS is not a harmless flaw!
• Normal users
  Ø Access to personal data (credit card, bank account)
  Ø Access to business data (bid details, construction details)
  Ø Misuse of account (order expensive goods)
16. Impact Of XSS - Attack
• Denial-of-Service
  – Crash users' browser, pop-up flooding, redirection
• Access to users' machine
  – Use ActiveX objects to control the machine
17. Preventing XSS
Preventing XSS means preventing…
• Subversion of separation of clients
  – Attacker can access affected clients' data
  – Industrial espionage
• Identity theft
  – Attacker can impersonate
18. XSS Solution
• Implement XSS prevention in the application
• Do not assume input values are benign
• Do not trust client-side validation
• Check and validate all
19. What to consider as an "INPUT"
• Not only field values with user-supplied input
• Should be treated as input:
  – All field values: even hidden fields
  – All HTTP header fields: Referer
  – And even the
20. How To Perform Input Validation
• Check if the input is what you expect
• Do not try to check for "bad input"
• Black-list testing is no solution
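Slides 12 and 18 to 20 together describe the two halves of XSS defence: accept only input you positively expect (hidden fields and headers included), and encode whatever you echo back. The following is an added example, not code from the slides; the field names, the allowed roles, the numeric limits and the tampered request values are all constructed for the demonstration.

```php
<?php
// Added example (not from the slides): whitelist validation of every input,
// including a hidden field and a request header, plus HTML output encoding.
declare(strict_types=1);

// Validate by stating what IS allowed, never by searching for "bad" strings.
function validate_profile(array $input): array
{
    $errors = [];
    $clean  = [];

    // username: 3 to 20 characters from a fixed alphabet.
    $username = $input['username'] ?? '';
    if (preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $username)) {
        $clean['username'] = $username;
    } else {
        $errors[] = 'username must be 3-20 alphanumeric/underscore characters';
    }

    // age: an integer inside a range; FILTER_VALIDATE_INT rejects anything else.
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors[] = 'age must be an integer between 13 and 120';
    } else {
        $clean['age'] = $age;
    }

    // role: arrives in a hidden field, which is still untrusted input.
    $role = $input['role'] ?? '';
    if (in_array($role, ['member', 'editor'], true)) {
        $clean['role'] = $role;
    } else {
        $errors[] = 'invalid role';
    }

    // website: optional, and only http(s) URLs are acceptable.
    $site = $input['website'] ?? '';
    if ($site === '') {
        $clean['website'] = '';
    } elseif (filter_var($site, FILTER_VALIDATE_URL) !== false
        && in_array(parse_url($site, PHP_URL_SCHEME), ['http', 'https'], true)) {
        $clean['website'] = $site;
    } else {
        $errors[] = 'website must be an http(s) URL';
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// Encode at output time for the HTML context. Validation alone is not enough:
// a legitimate value such as O'Brien still contains an HTML metacharacter.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request: the hidden "role" field, the website and the Referer
// header have all been tampered with, and the username carries markup.
$input = [
    'username' => '<script>alert(1)</script>',
    'age'      => '25',
    'role'     => 'admin',
    'website'  => 'javascript:alert(1)',
];
$referer = 'http://example.test/"><img src=x onerror=alert(1)>';

$result = validate_profile($input);
print_r($result['errors']);

// Whatever is reflected, encode it for the context it lands in.
echo '<p>Referer: ' . h($referer) . "</p>\n";
echo '<p>Username: ' . h($input['username']) . "</p>\n";
```

The validator never looks for `<script>`; it fails the username simply because `<` is outside the allowed alphabet, which is the point of slide 20. The `h()` helper handles the case validation cannot: text that is legitimate as data but would be parsed as markup if echoed raw.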
21. SQL Injection
• SQL injection is similar to XSS in that unvalidated data is being used, but in this case the data is passed to the database.
  – Arbitrary query execution
  • Removal of data.
22. SQL Injection
• SQL injection vulnerabilities come in two main forms.
• Both forms involve injecting SQL code into a website.
• (1) Injecting into a form, such as username and password boxes
23. Goals Of SQL Injection
• Your goal as an injector is to outsmart the SQL server.
• SQL server is normally running as either the local 'system' account or a 'domain user' account, an
24. Goals Of SQL Injection
• An attacker might use the xp_regXXX functions to read the SAM, change the configuration of a system service, etc.
25. How SQL Injection Works
• Before you protect from an injection, you must first understand how SQL works.
• The username and password you entered are kept in the site's member table
• The login form takes the
26. Escape SQL
• If the database interface extension offers dedicated escaping functions, USE THEM!
  – MySQL
    • mysql_escape_string()
    • mysql_real_escape
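Slides 21 to 26 describe the login lookup that injection abuses and the escaping remedy. The following added example (not code from the slides) shows that lookup written first with string concatenation and then with a prepared statement, which removes the need for escaping altogether. It uses PDO over an in-memory SQLite database so it runs stand-alone and assumes the pdo_sqlite extension is available; the members table, the user and the crafted input are constructed for the demonstration.

```php
<?php
// Added example (not from the slides): the same member lookup written
// vulnerably (string concatenation) and safely (prepared statement).
// Assumes PHP with pdo_sqlite; the data is constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)');
$ins = $db->prepare('INSERT INTO members (username, pw_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('s3cret', PASSWORD_DEFAULT)]);

// VULNERABLE: the input is spliced into the SQL text, so a quote in the input
// ends the string literal and the rest of the input becomes SQL syntax.
function find_member_vulnerable(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username, pw_hash FROM members WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SAFE: the SQL text is fixed at prepare time and the value is bound
// separately, so whatever the input contains is compared as data.
function find_member_safe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, pw_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Authentication is a hash check on the fetched row, never a second
// "AND password = '...'" clause built from the submitted password.
function login(PDO $db, string $username, string $password): bool
{
    $row = find_member_safe($db, $username);
    return $row !== null && password_verify($password, $row['pw_hash']);
}

// Constructed input containing a single quote, as a form field might carry.
$crafted = "' OR '1'='1";

// In the concatenated query the quote closes the literal and the WHERE clause
// no longer restricts by username; in the prepared query it is just a
// username nobody has.
var_dump(find_member_vulnerable($db, $crafted) !== null);
var_dump(find_member_safe($db, $crafted));
var_dump(login($db, 'alice', 's3cret'));
var_dump(login($db, 'alice', 'wrong'));
```

Two caveats a practitioner should know: escaping with mysql_real_escape_string() is only correct when the value is placed inside a quoted literal and the connection character set is set, whereas a bound parameter is safe in every position; and the whole mysql_* extension the slide names was removed in PHP 7.0, so current code uses mysqli or PDO, both of which provide prepared statements.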
29. REST Web services
● Representational State Transfer defines a set of
architectural principles by which we can design Web
services that focus on a system's resources, including
how resource states are addressed and transferred
over HTTP by a wide range of clients written in
different languages.
● REST has emerged in the last few years alone as a
predominant Web service design model.
● REST has had such a large impact on the Web that it
has mostly displaced SOAP- and WSDL-based
interface design because it's a considerably simpler
style to use.
30. Design
REST Web service follows four basic design
principles:
● Use HTTP methods explicitly.
● Be stateless.
● Expose directory structure-like URIs.
● Transfer XML, JavaScript Object Notation
(JSON), or both.
31. Use HTTP methods explicitly
● REST asks developers to use HTTP methods
explicitly and in a way that's consistent with the
protocol definition.
● This basic REST design principle establishes a
one-to-one mapping between create, read,
update, and delete (CRUD) operations and
HTTP methods.
32. Use HTTP methods explicitly (cont.)
According to this mapping:
● To create a resource on the server, use POST.
● To retrieve a resource, use GET.
● To change the state of a resource or to update
it, use PUT.
● To remove or delete a resource, use DELETE.
33. Be stateless
● The client–server communication is further
constrained by no client context being stored on
the server between requests. Each request
from any client contains all of the information
necessary to service the request, and any
session state is held in the client.
34. Expose directory structure-like URIs
Some guidelines about URI structure for a RESTful
Web service are:
● Hide the server-side scripting technology file
extensions (.jsp, .php, .asp), if any, so you can port to
something else without changing the URIs.
● Keep everything lowercase.
● Substitute spaces with hyphens or underscores (one
or the other).
● Avoid query strings as much as you can.
● Instead of using the 404 Not Found code if the request
URI is for a partial path, always provide a default page
or resource as a response.
35. Transfer XML, JSON, or both
● The last set of constraints that goes into a RESTful
Web service design has to do with the format of the
data that the application and service exchange in the
request/response payload or in the HTTP body. This is
where it really pays to keep things simple,
human-readable, and connected.
38. JSON
● JSON (JavaScript Object Notation) is a lightweight
computer data interchange format.
● It is a text-based, human-readable format for
representing objects and other data structures and is
mainly used to transmit such structured data over a
network connection (in a process called serialization).
● JSON finds its main application in Ajax web application
programming, as a simple alternative to using XML for
asynchronously transmitting structured information
between client and server.
39. JSON Architecture
JSON is built on two structures:
● A collection of name/value pairs. In various
languages, this is realized as an object, record,
struct, dictionary, hash table, keyed list, or
associative array.
● An ordered list of values. In most languages,
this is realized as an array, vector, list, or
sequence.
40. JSON Functions
JSON Functions used in PHP
● json_decode — Decodes a JSON string
● json_encode — Returns the JSON
representation of a value
● json_last_error — Returns the last error that
occurred
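Slides 31 to 34 and 40 fit together in a single small handler: HTTP methods map one-to-one onto CRUD, the URI looks like a directory path, no client state is kept between requests beyond the resource itself, and the body is JSON decoded with an explicit json_last_error() check. The following is an added example, not code from the slides; the NoteService class, its in-memory store and the request sequence are constructed for the demonstration, and it assumes PHP 7.4 or later for typed properties.

```php
<?php
// Added example (not from the slides): a minimal RESTful resource handler
// mapping GET/POST/PUT/DELETE to CRUD and validating JSON bodies.
// Assumes PHP 7.4+; the store and requests are constructed.
declare(strict_types=1);

final class NoteService
{
    /** @var array<int, array{id:int, text:string}> */
    private array $items = [];
    private int $nextId = 1;

    /** Returns [status code, response body]. */
    public function handle(string $method, string $path, string $rawBody = ''): array
    {
        // Directory-like URI: /notes for the collection, /notes/{id} for one item.
        if (!preg_match('#\A/notes(?:/(\d+))?\z#', $path, $m)) {
            return [404, ['error' => 'not found']];
        }
        $id = isset($m[1]) ? (int) $m[1] : null;

        switch ($method) {
            case 'GET':     // read
                if ($id === null) {
                    return [200, array_values($this->items)];
                }
                return isset($this->items[$id])
                    ? [200, $this->items[$id]]
                    : [404, ['error' => 'not found']];

            case 'POST':    // create, on the collection only
                if ($id !== null) {
                    return [405, ['error' => 'POST only on the collection']];
                }
                $data = $this->parseJson($rawBody);
                if ($data === null || !isset($data['text']) || !is_string($data['text'])) {
                    return [400, ['error' => 'body must be JSON with a string "text"']];
                }
                $new = ['id' => $this->nextId++, 'text' => $data['text']];
                $this->items[$new['id']] = $new;
                return [201, $new];

            case 'PUT':     // update an existing item
                if ($id === null || !isset($this->items[$id])) {
                    return [404, ['error' => 'not found']];
                }
                $data = $this->parseJson($rawBody);
                if ($data === null || !isset($data['text']) || !is_string($data['text'])) {
                    return [400, ['error' => 'body must be JSON with a string "text"']];
                }
                $this->items[$id]['text'] = $data['text'];
                return [200, $this->items[$id]];

            case 'DELETE':  // delete
                if ($id === null || !isset($this->items[$id])) {
                    return [404, ['error' => 'not found']];
                }
                unset($this->items[$id]);
                return [204, []];

            default:
                return [405, ['error' => 'method not allowed']];
        }
    }

    /** Decode to an associative array, or null when the body is not valid JSON. */
    private function parseJson(string $raw): ?array
    {
        $data = json_decode($raw, true, 16);
        if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
            return null;
        }
        return $data;
    }
}

// Constructed request sequence; the second body is deliberately malformed.
$svc = new NoteService();
$requests = [
    ['POST',   '/notes',   '{"text":"first"}'],
    ['POST',   '/notes',   '{"text": "unterminated'],
    ['GET',    '/notes',   ''],
    ['PUT',    '/notes/1', '{"text":"edited"}'],
    ['DELETE', '/notes/1', ''],
    ['GET',    '/notes/1', ''],
];
foreach ($requests as [$method, $path, $body]) {
    [$status, $payload] = $svc->handle($method, $path, $body);
    echo "$method $path -> $status " . json_encode($payload) . "\n";
}
```

Checking json_last_error() immediately after json_decode() matters because json_decode() returns null both for the literal `null` and for a syntax error; the malformed second request is rejected with 400 rather than silently creating an empty note. The depth limit passed as the third argument bounds how deeply nested a body the service will parse.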