
Web security best practices for PHP


Part 1 of a two-part webinar series discussing the best practices every development team should follow to ensure the security of their web applications.

You’ll learn a few best practices to help ward off incessant attacks on your web application, including: the different attack types; what role log monitoring plays; what injection is and where it comes from; the importance of developing a severity matrix; and how PHP version end-of-life impacts web security.

Published in: Software


  1. Webinar series: PHP security best practices. Part 1: Web security best practices for PHP. © 2019 Rogue Wave Software, Inc. All rights reserved.
  2. PHP security best practices, by Daryl Wood, Senior Technical Trainer. Webinar, March 25, 2019, Rogue Wave Software, Inc.
  3. PHP application security: best practice fundamentals. Agenda: security attack types; log monitoring; attack injection; attack severities and impacts; PHP version end of life.
  4. Attack severities and impacts
  5. Attack severities
  6. Attack impacts. Impacts of a successful injection include: data loss, corruption, access denial, or complete host takeover; lack of accountability; bad public relations; litigation expense; web site front-facing impacts; account(s) compromise.
  7. Injection and attack types (limited). Some of the most common attacks or vulnerabilities include: cross-site scripting (XSS); SQL injection; broken session management; brute force.
  8. Injection. Injection is an attempt to insert something nefarious into an application. It can: allow malicious code to pass through; include system calls; include whole scripts; cause an interpreter to execute unauthorized code.
  9. Cross-site scripting (XSS). An injection of script code, typically JavaScript, into an application from an outside client. This vulnerability occurs when input data is used without proper filtering, validation, and escaping. Two types of XSS (either can occur on a server or a client): stored and reflected.
  10. Cross-site scripting (XSS): a stored vulnerable example.

```php
// Constructed input standing in for a real POST request
$_POST['username'] = 'pablo';
$_POST['comment']  = '<script>alert("document.cookie")</script>';

if ($_POST) {
    $result = null;
    try {
        $pdo = new PDO('mysql:unix_socket=/var/run/mysqld/mysqld.sock;dbname=blog', 'vagrant', 'vagrant');
        // Request data is interpolated straight into the SQL and stored unfiltered
        $pdo->exec("INSERT INTO blog (username, comment) VALUES ('{$_POST['username']}', '{$_POST['comment']}')");
        // Then subsequently
        $stmt   = $pdo->query("SELECT * FROM blog WHERE username='{$_POST['username']}'");
        $result = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (Throwable $e) {
        // Handle ...
    }
    if ($result) {
        // The stored comment is echoed without escaping, so the script tag runs in every visitor's browser
        echo $result['comment'];
    }
}
```
  11. SQL injection. SQL injection defines an attempt to inject some amount of SQL, or any database interface language, in input data from a client. It attempts to execute unauthorized database actions on a database server.
  12. SQL injection: a vulnerable code example.

```php
if ($_GET && isset($_GET['Submit'])) {
    // Employ ACL to determine access
    try {
        $pdo  = new PDO('mysql:unix_socket=/var/run/mysqld/mysqld.sock;dbname=blog', 'vagrant', 'vagrant');
        // The id parameter is interpolated into the query text unvalidated and unbound
        $stmt = $pdo->query("SELECT first_name, last_name FROM blog WHERE user_id = '{$_GET['id']}'");
        $result = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Handle ...
    }
}
```

But what if the id parameter looks like this?

```sql
;update blog set username = attacker where user_id = 1;
```
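The two slides above show where unfiltered request data reaches SQL and HTML. The following is an added example, not code from the webinar: the same insert, lookup and render with prepared statements, integer validation and output escaping. It reuses the slides' DSN, credentials and table names; the function names are this example's own.

```php
<?php
declare(strict_types=1);

// Assumption: same DSN and credentials as the slides; errors raised as exceptions,
// server-side prepares so bound values never touch the SQL text.
function connect(): PDO
{
    return new PDO('mysql:unix_socket=/var/run/mysqld/mysqld.sock;dbname=blog', 'vagrant', 'vagrant', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Stored-XSS slide: request data reaches the database only as bound parameters.
function storeComment(PDO $pdo, string $username, string $comment): void
{
    $stmt = $pdo->prepare('INSERT INTO blog (username, comment) VALUES (:username, :comment)');
    $stmt->execute([':username' => $username, ':comment' => $comment]);
}

// SQL-injection slide: the id is validated as a positive integer and bound as one,
// so an appended ";update ..." is rejected before any SQL is built.
function findUser(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT first_name, last_name FROM blog WHERE user_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output side of the XSS fix: escape at render time, for the HTML context the value lands in.
function renderComment(string $comment): string
{
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed input mirroring the slide: the tag is shown as text, not executed.
echo renderComment('<script>alert("document.cookie")</script>'), PHP_EOL;
```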
  13. Broken session management. Broken session management can allow unauthorized attackers access to privileged account data. When this happens: account(s) are compromised; it can allow further exploitation.
  14. Broken session management: a vulnerable code example.

```php
class LoginController
{
    // ...
    public function logoutAction()
    {
        // Only re-renders the login page: the session is never destroyed,
        // so the authenticated session id remains valid
        $this->view->setTemplate('login');
        $this->view->render();
    }
    // ...
}
```
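As an added example (not from the webinar), a logout that actually ends the session, together with the cookie attributes and id regeneration that pair with it. Apart from LoginController::logoutAction, the class and method names are this example's own; it assumes PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie().

```php
<?php
declare(strict_types=1);

final class SessionManager
{
    // Hardened cookie attributes, set before the session starts.
    public static function start(): void
    {
        session_set_cookie_params([
            'lifetime' => 0,
            'path'     => '/',
            'secure'   => true,   // cookie only sent over HTTPS
            'httponly' => true,   // not readable from document.cookie
            'samesite' => 'Strict',
        ]);
        session_start();
    }

    // After successful authentication: fresh id, so a pre-login id cannot be reused.
    public static function login(int $userId): void
    {
        session_regenerate_id(true);
        $_SESSION['user_id'] = $userId;
    }

    // Logout: clear server-side data, expire the client cookie, destroy the session.
    public static function logout(): void
    {
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', ['expires' => time() - 42000, 'path' => $p['path'],
                'domain' => $p['domain'], 'secure' => $p['secure'], 'httponly' => $p['httponly'],
                'samesite' => $p['samesite']]);
        }
        session_destroy();
    }
}

class LoginController
{
    public function logoutAction(): void
    {
        SessionManager::logout();              // the step the slide's version omits
        header('Location: /login', true, 303); // then show the login page
        exit;
    }
}
```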
  15. Brute force. A brute force attack is an attempt to break authentication. The brute force attacker tries every character/special character/symbol/number mutation possible until successful. Characteristics: robotic; attempts to identify the authentication mechanism; good at covering tracks; success is not a matter of if, but when; extremely dangerous on success.
  16. Brute force: a vulnerable code example.

```php
if ($_POST && isset($_POST['Login'])) {
    $username = $_POST['username'];
    $password = md5($_POST['password']);
    $result   = null;
    try {
        $stmt = $this->getPdo()->query("SELECT * FROM users WHERE username='$username' AND password='$password'");
        $result = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Handle ...
    }
    if ($result && count($result)) {
        // Login successful: nothing limits how many guesses a client may make
        echo "<p>Welcome to the password protected area " . $username . "</p>";
    } else {
        // Login failed
        echo "<pre><br>Username and/or password incorrect.</pre>";
    }
}
```
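An added example, not from the webinar, of the same login with what that slide's code lacks: a password_hash() value instead of md5(), a bound query, a per-account failure counter with lockout, and a single generic failure message. Table and column names follow the slide; the Login class and the in-memory counter store (standing in for a persistent one) are this example's own.

```php
<?php
declare(strict_types=1);

final class Login
{
    private const MAX_FAILURES    = 5;
    private const LOCKOUT_SECONDS = 900;
    /** @var array<string, array{count:int, until:int}> placeholder for a persistent store */
    private $failures = [];
    private $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    // Returns true only on a verified password for an account that is not locked out.
    public function attempt(string $username, string $password): bool
    {
        $key = strtolower($username);
        $now = time();
        $f   = $this->failures[$key] ?? ['count' => 0, 'until' => 0];
        if ($f['until'] > $now) {
            return false; // locked out: the guess is not even checked
        }

        // Bound parameter instead of string interpolation
        $stmt = $this->pdo->prepare('SELECT id, password FROM users WHERE username = :u');
        $stmt->execute([':u' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // The password column holds a password_hash() value, not md5(); a throwaway hash for
        // unknown users keeps the response time similar, so usernames are not enumerable.
        $stored = $row['password'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
        $ok     = password_verify($password, $stored);
        if ($row !== false && $ok) {
            unset($this->failures[$key]);
            return true;
        }

        $f['count']++;
        if ($f['count'] >= self::MAX_FAILURES) {
            $f = ['count' => 0, 'until' => $now + self::LOCKOUT_SECONDS];
            error_log("login lockout user={$username} ip=" . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
        }
        $this->failures[$key] = $f;
        return false;
    }
}
```

The caller prints the slide's "Username and/or password incorrect." for a wrong user, a wrong password and a lockout alike, and the error_log() call gives the log monitoring below something to watch for.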
  17. Log monitoring
  18. Log monitoring. Log monitoring is all about keeping an eye on what's being attacked, from where, and sometimes by whom. This section includes: log location; enabling; monitoring tools.
  19. Log location. Where are the logs? This is dependent on your server's OS. Here are the locations for a Debian-based Linux server using the Apache web server: syslog: /var/log/syslog; Apache access: /var/log/apache2/access.log; Apache error: /var/log/apache2/error.log; PHP error: when enabled, goes to the syslog by default.
  20. Log monitoring: log entry examples.

A cut from a Debian-based Linux syslog:

```
Mar 15 09:58:40 linux systemd[1]: Timed out waiting for device dev-disk-byx2did-usbx2dWDC_WD10_02FAEXx2d00Z3A0_152D00539000x2d0:0x2dpart1.device.
```

A cut from an Apache access log:

```
127.0.0.1 - - [14/Mar/2019:08:10:14 -0700] "GET / HTTP/1.1" 200 1330 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"
```

A cut from an Apache error log:

```
[Fri Mar 15 08:11:41.867281 2019] [mpm_prefork:notice] [pid 1473] AH00169: caught SIGTERM, shutting down
```
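As an added example (not from the webinar), a small PHP script that parses access-log lines in the combined format shown above and flags clients with repeated 401/403 responses inside a short window, the kind of check a monitoring tool runs over these logs. The sample lines, the 203.0.113.7 address and the thresholds are constructed.

```php
<?php
const MAX_FAILURES   = 3;   // starting-point thresholds, tune per site
const WINDOW_SECONDS = 60;

// Parse one Apache combined-format line (the format on the slide) into its fields.
function parseAccessLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    return $ts === false ? null
        : ['ip' => $m[1], 'time' => $ts->getTimestamp(), 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

// Return [ip => total 401/403 count] for clients with MAX_FAILURES such responses inside WINDOW_SECONDS.
function flagBursts(array $lines): array
{
    $byIp = [];
    foreach ($lines as $line) {
        $e = parseAccessLine($line);
        if ($e !== null && in_array($e['status'], [401, 403], true)) {
            $byIp[$e['ip']][] = $e['time'];
        }
    }
    $flagged = [];
    foreach ($byIp as $ip => $times) {
        sort($times);
        // Sliding window: any MAX_FAILURES consecutive failures within the window is a burst.
        for ($i = 0, $n = count($times); $i + MAX_FAILURES <= $n; $i++) {
            if ($times[$i + MAX_FAILURES - 1] - $times[$i] <= WINDOW_SECONDS) {
                $flagged[$ip] = $n;
                break;
            }
        }
    }
    return $flagged;
}

// Constructed sample: one normal request and a burst of failed logins from a documentation-range IP.
$sample = [
    '127.0.0.1 - - [14/Mar/2019:08:10:14 -0700] "GET / HTTP/1.1" 200 1330 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Mar/2019:08:10:20 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.64.0"',
    '203.0.113.7 - - [14/Mar/2019:08:10:21 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.64.0"',
    '203.0.113.7 - - [14/Mar/2019:08:10:23 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.64.0"',
];
foreach (flagBursts($sample) as $ip => $n) {
    echo "possible brute force from {$ip}: {$n} failed requests", PHP_EOL;
}
```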
  21. Enabling PHP error logging. PHP application error logging is not enabled by default. Enabling it in a Debian-based Linux PHP installation for Apache looks like this. The file location: /etc/php/<version>/<parser type>/php.ini.

```ini
...
; Besides displaying errors, PHP can also log errors to locations such as a
; server-specific log, STDERR, or a location specified by the error_log
; directive found below. While errors should not be displayed on productions
; servers they should still be monitored and logging is a great way to do that.
; Default Value: Off
; Development Value: On
; Production Value: On
; http://php.net/log-errors
log_errors = On
...
```
  22. Monitoring tools. These include: framework tools; third-party libraries (https://packagist.org); third-party services.
  23. PHP version end-of-life
  24. PHP version end-of-life. PHP servers must be kept up to date, and a formal process established to effect that update. Version end of life means that support for the following will cease: bug fixes; security fixes; system optimizations. System monitoring might be impacted and fail to function correctly, if at all. Being proactive with version updates will help prevent problems!
  25. Recap
  26. Recap. Let's recap: attack severities and their technical and business impacts; a limited set of injection and attack types; logging importance and some monitoring information; the risks of PHP version end of life.
  27. What else? Oh, and we never mentioned: cross-site request forgery; remote code injection; command injection; man-in-the-middle attacks; how to target logs for severities; and more...
  28. What's next?
  29. Stay tuned. Additional resources: PHP security, support and migration: zend.com/phpsecurity. Training, PHP security and more: zend.com/en/services/training. Don't forget to join the next webinar, where we'll dive a little deeper into the PHP security best practices with code fixes! April 25th: PHP security best practices continues.
  30. Q&A
  31. Thank you! Contact Ryan: ryan.krszjzaniek@roguewave.com. Contact Daryl: daryl.wood@roguewave.com. Follow me on Twitter: @datashuttle.
