PHP Security
Akash Mahajan | akashm.com
That Web Application Security Guy
This talk isn't about security
This is about data in web applications: How does it flow? Where does it come from? Where does it end up?
This is about the configuration of web applications: Do files require special permissions? Why does your upload folder have 0777?
@makash | akashm.com - That Web Application Security Guy
Web Apps look like this – 3 tier
Data View of a Web App in Use
The Web Client controls everything the Web Server has received as part of the request.
Diagram labels: Web Client, HTTP Protocol, Web Server, PHP Interpreter, Trusted Code running on the server, Data Store, Untrusted Data.
Data you can't trust
Good data for a login page: Username – foo, Password – bar
Bad data for a login page: Username – foo' OR 1=1;-- Password – bar' OR 1=1;--
Good data for a comment: This is a nice comment
Bad data for a comment: This is an XSS</textarea><script>alert(document.cookie);</script>
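The two payloads on this slide, run through a vulnerable and a hardened version of the same login query and comment rendering. This is an added example, not code from the talk; the users table, its rows and the in-memory SQLite database (PDO with pdo_sqlite) are constructed here so it runs offline from the command line. Passwords are stored in clear only to keep the injection demonstration short; the next slide deals with that.

```php
<?php
// Added example, not from the talk. The users table and rows are constructed
// in an in-memory SQLite database so the script runs offline.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO users (username, password) VALUES ('foo', 'bar'), ('admin', 'hunter2')");

// Vulnerable: the username is pasted into the SQL text. The payload
// foo' OR 1=1;-- closes the string literal, adds an always-true condition
// and comments out the password check, so the query matches every user.
function loginVulnerable(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT id FROM users WHERE username = '$username' AND password = '$password'";
    return $db->query($sql)->fetchColumn() !== false;
}

// Hardened: the values are bound parameters. The driver keeps them apart
// from the statement text, so the quote and the -- are just characters in a
// username that does not exist.
function loginSafe(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $username, ':p' => $password]);
    return $stmt->fetchColumn() !== false;
}

// Vulnerable: the comment lands inside a <textarea> unencoded. The payload
// closes the textarea and the <script> runs in every reader's browser.
function renderCommentVulnerable(string $comment): string
{
    return "<textarea>$comment</textarea>";
}

// Hardened: encode for the HTML context the data lands in. ENT_QUOTES also
// covers attribute values; the charset must match the page's own.
function renderCommentSafe(string $comment): string
{
    return '<textarea>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</textarea>';
}

$badUser = "foo' OR 1=1;--";
$badPass = "bar' OR 1=1;--";
printf("string-built login with payload:       %s\n", loginVulnerable($db, $badUser, $badPass) ? 'accepted' : 'rejected');
printf("prepared-statement login with payload: %s\n", loginSafe($db, $badUser, $badPass) ? 'accepted' : 'rejected');
printf("prepared-statement login with foo/bar: %s\n", loginSafe($db, 'foo', 'bar') ? 'accepted' : 'rejected');

$xss = 'This is an XSS</textarea><script>alert(document.cookie);</script>';
echo renderCommentVulnerable($xss), PHP_EOL;
echo renderCommentSafe($xss), PHP_EOL;
```

The string-built query accepts the payload without knowing any password; the prepared statement rejects it and still accepts the real foo/bar pair. The encoded comment renders as visible text inside the textarea instead of closing it. The same rule applies to every other sink: a parameter for SQL, an encoder for the exact HTML, attribute, URL or JavaScript context the data is written into.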
Data you need to protect
Clear-text passwords: for username email@example.com the password is 123456. A data thief who steals the entire database then has reusable account details.
http://somebank.cxm/account-details.php?id=1234: did you check that only the user with id 1234 can see this? And what if the attacker stole the session cookie of the user with id 1234?
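The two fixes this slide asks for, as an added example that is not part of the talk: store a salted, slow hash instead of the clear-text password, and decide whose account page to show from the authenticated session rather than from ?id= in the URL. $accounts and $session are constructed arrays standing in for the database and for $_SESSION so the script runs from the command line.

```php
<?php
// Added example, not from the talk. $accounts and $session are constructed
// stand-ins for the database and $_SESSION.
declare(strict_types=1);

// password_hash() chooses the algorithm for PASSWORD_DEFAULT, generates the
// salt and embeds both in the result; password_verify() compares in constant
// time. A stolen table now holds per-user hashes that must be cracked one by
// one, not credentials that work on other sites as well.
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function checkPassword(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

// The record returned is always the logged-in user's own. If the URL still
// carries an id, it is accepted only when it matches the session's owner, so
// changing 1234 to 1235 in the address bar yields nothing.
function accountDetails(array $session, array $accounts, ?string $requestedId): ?array
{
    if (!isset($session['user_id'])) {
        return null;                            // not authenticated
    }
    $ownId = (int) $session['user_id'];
    if ($requestedId !== null && (string) $ownId !== $requestedId) {
        return null;                            // someone else's record
    }
    return $accounts[$ownId] ?? null;
}

// Constructed demo data.
$accounts = [
    1234 => ['email' => 'email@example.com', 'balance' => 100],
    1235 => ['email' => 'other@example.com', 'balance' => 5000],
];

$hash = storePassword('123456');
echo "stored: $hash\n";
echo 'correct password verifies: ', var_export(checkPassword('123456', $hash), true), "\n";
echo 'wrong password verifies:   ', var_export(checkPassword('654321', $hash), true), "\n";

$session = ['user_id' => 1234];                 // set by the login handler
echo 'own record (?id=1234):     ', json_encode(accountDetails($session, $accounts, '1234')), "\n";
echo "other's record (?id=1235): ", json_encode(accountDetails($session, $accounts, '1235')), "\n";
echo 'no session:                ', json_encode(accountDetails([], $accounts, '1234')), "\n";
```

The authorization check does nothing against the slide's last question, a stolen session cookie: whoever holds the cookie is user 1234 as far as this code can tell. That is a cookie-attribute and transport problem (HttpOnly, Secure, regenerating the id at login), handled on the CSRF and cookie slide below.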
Where is all the data coming from?
GET requests, AJAX requests, POST requests, HTML form data, cookies and the values stored in them, HTTP headers, file uploads, external data sources
Job of your trusted code
Trusted code should remain trusted. Based on validation, data is classified as tainted (bad) or untainted (good); only data that is good for the application is processed after that.
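One place where request data from every source on the previous slide is classified before anything else touches it, as an added example that is not code from the talk. The request arrays ($_GET, $_POST, $_COOKIE) are replaced by constructed arrays so the script runs from the command line; the rule set and the allowLang helper are assumptions for the demo. Requires PHP 8.

```php
<?php
// Added example, not from the talk. Request arrays are constructed below so
// the script runs offline; RULES and allowLang() are demo assumptions.
declare(strict_types=1);

// Each rule names the source, the filter and its options. Anything that
// fails its filter, or that is not named in the rules at all, stays tainted
// and never reaches the application.
const RULES = [
    'username' => ['source' => 'post',   'filter' => FILTER_VALIDATE_REGEXP,
                   'options' => ['options' => ['regexp' => '/^[a-z0-9_]{3,20}$/']]],
    'page'     => ['source' => 'get',    'filter' => FILTER_VALIDATE_INT,
                   'options' => ['options' => ['min_range' => 1, 'max_range' => 10000]]],
    'email'    => ['source' => 'post',   'filter' => FILTER_VALIDATE_EMAIL, 'options' => 0],
    'lang'     => ['source' => 'cookie', 'filter' => FILTER_CALLBACK,
                   'options' => ['options' => 'allowLang']],
];

// FILTER_CALLBACK hands the raw value to this; returning false marks it invalid.
function allowLang(string $value): string|false
{
    return in_array($value, ['en', 'de', 'hi'], true) ? $value : false;
}

/**
 * Returns [clean, errors]. $request is ['get' => [...], 'post' => [...],
 * 'cookie' => [...]]. Only keys present in RULES can appear in $clean, and
 * every value in $clean has the type its filter produces.
 */
function classify(array $request): array
{
    $clean = [];
    $errors = [];
    foreach (RULES as $name => $rule) {
        $raw = $request[$rule['source']][$name] ?? null;
        if ($raw === null) {
            $errors[$name] = 'missing';
            continue;
        }
        if (!is_string($raw)) {
            $errors[$name] = 'not a scalar';       // e.g. ?page[]=1 tricks
            continue;
        }
        $value = filter_var($raw, $rule['filter'], $rule['options']);
        if ($value === false) {
            $errors[$name] = 'rejected: ' . $raw;
            continue;
        }
        $clean[$name] = $value;                     // typed and untainted
    }
    return [$clean, $errors];
}

// Constructed requests: one honest, one carrying the earlier slide's payload
// plus a path-traversal string in a cookie.
$good = ['get' => ['page' => '3'], 'post' => ['username' => 'foo', 'email' => 'email@example.com'],
         'cookie' => ['lang' => 'en']];
$bad  = ['get' => ['page' => '-1'], 'post' => ['username' => "foo' OR 1=1;--", 'email' => 'not-an-email'],
         'cookie' => ['lang' => '../../etc/passwd']];

foreach (['good' => $good, 'bad' => $bad] as $label => $request) {
    [$clean, $errors] = classify($request);
    echo "$label request\n  clean:  ", json_encode($clean), "\n  errors: ", json_encode($errors), "\n";
}
```

Validation classifies; it does not replace the prepared statement and the output encoder. A username that passes the regexp is still data, and a comment that is legitimately "a < b" still needs encoding when it is written into HTML.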
I am a developer, not a hacker
Agreed, you are not a person bent on breaking the app, but:
Data from requests that is displayed in the browser passes through your trusted code; injecting HTML/JS there is XSS.
Data from the browser gets stored in the database; injecting SQL into such requests as they are sent to the database is SQL Injection.
Data stored in cookies that are used for authentication can be hijacked by an evil web page.
Unauthorized requests made on behalf of your web app's user are CSRF.
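The two request-side defences this slide points at, as an added example that is not code from the talk: session cookie attributes so an evil page cannot read the cookie from script or send it along with a cross-site POST, and a per-session CSRF token that a forged form cannot supply. $session is a constructed array standing in for $_SESSION so the script runs from the command line; in a real application hardenSession() is called before session_start(). Requires PHP 8.

```php
<?php
// Added example, not from the talk. $session is a constructed stand-in for
// $_SESSION; the changeEmail() handler is a demo assumption.
declare(strict_types=1);

function hardenSession(): void
{
    // Accept only session ids the server itself issued.
    ini_set('session.use_strict_mode', '1');
    // Never take the session id from the URL.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,          // browser-session cookie
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,       // HTTPS only
        'httponly' => true,       // document.cookie cannot read it
        'samesite' => 'Lax',      // not sent with cross-site POSTs
    ]);
}

// One random token per session, created on first use.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in every state-changing form.
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// hash_equals() avoids timing leaks; the is_string() guard rejects arrays.
function csrfValid(array $session, mixed $submitted): bool
{
    return isset($session['csrf_token'])
        && is_string($submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// A state-changing handler: reject the request before doing any work.
function changeEmail(array $session, array $post): string
{
    if (!csrfValid($session, $post['csrf_token'] ?? null)) {
        return 'rejected: missing or wrong CSRF token';
    }
    return 'email changed to ' . $post['email'];
}

hardenSession();
$session = ['user_id' => 1234];
echo csrfField($session), "\n";

// Legitimate submission carries the token the server rendered into the form.
echo changeEmail($session, ['email' => 'new@example.com', 'csrf_token' => $session['csrf_token']]), "\n";
// A forged form on another origin cannot know the token.
echo changeEmail($session, ['email' => 'attacker@example.com']), "\n";
echo changeEmail($session, ['email' => 'attacker@example.com', 'csrf_token' => str_repeat('0', 64)]), "\n";
```

Two companions to this in a real login flow: call session_regenerate_id(true) as soon as the user authenticates, so a session id an attacker planted or captured before login is worthless afterwards, and keep the token check on every POST, PUT and DELETE rather than only on the forms you remember to tag.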
What are we protecting?
Again, what are we protecting?
We are protecting the web application: from all kinds of injection, and from unauthorized requests that originate at the user's end.
We are protecting the user information that users have entrusted to us.
We are protecting the underlying server and the connected database from malicious commands that come through our trusted code.

What about configuration
Assume your web application allows users to upload pictures, in the three usual image formats: jpg, png, gif.
The filename of the image is also untrusted data. A file can carry an extension that makes it look like an image.
Images can have code embedded in them, which can execute if the file is requested with a GET.
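Checking an "image" upload by its content rather than by the name the client sent, and choosing the stored filename ourselves, as an added example that is not code from the talk. It needs the fileinfo extension. The three sample files (a real 1x1 GIF, a PHP script named like a picture, and a GIF with PHP code appended after the image data) are constructed in a temporary directory so the script runs offline; in a real handler the path comes from $_FILES['pic']['tmp_name'] after an is_uploaded_file() check.

```php
<?php
// Added example, not from the talk. Sample files are constructed in a temp
// directory; ALLOWED and inspectImage() are demo assumptions.
declare(strict_types=1);

// Allowed MIME types and the extension we will give the stored copy.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Returns ['ok' => true, 'name' => '<random>.<ext>'] or ['ok' => false, 'reason' => ...].
 * The client's filename is never used: a random name with our extension
 * means a "picture.php.jpg" or ".phtml" name cannot survive the upload.
 */
function inspectImage(string $path, int $maxBytes = 2_000_000): array
{
    if (!is_file($path) || filesize($path) > $maxBytes) {
        return ['ok' => false, 'reason' => 'missing or too large'];
    }
    // 1. What does the content look like? (libmagic, not the extension)
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'unknown';
    if (!isset(ALLOWED[$mime])) {
        return ['ok' => false, 'reason' => "content type $mime not allowed"];
    }
    // 2. Does an image header parser agree, and does it report the same type?
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== $mime) {
        return ['ok' => false, 'reason' => 'not a decodable image'];
    }
    return ['ok' => true, 'name' => bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime]];
}

// Constructed samples.
$dir = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$gif = 'GIF89a' . pack('vv', 1, 1) . "\x00\x00\x00;";   // header, 1x1, no colour table, trailer
file_put_contents("$dir/cat.gif", $gif);
file_put_contents("$dir/cat.jpg", "<?php echo 'this is code'; ?>\n");
file_put_contents("$dir/polyglot.gif", $gif . "<?php echo 'still code'; ?>\n");

foreach (['cat.gif', 'cat.jpg', 'polyglot.gif'] as $name) {
    printf("%-13s => %s\n", $name, json_encode(inspectImage("$dir/$name")));
}
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

cat.jpg is refused because its content is PHP, whatever its name says. polyglot.gif passes both content checks, which is exactly the slide's point: a valid image can still carry code, so the content check alone is not the defence. What makes the embedded code harmless is the rest of the handling: the stored name and extension are ours, and the folder it lands in must never be handed to the PHP interpreter (next slide).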
What about configuration
All your web server needs is write permission on the upload folder, for the user it runs as. Uploaded files first land in a temporary directory where they cannot be requested for execution; it is your PHP code that copies them into a folder inside the document root. Why does that upload folder have execute permissions?
Your web application needs to connect to the database. But why does the connection code, with its credentials, need to live inside the document root?
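A deployment self-check for the two configuration questions on this slide, as an added example that is not code from the talk. It builds a throw-away layout under the system temp directory (constructed here, Unix permissions assumed) with the mistakes the slide describes, reports them, then checks the layout the slide argues for. Requires PHP 8.

```php
<?php
// Added example, not from the talk. The directory trees are constructed in
// the system temp directory; checkLayout() is a demo assumption.
declare(strict_types=1);

/** Returns a list of findings; an empty list means the layout passes. */
function checkLayout(string $docroot, string $uploadDir, string $dbConfig): array
{
    $docroot   = realpath($docroot);
    $uploadDir = realpath($uploadDir);
    $dbConfig  = realpath($dbConfig);
    if ($docroot === false || $uploadDir === false || $dbConfig === false) {
        return ['document root, upload folder or db config does not exist'];
    }
    $findings = [];

    // 1. Upload folder permissions: the web server user needs write access;
    //    "everyone" does not. 0777 lets any local account drop files there.
    $mode = fileperms($uploadDir) & 0777;
    if ($mode & 0002) {
        $findings[] = sprintf('%s is world-writable (mode %04o)', $uploadDir, $mode);
    }
    // 2. Nothing the PHP interpreter would run may live under the upload folder.
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($uploadDir, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $f) {
        if (preg_match('/\.(php|phtml|phar|php\d)$/i', $f->getFilename())) {
            $findings[] = 'script file inside upload folder: ' . $f->getPathname();
        }
    }
    // 3. Credentials belong outside the document root, so a server that stops
    //    handing .php files to PHP cannot serve them as text.
    if (str_starts_with($dbConfig, $docroot . DIRECTORY_SEPARATOR)) {
        $findings[] = 'database config is inside the document root: ' . $dbConfig;
    }
    // 4. And the config should be readable only by the account that runs PHP.
    $cfgMode = fileperms($dbConfig) & 0777;
    if ($cfgMode & 0044) {
        $findings[] = sprintf('%s is readable by group/others (mode %04o)', $dbConfig, $cfgMode);
    }
    return $findings;
}

// Constructed layout reproducing the slide's mistakes.
$base = sys_get_temp_dir() . '/layout-demo-' . bin2hex(random_bytes(4));
mkdir("$base/htdocs/uploads", 0777, true);
chmod("$base/htdocs/uploads", 0777);            // the 0777 upload folder
file_put_contents("$base/htdocs/uploads/shell.php", "<?php\n");
file_put_contents("$base/htdocs/db.php", "<?php \$dsn = 'mysql:host=db';\n");
chmod("$base/htdocs/db.php", 0644);
foreach (checkLayout("$base/htdocs", "$base/htdocs/uploads", "$base/htdocs/db.php") as $finding) {
    echo "FAIL: $finding\n";
}

// The layout the slide argues for: uploads and config outside the document
// root, writable/readable only by the application user.
mkdir("$base/fixed/htdocs", 0755, true);
mkdir("$base/fixed/uploads", 0750);
mkdir("$base/fixed/config", 0750);
file_put_contents("$base/fixed/config/db.php", "<?php \$dsn = 'mysql:host=db';\n");
chmod("$base/fixed/config/db.php", 0600);
$rest = checkLayout("$base/fixed/htdocs", "$base/fixed/uploads", "$base/fixed/config/db.php");
echo $rest === [] ? "fixed layout passes\n" : implode("\n", $rest) . "\n";

// Remove the temp trees.
$all = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST);
foreach ($all as $f) {
    $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
}
rmdir($base);
```

Check 2 only catches what already got through. The real control is the web server: the upload folder must not be mapped to the PHP handler at all (under Apache with mod_php, for instance, php_admin_flag engine off for that directory), and serving uploads from a path outside the document root through a small read-only script removes the question entirely. Check 3 is the same idea for the connection code: a require of a file outside the document root works exactly like one inside it, but a server misconfiguration can no longer expose the credentials.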
Questions?
About me: Akash Mahajan (google me), That Web Application Security Guy
null: Founder and Bangalore Chapter Lead (http://null.co.in)
Web Security Consultant
@makash on Twitter || http://akashm.com
Presentations: http://www.slideshare.net/akashm