PHP Security Issues and Options

West Suburban Chicago PHP Meetup
August 2, 2007
Our Group

● Meets monthly
● Usually meets at Starbucks in Glen Ellyn
● http://php.meetup.com/381/
Who is this handsome guy?

Dave Ross
● BS in Computer Science
● Eight years development experience
● Six years e-commerce experience
● Currently working as a PHP developer
● On the Internet since 1994
● Using the web since 1995
Reality Check

“More than half of identity theft cases are inside jobs, says Ms. Collins, who recently completed a study of 1,037 such cases.”

- Judith Collins, associate criminal justice prof. at Michigan State University.

Source: http://www.dallasnews.com/sharedcontent/dws/bus/personalfinance/stories/060605dnbusidtheft.11c0c6694.html
Not Insecure By Nature

FACT: Almost all PHP programs are written for the web.

The web is a nasty place.

Not Insecure By Nature

FACT: PHP is free and easy to learn.

PHP is attractive to amateurs who don't have training or experience in security.

Not Insecure By Nature

FACT: Apps considered insecure have PHP in their names.

phpBB, PHP-Nuke...

Not Insecure By Nature

FACT: register_globals is evil

What is this, 2001?
(Off by default since PHP 4.2.0, April 2002; PHP 4.1.0 of December 2001 is the release that added the $_GET/$_POST superglobals that make it unnecessary. It was removed from the language entirely in PHP 5.4.)
Common Attack Vectors

● Validation circumvention
● Code injection
● SQL injection
● Cookie injection
● Mail forms
● Cross-site Scripting (XSS)

(This is NOT a complete list by ANY means)
Validation Circumvention

● Application might not be expecting invalid data
● Goal is to make the application blow up in an interesting way
● Put application in an invalid state?
● Reveal debugging info (database pw)?

Validation Circumvention

● Validation on the client side is good for the user
● Validation on the server side is good for security

Who says you can't do both?
Validation Circumvention

PHP provides functions for interrogating values:

● is_int(), is_float(), is_bool(), is_finite()
● intval(), floatval(), doubleval()
● strlen(), strpos()

Caveat: every value in $_GET, $_POST, $_COOKIE and $_REQUEST arrives as a string (or an array), so is_int($_GET['n']) is always false. Check the string's form instead (ctype_digit(), is_numeric(), or filter_var() with FILTER_VALIDATE_INT, available since PHP 5.2) and only then convert with intval(). Note too that intval("2.5;DELETE FROM users") quietly returns 2: a cast discards bad input rather than detecting it, and a rejected request should be an error, not a silently "fixed" one.
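As an added example that is not part of the talk, the following script shows server-side checks for the two kinds of parameter the deck keeps coming back to, a count and a module name. The $request array is constructed here to stand in for $_REQUEST, so the script runs from the command line.

```php
<?php
// Added example (not from the talk): server-side validation of request
// parameters. $request is constructed here to stand in for $_REQUEST.

// A count must be a plain integer within a sane range. FILTER_VALIDATE_INT
// rejects "2.5", "12abc", "0x1A" and "" outright instead of truncating them
// to a number the way intval() does.
function validateCount(string $raw, int $min = 0, int $max = 50): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $n === false ? null : $n;
}

// A module name must match an explicit pattern: short, lowercase letters only,
// so "../passwords.ini" never gets anywhere near include().
function validateModuleName(string $raw): ?string
{
    return preg_match('/^[a-z]{1,32}$/', $raw) === 1 ? $raw : null;
}

// Fetch one parameter, insisting that it is a single string: a request for
// ?children[]=1 makes $_REQUEST['children'] an array, which is_int() and
// intval() do not handle the way the rest of the code expects.
function param(array $request, string $name): string
{
    return isset($request[$name]) && is_string($request[$name]) ? $request[$name] : '';
}

$request = ['children' => '2', 'module' => 'login'];          // constructed input

var_dump(is_int(param($request, 'children')));                // bool(false): it is the string "2"
var_dump(validateCount(param($request, 'children')));         // int(2)
var_dump(validateModuleName(param($request, 'module')));      // string(5) "login"

// intval() quietly makes a number out of garbage; validation says no.
foreach (['2.5', '2.5;DELETE FROM users;', '99', '', '0x1A'] as $bad) {
    printf("%-26s intval=%-3d validated=%s\n",
        var_export($bad, true), intval($bad), var_export(validateCount($bad), true));
}
var_dump(validateModuleName('../passwords.ini'));                        // NULL
var_dump(validateModuleName(param(['module' => ['login']], 'module')));  // NULL: array, not string
```

The pattern is the same for every field: decide what a valid value looks like, test the raw string against that, and treat anything else as an error. Casting is a conversion, not a check.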
Code Injection

Don't use parameters as parameters to something else (directly)

$filename = $_REQUEST['message'];
$message = file_get_contents($filename);
print $message;

This is ok: http://example.com/myscript.php?message=hello.txt

But what if I do this?: http://example.com/myscript.php?message=passwords.cfg

Code Injection

This is especially important for includes

$module = $_REQUEST['module'];
include("lib/$module");

This is ok: http://example.com/cms?module=login.php

But what if I do this?: http://example.com/cms?module=../passwords.ini

(The fixed prefix does not help: "lib/../passwords.ini" is the file one level up. A user-controlled include() path is the classic local file inclusion bug, and whatever that file contains is parsed and run as PHP.)

Code Injection

Make sure the value is one you expected, if not...ERROR!

$requestedModule = $_REQUEST['module'];
switch ($requestedModule) {
    case "login":
        $module = "login";
        break;
    case "logout":
        $module = "logout";
        break;
    default:
        $module = "error";   // anything unexpected lands on the error module
}
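As an added example (not the talk's code), here are the two ways of turning a request parameter into a file path without letting the request choose the path: an allow-list map for a fixed set of modules, like the switch above, and a constrained-name plus realpath() containment check for an open set of user-named files, like the message example. The demo directory, file names and contents are constructed under the system temp directory and removed at the end.

```php
<?php
// Added example (not from the talk): resolving request parameters to files.
// Everything under $base is constructed for the demo and cleaned up afterwards.

$base = sys_get_temp_dir() . '/php-sec-demo-' . getmypid();
mkdir("$base/lib", 0700, true);
mkdir("$base/messages", 0700, true);
file_put_contents("$base/lib/login.php", "<?php return 'login module';\n");
file_put_contents("$base/messages/hello.txt", 'hello');
file_put_contents("$base/passwords.ini", "db_pass=hunter2\n");   // must never be served

// Strategy 1, fixed set: the parameter selects a key, the key selects the file.
// Anything not in the map is an error, exactly like the switch on the slide.
const MODULES = ['login' => 'login.php', 'logout' => 'logout.php'];

function resolveModule(string $base, string $requested): ?string
{
    return array_key_exists($requested, MODULES) ? "$base/lib/" . MODULES[$requested] : null;
}

// Strategy 2, open set (user-named files): constrain the name, canonicalise the
// path, and require the result to stay inside the intended directory.
function resolveMessage(string $dir, string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.txt$/', $name)) {
        return null;                         // primary control: no '/', no '..'
    }
    $dirReal = realpath($dir);
    $real    = realpath("$dir/$name");       // resolves '..' and symlinks; false if missing
    if ($dirReal === false || $real === false) {
        return null;
    }
    // Defence in depth: even a symlink inside the directory may not point outside it.
    return strpos($real, $dirReal . DIRECTORY_SEPARATOR) === 0 ? $real : null;
}

foreach (['login', 'logout', '../passwords.ini', 'login.php'] as $m) {
    printf("module  %-30s => %s\n", $m, var_export(resolveModule($base, $m), true));
}
// login  => .../lib/login.php
// logout => .../lib/logout.php (not created here; include() would fail loudly)
// '../passwords.ini' and 'login.php' => NULL

foreach (['hello.txt', '../passwords.ini', 'hello.txt/../../passwords.ini'] as $f) {
    $path = resolveMessage("$base/messages", $f);
    printf("message %-30s => %s\n", $f, $path === null ? 'NULL' : file_get_contents($path));
}
// hello.txt => hello, the other two => NULL

// Remove the constructed files.
foreach (["$base/lib/login.php", "$base/messages/hello.txt", "$base/passwords.ini"] as $p) {
    unlink($p);
}
foreach (["$base/lib", "$base/messages", $base] as $d) {
    rmdir($d);
}
```

The name pattern is the control that actually stops traversal; realpath() is there for the cases the pattern cannot see, such as a symlink that somebody drops into the messages directory.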
SQL Injection

Kind of the same thing, but using SQL

$numChildren = $_REQUEST['children'];
$query = "UPDATE users SET children = $numChildren WHERE userID = 4";
$res = mysql_query($query);

This is ok: http://example.com/user.php?children=2.5

But what if I do this?: http://example.com/user.php?children=2.5;DELETE FROM users;

(The old mysql extension does not enable multiple statements per call, so the server rejects that particular stacked DELETE with a syntax error. The attacker still owns the rest of the statement, though: a value such as 0 WHERE 1=1 -- turns the update into one that hits every row.)
SQL Injection

PHP offers some functions to help prevent this attack:

● addslashes()
● mysql_real_escape_string()
● PEAR MDB2 prepared statements

Caveats: addslashes() knows nothing about the connection's character set and is not a reliable SQL escape. mysql_real_escape_string() is connection-aware but only protects quoted string literals; the example above has no quotes around $numChildren, so escaping would not help at all, and the mysql extension it belongs to was deprecated in PHP 5.5 and removed in PHP 7. Prepared statements (PEAR MDB2, PDO, mysqli) are the real fix: the data travels separately from the SQL text and can never be parsed as part of it.
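As an added example (not code from the talk), the slide's UPDATE built by string concatenation sits next to the same statement with a bound parameter. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the users table and its rows are constructed here.

```php
<?php
// Added example (not from the talk): vulnerable vs. parameterised UPDATE.
// PDO + in-memory SQLite so it runs offline; table and rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userID INTEGER PRIMARY KEY, name TEXT, children INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 1), (2, 'bob', 3), (4, 'dave', 2)");

function childrenByUser(PDO $db): array
{
    return $db->query('SELECT userID, children FROM users ORDER BY userID')
              ->fetchAll(PDO::FETCH_KEY_PAIR);           // [userID => children]
}

// Vulnerable: the request value becomes part of the SQL text.
function updateUnsafe(PDO $db, string $numChildren): void
{
    $db->exec("UPDATE users SET children = $numChildren WHERE userID = 4");
}

// Safe: check the type first, then bind. A bound value is sent to the
// database separately from the statement and can never be parsed as SQL.
function updateSafe(PDO $db, string $numChildren): bool
{
    $n = filter_var($numChildren, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($n === false) {
        return false;                                    // reject, do not coerce
    }
    $stmt = $db->prepare('UPDATE users SET children = :n WHERE userID = 4');
    $stmt->bindValue(':n', $n, PDO::PARAM_INT);
    return $stmt->execute();
}

print_r(childrenByUser($db));                            // [1 => 1, 2 => 3, 4 => 2]

// The slide's "2.5;DELETE FROM users;" needs a driver that runs stacked
// statements (PDO::exec() on SQLite does, the old mysql_query() did not).
// Rewriting the WHERE clause needs nothing special and works everywhere.
updateUnsafe($db, '0 WHERE 1=1 --');
print_r(childrenByUser($db));                            // [1 => 0, 2 => 0, 4 => 0]

echo updateSafe($db, '0 WHERE 1=1 --') ? "accepted\n" : "rejected\n";   // rejected
echo updateSafe($db, '2') ? "accepted\n" : "rejected\n";                 // accepted
print_r(childrenByUser($db));                            // [1 => 0, 2 => 0, 4 => 2]
```

Validation and binding do different jobs: the filter keeps nonsense out of the application, the placeholder guarantees that whatever does get through is data to the database, never syntax.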
Cookie Injection

Cookies are just files full of names and values.

i.e. SESSION=18tsd338, username=dave

What if I changed my username to “admin”?
What if I set a cookie value “admin=true”?

(The browser sends the cookies, and the user can set them to anything. Treat $_COOKIE exactly like $_GET: keep who is logged in and what they may do on the server, keyed by the session ID, and if a value really must live in a cookie, sign it so tampering is detected.)
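As an added example (not from the talk), this makes a cookie value tamper-evident with an HMAC so the "change username=dave to admin" trick from the slide is detected. The key is a placeholder; a real one is generated once with random_bytes() and kept in server-side configuration.

```php
<?php
// Added example (not from the talk): HMAC-signed cookie values.
// COOKIE_KEY is a placeholder; generate a real one with random_bytes(32).

const COOKIE_KEY = 'placeholder-key-replace-with-32-random-bytes';

// value|hex(HMAC-SHA256(value)). The value is not hidden, only protected
// against modification; base64-encode it first if it may contain '|'.
function signCookie(string $value, string $key): string
{
    return $value . '|' . hash_hmac('sha256', $value, $key);
}

// Returns the value if its MAC verifies, null for a missing or bad MAC.
function verifyCookie(string $cookie, string $key): ?string
{
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$value, $mac] = $parts;
    $expected = hash_hmac('sha256', $value, $key);
    // hash_equals() runs in constant time, so the MAC cannot be guessed byte by byte.
    return hash_equals($expected, $mac) ? $value : null;
}

$issued = signCookie('username=dave', COOKIE_KEY);         // what the server sets
var_dump(verifyCookie($issued, COOKIE_KEY));               // string "username=dave"

// What the slide's attacker does: edit the cookie in the browser.
$forged = str_replace('dave', 'admin', $issued);
var_dump(verifyCookie($forged, COOKIE_KEY));               // NULL: MAC no longer matches

var_dump(verifyCookie('admin=true', COOKIE_KEY));          // NULL: no MAC at all
var_dump(verifyCookie('admin=true|', COOKIE_KEY));         // NULL: empty MAC
```

A MAC stops modification, not replay: a signed cookie copied from one browser still verifies in another, so tie the value to the session or give it an expiry. Simpler still is the approach most frameworks take, where the only cookie is the session ID and everything else stays in $_SESSION on the server.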
Mail Forms

Spammers don't know the meaning of “shame”

● Few mail servers are “open relays” anymore
● Exploit the way PHP talks to mail servers
● Add their own mail headers (To:, Bcc:) or entirely new messages

Mail Forms

● Look for line breaks in any parameter you pass to mail() (except the actual message). The magic string is "\r\n\r\n": a blank line ends the headers, so whatever follows becomes a second message body. A single "\r\n" is already enough to add a Bcc: header, so reject any CR or LF, not just the blank line.
● Be sure email addresses are formatted correctly – use preg_match(), or filter_var() with FILTER_VALIDATE_EMAIL (PHP 5.2 and later)
● See June, 2007 issue of PHP|Architect
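As an added example (not the talk's code), this screens mail-form fields before they reach mail(). The three submissions at the bottom are constructed for the demo and the recipient address is a placeholder.

```php
<?php
// Added example (not from the talk): header-injection screening for a mail form.
// Sample submissions are constructed; the recipient is a placeholder.

// Anything that goes into a header may not contain a line break. PHP has
// already URL-decoded %0d%0a by the time the value is in $_POST, so a literal
// check for CR, LF (and NUL) is enough. Returns null on injection.
function cleanHeaderValue(string $value): ?string
{
    return preg_match('/[\r\n\0]/', $value) ? null : trim($value);
}

// A From/Reply-To address additionally has to look like an address. The
// built-in validator (PHP 5.2+) is less error-prone than a home-made regex.
function cleanEmail(string $value): ?string
{
    $v = cleanHeaderValue($value);
    if ($v === null || filter_var($v, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $v;
}

// Assemble the arguments for mail(), or null if any header field is bad.
function buildMail(array $form): ?array
{
    $from    = cleanEmail((string) ($form['email'] ?? ''));
    $subject = cleanHeaderValue((string) ($form['subject'] ?? ''));
    if ($from === null || $subject === null || $subject === '') {
        return null;
    }
    // The body is the one field allowed to contain newlines.
    $body = str_replace("\0", '', (string) ($form['message'] ?? ''));
    return [
        'to'      => 'webmaster@example.com',                 // placeholder
        'subject' => $subject,
        'message' => $body,
        'headers' => "From: $from\r\nReply-To: $from",
    ];
}

$legit = ['email' => 'dave@example.com', 'subject' => 'Hi',
          'message' => "line 1\nline 2"];
$bcc   = ['email' => "dave@example.com\r\nBcc: victim1@example.net, victim2@example.net",
          'subject' => 'Hi', 'message' => 'buy stuff'];
$body  = ['email' => 'dave@example.com',
          'subject' => "Hi\r\n\r\nEverything from here on is a second message body",
          'message' => ''];

var_dump(buildMail($legit) !== null);   // bool(true)
var_dump(buildMail($bcc));              // NULL: CRLF in the From address
var_dump(buildMail($body));             // NULL: blank line would end the header block

// In the real form handler:
//   $m = buildMail($_POST);
//   if ($m === null) { /* show an error and log the attempt */ }
//   else { mail($m['to'], $m['subject'], $m['message'], $m['headers']); }
```

The subject is screened the same way as the headers because mail() places it in the header block too; only the message body may legitimately contain line breaks.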
Cross-site Scripting

If I can include HTML or a script in a page, I can make your browser pass a request to another site.

<img src="http://myspace.com?action=deleteMyAccount&really=yesPlease" width="0" height="0" />

(Two bugs cooperate here. Getting the tag into a page other people view is Cross-site Scripting; stop it by running every piece of user-supplied text through htmlspecialchars() on output. The browser then sending a request the user never intended is Cross-site Request Forgery (CSRF), which the nonce below defends against.)

Cross-site Scripting

Nonce (n); the present, or immediate, occasion or purpose (origin: Middle English, 1150-1200)
Cryptographic Nonce: A bit or string only used once.

● Put a hidden value in a form and remember it (put it in their session).
● PHP function uniqid() (caveat: uniqid() is derived from the clock and is guessable; take the value from a random source instead, random_bytes() in PHP 7 or openssl_random_pseudo_bytes() before it, and compare it with hash_equals())
● When the user submits that form, make sure the nonce matches what you sent them.
● Someone has to submit that same form (or know the nonce) for a valid request.
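As an added example (not from the talk), here is the per-form nonce from the slide issued, stored in the session and checked on submit, with htmlspecialchars() on the way into the markup. $_SESSION is simulated with an array so the script runs from the command line; in a web request use session_start() and $_SESSION itself.

```php
<?php
// Added example (not from the talk): single-use form nonce (CSRF token).
// $session stands in for $_SESSION so this runs outside a web server.

function issueNonce(array &$session): string
{
    // 16 random bytes from the OS CSPRNG; uniqid() is clock-based and guessable.
    $nonce = bin2hex(random_bytes(16));
    $session['nonces'][$nonce] = time();
    return $nonce;
}

function renderForm(array &$session): string
{
    $nonce = issueNonce($session);
    // htmlspecialchars() on every value that goes into markup is the XSS defence.
    return '<form method="post" action="/delete">'
         . '<input type="hidden" name="nonce" value="'
         . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">'
         . '<button>Delete my account</button></form>';
}

// True exactly once per nonce; a reused, unknown, expired or missing value fails.
function checkNonce(array &$session, array $post, int $maxAge = 3600): bool
{
    $submitted = $post['nonce'] ?? '';
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    foreach ($session['nonces'] ?? [] as $stored => $issuedAt) {
        // hash_equals() keeps the comparison constant-time.
        if (hash_equals((string) $stored, $submitted)) {
            unset($session['nonces'][$stored]);           // single use
            return (time() - $issuedAt) <= $maxAge;
        }
    }
    return false;
}

$session = [];
$html = renderForm($session);
preg_match('/name="nonce" value="([0-9a-f]+)"/', $html, $m);
$nonce = $m[1];                                            // what the real form would post back

var_dump(checkNonce($session, ['nonce' => $nonce]));       // bool(true): matches what we sent
var_dump(checkNonce($session, ['nonce' => $nonce]));       // bool(false): already used
var_dump(checkNonce($session, ['nonce' => 'yesPlease']));  // bool(false): guessed value
var_dump(checkNonce($session, []));                        // bool(false): the <img> can't send one
```

The hidden <img> on the slide fails for the last reason: the attacker's page cannot read the victim's form, so it never learns the nonce. That is also why XSS on the same site defeats the check, since injected script can read the form, and why output escaping and the nonce are needed together.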
Tools

● PHPSecAudit
  http://developer.spikesource.com/projects/phpsecaudit/
● Web Developer Toolbars
  Firefox: http://chrispederick.com/work/web-developer/
  Internet Explorer 7: http://www.microsoft.com/downloads/details.aspx?FamilyID=E59C3964-672D-4511-BB3E-2D5E1DB91038
  (Just google “IE7 web developer toolbar”)
● Firebug
  http://www.getfirebug.com/
PHPSecAudit
Analyzing file: ./test.php . . . . . .


The followings are function calls that need input sanitization:


I. 1
./test.php: 12, HIGH: exec
Context: exec($module);
Argument 1 to this function call should be checked to ensure that it does not come from
   an untrusted source without first verifying that it contains nothing dangerous.
Web Developer Toolbars

● View details about a page (HTML, CSS, Cookies, Javascript)
● View/change things you normally can't (CSS, Cookies, password fields)

Firebug

● View page as a tree of tags
● Edit page in the browser
● Edit field values
● Edit Javascript
Going Forward

● Read PHP blogs/publications
  – blog.php-security.org
  – PHP|Architect
  – Open Web Application Security Project (OWASP)
  – www.php.net/manual/en/security.php
● PLAY! “What if I change this value?”
● Don't say “I'll go back and make it secure later.” Later never comes.
Picture Credit

● Lock graphic is “padlocks#3” by “sp4mdi55”
● http://www.flickr.com/photos/ciderpunx/95777022/
  • 2. Our Group: Meets monthly; usually meets at Starbucks in Glen Ellyn; http://php.meetup.com/381/
  • 3. Who is this handsome guy? Dave Ross: BS in Computer Science; eight years development experience; six years e-commerce experience; currently working as a PHP developer
  • 4. Who is this handsome guy? Dave Ross: on the Internet since 1994; using the web since 1995
  • 5. Reality Check: “More than half of identity theft cases are inside jobs, says Ms. Collins, who recently completed a study of 1,037 such cases.” - Judith Collins, associate criminal justice prof. at Michigan State University. Source: http://www.dallasnews.com/sharedcontent/dws/bus/personalfinance/stories/060605dnbusidtheft.11c0c6694.html
  • 6. Not Insecure By Nature FACT: Almost all PHP programs are written for the web. The web is a nasty place.
  • 7. Not Insecure By Nature FACT: PHP is free and easy to learn. PHP is attractive to amateurs who don't have training or experience in security
  • 8. Not Insecure By Nature FACT: Apps considered insecure have PHP in their names. PHPbb, PHPNuke...
  • 9. Not Insecure By Nature FACT: register_globals is evil What is this, 2001? (Disabled by default since PHP 4.1.0 -- December, 2001)
  • 10. Common Attack Vectors: validation circumvention; code injection; SQL injection; cookie injection; mail forms; Cross-site Scripting (XSS). (This is NOT a complete list by ANY means)
  • 11. Validation Circumvention: Application might not be expecting invalid data. Goal is to make the application blow up in an interesting way. Put application in an invalid state? Reveal debugging info (database pw)?
  • 12. Validation Circumvention: Validation on the client side is good for the user. Validation on the server side is good for security. Who says you can't do both?
  • 13. Validation Circumvention: PHP provides functions for interrogating values: is_int(), is_float(), is_bool(), is_finite(); intval(), floatval(), doubleval(); strlen(), strpos()
  • 14. Code Injection Don't use parameters as parameters to something else (directly) $filename = $_REQUEST['message']; $message = file_get_contents($filename); print $message; This is ok: http://example.com/myscript.php?message=hello.txt But what if I do this?: http://example.com/myscript.php?message=passwords.cfg
  • 15. Code Injection: This is especially important for includes. $module = $_REQUEST['module']; include("lib/$module"); This is ok: http://example.com/cms?module=login.php But what if I do this?: http://example.com/cms?module=../passwords.ini
  • 16. Code Injection: Make sure the value is one you expected; if not... ERROR! $requestedModule = $_REQUEST['module']; switch ($requestedModule) { case "login": $module = "login"; break; case "logout": $module = "logout"; break; default: $module = "error"; }
  • 17. SQL Injection: Kind of the same thing, but using SQL. $numChildren = $_REQUEST['children']; $query = "UPDATE users SET children = $numChildren WHERE userID = 4"; $res = mysql_query($query); This is ok: http://example.com/user.php?children=2.5 But what if I do this?: http://example.com/user.php?children=2.5;DELETE FROM users;
  • 18. SQL Injection: PHP offers some functions to help prevent this attack: addslashes(); mysql_real_escape_string(); PEAR MDB2 prepared statements
  • 19. Cookie Injection Cookies are just files full of names and values. i.e. SESSION=18tsd338, username=dave What if I changed my username to “admin”? What if I set a cookie value “admin=true”?
  • 20. Mail Forms: Spammers don't know the meaning of “shame”. Few mail servers are “open relays” anymore. Exploit the way PHP talks to mail servers. Add their own mail headers (To:, Bcc:) or entirely new messages.
  • 21. Mail Forms: Look for the magic string "\r\n\r\n" in any parameter you pass to mail() (except the actual message). Be sure email addresses are formatted correctly – use preg_match(). See the June, 2007 issue of PHP|Architect.
  • 22. Cross-site Scripting: If I can include HTML or a script in a page, I can make your browser pass a request to another site. <img src="http://myspace.com?action=deleteMyAccount&really=yesPlease" width="0" height="0" />
  • 23. Cross-site Scripting: Nonce (n.): the present, or immediate, occasion or purpose (origin: Middle English, 1150-1200). Cryptographic nonce: a bit or string only used once. Put a hidden value in a form and remember it (put it in their session). PHP function: uniqid(). When the user submits that form, make sure the nonce matches what you sent them. Someone has to submit that same form (or know the nonce) for a valid request.
  • 24. Tools: PHPSecAudit: http://developer.spikesource.com/projects/phpsecaudit/ Web Developer Toolbars: Firefox: http://chrispederick.com/work/web-developer/ Internet Explorer 7: http://www.microsoft.com/downloads/details.aspx?FamilyID=E59C3964-672D-4511-BB3E-2D5E1DB91038 (Just google “IE7 web developer toolbar”) Firebug: http://www.getfirebug.com/
  • 25. PHPSecAudit Analyzing file: ./test.php . . . . . . The followings are function calls that need input sanitization: I. 1 ./test.php: 12, HIGH: exec Context: exec($module); Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.
  • 26. Web Developer Toolbars: View details about a page (HTML, CSS, Cookies, Javascript). View/change things you normally can't (CSS, Cookies, password fields).
  • 27. Firebug: View page as a tree of tags; edit page in the browser; edit field values; edit Javascript.
  • 28. Tools (Write these URLs down!): PHPSecAudit: http://developer.spikesource.com/projects/phpsecaudit/ Web Developer Toolbars: Firefox: http://chrispederick.com/work/web-developer/ Internet Explorer 7: http://www.microsoft.com/downloads/details.aspx?FamilyID=E59C3964-672D-4511-BB3E-2D5E1DB91038 (Just google “IE7 web developer toolbar”) Firebug: http://www.getfirebug.com/
  • 29. Going Forward: Read PHP blogs/publications: blog.php-security.org; PHP|Architect; Open Web Application Security Project (OWASP); www.php.net/manual/en/security.php. PLAY! “What if I change this value?” Don't say “I'll go back and make it secure later.” Later never comes.
  • 30. Picture Credit: Lock graphic is “padlocks#3” by “sp4mdi55”, http://www.flickr.com/photos/ciderpunx/95777022/
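The allowlist idea from slides 14 to 16 as an added example (not code from the slides, PHP 7.1 or later): the switch becomes a lookup in a fixed map, and the file read is confined to one directory with realpath(). The module names, the messages directory and the ".txt" rule are assumptions for the demo.

```php
<?php
// Added example, not from the slides: allowlist for the include on slide 16
// and a confined file read for the file_get_contents() call on slide 14.
declare(strict_types=1);

// Assumed module map: only these exact keys may ever be included.
const MODULES = ['login' => 'lib/login.php', 'logout' => 'lib/logout.php'];

// Returns the file to include for a request value, or the error module.
// Accepts mixed input because $_REQUEST['module'] may be an array (module[]=x).
function resolveModule($requested): string
{
    // "../passwords.ini" is not a key, so it can only resolve to the error module.
    return is_string($requested) && isset(MODULES[$requested])
        ? MODULES[$requested]
        : 'lib/error.php';
}

// Returns the absolute path of $name inside $dir, or null when the name is not a
// plain .txt file name or the resolved path escapes $dir (via "..", symlinks, etc.).
function safeMessagePath(string $dir, string $name): ?string
{
    $base = realpath($dir);
    // Check the shape of the name before touching the filesystem at all.
    if ($base === false || !preg_match('/^[A-Za-z0-9_-]+\.txt$/', $name)) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves ".." and symlinks; the result must stay under $base.
    if ($full === false || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Demo with constructed values standing in for $_REQUEST.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'messages_demo';
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'hello.txt', "hello\n");

var_dump(resolveModule('login'));               // permitted module
var_dump(resolveModule('../passwords.ini'));    // falls through to the error module
var_dump(safeMessagePath($dir, 'hello.txt'));   // inside the directory
var_dump(safeMessagePath($dir, '../passwords.cfg')); // rejected before any disk access
```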
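The UPDATE from slide 17 rewritten with a prepared statement, as an added example that is not part of the slides (PHP 7.1 or later with the pdo_sqlite extension; an in-memory SQLite table stands in for the MySQL users table). addslashes() and mysql_real_escape_string() from slide 18 are not used here because the mysql extension was removed in PHP 7.

```php
<?php
// Added example, not from the slides: the slide 17 query with validation and
// a bound parameter, so "2.5;DELETE FROM users;" can never become SQL text.
declare(strict_types=1);

// Assumed schema for the demo, built in memory so the script runs offline.
function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (userID INTEGER PRIMARY KEY, children INTEGER)');
    $db->exec('INSERT INTO users VALUES (4, 0), (5, 1)');
    return $db;
}

// Validates the raw request value as a non-negative integer, then binds it.
// Returns true when exactly one row was updated, false when input was rejected.
function setChildren(PDO $db, int $userId, $rawChildren): bool
{
    $children = filter_var($rawChildren, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    if ($children === false) {
        return false;   // reject unexpected input instead of "fixing" it
    }
    // The SQL text is fixed; the values travel separately as typed parameters.
    $stmt = $db->prepare('UPDATE users SET children = :n WHERE userID = :id');
    $stmt->bindValue(':n', $children, PDO::PARAM_INT);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

function countUsers(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

// Demo with constructed values standing in for $_REQUEST['children'].
$db = openDemoDb();
var_dump(setChildren($db, 4, '2'));                        // valid count, bound as INT
var_dump(setChildren($db, 4, '2.5;DELETE FROM users;'));   // rejected by validation
var_dump(countUsers($db));                                 // both rows still present
```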
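The checks from slide 21 as an added example (not the PHP|Architect code the slide refers to, PHP 7.1 or later): every value destined for a mail() header is refused if it contains a line break, and the sender address must match a conservative regex. The form field names and the regex are assumptions.

```php
<?php
// Added example, not from the slides: header-injection and address checks for
// a contact form before its values reach mail(). Only the body may contain
// line breaks; every other field must be a single header line.
declare(strict_types=1);

// True if the value could start a new header (or a new message): CR, LF or NUL.
function containsHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Assumed address rule: local@domain.tld, no whitespace or control characters,
// double-checked with PHP's own FILTER_VALIDATE_EMAIL.
function isValidAddress(string $address): bool
{
    return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/', $address) === 1
        && filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns the arguments for mail(), or null if any header-bound field is unsafe.
// $fields are the raw form values (from, subject, body); $recipient is fixed.
function buildMailArgs(array $fields, string $recipient): ?array
{
    foreach (['from', 'subject'] as $name) {
        if (!isset($fields[$name]) || !is_string($fields[$name])
            || containsHeaderInjection($fields[$name])) {
            return null;
        }
    }
    if (!isValidAddress($fields['from'])) {
        return null;
    }
    $body = isset($fields['body']) && is_string($fields['body']) ? $fields['body'] : '';
    return [
        'to'      => $recipient,
        'subject' => $fields['subject'],
        'message' => $body,
        'headers' => 'From: ' . $fields['from'] . "\r\n" . 'Reply-To: ' . $fields['from'],
    ];
}

// Constructed submissions standing in for $_POST; mail() itself is not called.
$clean = buildMailArgs(['from' => 'dave@example.com', 'subject' => 'Hello',
                        'body' => "line one\nline two"], 'me@example.com');
$spam  = buildMailArgs(['from' => "dave@example.com\r\nBcc: someone@example.net",
                        'subject' => 'Hello', 'body' => ''], 'me@example.com');
var_dump($clean !== null);   // multi-line body is fine
var_dump($spam === null);    // CRLF in a header field is refused
```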
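The nonce scheme from slide 23 as an added example (not code from the slides, PHP 7.1 or later): a nonce is issued per form, kept in the session, checked with a constant-time comparison, and discarded after one use. An ordinary array stands in for $_SESSION so the script runs from the command line; the form name is an assumption.

```php
<?php
// Added example, not from the slides: issue and verify the hidden form nonce
// described on slide 23. Pass $_SESSION as $session in a real request.
declare(strict_types=1);

// Creates a fresh nonce for $form, stores it in the session, and returns it for
// the hidden field. uniqid() is what the slide suggests; random_bytes() (PHP 7+)
// is unpredictable, which uniqid() alone is not, so it is preferred when available.
function issueNonce(array &$session, string $form): string
{
    $nonce = function_exists('random_bytes')
        ? bin2hex(random_bytes(16))
        : uniqid('', true);
    $session['nonces'][$form] = $nonce;
    return $nonce;
}

// Verifies a submitted nonce against the stored one and removes it, so the same
// value cannot be replayed. Returns true only for a matching, unused nonce.
function consumeNonce(array &$session, string $form, $submitted): bool
{
    if (!is_string($submitted) || !isset($session['nonces'][$form])) {
        return false;
    }
    $expected = $session['nonces'][$form];
    unset($session['nonces'][$form]);   // one use only
    // hash_equals() (PHP 5.6+) compares without leaking where the strings differ.
    return hash_equals($expected, $submitted);
}

// Demo: the genuine round trip, a forged request, and a replay of a used nonce.
$session = [];
$nonce   = issueNonce($session, 'deleteAccount');
$hidden  = '<input type="hidden" name="nonce" value="'
         . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">';
var_dump(consumeNonce($session, 'deleteAccount', $nonce));     // submitted from our form
var_dump(consumeNonce($session, 'deleteAccount', 'guess'));    // nothing stored any more
$nonce = issueNonce($session, 'deleteAccount');
var_dump(consumeNonce($session, 'deleteAccount', 'guess'));    // wrong value
var_dump(consumeNonce($session, 'deleteAccount', $nonce));     // the bad guess consumed it
```

A request that arrives without the matching nonce, such as the hidden image tag on slide 22, fails consumeNonce() and should not perform the action.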