What is Security?
Jason Ragsdale
Sr. Technical Yahoo
Yahoo!
Help us
Thank our
Sponsors:
Friday, November 12, 2010
A good place to start...
php.ini
display_errors = Off
register_globals = Off
open_basedir = ....
What about safe_mode??
Don’t be stupid
Never require/include any file based on user
input without checking it first.
<?php
// Deliberately vulnerable (from the slide): the request parameter is used
// as the path to require, so any readable file can be pulled in.
if (isset($_GET['page']))
{
    require $_GET['page'];
}
?>
URL: script.php?page=/etc/passwd
....
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
Don’t be stupid... 2
If your solution uses eval().... you are doing it
wrong
<?php
// Deliberately vulnerable (from the slide): the request parameter is
// executed as PHP code.
if (isset($_GET['input']))
{
    eval($_GET['input']);
}
?>
URL: script.php?input=passthru("cat /etc/passwd");
....
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
Input Filtering
What is input?
Anything the user or an interacting system
sends to your site, e.g. $_POST, $_GET,
$_REQUEST, $_COOKIE...
What is a whitelist?
“A list of approved or favored items”
What is a blacklist?
“A list of persons who are disapproved of or
are to be punished or boycotted”
Input Validation
Unfiltered code
Example
<?php
if (isset($_POST['username']))
{
    // Used exactly as submitted: nothing is checked.
    $username = $_POST['username'];
}
Input Validation
ctype
Example
<?php
$clean = array();
// ctype_alnum() is false for '' and for a missing (null) value,
// so only a non-empty alphanumeric string reaches $clean.
if (ctype_alnum($_POST['username']))
{
    $clean['username'] = $_POST['username'];
}
Input Validation
Zend_Filter_Input
Example
<?php
if (isset($_POST['username']))
{
    // Note: Zend_Filter_Alpha strips non-letters rather than rejecting
    // the value, so this sanitises instead of validating.
    $filterChain = new Zend_Filter();
    $filterChain->addFilter(new Zend_Filter_Alpha())
                ->addFilter(new Zend_Filter_StringToLower());
    $username = $filterChain->filter($_POST['username']);
}
Input Validation
php/filter
Example
<?php
if (isset($_POST['username']))
{
    // The pattern is anchored so the whole value must be alphanumeric,
    // not merely contain an alphanumeric substring.
    $username = filter_var($_POST['username'], FILTER_VALIDATE_REGEXP,
        array(
            'options' =>
                array('regexp' => '/^[a-zA-Z0-9]+$/')
        )
    );
    // filter_var() returns false when the value does not match.
}
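The three validation slides above share the same pitfalls: a missing field, a field submitted as an array, and a regex that matches only part of the value. The following is an added example, not code from the slides, that handles all three in one whitelist validator; the rules (1 to 32 characters from [A-Za-z0-9_]) and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not from the slides: a whitelist validator for a username
// field. The rules (1-32 chars, [A-Za-z0-9_]) are assumptions for the example.
declare(strict_types=1);

/**
 * Return the validated username, or null if the input is missing, not a
 * plain string, or not on the whitelist. On failure nothing of the raw
 * input is returned, so callers cannot accidentally use an unvalidated value.
 */
function cleanUsername(array $input): ?string
{
    // username[]=x arrives as an array; ctype_* and filter_var() are not
    // meant for arrays, so reject anything that is not a string.
    if (!isset($input['username']) || !is_string($input['username'])) {
        return null;
    }
    $value = $input['username'];

    // Anchored pattern with an explicit length: an unanchored /[a-zA-Z0-9]+/
    // would accept "bob; DROP TABLE users" because it matches "bob".
    $ok = filter_var($value, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^[A-Za-z0-9_]{1,32}$/'],
    ]);
    return $ok === false ? null : $value;
}

// Constructed sample inputs, shaped like what a web form would submit.
$samples = [
    ['username' => 'jragsdale'],
    ['username' => 'bob; DROP TABLE users'],
    ['username' => ['x']],
    [],
    ['username' => str_repeat('a', 40)],
];
foreach ($samples as $sample) {
    $clean = cleanUsername($sample);
    printf("%-30s => %s\n", json_encode($sample['username'] ?? null), $clean ?? 'REJECTED');
}
```

Only the first sample is returned; the array, the missing field, the over-long value and the value with a substring match are all rejected. Returning null rather than the original string keeps the "clean array" discipline from the ctype slide.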
Output Encoding
What is output?
Anything sent back to the user / sender
of the request (RSS Feed, Form Validate,
User created data...)
htmlentities Example
<?php
$str = "A 'quote' is <b>bold</b>";
// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
// (the default flags left single quotes alone before PHP 8.1;
// since 8.1 the default includes ENT_QUOTES)
echo htmlentities($str);
// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_QUOTES);
Tim Stiles
At this point mention XmlWriter and all
its wonders.... ;)
Database Inputs
(or: How I Learned to Stop Worrying and Love the Users)
How do I deal with it?
An input filter (whitelist) combined with
prepared statements... DONE
$clean = array();
if (ctype_alnum($_POST['username']))
{
    $clean['username'] = $_POST['username'];

    // Query only after the whitelist check has passed; the value is bound
    // as a parameter, never concatenated into the SQL text.
    $sql = "SELECT `username` FROM `users` WHERE `username` = :username";
    $sth = $dbh->prepare($sql);
    $sth->execute(array(':username' => $clean['username']));
    $username = $sth->fetchColumn();
}
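To see what the prepared statement actually buys, the following added example (not code from the slides) runs the same lookup with string concatenation and with a bound parameter against an in-memory SQLite database built inline, so it runs offline with the pdo_sqlite extension. The table, its rows and the sample input are constructed for this example.

```php
<?php
// Added example, not from the slides: the slide's lookup run two ways against
// an in-memory SQLite database created here, so it runs offline (needs the
// pdo_sqlite extension). Table, rows and the sample input are constructed.
declare(strict_types=1);

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (username TEXT NOT NULL)');
$seed = $dbh->prepare('INSERT INTO users (username) VALUES (:username)');
foreach (['alice', "o'brien"] as $name) {
    $seed->execute([':username' => $name]);
}

/** Concatenation: the input text becomes part of the SQL and reaches the parser. */
function lookupConcat(PDO $dbh, string $username): ?string
{
    $sql = "SELECT `username` FROM `users` WHERE `username` = '$username'";
    $value = $dbh->query($sql)->fetchColumn();
    return $value === false ? null : $value;
}

/** Prepared statement: the input is bound as a value and cannot change the query. */
function lookupPrepared(PDO $dbh, string $username): ?string
{
    $sth = $dbh->prepare('SELECT `username` FROM `users` WHERE `username` = :username');
    $sth->execute([':username' => $username]);
    $value = $sth->fetchColumn();
    return $value === false ? null : $value;
}

$input = "o'brien";   // a legitimate value; the ctype_alnum() whitelist above would reject it
try {
    printf("concat:   %s\n", lookupConcat($dbh, $input) ?? '(no row)');
} catch (PDOException $e) {
    // The apostrophe closed the quoted literal, so the rest of the value was parsed as SQL.
    printf("concat:   SQL error: %s\n", $e->getMessage());
}
printf("prepared: %s\n", lookupPrepared($dbh, $input) ?? '(no row)');
```

The concatenated version fails with a syntax error on an ordinary apostrophe, which is the same mechanism an attacker relies on: the input reached the SQL parser. The prepared version finds the row, because the apostrophe is data, not syntax. The whitelist from the slide stays in front of it; the prepared statement is the layer that holds even when the whitelist has to admit quotes.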
XSS
(Cross Site Scripting)
Example
<?php
// Deliberately vulnerable (from the slide): the parameter is echoed into
// HTML with no encoding.
echo "<p> Welcome back, {$_GET['username']}.</p>";
?>
------
Let’s exploit this
------
<p> Welcome back, <script> ....do something bad here... </script>.
</p>
XSS
(Cross Site Scripting)
If you do the two items we spoke about
Input Filtering
Output Encoding
You most likely are still vulnerable, but it’ll be a
lot harder to exploit
It is almost impossible to completely eliminate
XSS risk (new browsers and plugins appear all
the time, and attackers keep getting smarter)
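The Output Encoding slide and the XSS example above are two sides of the same fix. The following added example (not code from the slides) renders the welcome line with output encoding and shows why an attribute that holds a URL needs two encoders, not one. The helper names and the sample values are this example's own.

```php
<?php
// Added example, not from the slides: the welcome line from the XSS slide
// rendered with output encoding, plus the URL-in-attribute case, which needs
// URL encoding and then HTML encoding. Helper names and inputs are constructed.
declare(strict_types=1);

/** HTML body and quoted-attribute context. */
function e(string $s): string
{
    // ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE stops invalid
    // UTF-8 from making htmlspecialchars() return an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** URL query-parameter context. */
function eUrlParam(string $s): string
{
    return rawurlencode($s);
}

function welcome(string $username): string
{
    return '<p>Welcome back, ' . e($username) . '.</p>';
}

function profileLink(string $username): string
{
    // Innermost context first (URL), then the context it sits in (attribute).
    return '<a href="/profile?user=' . e(eUrlParam($username)) . '">' . e($username) . '</a>';
}

$input = '<script>alert(1)</script>';   // constructed; same shape as the slide's payload
echo welcome($input), "\n";
echo profileLink("o'brien & co"), "\n";
```

The script tags come out as &lt;script&gt; text inside the paragraph, so the browser shows them rather than running them. In the link, the apostrophe and ampersand are percent-encoded for the URL and the visible name is HTML-encoded, each by the encoder for its own context; applying htmlentities() alone to a URL parameter is the common mistake this ordering avoids.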
CSRF
(Cross Site Request Forgeries)
Somewhere on MyFavoriteForum.com:
<img src="bank.com/transfermoney.php?
to=me&amount=100.00">
...if users are logged in, invisible actions can
be taken on their behalf, with their
authority.
CSRF
(Cross Site Request Forgeries)
Solutions
Sign your forms with a token (MD5 hash
with a secret key)
Validate the token before processing the
data
This can be done with Cookie and Session
data as well
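The token scheme from the Solutions slide, as an added example that is not code from the slides: a form token derived from a secret key and the user's session, embedded in the form and checked before the POST is processed. hash_hmac() with SHA-256 is used here as the keyed hash in place of the slide's MD5-with-secret; the secret value and the session id are constructed for this example.

```php
<?php
// Added example, not from the slides: a form token signed with a secret key
// and validated before the POST is processed. hash_hmac() with SHA-256 stands
// in for the slide's MD5-with-secret. The secret and session id are constructed.
declare(strict_types=1);

// Assumption: in real code this comes from a config file outside DOCROOT.
const CSRF_SECRET = 'replace-me-with-a-long-random-secret-from-config';

/** Build a token bound to the user's session and to the form being protected. */
function csrfToken(string $sessionId, string $formName): string
{
    return hash_hmac('sha256', $sessionId . "\0" . $formName, CSRF_SECRET);
}

/** Constant-time check: true only for the token issued for this session and form. */
function csrfValid(?string $submitted, string $sessionId, string $formName): bool
{
    if ($submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals(csrfToken($sessionId, $formName), $submitted);
}

// Rendering the form: the token goes into a hidden field.
$sessionId = 'constructed-session-id-123';
$token = csrfToken($sessionId, 'transfer');
echo '<input type="hidden" name="csrf" value="'
    . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">', "\n";

// Handling the POST: validate before touching any of the data.
$post = ['csrf' => $token, 'to' => 'me', 'amount' => '100.00'];   // constructed submission
var_dump(csrfValid($post['csrf'], $sessionId, 'transfer'));        // genuine form
var_dump(csrfValid($post['csrf'], 'another-session', 'transfer')); // token from a different session
var_dump(csrfValid(null, $sessionId, 'transfer'));                 // the <img> forgery sends no token
```

The genuine submission validates; the other two checks fail. The forged <img> request from the previous slide carries the victim's cookies but cannot carry the hidden field, which is exactly why the token works. Binding the token to the form name as well as the session stops a token harvested from one form being replayed on another; hash_equals() avoids leaking the comparison through timing.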
Protecting Source Code
Make sure all code file extensions are
blocked from viewing.
You can remove them from the html root,
or block them in the apache config:
<FilesMatch "\.inc$">
    Order deny,allow
    Deny from all
</FilesMatch>
Protecting Source Code
Watch for editor backup files too!
.file.php.tmp
file.php~
etc...
Or don’t edit code on production boxes.
Code Auditing
Set a standard for your team (and yes, a
team can be a single person):
Input Filtering Methods
Output Encoding Methods
Database Access Methods
Search the code for the security-sensitive points (echo, print...)
Enforce these methods
Code Auditing
Default to Secure.
Make being insecure obvious and auditable:
YAHOO_GET_RAW( "blah" )
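One way to build the "default to secure, make raw access obvious" idea into an API, as an added example that is neither the slides' code nor Yahoo's: the normal accessor validates against a declared rule and the escape hatch has a loud, grep-able name and logs its call site. Class and method names, the rules and the sample request are assumptions for this example (PHP 8).

```php
<?php
// Added example, not from the slides or Yahoo's code: a request accessor whose
// default path validates and whose raw path has a deliberately loud name, so
// "grep -rn getRaw" lists every place unfiltered input is used. Names assumed.
declare(strict_types=1);

final class Input
{
    /** field => anchored pattern the value must match (assumed rules) */
    private const RULES = [
        'username' => '/^[A-Za-z0-9_]{1,32}$/',
        'page'     => '/^[0-9]{1,4}$/',
    ];

    public function __construct(private array $source) {}

    /** Default path: the value is returned only if a rule exists for the field and matches. */
    public function get(string $field): ?string
    {
        $value = $this->source[$field] ?? null;
        if (!is_string($value) || !isset(self::RULES[$field])) {
            return null;   // no rule means no whitelist, so nothing is returned
        }
        return preg_match(self::RULES[$field], $value) === 1 ? $value : null;
    }

    /** Escape hatch. Unusual name on purpose: every call site must justify itself in review. */
    public function getRaw(string $field): mixed
    {
        $frame = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 1)[0];
        error_log(sprintf("AUDIT getRaw('%s') at %s:%d", $field, $frame['file'] ?? '?', $frame['line'] ?? 0));
        return $this->source[$field] ?? null;
    }
}

// Constructed request data, as a form might submit it.
$in = new Input(['username' => 'bob<script>', 'page' => '12', 'comment' => 'hi']);
var_dump($in->get('username'));   // fails its rule
var_dump($in->get('page'));       // passes its rule
var_dump($in->get('comment'));    // no rule declared
var_dump($in->getRaw('comment')); // raw access, logged
```

Only the page value comes back from get(); the username fails its rule and the comment has no rule. The raw read succeeds but leaves an audit line, which is the property the slide asks for: the unsafe path is still available, but it cannot be used quietly.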
System Security
Your website is only as secure as the
server/network it is hosted on
Perform regular package updates
Make sure you apply any updated PHP or
Apache code as soon as you can; there are
reasons for security releases
Firewalls & Access
Control
Only allow access to the ports you need, e.g.
80 - Web
443 - SSL
22 - SSH
Misc...
Signed Data (MD5)
Encrypted passwords in the DB
Config Files outside DOCROOT
Secret keys outside code, in config files
If it’s customer data USE SSL
Q&A
Please Complete An
Evaluation Form
http://joind.in/talk/view/2356
