Concern of Web Application Security
1. Concern of Web Application Security
"First and foremost, you must realize and accept that any user-supplied data is inherently unreliable and can't be trusted."
Md. Mahmud Ahsan, Zend Certified Engineer
http://mahmudahsan.wordpress.com/
http://www.ftechdb.com/
8. Input filtering
Filter input example:

    <?php
    $clean = array();
    switch ($_POST['color']) {
        case 'red':
        case 'green':
        case 'blue':
            $clean['color'] = $_POST['color'];
            break;
    }
    ?>

9. Input filtering (callout on the example above): initialize an array for storing the filtered data.
10. Input filtering (callout): use a switch statement to filter against a fixed set of values.
11. Input filtering (callout): create cases for the valid values.
12. Input filtering (callout): the color is definitely valid, so store it in the array.
13. Most common attacks
Filter input example 2:

    <?php
    $clean = array();
    if (ctype_alnum($_POST['username'])) {
        $clean['username'] = $_POST['username'];
    }
    ?>

14. Most common attacks (callout on the example above): create an array to store the filtered data.
15. Input filtering (callout): the username must be alphanumeric.
16. Input filtering (callout): if the username is alphanumeric, store it in the array.
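The two slide examples share one pattern: start from an empty $clean array and copy a value into it only after it has passed a check. The following is an added example, not code from the deck or its author, that generalises that pattern into a single filter driven by a rule table. The field names, rule shapes and the filter_input_fields() name are assumptions; the sample request is constructed and reuses the payloads that appear later in the deck.

```php
<?php
// Added example (not from the slides): the allowlist switch and the
// ctype_alnum() check generalised into one filter over a whole request.
// Field names and rule format are assumptions for illustration.
declare(strict_types=1);

/**
 * Validate $input against $rules and return only the fields that passed.
 * Anything without a rule, or failing its rule, is silently dropped, so
 * $clean never contains a value that was not explicitly accepted.
 */
function filter_input_fields(array $input, array $rules): array
{
    $clean = [];
    foreach ($rules as $field => $rule) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            continue; // missing, or not a plain string: reject
        }
        $value = $input[$field];
        switch ($rule['type']) {
            case 'enum':   // fixed set of allowed values, as in the colour switch
                if (in_array($value, $rule['allowed'], true)) {
                    $clean[$field] = $value;
                }
                break;
            case 'alnum':  // letters and digits only, as in the username check,
                           // plus a length cap the slide does not have
                if (ctype_alnum($value) && strlen($value) <= $rule['max']) {
                    $clean[$field] = $value;
                }
                break;
            case 'int':    // numeric id: FILTER_VALIDATE_INT rejects anything
                           // that is not a whole integer, e.g. "0;DELETE FROM users"
                $n = filter_var($value, FILTER_VALIDATE_INT,
                                ['options' => ['min_range' => 0]]);
                if ($n !== false) {
                    $clean[$field] = $n;
                }
                break;
        }
    }
    return $clean;
}

$rules = [
    'color'    => ['type' => 'enum',  'allowed' => ['red', 'green', 'blue']],
    'username' => ['type' => 'alnum', 'max' => 32],
    'id'       => ['type' => 'int'],
];

// Constructed request standing in for $_POST / $_GET; every field fails.
$bad = [
    'color'    => 'purple',              // not in the allowlist
    'username' => "bob' OR ''='",        // not alphanumeric
    'id'       => '0;DELETE FROM users', // not an integer
    'debug'    => '1',                   // no rule at all
];
var_dump(filter_input_fields($bad, $rules));

// Constructed request in which every field passes; id comes back as an int.
$good = ['color' => 'red', 'username' => 'bob', 'id' => '42'];
var_dump(filter_input_fields($good, $rules));
```

Run it with `php filter.php`. The design point is the one the slides make: the filter is an allowlist, so a field reaches $clean only through a rule that named it, and the rest of the application reads from $clean rather than from $_POST.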
21. Escaping Output
Escaping output example:

    <?php
    $html = array();
    $html['username'] = htmlentities($clean['username'], ENT_QUOTES);
    echo "<p>Welcome back, {$html['username']}.</p>";
    ?>

Callout: escape the filtered username and store it in the array.
22. Escaping Output (callout on the example above): send the filtered and escaped username to the client.
23. Escaping Output
Escaping output example 2:

    <?php
    $mysql = array();
    $mysql['username'] = mysql_real_escape_string($clean['username']);
    $sql = "SELECT * FROM profile WHERE username = '{$mysql['username']}'";
    $result = mysql_query($sql);
    ?>

24. Escaping Output (callout on the example above): initialize an array for storing the escaped data.
25. Escaping Output (callout): escape the filtered username and store it in the array.
26. Escaping Output (callout): use the filtered and escaped username in the SQL query.
27. Escaping Output (callout): the SQL query is now safe.
29. SQL Injection
SQL Injection attacking example:

Normal request:   http://example.com/db.php?id=0
Injected request: http://example.com/db.php?id=0;DELETE%20FROM%20users

    <?php
    $id = $_GET['id'];   // $id = 0;DELETE FROM users
    $result = mysql_query("SELECT * FROM users WHERE id={$id}");

Callouts: "SQL inject code" on the injected request; "User table data destroyed" on the query.
30. SQL Injection
SQL Injection attacking example 2:

    <?php
    $query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
    mysql_query($query);
    // $_POST['username'] = 'manzil';
    // $_POST['password'] = "' OR ''='";
    echo $query;
    ?>

Output:
    SELECT * FROM users WHERE user='manzil' AND password='' OR ''=''

Callout: "SQL inject code" on the injected password value.
31. SQL Injection
SQL Injection Protection:

    <?php
    $name = mysql_real_escape_string($_POST['username']);
    $pass = mysql_real_escape_string($_POST['password']);
    $query = "SELECT * FROM users WHERE user='{$name}' AND password='{$pass}'";
    mysql_query($query);
    ?>
32. Cross-Site Scripting
What is XSS? It is a popular attack against web applications, because web applications largely echo user input back to the client.

    <?php
    echo "<p>Welcome back, {$_GET['username']}.</p>";
    ?>
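Slides 21 to 32 cover the two output contexts the deck escapes for, HTML (the XSS example) and SQL (the injection examples), using htmlentities() and mysql_real_escape_string(). The mysql_* extension was removed in PHP 7, so the following added example, which is not the deck's or the author's code, shows the same two contexts with htmlspecialchars() and a PDO prepared statement. It runs against an in-memory SQLite database so it works offline; the profile and users tables, the password_hash column and the function names are assumptions, and the payloads are the ones from slides 29 and 30.

```php
<?php
// Added example (not from the slides): HTML escaping plus parameterised SQL,
// replacing the deck's htmlentities()/mysql_real_escape_string() pair.
// Table layout and function names are assumptions for illustration.
declare(strict_types=1);

/** Escape a filtered value for an HTML text or attribute context (slide 21). */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Profile lookup from slide 23 with a bound parameter instead of interpolation. */
function find_profile(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM profile WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Login check from slide 30. The username is a placeholder, and the stored
 * value is a password hash (an assumption; the slide compares plaintext).
 */
function login(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();            // false when no row matched
    return $hash !== false && password_verify($password, (string) $hash);
}

// Constructed in-memory database so the example runs without a server.
$db = new PDO('sqlite::memory:', null, null,
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE profile (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec('CREATE TABLE users (user TEXT, password_hash TEXT)');
$db->exec("INSERT INTO profile (username) VALUES ('manzil')");
$ins = $db->prepare('INSERT INTO users (user, password_hash) VALUES (?, ?)');
$ins->execute(['manzil', password_hash('correct horse', PASSWORD_DEFAULT)]);

// HTML context: markup in the value is rendered as text, not interpreted.
echo '<p>Welcome back, ' . html_escape('<script>alert(1)</script>') . ".</p>\n";

// SQL context: the slide-30 payload is bound as one literal string, so it is
// compared against the username column and matches no row.
var_dump(find_profile($db, "' OR ''='"));
var_dump(find_profile($db, 'manzil'));

// The same payload as a password cannot change the query, so login fails.
var_dump(login($db, 'manzil', "' OR ''='"));
var_dump(login($db, 'manzil', 'correct horse'));
```

The two functions keep the deck's rule that escaping is chosen per destination: html_escape() is only for values going into HTML, and the SQL values are never escaped at all, because a bound parameter is sent separately from the statement text and cannot alter it.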
37. Session Hijacking
Example of Session Fixation:
    http://example.org/login.php?PHPSESSID=1234

Prevention of Session Fixation: use session_regenerate_id() whenever there is a change in the level of privilege:

    if ($authenticated) {
        $_SESSION['logged_in'] = TRUE;
        session_regenerate_id();
    }
38. Session Hijacking
Another session security technique: compare the browser signature headers.

    <?php
    session_start();
    $chk = @md5(
        $_SERVER['HTTP_ACCEPT_CHARSET'] .
        $_SERVER['HTTP_ACCEPT_ENCODING'] .
        $_SERVER['HTTP_ACCEPT_LANGUAGE'] .
        $_SERVER['HTTP_USER_AGENT']
    );
    if (empty($_SESSION)) {
        $_SESSION['key'] = $chk;
    } else if ($_SESSION['key'] != $chk) {
        session_destroy();
    }
    ?>
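Slides 37 and 38 give two session defences: regenerate the id on a privilege change, and destroy the session if the browser signature changes. The added example below, which is not the deck's or the author's code, writes both as functions over plain arrays so the logic can be run from the command line without a web server. It departs from the slide in three labelled ways: hash('sha256') instead of md5(), explicit handling of absent headers instead of the @ suppression, and hash_equals() instead of !=. The function names and the constructed requests are assumptions.

```php
<?php
// Added example (not from the slides): the slide-38 browser-signature check
// and the slide-37 id rotation as pure functions. $session stands in for
// $_SESSION and $server for $_SERVER so this runs outside a request.
declare(strict_types=1);

/** Hash the headers a browser normally sends identically on every request. */
function browser_fingerprint(array $server): string
{
    $parts = [];
    foreach (['HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING',
              'HTTP_ACCEPT_LANGUAGE', 'HTTP_USER_AGENT'] as $header) {
        $parts[] = $server[$header] ?? '';   // absent header: empty, no warning
    }
    // SHA-256 instead of the slide's md5(); a separator keeps fields distinct.
    return hash('sha256', implode("\n", $parts));
}

/**
 * Bind the session to a fingerprint on first use, then require it to match.
 * Returns true if the request may continue, false if the caller should
 * session_destroy() because a different client presented this session id.
 */
function check_session_binding(array &$session, string $fingerprint): bool
{
    if (!isset($session['key'])) {
        $session['key'] = $fingerprint;      // first request: record it
        return true;
    }
    return hash_equals($session['key'], $fingerprint);  // constant-time compare
}

/**
 * Privilege change from slide 37: mark the session authenticated and rotate
 * its id so an id chosen before login (fixation) is no longer valid.
 * $regenerate stands in for session_regenerate_id(true); passing true also
 * deletes the old session data.
 */
function on_login(array &$session, callable $regenerate): void
{
    $session['logged_in'] = true;
    $regenerate();
}

// Constructed requests: same session id, second one from a different client.
$first = [
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0',
    'HTTP_ACCEPT_LANGUAGE' => 'en-GB,en;q=0.5',
    'HTTP_ACCEPT_ENCODING' => 'gzip, deflate, br',
];
$second = $first;
$second['HTTP_USER_AGENT'] = 'curl/8.6.0';

$session = [];
on_login($session, function (): void { echo "session id regenerated\n"; });
var_dump(check_session_binding($session, browser_fingerprint($first)));   // binds
var_dump(check_session_binding($session, browser_fingerprint($first)));   // same client
var_dump(check_session_binding($session, browser_fingerprint($second)));  // different client
```

The signature check is a secondary control: every header it hashes is chosen by the client, so it only catches a stolen session id being replayed from a client that sends different headers. Rotating the id on login, the slide-37 measure, is the one that actually defeats fixation, and the two belong together rather than as alternatives.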
40. Cross Site Request Forgeries
What is CSRF? An attacker can send arbitrary HTTP requests from a victim. Because the requests originate from the victim, they can bypass traditional safeguards, including firewalls and access control.
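Slide 40 explains why CSRF gets past network and access controls: the forged request carries the victim's own cookies. The standard counter, a per-session token that a third-party page cannot read and therefore cannot include, is shown below as an added example that is not the deck's or the author's code. It works over plain arrays standing in for $_SESSION and $_POST so it runs from the command line; the function names and sample requests are assumptions.

```php
<?php
// Added example (not from the slides): a synchroniser token against the
// request forgery slide 40 describes. $session stands in for $_SESSION and
// $post for $_POST; function names are assumptions for illustration.
declare(strict_types=1);

/** Issue a per-session random token, reusing it for the session's lifetime. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Hidden form field carrying the token; escaped like any other HTML output. */
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Accept a state-changing request only if it carries the session's token.
 * A page on another origin cannot read the victim's token, so a forged
 * request arrives without it (or with a guess) and is rejected here.
 */
function csrf_check(array $session, array $post): bool
{
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

$session = [];
echo csrf_field($session), "\n";

// Constructed request submitted from the site's own form: token matches.
var_dump(csrf_check($session, ['csrf_token' => $session['csrf_token'], 'action' => 'delete']));

// Constructed forged requests: token missing, then token guessed wrong.
var_dump(csrf_check($session, ['action' => 'delete']));
var_dump(csrf_check($session, ['csrf_token' => str_repeat('0', 64), 'action' => 'delete']));
```

The check belongs on every request that changes state, and only on those: the token is compared with hash_equals() so the comparison time does not depend on how many leading bytes match, and it is validated before the action's own access control runs, which is precisely the control the slide says a forged request would otherwise satisfy.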