PHP Security

A different look at what PHP developers should be looking at. Not in terms of security but in terms of the data flow of the web application. The concepts of security are tied into that itself.

Published in: Technology

  1. PHP Security
     Akash Mahajan | akashm.com
     That Web Application Security Guy
  2. This talk isn't about security
     This is about data in the web applications
       How does it flow?
       Where does it come from?
       Where does it end up?
     This is about configuration of web applications
       Do files require some special permissions?
       Why does your upload folder have 0777?
     @makash | akashm.com - That Web Application Security Guy
  3. Web Apps look like this – 3 tier
  4. Data View of A Web App in Use
     Web Client controls everything that it has received as part of the request.
     Web Server
       - TCP Port 80
       - HTTP Protocol
       - PHP Interpreter
       - Trusted Code running on the server
     Data Store
     Untrusted Data
  5. Data you can't trust
     Good data for a login page
       Username – foo
       Password – bar
     Bad data for a login page
       Username – foo' OR 1=1;--
       Password – bar' OR 1=1;--
     Good data for a comment
       This is a nice comment
     Bad data for a comment
       This is an XSS</textarea><script>alert(document.cookie);</script>
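The good and bad inputs from this slide, handled so that the SQL and HTML in them stay data. This is an added PHP example, not code from the talk; it uses an in-memory SQLite database through PDO so it runs without a server, and the table layout and the `login`/`renderComment` names are assumptions.

```php
<?php
// Added example (not from the talk): the slide's login and comment inputs,
// handled so that SQL and HTML inside them are treated as data, not code.
// In-memory SQLite via PDO so it runs offline; schema is constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['foo', password_hash('bar', PASSWORD_DEFAULT)]);

// Login: the username is a bound parameter, so "foo' OR 1=1;--" is looked up
// literally as a username and matches no row. No string concatenation into SQL.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Comment display: encode for the HTML context it is rendered into, so the
// "</textarea><script>..." payload is shown as text instead of closing the
// element and running.
function renderComment(string $comment): string
{
    return '<textarea readonly>'
        . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</textarea>';
}

// Constructed inputs, copied from the slide's good/bad examples.
var_dump(login($db, 'foo', 'bar'));                        // good credentials
var_dump(login($db, "foo' OR 1=1;--", "bar' OR 1=1;--"));  // injection attempt
echo renderComment('This is a nice comment'), "\n";
echo renderComment('This is an XSS</textarea><script>alert(document.cookie);</script>'), "\n";
```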
  6. Data you need to protect
     Clear text passwords for a username email@example.com
       Password is 123456
       Data thief steals the entire database and has reusable account details
     http://somebank.cxm/account-details.php?id=1234
       Did you check that only the user with id 1234 can see this?
       What if the attacker stole the session cookie of the user with id 1234?
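The three points on this slide (stored passwords, the `id=1234` check, and the stolen session cookie) in code. This is an added PHP example, not code from the talk; the session array, the user ids and the function names are constructed for illustration.

```php
<?php
// Added example (not from the talk): protecting the two things this slide names,
// stored passwords and per-user account data. Session contents and ids are constructed.

// 1. Never store "123456" in clear text. password_hash() salts and slow-hashes,
//    so a stolen users table no longer yields reusable credentials.
function storePassword(string $cleartext): string
{
    return password_hash($cleartext, PASSWORD_DEFAULT);
}

function checkPassword(string $cleartext, string $storedHash): bool
{
    return password_verify($cleartext, $storedHash);
}

// 2. account-details.php?id=1234: the id in the URL is untrusted data. What
//    decides whose record is shown is the user id bound to the server-side session.
function canViewAccount(array $session, array $query): bool
{
    if (!isset($session['user_id'])) {
        return false;                                  // not logged in
    }
    $requested = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT);
    if ($requested === false) {
        return false;                                  // "1234abc", "", arrays
    }
    return (int) $session['user_id'] === $requested;   // owner only
}

// 3. A stolen session cookie defeats the check above, so make it hard to steal:
//    unreadable by script (HttpOnly), never sent over plain HTTP (Secure),
//    and not attached to cross-site requests (SameSite). Call before session_start().
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

$hash = storePassword('123456');
assert(checkPassword('123456', $hash));
assert(!checkPassword('654321', $hash));
assert(canViewAccount(['user_id' => 1234], ['id' => '1234']));
assert(!canViewAccount(['user_id' => 1234], ['id' => '1235']));
assert(!canViewAccount([], ['id' => '1234']));
```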
  7. Where all is data coming from
     GET Requests
     AJAX Requests
     POST Requests
     HTML Form Data
     Cookies Stored with values
     HTTP Headers
     File Uploads
     External data sources
  8. Job of your trusted code
     Trusted code should remain trusted.
     Based on validation we can classify data as tainted/bad or un-tainted/good.
     Only after that should the data which is good data for the application be processed.
  9. I am a developer, not a hacker
     Agreed, you are not a person bent on breaking the app, but
       Data from requests which is displayed in the browser passes through your trusted code. Injecting HTML/JS into it is XSS.
       Data from the browser gets stored in the database. Injecting SQL into such requests, which are sent to the database, is SQL Injection.
       Data stored in cookies which are used for authentication can be hijacked by an evil web page. Unauthorized requests on behalf of your web app user are CSRF.
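XSS and SQL Injection are covered by the login/comment example above; this block covers the third item, CSRF, with a per-session token that an evil web page cannot read. It is an added PHP example, not code from the talk; the session array, the `csrf_token` field name and the form action are constructed.

```php
<?php
// Added example (not from the talk): stopping "unauthorized requests on behalf of
// your web app user" (CSRF). Session array, field and action names are constructed.

// Issue one random token per session and embed it in every state-changing form.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrfHiddenField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify on every POST. Another origin can make the browser send the user's
// cookies, but it cannot read our form, so it cannot supply the token.
// hash_equals() keeps the comparison constant-time.
function csrfValid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

$session = [];
$field  = csrfHiddenField($session);                 // rendered into the real form
$legit  = ['csrf_token' => $session['csrf_token'], 'action' => 'change_email'];
$forged = ['action' => 'change_email'];              // cookies arrive, token does not
assert(csrfValid($session, $legit));
assert(!csrfValid($session, $forged));
assert(!csrfValid([], $legit));                      // no session, nothing to match
```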
  10. What are we protecting?
  11. Again, what are we protecting?
     We are protecting the web application:
       From all kinds of injections
       From unauthorized requests which originate at the user end
     We are protecting the user information users have entrusted us with.
     We are protecting the underlying server and the connected database from malicious commands which come through our trusted code.
  12. What about configuration
     Assume your web application allows users to upload pictures
     Then there are 3 image formats used – jpg, png, gif
     The filename of the image is also untrusted data.
     Files can have an extension which makes it look like an image
     Images can have code embedded which can execute if requested using a GET
  13. What about configuration
     All your web server needs is write permission for the user it is running as.
     This is because files are uploaded to a temp directory where they can't be called for execution
     It is your PHP code which copies them to a folder inside document root
     Why does the upload folder have execute permissions?
     Your web application needs to connect to the database. But why does the connection code need to be inside the document root?
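The upload handling these two slides argue for: type decided from the bytes, our own filename, stored outside the document root with no execute bit, and served by a script. This is an added PHP example, not code from the talk; `UPLOAD_DIR` and the function names are assumptions, the `$_FILES` layout is PHP's own.

```php
<?php
// Added example (not from the talk): handling the picture upload these slides
// describe. UPLOAD_DIR is an assumed path; the $_FILES layout is PHP's own.

const UPLOAD_DIR = '/var/www/uploads-private';   // outside the document root (assumed)
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Stores one uploaded image and returns the name we gave it, or throws.
// The browser's filename and declared type are untrusted and never used.
function storeImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    // Type comes from the bytes in PHP's temp file, not from $file['type']
    // or whatever extension the client put on the name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an allowed image');
    }
    // A valid image can still carry PHP code in its metadata, so these checks
    // are not the defence; the location and permissions below are.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];   // our name, not theirs
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable by the web server user, never executable
    return $name;
}

// Serving: nothing under UPLOAD_DIR is reachable by URL, so embedded code can
// never be executed by a GET; this script streams the bytes as an image.
function serveImage(string $name): void
{
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $name)
        || !is_file(UPLOAD_DIR . '/' . $name)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    readfile(UPLOAD_DIR . '/' . $name);
}
```

The same reasoning applies to the database connection code the slide asks about: keep it outside the document root and `require` it by absolute path, so a web server misconfiguration cannot serve it as text.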
  14. Questions?
     Any questions
     About me
       Akash Mahajan ( google me )
       That Web Application Security Guy
       null Founder and Bangalore Chapter Lead (http://null.co.in)
       Web Security Consultant
       @makash on Twitter || http://akashm.com
       Presentations : http://www.slideshare.net/akashm
