Php security

PHP Security
Akash Mahajan | akashm.com
That Web Application Security Guy

This talk isn’t about security
This is about data in the web applications
How does it flow
Where does it come from?
Where does it end up?
This is about configuration of web applications
Do files requires some special permissions?
Why does your upload folder have 0777?
@makash | akashm.com - That Web Application Security Guy

Web Apps look like this – 3 tier

Data View of A Web App in Use
Web Client controls everything that it has received as part of the request.
Web Server
TCP Port 80
HTTP Protocol
PHP Interpreter
Trusted Code running on the server
Data Store
Untrusted Data

Data you can’t trust
Good data for a login page
Username – foo
Password – bar
Bad data for a login page
Username – foo’ OR 1=1;--
Password – bar’ OR 1=1;--
Good data for a comment
This is a nice comment
Bad data for a comment
This is an XSS</textarea><script>alert(document.cookie);</script>

Data you need to protect
Clear text passwords for a username email@example.com
Password is 123456
Data thief steals the entire database and has reusable account details
http://somebank.cxm/account-details.php?id=1234
Did you check that only user with id 1234 can see this?
What if the attacker stole the session cookie of user with id 1234

Where all is data coming from
GET Requests
AJAX Requests
POST Requests
HTML Form Data
Cookies Stored with values
HTTP Headers
File Uploads
External data sources

Job of your trusted code
Trusted code should remain trusted.
Based on the validation we can classify data as tainted/bad or un-tainted/good.
Only after that the data which is good data for the application should be processed.

I am a developer, not a hacker
Agreed you are not a person bent on breaking the app, but
Data from requests which is displayed in the browser passes through your trusted code. Injecting HTML/JS is XSS
Data from the browser getting stored in the database
Injecting SQL in such requests which are sent to the database is SQL Injection.
Data stored in cookies which are used for authentication can be hijacked by an evil web page. Un-authorized requests on the behalf of your web app user is CSRF

What are we protecting?

Again, what are we protecting?
We are protecting the web application.
From all kinds of injections
From unauthorized requests which originate at the user end
We are protecting the user information, users have entrusted us with.
We are protecting the underlying server and the connected database from malicious commands which come through our trusted code.

What about configuration
Assume your web application allows users to upload pictures
Then there are 3 image formats used – jpg, png, gif
The filename of the image is also untrusted data.
Files can have an extension which makes it look like an image
Images can have code embedded which can execute if requested using a GET

What about configuration
All your web server needs is write permission for the user it is running as.
This is because files are uploaded to a temp directory where can’t be called for execution
It is your PHP code which copies them to a folder inside document root
Why does the upload folder have execute permissions?
Your web application needs to connect to the database. But why does the connection code need to be inside the document root?

Questions?
Any questions
About me
Akash Mahajan ( google me )
That Web Application Security Guy
null Founder and Bangalore Chapter Lead (http://null.co.in)
Web Security Consultant
@makash on Twitter || http://akashm.com
Presentations : http://www.slideshare.net/akashm

http://funnel.hasgeek.com	81
http://lanyrd.com	10
http://paper.li	3
http://funnel.hasgeek.in	3
http://translate.googleusercontent.com	1

Php security

by Akash Mahajan

Accessibility

Categories

Upload Details

Usage Rights

5 Embeds 98

Statistics

Php security Presentation Transcript

Php security

by Akash Mahajan

Accessibility

Categories

Upload Details

Usage Rights

5 Embeds 98

Statistics

Php security Presentation Transcript

Let LinkedIn power your SlideShare experience

Let LinkedIn power your SlideShare experience

Customize SlideShare content based on your interests

Keep up to date when your LinkedIn contacts post on SlideShare