A different look at what PHP developers should be paying attention to: not security as such, but the data flow of the web application. The security concepts follow from that.
PHP Security
1. PHP Security
Akash Mahajan | akashm.com | That Web Application Security Guy
2. This talk isn't about security
This is about data in web applications: how does it flow, where does it come from, where does it end up?
This is about the configuration of web applications: do files require special permissions? Why does your upload folder have 0777?
@makash | akashm.com - That Web Application Security Guy
3. Web Apps look like this – 3 tier
8. Data you can't trust
Good data for a login page: Username – foo, Password – bar
Bad data for a login page: Username – foo' OR 1=1;-- , Password – bar' OR 1=1;--
Good data for a comment: This is a nice comment
Bad data for a comment: This is an XSS</textarea><script>alert(document.cookie);</script>
9. Data you need to protect
Clear text passwords: for the username email@example.com the password is 123456. A data thief who steals the entire database now holds account details that are reusable as-is, here and on every other site where the password was reused.
http://somebank.cxm/account-details.php?id=1234
Did you check that only the user with id 1234 can see this page, or does anyone who changes the id see someone else's account?
And what if the attacker stole the session cookie of the user with id 1234?
10. Where is all the data coming from?
GET requests, POST requests, AJAX requests, HTML form data, cookies and the values stored in them, HTTP headers, file uploads, external data sources
11. Job of your trusted code
Trusted code should remain trusted. Based on validation we can classify incoming data as tainted (bad) or untainted (good). Only after that classification should the data that is good for the application be processed; tainted data is rejected, not repaired.
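The login page of slide 8, the account-details page of slide 9 and the classify-then-process rule of slide 11, put together as an added example (this is not code from the slides): request data is validated first, the database only ever sees prepared statements, passwords are stored as hashes, and the account row is fetched only if it belongs to the logged-in user. The table and column names (users, accounts, user_id, iban) and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Added example, not from Akash Mahajan's slides: the login page of slide 8 and
// the account-details page of slide 9, written so that request data is
// classified before it is used (slide 11). Table and column names
// (users, accounts, user_id, iban) are assumptions made for the demo.
declare(strict_types=1);

/** Accept only a plausible username; anything else is tainted and rejected. */
function cleanUsername(mixed $raw): string
{
    if (!is_string($raw) || !preg_match('/\A[a-z0-9_.-]{3,32}\z/i', $raw)) {
        throw new InvalidArgumentException('bad username');
    }
    return $raw;
}

/** Accept only a positive integer id, whatever type the request carried. */
function cleanId(mixed $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('bad id');
    }
    return $id;
}

/**
 * Login. The query is a prepared statement, so foo' OR 1=1;-- is only a
 * username that does not exist; the password is checked against a hash,
 * so a stolen users table does not hand out reusable credentials.
 * Returns the user id on success, null otherwise.
 */
function login(PDO $db, mixed $rawUser, mixed $rawPass): ?int
{
    $user = cleanUsername($rawUser);
    if (!is_string($rawPass) || $rawPass === '') {
        return null;
    }
    $st = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the user is unknown, so that a
    // missing account does not answer measurably faster than a wrong password.
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($rawPass, $row ? $row['password_hash'] : $dummy);
    return ($ok && $row) ? (int) $row['id'] : null;
}

/**
 * account-details.php?id=1234 (slide 9). The id is validated, and the row is
 * fetched only when it belongs to the logged-in user, so editing the id in
 * the URL cannot show another customer's account.
 */
function accountDetails(PDO $db, int $sessionUserId, mixed $rawId): ?array
{
    $id = cleanId($rawId);
    $st = $db->prepare('SELECT id, iban, balance FROM accounts WHERE id = ? AND user_id = ?');
    $st->execute([$id, $sessionUserId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Demo on a constructed in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, user_id INTEGER, iban TEXT, balance REAL)');
$ins = $db->prepare('INSERT INTO users (id, username, password_hash) VALUES (?, ?, ?)');
$ins->execute([1, 'foo', password_hash('bar', PASSWORD_DEFAULT)]);
$ins->execute([2, 'alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$db->exec("INSERT INTO accounts VALUES (1234, 1, 'XX00 1234', 10.0), (5678, 2, 'XX00 5678', 99.0)");

$attempts = [
    ['foo', 'bar'],                          // the good data from slide 8
    ["foo' OR 1=1;--", "bar' OR 1=1;--"],    // the bad data: rejected before any SQL runs
    ['foo', 'wrong'],                        // right user, wrong password
];
foreach ($attempts as [$u, $p]) {
    try {
        var_dump(login($db, $u, $p));
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
var_dump(accountDetails($db, 1, '1234'));   // user 1 looking at their own account
var_dump(accountDetails($db, 1, '5678'));   // user 1 trying alice's account: nothing comes back
try {
    accountDetails($db, 1, '1234 OR 1=1');  // fails the integer check, never reaches the database
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The ownership check is deliberately inside the SQL (`AND user_id = ?`) rather than done in PHP after the fetch: the row for another user never leaves the database, so there is no code path that could accidentally display it. The session user id is taken from the server-side session, never from the request.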
12. I am a developer, not a hacker
Agreed, you are not a person bent on breaking the app, but:
Data from requests which is displayed in the browser passes through your trusted code. Injecting HTML/JS through it is XSS.
Data from the browser gets stored in the database. Injecting SQL into the requests that are sent to the database is SQL injection.
Cookies used for authentication are attached by the browser to every request to your site, including requests an evil web page makes the browser send. Unauthorized requests made this way on behalf of your user are CSRF.
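The two browser-side defences named on slide 12, as an added example that is not part of the original talk: untrusted data is encoded at output time so the comment payload from slide 8 becomes inert text, and a per-session CSRF token is required on the POST so a request forged from another site fails. The function names, the `csrf` field name and the array standing in for `$_SESSION` are assumptions made for the demo.

```php
<?php
// Added example, not from the original slides: output encoding against XSS and
// a session-bound CSRF token, the two cases described on slide 12. Function
// and field names are assumptions; $session stands in for $_SESSION.
declare(strict_types=1);

/** Encode untrusted data for an HTML body or attribute context. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render a stored comment. Encoding happens at output, not at storage. */
function renderComment(string $comment): string
{
    return '<div class="comment">' . e($comment) . '</div>';
}

/** Issue, once per session, the token the form has to echo back. */
function csrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

/** Constant-time comparison of the token that came back in the POST body. */
function csrfValid(array $session, array $post): bool
{
    return isset($session['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

/** The comment form carries the token as a hidden field. */
function commentForm(array &$session): string
{
    return '<form method="post" action="/comment.php">'
        . '<input type="hidden" name="csrf" value="' . e(csrfToken($session)) . '">'
        . '<textarea name="comment"></textarea><button>Post</button></form>';
}

// Demo with a constructed session array.
$session = [];
echo commentForm($session), "\n";

// The payload from slide 8: after encoding, the browser shows the text and
// runs nothing, because every < > " ' is now a character reference.
$payload = 'This is an XSS</textarea><script>alert(document.cookie);</script>';
echo renderComment($payload), "\n";

// A hostile page can make the browser send the cookie, but it cannot read
// the token out of our session, so its forged POST has no valid csrf field.
var_dump(csrfValid($session, ['comment' => 'spam']));
var_dump(csrfValid($session, ['comment' => 'ok', 'csrf' => $session['csrf']]));
```

The session cookie itself should be issued with `session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax'])` before `session_start()`: HttpOnly keeps it away from the `document.cookie` in the payload above, and SameSite stops most cross-site POSTs before the token check is even reached. The token remains necessary, since SameSite is a browser feature rather than a guarantee the server controls.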
13. What are we protecting?
14. Again, what are we protecting?
We are protecting the web application: from all kinds of injections, and from unauthorized requests which originate at the user end.
We are protecting the user information that users have entrusted us with.
We are protecting the underlying server and the connected database from malicious commands which come through our trusted code.
15. What about configuration
Assume your web application allows users to upload pictures, and that three image formats are accepted: jpg, png, gif.
The filename of the image is also untrusted data.
A file can carry an extension that makes it look like an image while containing something else.
A valid image can have PHP code embedded in it, and that code runs if the web server ever hands the file to the PHP interpreter when it is requested with a GET.
16. What about configuration
All your web server needs is write permission, for the user it runs as, on the directory uploads end up in.
Uploads first land in PHP's temporary directory, which is outside the document root, so nothing there can be requested for execution.
It is your PHP code that copies them into a folder inside the document root.
So why does the upload folder have execute permissions, and why is it served by a handler that will execute .php files?
Your web application needs to connect to the database. But why does the connection code, with the credentials in it, need to be inside the document root?
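An upload handler for the picture feature of slides 15 and 16, as an added example that is not code from the talk: the client's filename, extension and declared type are all discarded, the type is decided from the bytes, the stored name is random with an extension chosen from the detected type, and the file is written without execute permission. The paths, the `picture` field name and the constructed sample files are assumptions made for the demo.

```php
<?php
// Added example, not from the original slides: an upload handler for the
// picture feature of slides 15-16 that trusts neither the client's filename,
// extension nor declared type. Paths and the $_FILES field name are
// assumptions made for the demo.
declare(strict_types=1);

/** Image types the application accepts, keyed by the MIME type PHP detects. */
const IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/** Decide the type from the bytes, not the name; null if not an accepted image. */
function detectImageType(string $path): ?string
{
    $info = @getimagesize($path);
    return IMAGE_TYPES[$info['mime'] ?? ''] ?? null;
}

/**
 * Validate one entry of $_FILES and move it into $dir under a random name
 * whose extension comes from the detected type. Returns the stored name,
 * or null when the file is rejected.
 */
function storeImage(array $upload, string $dir): ?string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $upload['tmp_name'];
    // Only files PHP itself received through upload_tmp_dir in this request.
    if (!is_uploaded_file($tmp)) {
        return null;
    }
    $ext = detectImageType($tmp);
    if ($ext === null) {
        return null;
    }
    // The original name is untrusted data and is discarded entirely.
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, $dest)) {
        return null;
    }
    chmod($dest, 0644);   // readable by the server, never executable
    return basename($dest);
}

// In the request handler (not runnable from the CLI, because is_uploaded_file
// and move_uploaded_file only accept files received in the current request):
//   $stored = storeImage($_FILES['picture'] ?? [], '/var/app/uploads');
//   http_response_code($stored === null ? 400 : 201);
// Database credentials follow the same rule as the upload directory: they
// live outside the document root and are pulled in by code, e.g.
//   $cfg = require '/var/app/config/db.php';   // returns ['dsn' => ..., ...]

// CLI demo with constructed files. A minimal GIF header with PHP appended
// still passes as image/gif: that is the "image with embedded code" of
// slide 15, and why the forced extension and the directory configuration,
// not the content check, are what keep it from ever executing.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00\x00\x00" . '<?php echo "code ran"; ?>');
var_dump(detectImageType($tmp));   // accepted as gif, so it will be stored as <random>.gif
file_put_contents($tmp, '<?php echo "code ran"; ?>');
var_dump(detectImageType($tmp));   // no image header at all: rejected
unlink($tmp);
```

Two configuration points go with this code. The upload directory should be owned by the web server user with 0750 (not 0777) and files 0644; and the web server must never pass anything in it to PHP: with Apache and mod_php, `php_admin_flag engine Off` inside a `<Directory>` block for the uploads path; with nginx, make sure the uploads location is not matched by the `location ~ \.php$` block that does `fastcgi_pass`. Storing the files outside the document root and serving them through a small script that sets `Content-Type` from the stored extension removes the question entirely. Re-encoding the image through GD (`imagecreatefromstring` followed by `imagepng`/`imagejpeg`) additionally strips appended payloads like the one in the demo, at the cost of a dependency on GD.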
17. Questions?
About me: Akash Mahajan (google me), That Web Application Security Guy
null Founder and Bangalore Chapter Lead (http://null.co.in)
Web Security Consultant
@makash on Twitter || http://akashm.com
Presentations: http://www.slideshare.net/akashm