Intro to Php Security
Loading...
Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.
21 Favorites & 1 Group
-
jheijmannJohn Heijmann,
favorited this 1 week ago
-
adrianoaguiar
favorited this 4 months ago
-
lizziewong
favorited this 6 months ago
-
ahmed.samir
favorited this 6 months ago
-
Thomas B, Student at INSA de Rouen,
favorited this 6 months ago
-
testpro
favorited this 7 months ago
-
oleole
favorited this 7 months ago
-
eduardoe
favorited this 7 months ago
-
Reinaldo Junior favorited this 8 months ago
-
mailforlen
favorited this 8 months ago
-
allan_smithee
favorited this 8 months ago
-
Rama Rao, SE/Prg at Sysnetts, favorited this 8 months ago
-
JesusVLC
favorited this 10 months ago
-
joyShare
favorited this 11 months ago
-
Amit Ranjan, Co-founder & COO at SlideShare, added this to the group PHP
Intro to Php Security - Presentation Transcript
- PHP Security Issues and Options West Suburban Chicago PHP Meetup August 2, 2007
- Our Group Meets monthly ● Usually meets at Starbucks in Glen Ellyn ● http://php.meetup.com/381/ ●
- Who is this handsome guy? Dave Ross BS in Computer Science ● Eight years development experience ● Six years e-commerce experience ● Currently working as a PHP developer ●
- Who is this handsome guy? Dave Ross On the Internet since 1994 ● Using the web since 1995 ●
- Reality Check “ More than half of identity theft cases are inside jobs, says Ms. Collins, who recently completed a study of 1,037 such cases.” - Judith Collins, associate criminal justice prof. at Michigan State University. Source: http://www.dallasnews.com/sharedcontent/dws/bus/ personalfinance/stories/060605dnbusidtheft.11c0c6 694.html
- Not Insecure By Nature FACT: Almost all PHP programs are written for the web. The web is a nasty place.
- Not Insecure By Nature FACT: PHP is free and easy to learn. PHP is attractive to amateurs who don't have training or experience in security
- Not Insecure By Nature FACT: Apps considered insecure have PHP in their names. PHPbb, PHPNuke...
- Not Insecure By Nature FACT: register_globals is evil What is this, 2001? (Disabled by default since PHP 4.1.0 -- December, 2001)
- Common Attack Vectors Validation circumvention ● Code injection ● SQL injection ● Cookie injection ● Mail forms ● Cross-site Scripting (XSS) ● (This is NOT a complete list by ANY means)
- Validation Circumvention Application might not be ● expecting invalid data Goal is to make the application ● blow up in an interesting way Put application in an invalid state? ● Reveal debugging info (database pw)? ●
- Validation Circumvention Validation on the client side is ● good for the user Validation on the server side is ● good for security Who says you can't do both?
- Validation Circumvention PHP provides functions for interrogating values is_int(), is_float(), is_bool(), ● is_finite() intval(), floatval(), doubleval() ● strlen(), strpos() ●
- Code Injection Don't use parameters as parameters to something else (directly) $filename = $_REQUEST['message']; $message = file_get_contents($filename); print $message; This is ok: http://example.com/myscript.php?message=hello.txt But what if I do this?: http://example.com/myscript.php?message=passwords.cfg
- Code Injection This is especially important for includes $module = $_REQUEST['module']; include(“lib/$module”); This is ok: http://example.com/cms?module=login.php But what if I do this?: http://example.com/cms?module=../passwords.ini
- Code Injection Make sure the value is one you expected, if not...ERROR! $requestedModule = $_REQUEST['module']; switch($requestedModule) { case “login”: $module = “login”; break; case “logout”: $module = “logout”; break; default: $module = “error”; }
- SQL Injection Kind of the same thing, but using SQL $numChildren = $_REQUEST['children']; $query = “UPDATE users SET children = $numChildren WHERE userID = 4”; $res = mysql_query($query); This is ok: http://example.com/user.php?children=2.5 But what if I do this?: http://example.com/user.php?children=2.5;DELETE FROM users;
- SQL Injection PHP offers some functions to help prevent this attack: addslashes() ● mysql_real_escape_string() ● PEAR_MDB2 prepared statements ●
- Cookie Injection Cookies are just files full of names and values. i.e. SESSION=18tsd338, username=dave What if I changed my username to “admin”? What if I set a cookie value “admin=true”?
- Mail Forms Spammers don't know the meaning of “shame” Few mail servers are ● “open relays” anymore Exploit the way PHP talks to ● mail servers Add their own mail headers (To:, Bcc:) or ● entirely new messages
- Mail Forms Look for the magic string ● “\\r\\n\\r\\n” in any parameter you pass to mail() (except the actual message) Be sure email addresses are ● formatted correctly – use preg_match() See June, 2007 issue of ● PHP|Architect
- Cross-site Scripting If I can include HTML or a script in a page, I can make your browser pass a request to another site. <img src=”http://myspace.com? action=deleteMyAccount&really=yesPlease” width=”0” height=”0” />
- Cross-site Scripting Nonce (n); the present, or immediate, occasion or purpose (origin: Middle English, 1150-1200) Cryptographic Nonce: A bit or string only used once. Put a hidden value in a form and ● remember it (put it in their session). PHP function uniqid() ● When the user submits that form, ● make sure the nonce matches what you sent them. Someone has to submit that same form (or know the ● nonce) for a valid request.
- Tools PHPSecAudit ● http://developer.spikesource.com/projects/phpsecaudit/ Web Developer Toolbars ● Firefox: http://chrispederick.com/work/web-developer/ Internet Explorer 7: http://www.microsoft.com/downloads/details.aspx? FamilyID=E59C3964-672D-4511-BB3E-2D5E1DB91038 (Just google “IE7 web developer toolbar”) Firebug ● http://www.getfirebug.com/
- PHPSecAudit Analyzing file: ./test.php . . . . . . The followings are function calls that need input sanitization: I. 1 ./test.php: 12, HIGH: exec Context: exec($module); Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.
- Web Developer Toolbars View details about a page (HTML, ● CSS, Cookies, Javascript) View/change things you normally ● can't (CSS, Cookies, password fields)
- Firebug View page as a tree of tags ● Edit page in the browser ● Edit field values ● Edit Javascript ●
- Tools (Write these URLs down!) PHPSecAudit ● http://developer.spikesource.com/projects/phpsecaudit/ Web Developer Toolbars ● Firefox: http://chrispederick.com/work/web-developer/ Internet Explorer 7: http://www.microsoft.com/downloads/details.aspx? FamilyID=E59C3964-672D-4511-BB3E-2D5E1DB91038 (Just google “IE7 web developer toolbar”) Firebug ● http://www.getfirebug.com/
- Going Forward Read PHP blogs/publications ● blog.php-security.org – PHP|Architect – Open Web Application Security – Project (OWASP) www.php.net/manual/en/security.php – PLAY! “What if I change this value?” ● Don't say “I'll go back and make ● it secure later.” Later never comes.
- Picture Credit Lock graphic is “padlocks#3” ● by “sp4mdi55” http://www.flickr.com/photos/ ● ciderpunx/95777022/
9720 views, 21 favs, more stats
Basic overview of PHP security for a local Meetup g more
More Info
- Total Views 9720
- 9430 on SlideShare
- Comments 3
- Favorites 21
- Downloads 678
Most viewed embeds
All embeds
- Also on LinkedIn
- Uploaded via SlideShare
- Uploaded as Adobe PDF
3 comments
Comments 1 - 3 of 3 previous next Post a comment