Intro to Php Security

23,177 views
23,040 views

Published on

Basic overview of PHP security for a local Meetup group

Published in: Technology
2 Comments
29 Likes
Statistics
Notes
  • clear information.thanks for your slide show.
    here is a blog related to scam awareness http://scambaitings.blogspot.com/ .
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • It's very clear information about security. Thanks

    www.livedress.com
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total views
23,177
On SlideShare
0
From Embeds
0
Number of Embeds
357
Actions
Shares
0
Downloads
1,283
Comments
2
Likes
29
Embeds 0
No embeds

No notes for slide

Intro to Php Security

  1. 1. PHP Security Issues and Options West Suburban Chicago PHP Meetup August 2, 2007
  2. 2. Our Group Meets monthly ● Usually meets at Starbucks in Glen Ellyn ● http://php.meetup.com/381/ ●
  3. 3. Who is this handsome guy? Dave Ross BS in Computer Science ● Eight years development experience ● Six years e-commerce experience ● Currently working as a PHP developer ●
  4. 4. Who is this handsome guy? Dave Ross On the Internet since 1994 ● Using the web since 1995 ●
  5. 5. Reality Check “ More than half of identity theft cases are inside jobs, says Ms. Collins, who recently completed a study of 1,037 such cases.” - Judith Collins, associate criminal justice prof. at Michigan State University. Source: http://www.dallasnews.com/sharedcontent/dws/bus/ personalfinance/stories/060605dnbusidtheft.11c0c6 694.html
  6. 6. Not Insecure By Nature FACT: Almost all PHP programs are written for the web. The web is a nasty place.
  7. 7. Not Insecure By Nature FACT: PHP is free and easy to learn. PHP is attractive to amateurs who don't have training or experience in security
  8. 8. Not Insecure By Nature FACT: Apps considered insecure have PHP in their names. PHPbb, PHPNuke...
  9. 9. Not Insecure By Nature FACT: register_globals is evil What is this, 2001? (Disabled by default since PHP 4.1.0 -- December, 2001)
  10. 10. Common Attack Vectors Validation circumvention ● Code injection ● SQL injection ● Cookie injection ● Mail forms ● Cross-site Scripting (XSS) ● (This is NOT a complete list by ANY means)
  11. 11. Validation Circumvention Application might not be ● expecting invalid data Goal is to make the application ● blow up in an interesting way Put application in an invalid state? ● Reveal debugging info (database pw)? ●
  12. 12. Validation Circumvention Validation on the client side is ● good for the user Validation on the server side is ● good for security Who says you can't do both?
  13. 13. Validation Circumvention PHP provides functions for interrogating values is_int(), is_float(), is_bool(), ● is_finite() intval(), floatval(), doubleval() ● strlen(), strpos() ●
  14. 14. Code Injection Don't use parameters as parameters to something else (directly) $filename = $_REQUEST['message']; $message = file_get_contents($filename); print $message; This is ok: http://example.com/myscript.php?message=hello.txt But what if I do this?: http://example.com/myscript.php?message=passwords.cfg
  15. 15. Code Injection This is especially important for includes $module = $_REQUEST['module']; include(“lib/$module”); This is ok: http://example.com/cms?module=login.php But what if I do this?: http://example.com/cms?module=../passwords.ini
  16. 16. Code Injection Make sure the value is one you expected, if not...ERROR! $requestedModule = $_REQUEST['module']; switch($requestedModule) { case “login”: $module = “login”; break; case “logout”: $module = “logout”; break; default: $module = “error”; }
  17. 17. SQL Injection Kind of the same thing, but using SQL $numChildren = $_REQUEST['children']; $query = “UPDATE users SET children = $numChildren WHERE userID = 4”; $res = mysql_query($query); This is ok: http://example.com/user.php?children=2.5 But what if I do this?: http://example.com/user.php?children=2.5;DELETE FROM users;
  18. 18. SQL Injection PHP offers some functions to help prevent this attack: addslashes() ● mysql_real_escape_string() ● PEAR_MDB2 prepared statements ●
  19. 19. Cookie Injection Cookies are just files full of names and values. i.e. SESSION=18tsd338, username=dave What if I changed my username to “admin”? What if I set a cookie value “admin=true”?
  20. 20. Mail Forms Spammers don't know the meaning of “shame” Few mail servers are ● “open relays” anymore Exploit the way PHP talks to ● mail servers Add their own mail headers (To:, Bcc:) or ● entirely new messages
  21. 21. Mail Forms Look for the magic string ● “rnrn” in any parameter you pass to mail() (except the actual message) Be sure email addresses are ● formatted correctly – use preg_match() See June, 2007 issue of ● PHP|Architect
  22. 22. Cross-site Scripting If I can include HTML or a script in a page, I can make your browser pass a request to another site. <img src=”http://myspace.com? action=deleteMyAccount&really=yesPlease” width=”0” height=”0” />
  23. 23. Cross-site Scripting Nonce (n); the present, or immediate, occasion or purpose (origin: Middle English, 1150-1200) Cryptographic Nonce: A bit or string only used once. Put a hidden value in a form and ● remember it (put it in their session). PHP function uniqid() ● When the user submits that form, ● make sure the nonce matches what you sent them. Someone has to submit that same form (or know the ● nonce) for a valid request.
  24. 24. Tools PHPSecAudit ● http://developer.spikesource.com/projects/phpsecaudit/ Web Developer Toolbars ● Firefox: http://chrispederick.com/work/web-developer/ Internet Explorer 7: http://www.microsoft.com/downloads/details.aspx? FamilyID=E59C3964-672D-4511-BB3E-2D5E1DB91038 (Just google “IE7 web developer toolbar”) Firebug ● http://www.getfirebug.com/
  25. 25. PHPSecAudit Analyzing file: ./test.php . . . . . . The followings are function calls that need input sanitization: I. 1 ./test.php: 12, HIGH: exec Context: exec($module); Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.
  26. 26. Web Developer Toolbars View details about a page (HTML, ● CSS, Cookies, Javascript) View/change things you normally ● can't (CSS, Cookies, password fields)
  27. 27. Firebug View page as a tree of tags ● Edit page in the browser ● Edit field values ● Edit Javascript ●
  28. 28. Tools (Write these URLs down!) PHPSecAudit ● http://developer.spikesource.com/projects/phpsecaudit/ Web Developer Toolbars ● Firefox: http://chrispederick.com/work/web-developer/ Internet Explorer 7: http://www.microsoft.com/downloads/details.aspx? FamilyID=E59C3964-672D-4511-BB3E-2D5E1DB91038 (Just google “IE7 web developer toolbar”) Firebug ● http://www.getfirebug.com/
  29. 29. Going Forward Read PHP blogs/publications ● blog.php-security.org – PHP|Architect – Open Web Application Security – Project (OWASP) www.php.net/manual/en/security.php – PLAY! “What if I change this value?” ● Don't say “I'll go back and make ● it secure later.” Later never comes.
  30. 30. Picture Credit Lock graphic is “padlocks#3” ● by “sp4mdi55” http://www.flickr.com/photos/ ● ciderpunx/95777022/

×