PHPUG Presentation
Presentation on securing PHP web applications given to Seattle PHP Users Group.
Presentation Transcript

  • Securing PHP Web Applications
    • Damon P. Cortesi, CISSP
    • Director @ Alchemy Security
    • Stats Nut | Security Geek | Builder of Tools
  • $ whoami
    • Security Consultant
    • Part-time Web Dev (PHP, Django, Rails)
    • Destroyer of Web Apps and Dual-Cores
  • <?=presoinfo();?>
    • Typical web application vulnerabilities
      • SQL Injection
      • Cross-Site Scripting
    • What to watch out for
    • How to secure your PHP apps
  • SQL Injection
    • $sql = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "' AND password = '" . $_POST['password'] . "'";
    • What if username is: dpc' or 'a'='a ?
    • ... username = 'dpc' or 'a'='a' ...
    • http://www.flickr.com/photos/tekalpha/94105897/
  • SQL Injection
    • Username: dpc
    • SELECT * FROM users WHERE username = 'dpc' AND password = 'apassword';
    • Username: dpc' OR 'A'='A
    • SELECT * FROM users WHERE username = 'dpc' OR 'A'='A' AND password = 'apassword';
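The login query from the two slides above, run both ways so the difference is visible. This is an added example, not code from the slides: it uses PDO with an in-memory SQLite database (assumes PHP 7+ with the pdo_sqlite extension) so it runs offline, and the single user row is constructed for the demonstration. Note that the slide's payload works because the attacker already knows a valid username: the OR clause only has to make the WHERE true for that row, and the password check is pushed into the other branch of the OR.

```php
<?php
// Added example (not from the slides): the slide's login query, vulnerable and
// fixed, against an in-memory SQLite database. Assumes PHP 7+ with pdo_sqlite.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT, password TEXT)');
    // Constructed sample row; a real application stores a password hash here.
    $db->exec("INSERT INTO users VALUES ('dpc', 'secret')");
    return $db;
}

// The slide's pattern: user input concatenated straight into the SQL text.
// With username  dpc' OR 'A'='A  the WHERE clause becomes
//   username = 'dpc' OR 'A'='A' AND password = '...'
// and AND binds tighter than OR, so the row matches on username alone.
function loginVulnerable(PDO $db, string $username, string $password): int {
    $sql = "SELECT * FROM users WHERE username = '" . $username .
           "' AND password = '" . $password . "'";
    return count($db->query($sql)->fetchAll());
}

// Fixed: the query structure is fixed at prepare() time and the values are
// bound separately, so the quote and OR in the input are just characters of
// a (non-existent) username.
function loginSafe(PDO $db, string $username, string $password): int {
    $stmt = $db->prepare(
        'SELECT * FROM users WHERE username = :u AND password = :p'
    );
    $stmt->execute([':u' => $username, ':p' => $password]);
    return count($stmt->fetchAll());
}

$db      = setupDb();
$payload = "dpc' OR 'A'='A";   // the injected username from the slide

// Wrong password on purpose: the concatenated query still returns dpc's row,
// the prepared statement returns nothing.
printf("vulnerable: %d row(s)\n", loginVulnerable($db, $payload, 'wrongpassword'));
printf("prepared:   %d row(s)\n", loginSafe($db, $payload, 'wrongpassword'));
```

The same prepare/execute shape is what the frameworks on the later "Better?" slide do underneath; the point is that the SQL string never contains user data.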
  • Cross-Site Scripting
    • User input re-displayed in browser and interpreted as HTML or ... JavaScript
    • My name is Damon"><script>alert('hi')</script>
    • Why is this bad?
      • Phishing
      • Cookie stealing
      • Arbitrary JavaScript execution...
  • XSS Example
    • Ability to spoof an entire site by including JavaScript from elsewhere
    • http://realsite.com/projects/search?q=test"><script src="http://badsite.com/evilphishingpage.js"></script>...
    • JavaScript can rewrite any DOM element...
  • Real-world Dangers
    • We live in an interactive web
  • So what?
    • I run a blog ... XSS me all day long ...
    • I DON’T CARE!
    • Fair enough.
    • Importance of security is directly proportional to level of risk.
    • Blog != Payment Gateway.
  • Coder for Hire?
    • Are you willing to put your company reputation at stake?
    • What type of apps are you building?
    • Where _might_ your code be used?
    • Themes? Plugins? include('wp_story');
  • Common Mitigations
    • “Increase your security by 80%, by fixing 20% of the problems.”
    • Input Sanitization and Validation
    • Data Encoding and Escaping
  • Sanitization/Encoding
    • SQL: mysql_real_escape_string() (the mysql_* extension has since been removed in PHP 7; prepared statements make escaping unnecessary)
    • HTML/XSS: htmlentities()
      • "<b>Damon</b> >> &quot;&lt;b&gt;Damon&lt;/b&gt;
      • Beware encoding
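An escaping helper for the two places the XSS slides put user input (HTML body text and a quoted attribute value), as an added example that is not from the slides. It uses htmlspecialchars() with an explicit charset, which is the "beware encoding" point: the function has to know the output encoding to reject or substitute invalid byte sequences rather than letting them through. The helper name `e()` and the input markup are this example's own; it assumes PHP 5.4 or later.

```php
<?php
// Added example (not from the slides): output escaping for HTML text and
// double-quoted attribute values. Assumes PHP 5.4+.

// ENT_QUOTES converts both " and ' so the result is safe inside either kind
// of quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD
// instead of returning an empty string; the explicit charset is the
// "beware encoding" point. This is for HTML contexts only: inside a <script>
// block use json_encode(), inside a URL use rawurlencode().
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The name payload from the XSS slide.
$name = 'Damon"><script>alert(\'hi\')</script>';

// Vulnerable: raw interpolation closes the value="..." attribute, closes the
// <input> tag, and starts a <script> element.
$vulnerable = '<input type="text" name="name" value="' . $name . '">';

// Fixed: " < > become &quot; &lt; &gt;, so the browser sees one attribute
// value and no new elements.
$fixed = '<input type="text" name="name" value="' . e($name) . '">';

// The same helper covers body text, the slide's "My name is ..." case.
$greeting = '<p>My name is ' . e($name) . '</p>';

echo "vulnerable: $vulnerable\n";
echo "fixed:      $fixed\n";
echo "body text:  $greeting\n";
```

Escaping belongs at output time, in the template, and the rule is one escaping function per output context; the slide's later advice to "use an output library that automatically escapes" is the way to make that the default rather than something each developer remembers.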
  • Input Sanitization Fail
    • exec(mysql_escape_string($_GET['var']))
      • Problem #1: mysql_escape_string is deprecated.
      • Problem #2: MySQL escape does not make it safe for exec().
    • ?? preg_match("/.jpe?g$/i", $var)
    exec("convert '" . mysql_escape_string($path) . "' /tmp/'" . mysql_escape_string(basename($path)) . "'.png");
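The convert command from the slide, rebuilt with shell-appropriate escaping, as an added example that is not from the slides. Two things change. Validation comes first and is strict: the slide's regex has an unescaped dot and no anchor at the start, so it accepts any name that merely ends in jpg, including names with `../`, spaces or shell metacharacters. Escaping then uses escapeshellarg(), which quotes for /bin/sh; mysql_escape_string() puts a backslash before a quote, which the shell does not honour inside single quotes, so a quote in the file name ends the argument early. The upload directory and the `validImageName`/`buildConvertCommand` names are this example's assumptions; it assumes PHP 7+.

```php
<?php
// Added example (not from the slides): the slide's convert command with the
// file name validated and escaped for the shell rather than for MySQL.
// Assumes PHP 7+ and an (assumed) upload directory /var/www/uploads.

const UPLOAD_DIR = '/var/www/uploads';

// Accept only a bare file name of safe characters with a .jpg/.jpeg extension.
// \A and \z anchor both ends (unlike $, \z does not match before a trailing
// newline) and the dot is escaped, unlike the slide's /.jpe?g$/i.
function validImageName(string $name): bool {
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.jpe?g\z/i', $name) === 1;
}

// escapeshellarg() wraps the argument in single quotes and escapes embedded
// quotes the way sh expects, so the name can only ever be one argument.
function buildConvertCommand(string $name): string {
    if (!validImageName($name)) {
        throw new InvalidArgumentException('unexpected file name');
    }
    $src = UPLOAD_DIR . '/' . $name;
    $dst = '/tmp/' . pathinfo($name, PATHINFO_FILENAME) . '.png';
    return 'convert ' . escapeshellarg($src) . ' ' . escapeshellarg($dst);
}

// $_GET['var'] as on the slide; the fallback only exists so this runs from the CLI.
$var = $_GET['var'] ?? "photo.jpg";

try {
    $cmd = buildConvertCommand($var);
    echo $cmd, "\n";
    // exec($cmd, $output, $status);   // run the command once the string is right
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Try it with `var=photo.jpg` and then with `var=x';id;'.jpg` or `var=../etc/passwd.jpg`: the first builds a quoted command, the others are rejected before any escaping happens. Validation narrows the input to what the program actually expects; escaping is the safety net for what remains.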
  • Better?
    • Instead of dynamically constructing SQL queries...use a framework.
      • CodeIgniter, CakePHP, Zend
    • Or build a db.inc.php (but not a db.inc).
    • Use an output library that automatically escapes.
  • Server-Side Checks
    • Client-side code can be modified
      • HTTP Proxies
      • Toolbars
      • Super-hack “save to disk” & modify
    • Validate all user input with server-side code
  • Bug Hunting
    • Data Inputs
      • $_GET, $_POST, $_REQUEST
      • $_SERVER['QUERY_STRING']
      • $_SERVER['PHP_SELF']
      • $_COOKIE
    • Shell commands: exec()
  • Cross-Site Request Forgery
    • Let’s Google for “javascript are you sure?”
    • First result (circa 2006) is susceptible to CSRF (and probably SQL Injection).
    • What is this CSRF?
  • GET CSRF
    • delete.php?id=123
    • An action that modifies data, called via HTTP GET (the HTTP spec reserves GET for safe, side-effect-free requests).
    • <img src="http://x.com/delete.php?id=123" />
  • POST CSRF
    • Only difference: JavaScript required to automate the attack.
    <form name="csrf" action="http://x.com/delete.php" method="POST">
      <input type="hidden" name="id" value="123">
    </form>
    <script>document.csrf.submit()</script>
  • CSRF in Action
  • Fixing CSRF
    • Do not modify data using GET
    • Use tokens on all form POSTs
      • per-session
      • per-form
      • Up to you - convenience vs. security
  • Other Protections
    • Secure Cookie Flag
      • The browser sends the cookie only over HTTPS connections
    • HttpOnly Cookie Flag
      • Can't be read from JavaScript (document.cookie), so a successful XSS cannot steal it
    • Use innerText, not innerHTML
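A per-session CSRF token (the "Fixing CSRF" slide) together with the cookie flags from this slide, as one added example that is not from the slides. The token is generated with random_bytes(), stored in the session, emitted in a hidden field, and checked with hash_equals() on every POST; the forged form from the "POST CSRF" slide cannot include it because the attacker's page cannot read the victim's session. Assumptions: PHP 7.3+ (for the array form of session_set_cookie_params()), a `/delete.php` handler and the field and function names used here. The SameSite attribute goes beyond the slide; it is a later browser feature that makes the browser withhold the session cookie from cross-site form posts, which is a second, independent defence against the same attack.

```php
<?php
// Added example (not from the slides): Secure/HttpOnly session cookie plus a
// per-session CSRF token checked on every POST. Assumes PHP 7.3+.

// Session cookie flags: Secure (HTTPS only), HttpOnly (not readable via
// document.cookie). SameSite=Strict is an addition beyond the slide: the
// browser will not attach the cookie to a form posted from another site.
session_set_cookie_params([
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// One token per session, created on first use. A "per-form" variant would key
// the token by form name; the slide leaves that trade-off to you.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// hash_equals() compares in constant time, so an attacker cannot recover the
// token byte by byte from response timing.
function csrfTokenValid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// The legitimate delete form carries the token in a hidden field; the forged
// <form name="csrf"> on the POST CSRF slide cannot supply it.
function renderDeleteForm(int $id): string {
    return '<form action="/delete.php" method="POST">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">'
         . '<button type="submit">Delete</button>'
         . '</form>';
}

// Handler: data changes only on POST ("do not modify data using GET"), and
// only when the token matches. The REQUEST_METHOD fallback is for CLI runs.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfTokenValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit("invalid CSRF token\n");
    }
    // deleteRecord((int)$_POST['id']);   // the real data change goes here
    echo "deleted\n";
} else {
    echo renderDeleteForm(123), "\n";
}
```

Two things worth checking in your own code against this: the token must be compared against the session copy, not against a second cookie or hidden field the attacker also controls, and the check must run before the data change, not after logging or redirecting.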
  • 3rd Party Plugins
    • Need a plugin or specific function?
    • Google. Download. Hackhack. It works!
    • Is that code secure? (See prev. CSRF)
  • Server Config
    • Not always some über-technical sploit...
    • /phpMyAdmin unprotected?
    • demo/demo password
    • Email on confirmation page
  • Location: $references
    • Chris Shiflett: http://shiflett.org/
      • Essential PHP Security
    • PHP Manual: http://www.php.net/manual/en/security.php
    • Disable register_globals
      • Disabled by default since PHP 4.2.0 (removed entirely in PHP 5.4)
    • http://www.owasp.org/index.php/PHP_Top_5
    • http://startupsecurity.info
  • Thanks
    • [email_address]
    http://xkcd.com/327/