PHP Security
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

PHP Security

on

  • 41,027 views

Mugdha & Anish - PHP Security

Mugdha & Anish - PHP Security

Statistics

Views

Total Views
41,027
Views on SlideShare
38,763
Embed Views
2,264

Actions

Likes
90
Downloads
3,134
Comments
13

75 Embeds 2,264

http://www.techgig.com 509
http://www.bookzingr.com 302
http://www.masteritsecurity.com 227
http://www.weebly.com 182
http://www.mrkindy.com 152
http://seguridad-informacion.blogspot.com 135
http://localhost 78
http://www.slideshare.net 67
http://www.istudyiwin.com 59
http://masteritsecurity.weebly.com 47
http://lampsailesh.blogspot.in 43
http://www.blogdopedro.net 40
http://techvideos.humourbox.info 40
http://www.moraga.com.br 35
http://lampsailesh.blogspot.com 26
http://karim.byethost5.com 24
http://www.createwebsite.info 22
http://mrkindy.com 22
http://websites.networksolutions.com 21
http://seguridad-informacion.blogspot.mx 20
http://10.150.200.57 20
http://evolvebeyondmoney.com 19
http://livebuzz.com.br 17
http://blog.sailesh.in 12
http://asklife.info 11
http://www.cirip.ro 11
http://www.evolvebeyondmoney.com 10
http://10.211.55.6 9
http://www.nexen.net 7
http://phpv.spb.ru 6
http://www.sharesnack.com 6
http://onwebdev.blogspot.com 6
http://zeta 6
http://www.schoox.com 5
http://ensemble-beta.cc.vt.edu 4
http://seguridad-informacion.blogspot.com.es 4
http://seguridad-informacion.blogspot.com.ar 4
http://slidestudy.jp 3
http://www.php.rk.edu.pl 3
http://sireesh.blog.co.in 3
http://static.slidesharecdn.com 3
http://www.mashme.tv 2
http://s3.amazonaws.com 2
http://dev.monqi.com.br 2
http://www.anyblabla.com 2
http://ilveroblog.wordpress.com 2
http://10.150.200.102 2
http://phpsnake.net 2
http://inmyfield.nsdesign2.net 2
http://kurataka.com 2
More...

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

15 of 13 Post a comment

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

PHP Security Presentation Transcript

  • 1. . Training Presented By : Anish & Mugdha Value One InfoTech Pvt. Ltd.
  • 2. . Training
    • Importance of PHP Security
    • Concerns of PHP Security
            • Input Validation
            • Cross-Site Scripting
            • SQL Injection
            • Code Injection
            • Session Security
            • Shared Hosting
    Topics of Discussion
  • 3. . Training
    • PHP is widely used language for web applications
    • PHP is making headway into enterprise as well as corporate
    • markets.
    • Most effective & often overlooked measure to prevent malicious
    • users
    • PHP applications often end up working with sensitive data.
    Importance of PHP Security
  • 4. . Training INPUT VALIDATION
  • 5. . Training
    • All user inputs are unreliable and can’t be trusted.
    • Need for validating any user input before use :
        • Unexpected Modification by the user
        • Intentional attempt to gain unauthorized access to the
        • application
        • Attempt to crash the application by the malicious users
    Input Validation
  • 6. . Training
    • Most common source of vulnerabilities in PHP applications.
    • Any input parameters are translated to variables :-
    • ?foo=bar >> $foo = “bar”;
    • No way to determine the input source.
        • Prioritized sources like cookies can overwrite GET values.
    • When register global is set ON, un-initialized variables can be “injected” via user inputs.
    Register Globals
  • 7. . Training
    • Disable register_globals in PHP.ini ( Disabled by-default as of PHP 4.2.0 )
    • Alternative to Register Global : SUPER GLOBALS
      • $_GET – data from get requests.
      • $_POST – post request data.
      • $_COOKIE – cookie information.
      • $_FILES – uploaded file data.
      • $_SERVER – server data
      • $_ENV – environment variables
      • $_REQUEST – mix of GET, POST, COOKIE
    Solutions To Register Globals
  • 8. . Training
    • Type sensitive validation conditions.
      • Because input is always a string, type sensitive compare to a Boolean or an integer will always fail.
    • Example
    • if ($authorized === TRUE)
    • {
      • // LOGIN SUCCESS
      • }
    Contd…
  • 9. . Training
    • Code with error_reporting set to E_ALL.
      • Allows you to see warnings about the use of un-initialized
      • variables.
    • Use of constants
      • Created via define() function
      • Once set, remains defined until end of request
      • Can be made case-insensitive to avoid accidental access to a
      • different datum caused by case variance.
    Contd…
  • 10. . Training
    • Suffers from the loss of data problem, caused when the same parameter is provided by multiple input sources.
    • PHP.ini: variables_order = GPCS (Last data source has highest priority)
    • Example
      • echo $_GET['id']; // 1
        • echo $_COOKIE['id']; // 2
        • echo $_REQUEST['id']; // 2
    • Use the input method-specific superglobals intead of $_REQUEST
    Cons of $ REQUEST
  • 11. . Training
    • All data passed to PHP (GET/POST/COOKIE) ends up being a string. Using strings where integers are needed is not only inefficient but also dangerous.
    • Casting is a simple and very efficient way to ensure that variables contain numeric values.
    • Example of floating point number validation
    • if (!empty($_GET['price'])) {
    • $price = (float) $_GET['price'];
    • } else $price = 0;
    Numeric Data Validation
  • 12. . Training
    • PHP comes with a ctype, extension that offers a very quick mechanism for validating string content.
        • if (!ctype_alnum($_GET['login'])) {
        • echo "Only A-Za-z0-9 are allowed.";
        • }
        • if (!ctype_alpha($_GET['captcha'])) {
        • echo "Only A-Za-z are allowed.";
        • }
        • if (!ctype_xdigit($_GET['color'])) {
        • echo "Only hexadecimal values are allowed";
        • }
    String Validation
  • 13. . Training
    • What are Magic Quotes ??
    • Problems associated with it !!
    • How to deal with it ??
    Using Magic Quotes
  • 14. . Training XSS
  • 15. . Training
    • Cross Site Scripting (XSS) is a situation where by attacker injects HTML code, which is then displayed on the page without further validation.
      • Can lead to embarrassment
      • Session take-over
      • Password theft
      • User tracking by 3rd parties
    Cross Site Scripting (XSS)
  • 16. . Training
    • Prevention of XSS is as simple as filtering input data via one of
    • the following:
      • htmlspecialchars()
      • Encodes ‘, “, <, >, &
      • htmlentities()
      • Convert anything that there is HTML entity for.
      • strip_tags()
      • Strips anything that resembles HTML tag.
      • Tag allowances in strip_tags() are dangerous, because attributes of those tags are not being validated in any way.
    Preventing XSS
  • 17. . Training
    • $str = strip_tags($_POST['message']);
    • // encode any foreign & special chars
    • $str = htmlentities($str);
    • // strip tags can be told to &quot;keep&quot; certain tags
    • $str = strip_tags($_POST['message'], '<b><p><i><u>');
    • // tag allowance problems
        • <u onmouseover=&quot;alert('JavaScript is allowed');&quot;>
        • <b style=&quot;font-size: 500px&quot;>Lot's of text</b>
        • </u>
    Preventing XSS
  • 18. . Training SQL Injection
  • 19. . Training
    • SQL injection is similar to XSS, in the fact that not validated data
    • is being used. But in this case this data is passed to the database.
      • Arbitrary query execution
        • Removal of data.
        • Modification of existing values.
        • Denial of service.
        • Arbitrary data injection.
    • // consider this query, it will delete all records from users
    • $name = “mugdha’; DELETE FROM users;”;
    • mysql_query(“SELECT * FROM users WHERE name =’{$name}’”);
    SQL Injection
  • 20. . Training
    • If your database extension offers a specific escaping function then always use it; instead of other methods
      • MySQL
        • mysql_escape_string()
        • mysql_real_escape_string()
      • PostgreSQL
        • pg_escape_string()
        • pg_escape_bytea()
      • SQLite
        • sqlite_escape_string()
    SQL Escaping
  • 21. . Training SQL Escaping in Practice
    • // undo magic_quotes_gpc to avoid double escaping
    • if (get_magic_quotes_gpc()) {
    • $_GET['name'] = stripslashes($_GET['name'];
    • $_POST['binary'] = stripslashes($_GET['binary']);
    • }
    • $name = pg_escape_string($_GET['name']);
    • $binary = pg_escape_bytea($_POST['binary']);
    • pg_query($db, &quot;INSERT INTO tbl (name,image)
    • VALUES('{$name}', '{$image}')&quot;);
  • 22. . Training
    • When un-quoted integers are passed to SQL queries, escaping functions won’t save you, since there are no special chars to escape.
    • http://example.com/db.php?id=0;DELETE%20FROM%20users
    • <?php
      • $id = sqlite_escape_string($_GET['id']);
      • // $id is still 0;DELETE FROM users
      • sqlite_query($db,&quot;SELECT * FROM users WHERE id={$id}&quot;);
      • // Bye Bye user data...
    • ?>
    Escaping Shortfall
  • 23. . Training
    • Prepared statements are a mechanism to secure and optimize execution of repeated queries.
    • Works by making SQL “compile” the query and then substitute in the changing values for each execution.
      • Increased performance, one compile vs one per query.
      • Better security, data is “type set” will never be evaluated as
      • separate query.
      • Supported by most database systems.
    • MySQL users will need to use version 4.1 or higher.
    • SQLite extension does not support this either.
    Prepared Statements
  • 24. . Training
    • <?php
    • $data = &quot;Here is some text to index&quot;;
    • pg_query($db, &quot;PREPARE my_stmt (text) AS
    • INSERT INTO search_idx (word) VALUES($1)&quot;);
    • foreach (explode(&quot; &quot;, $data) as $word) { // no is escaping needed
    • pg_query($db, &quot;EXECUTE my_stmt({$word})&quot;);
    • }
    • // de-allocte the prepared statement
    • pg_query($db, &quot;DEALLOCATE my_stmt&quot;);
    • ?>
    • Unless explicitly removed, prepared statements “stay alive”
    • between persistent connections.
    Prepared Statements
  • 25. . Training Code Injection
  • 26. . Training
    • Code Injection is the execution of arbitrary local or remote code.
    • The two of the most common sources of code injection are:
      • Dynamic paths/files used in require/include statements
      • eval(): A major source of code injection is the improper validation of eval().
    Code Injection
  • 27. . Training
    • Avoid using dynamic or relative paths/files in your code. Although somewhat less convenient; always use full paths, defined by constants, which will prevent attacks like these:
    • <?php
      • //dynamic path
      • $_GET['path'] = ‘http://bad_site.org’;
      • include &quot;{$_GET['path']}/header.inc&quot;;
      • //dynamic file
      • $_GET[‘interface’] = ‘../../../../../etc/passwd’;
    • require‘home/mbr/profile/templates_c/interfaces/’.$_GET[‘interface’];
    • ?>
    • There are some other ways to secure include or require calls...
    Code Injection Prevention
  • 28. . Training
    • work with a white-list of acceptable values.
    • //create an array of acceptable file names
      • $tmpl = array();
      • foreach(glob(&quot;templates/*.tmpl&quot;) as $v) {
      • $tmpl[md5($v)] = $v;
      • }
      • if (isset($tmpl[$_GET['path']])) {
      • $fp = fopen($tmpl[$_GET['path']], &quot;r&quot;);
      • }
    Code Injection Prevention
  • 29. . Training Session Security
  • 30. . Training
    • Sessions are a common tool for user tracking across a web site.
    • For the duration of a visit, the session is effectively the user’s identity.
    • If an active session can be obtained by 3rd party, it can assume the identity of the user who’s session was compromised.
    Session Security
  • 31. . Training
    • To prevent session id theft, the id can be altered on every request, invalidating old values.
      • <?php
        • session_start();
        • if (!empty($_SESSION)) { // not a new session
        • session_regenerate_id(TRUE); // make new session id
        • }
      • ?>
    • Because the session changes on every request, the “back” button
    • in a browser will no longer work, as it will make a request with
    • the old session id.
    Securing Session ID
  • 32. . Training
    • Another session security technique is to compare the browser signature headers.
      • session_start();
      • $chk = @md5(
          • $_SERVER['HTTP_ACCEPT_CHARSET'] .
          • $_SERVER['HTTP_ACCEPT_ENCODING'] .
          • $_SERVER['HTTP_ACCEPT_LANGUAGE'] .
          • $_SERVER['HTTP_USER_AGENT']);
      • if (empty($_SESSION))
      • $_SESSION['key'] = $chk;
      • else if ($_SESSION['key'] != $chk)
      • session_destroy();
    Session Validation
  • 33. . Training
    • By default PHP sessions are stored as files inside the common /
    • tmp directory.
    • This often means any user on the system could see active sessions and “acquire” them or even modify their content.
    • Solutions?
        • Separate session storage directory via
        • session.save_path
        • Database storage mechanism, mysql, pgsql, oci, sqlite.
        • Custom session handler allowing data storage anywhere.
    Safer Session Storage
  • 34. . Training Shared Hosting
  • 35. . Training
    • Most PHP applications run in shared environments where all
    • users “share” the same web server instances.
    • This means that all files that are involved in serving content must
    • be accessible to the web server (world readable).
    • Consequently it means that any user could read the content of files of all other users.
    Shared Hosting
  • 36. . Training
    • PHP’s solution to this problem are 2 php.ini directives.
    • open_basedir – limits file access to one or more specified directories.
      • Relatively Efficient.
      • Uncomplicated.
    • safe_mode – limits file access based on uid/gid of running script
    • and file to be accessed.
      • Slow and complex approach.
      • Can be bypassed with little effort.
    The PHP Solution
  • 37. . Training
        • php|architect’s Guide to PHP Security
            • By Ilia Alshanetsky
        • Essential PHP Security
            • By Chris Shiflett
    References
  • 38. . Training