Web Applications Security (LAMP/PHP)
Transcript

  • 1. PHP web applications' security. Mohamed Almasry, CitPoint workshop, May 25, 2008
  • 2. Introduction
    • What Is Computer Security?
    • Why Absolute Computer Security Is Impossible
    • What Kinds of Attacks Are Web Applications Vulnerable To?
  • 3. How can some PHP features provide a malicious attacker with detailed information?
    • Register Globals
    • Error Reporting
  • 4. Principles
    • Defense in Depth
    • Least Privilege
    • Simple Is Beautiful
    • Minimize Exposure
  • 5. Practices
    • Balance Risk and Usability
    • Track Data
    • Filter Input
    • Escape Output
  • 6. PHP security in depth
    • Forms and URLs
    • Databases and SQL
    • Sessions and Cookies
    • Includes
    • Files and Commands
    • Authentication and Authorization
    • Shared Hosting
    • Configuration Directives
    • Functions
    • Cryptography
  • 7. Forms and Data
    • A user can send data to your application in three predominant ways:
      – In the URL (e.g., GET data)
      – In the content of a request (e.g., POST data)
      – In an HTTP header (e.g., Cookie)
  • 8. Forms and URLs
    • Forms and Data
    • Semantic URL Attacks
    • File Upload Attacks
    • Cross-Site Scripting
    • Cross-Site Request Forgeries
    • Spoofed Form Submissions
    • Spoofed HTTP Requests
  • 9. Databases and SQL
    • Exposed Access Credentials
    • SQL Injection
    • Exposed Data
  • 10. Sessions and Cookies
    • Cookie Theft
    • Exposed Session Data
    • Session Fixation
    • Session Hijacking
  • 11. Includes
    • Exposed Source Code
    • Backdoor URLs
    • Filename Manipulation
    • Code Injection
  • 12. Files and Commands
    • Traversing the Filesystem
    • Remote File Risks
    • Command Injection
  • 13. Authentication and Authorization
    • Brute Force Attacks
    • Password Sniffing
    • Replay Attacks
    • Persistent Logins
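The "Filter Input, Escape Output" practice from slide 5, applied to the three input channels named on slide 7 and to the XSS and SQL injection cases of slides 8 and 9. This is an added example and not code from the presentation; all function names are hypothetical, the request arrays are constructed, and `$pdo` is assumed to be an already opened PDO connection.

```php
<?php
declare(strict_types=1);

// Filter: accept only what a whitelist allows and drop everything else.
// Each key comes from one of the three channels: URL (GET), body (POST), header (Cookie).
function filterInput(array $get, array $post, array $cookie): array
{
    $clean = [];
    // GET: a numeric id from the URL, e.g. /profile.php?id=42
    if (isset($get['id']) && ctype_digit($get['id'])) {
        $clean['id'] = (int) $get['id'];
    }
    // POST: a username restricted to a small character set and length
    if (isset($post['username'])
        && preg_match('/^[a-zA-Z0-9_]{3,32}$/', $post['username']) === 1) {
        $clean['username'] = $post['username'];
    }
    // Cookie: a language preference that must match a fixed list, else a safe default
    $allowedLangs = ['en', 'fr', 'de'];
    $clean['lang'] = (isset($cookie['lang']) && in_array($cookie['lang'], $allowedLangs, true))
        ? $cookie['lang'] : 'en';
    return $clean;
}

// Escape for the HTML context so filtered data cannot become markup (slide 8, XSS).
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// For the SQL context, never interpolate: a prepared statement keeps the data
// separate from the query text (slide 9, SQL Injection).
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample request standing in for $_GET, $_POST and $_COOKIE.
// The username fails the whitelist and is left out of $clean; the unknown
// cookie value falls back to 'en'.
$clean = filterInput(['id' => '42'], ['username' => 'alice<script>'], ['lang' => 'xx']);
echo '<p>Hello, ' . escapeHtml($clean['username'] ?? 'guest') . '</p>';
```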