Secure Web App Programming in PHP<br />Akash Mahajan v1.0<br />
Cross Site Scripting - XSS<br />Injecting HTML/JS into the site. <br />Non-persistent/Reflected/First Order<br />Script is...
XSS mitigation in PHP<br />Sanitize all globals ($_GET, $_POST, $_COOKIE)<br />Use strip_tags()<br />Use inpekt library co...
SQL Injection <br />Allowing SQL to be injected in the database query. <br />Most common attack point is the search of any...
SQL Injection - Mitigation<br />mysql_real_escape_string()<br />$dbquery = sprintf(“SELECT name FROM user WHERE id=‘%s’”, ...
File Uploads<br />Web apps add a directory in document root for storing file uploads and give write access. <br />They don...
File Uploads - Mitigation<br />The usual use case is uploading of image files. <br />Use getimageinfo() to get the correct...
Endgame<br />At this point you have reasonable ensured that your PHP web application is not compromised. <br />But the use...
Upcoming SlideShare
Loading in …5
×

Secure Programming In Php

6,392 views

Published on

Basic programming practices to ensure secure PHP web applications.

Published in: Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
6,392
On SlideShare
0
From Embeds
0
Number of Embeds
1,767
Actions
Shares
0
Downloads
0
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

Secure Programming In Php

  1. 1. Secure Web App Programming in PHP<br />Akash Mahajan v1.0<br />
  2. 2. Cross Site Scripting - XSS<br />Injecting HTML/JS into the site. <br />Non-persistent/Reflected/First Order<br />Script is taken from the request and displayed in the browser directly<br />example.com/search?q=&lt;script&gt;alert(‘hi’);&lt;/script&gt;<br />Example.com/index.php?lang=path to php shell <br />Persistent/Stored/Second Order<br />First name of a registration form is vuln and the value is stored in the database<br />Hello &lt;iframesrc=http://f1y.in/0.js&gt;&lt;/iframe&gt;<br />DOM Based<br />No example, mentioned by AmitKlien in his paper XSS of the Third Kind<br />
  3. 3. XSS mitigation in PHP<br />Sanitize all globals ($_GET, $_POST, $_COOKIE)<br />Use strip_tags()<br />Use inpekt library code.google.com/p/inspekt<br />Escape everything before displaying<br />htmlentities(), htmlspeciachars()<br />Client headers like user agent can be malicious as well. <br />Thumb rule, if its not your data consider it bad. If you can verify it, consider it trusted good data.<br />White listing helps in verifying good data more than black listing.<br />See examples at xssed.com <br />
  4. 4. SQL Injection <br />Allowing SQL to be injected in the database query. <br />Most common attack point is the search of any dynamic website and registration forms. These two will be definitely talking to the database. <br />$sql = &quot;SELECT * FROM table WHERE id = &apos;&quot; . $_REQUEST[&apos;id&apos;] . &quot;&apos;&quot;;<br />id = ‘ OR 1 UNION ALL SELECT * FROM table;<br />Excellent examples http://google.com/search?q=site:slideshare.net sql injection<br />
  5. 5. SQL Injection - Mitigation<br />mysql_real_escape_string()<br />$dbquery = sprintf(“SELECT name FROM user WHERE id=‘%s’”, mysql_real_escape_string(‘id’));<br />Parameterized queries<br />$res = $query(“SELECT name FROM user WHERE id=?”, $id);<br />Standard mysql module in PHP doesn’t allow for parameterized queries. You need mysqli<br /> Stored Procedures<br />See a kickass example of stored proc used to hack more than hundred thousand websites<br />http://www.breach.com/resources/breach-security-labs/alerts/mass-sql-injection-attack-evolutio<br />
  6. 6. File Uploads<br />Web apps add a directory in document root for storing file uploads and give write access. <br />They don’t randomize filenames. So a specially crafted image file which has PHP code written in it gets saved there. <br />The malicious user is now free to call it using a GET request and it gets executed. <br />http://www.scanit.be/uploads/php-file-upload.pdf<br />
  7. 7. File Uploads - Mitigation<br />The usual use case is uploading of image files. <br />Use getimageinfo() to get the correct mime type of the file from the file header.<br />Generate a random file name <br />$rand = time() . substr(md5(microtime()), 0, rand(5, 12));<br />Return $rand and append file extension<br />Ideally noexec permission should be set on the directory where files are copied to.<br />
  8. 8. Endgame<br />At this point you have reasonable ensured that your PHP web application is not compromised. <br />But the user connecting to your website are vulnerable to session hijacking, CSRF from your site etc.<br />There are work around to the standard PHP functions like this one for mysql_real_escape_strings()<br />http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string<br />

×