Intro to PHP Security
Basic overview of PHP security for a local Meetup group

Published in: Technology
Slide 1: PHP Security Issues and Options
West Suburban Chicago PHP Meetup, August 2, 2007

Slide 2: Our Group
● Meets monthly
● Usually meets at Starbucks in Glen Ellyn

Slide 3: Who is this handsome guy? Dave Ross
● BS in Computer Science
● Eight years development experience
● Six years e-commerce experience
● Currently working as a PHP developer

Slide 4: Who is this handsome guy? Dave Ross
● On the Internet since 1994
● Using the web since 1995

Slide 5: Reality Check
"More than half of identity theft cases are inside jobs, says Ms. Collins, who recently completed a study of 1,037 such cases."
- Judith Collins, associate criminal justice prof. at Michigan State University.
Source: personalfinance/stories/060605dnbusidtheft.11c0c6 694.html
Slide 6: Not Insecure By Nature
FACT: Almost all PHP programs are written for the web.
The web is a nasty place.

Slide 7: Not Insecure By Nature
FACT: PHP is free and easy to learn.
PHP is attractive to amateurs who don't have training or experience in security.

Slide 8: Not Insecure By Nature
FACT: Apps considered insecure have PHP in their names.
PHPbb, PHPNuke...

Slide 9: Not Insecure By Nature
FACT: register_globals is evil.
What is this, 2001? (Disabled by default since PHP 4.1.0, December 2001)
Slide 10: Common Attack Vectors
● Validation circumvention
● Code injection
● SQL injection
● Cookie injection
● Mail forms
● Cross-site Scripting (XSS)
(This is NOT a complete list by ANY means)

Slide 11: Validation Circumvention
● Application might not be expecting invalid data
● Goal is to make the application blow up in an interesting way
● Put application in an invalid state?
● Reveal debugging info (database pw)?

Slide 12: Validation Circumvention
● Validation on the client side is good for the user
● Validation on the server side is good for security
Who says you can't do both?

Slide 13: Validation Circumvention
PHP provides functions for interrogating values:
● is_int(), is_float(), is_bool(), is_finite()
● intval(), floatval(), doubleval()
● strlen(), strpos()
Slide 14: Code Injection
Don't use parameters as parameters to something else (directly)

    $filename = $_REQUEST['message'];
    $message = file_get_contents($filename);
    print $message;

This is ok:
But what if I do this?:

Slide 15: Code Injection
This is especially important for includes

    $module = $_REQUEST['module'];
    include("lib/$module");

This is ok:
But what if I do this?:

Slide 16: Code Injection
Make sure the value is one you expected, if not...ERROR!

    $requestedModule = $_REQUEST['module'];
    switch($requestedModule) {
        case "login":
            $module = "login";
            break;
        case "logout":
            $module = "logout";
            break;
        default:
            $module = "error";
    }
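The allowlist on slide 16 and the interrogation functions on slide 13, put together in one request handler. This is an added example, not code from the slides; the module names, file paths and function names are assumed for illustration.

```php
<?php
// Added example, not from the slides: validate request values (slide 13's
// is_*/intval() family) and allowlist anything that becomes a path for
// include() (slide 16). Function and file names are assumed for illustration.

// The client may choose a key; the path on the right is ours, never theirs.
$allowedModules = [
    'login'  => 'lib/login.php',
    'logout' => 'lib/logout.php',
];

function resolveModule(array $allowed, $requested)
{
    // Exact, known keys only. "../../etc/passwd", "http://...", an array
    // (?module[]=x) or an empty string all fall through to the error module.
    if (is_string($requested) && array_key_exists($requested, $allowed)) {
        return $allowed[$requested];
    }
    return 'lib/error.php';
}

function resolveChildren($raw)
{
    // Accept only a short run of digits and return it as an int. intval()
    // alone would silently turn "4;DELETE FROM users;" into 4 and "" into 0,
    // so the check happens before the conversion, not instead of it.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 2) {
        return null;
    }
    return intval($raw);
}

$module = resolveModule($allowedModules, $_REQUEST['module'] ?? '');
include $module;   // the included path is never built from raw request data

$children = resolveChildren($_REQUEST['children'] ?? '');
if ($children === null) {
    // Fail closed with a generic message so no stack trace or database
    // password (slide 11's "reveal debugging info") reaches the client.
    http_response_code(400);
    exit('Invalid request');
}
```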
Slide 17: SQL Injection
Kind of the same thing, but using SQL

    $numChildren = $_REQUEST['children'];
    $query = "UPDATE users SET children = $numChildren WHERE userID = 4";
    $res = mysql_query($query);

This is ok:
But what if I do this?: ;DELETE FROM users;

Slide 18: SQL Injection
PHP offers some functions to help prevent this attack:
● addslashes()
● mysql_real_escape_string()
● PEAR MDB2 prepared statements
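The slide 17 UPDATE, first as the vulnerable string-built query and then with a prepared statement. This is an added example, not from the slides; it uses PDO rather than the mysql_* functions or PEAR MDB2 named on slide 18, and the DSN and credentials are placeholders.

```php
<?php
// Added example, not from the slides. PDO stands in for mysql_query() and
// PEAR MDB2; connection details are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares

// VULNERABLE (the slide's code): the request value becomes part of the SQL
// text, so children=";DELETE FROM users;" rewrites the statement itself.
function updateChildrenUnsafe(PDO $pdo, $numChildren, $userID)
{
    $query = "UPDATE users SET children = $numChildren WHERE userID = $userID";
    return $pdo->exec($query);
}

// SAFE: the statement is compiled with placeholders and the values travel
// separately, so they can only ever be data, never SQL.
function updateChildrenSafe(PDO $pdo, $numChildren, $userID)
{
    // Check the type too (slide 13): an integer column gets an int.
    if (!is_int($numChildren) || $numChildren < 0 || !is_int($userID)) {
        throw new InvalidArgumentException('children and userID must be non-negative ints');
    }
    $stmt = $pdo->prepare('UPDATE users SET children = :children WHERE userID = :id');
    $stmt->bindValue(':children', $numChildren, PDO::PARAM_INT);
    $stmt->bindValue(':id', $userID, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Note on slide 18's escaping functions: mysql_real_escape_string() only
// protects values inside quoted string literals. The slide's column is a bare
// number, and ";DELETE FROM users;" contains nothing that escaping changes,
// which is why type validation plus placeholders is the fix here.
$raw = $_REQUEST['children'] ?? '';
$children = (is_string($raw) && ctype_digit($raw)) ? (int) $raw : null;
if ($children === null) {
    http_response_code(400);
    exit('Invalid request');
}
updateChildrenSafe($pdo, $children, 4);
```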
Slide 19: Cookie Injection
Cookies are just files full of names and values, e.g. SESSION=18tsd338, username=dave
What if I changed my username to "admin"?
What if I set a cookie value "admin=true"?

Slide 20: Mail Forms
Spammers don't know the meaning of "shame"
● Few mail servers are "open relays" anymore
● Exploit the way PHP talks to mail servers
● Add their own mail headers (To:, Bcc:) or entirely new messages

Slide 21: Mail Forms
● Look for the magic string "\r\n\r\n" in any parameter you pass to mail() (except the actual message)
● Be sure email addresses are formatted correctly – use preg_match()
● See June, 2007 issue of PHP|Architect
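The two checks on slide 21 applied to a contact form before mail() is called. This is an added example, not from the slides; the function names, form field names and recipient address are assumed. It rejects any bare CR or LF rather than only the "\r\n\r\n" sequence, since a single line break is already enough to start a new header.

```php
<?php
// Added example, not from the slides. Function and field names are my own.

// True if a value could smuggle extra header lines, or a second message body
// ("\r\n\r\n" ends the headers), into what mail() hands to the mail server.
function hasHeaderInjection($value)
{
    return !is_string($value) || preg_match('/[\r\n]/', $value) === 1;
}

function isValidEmail($value)
{
    // Slide 21: check the address format with preg_match(). A deliberately
    // conservative pattern: one local part, one @, a dotted domain, and no
    // spaces, angle brackets, commas or line breaks (so no "a@x.com, b@y.com").
    return is_string($value)
        && strlen($value) <= 254
        && preg_match('/^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/', $value) === 1;
}

function sendContactForm(array $form)
{
    $from    = $form['email']   ?? '';
    $subject = $form['subject'] ?? '';
    $message = $form['message'] ?? '';

    // Every parameter that ends up in a header is checked; the body may
    // contain line breaks, as the slide says.
    if (!isValidEmail($from) || hasHeaderInjection($subject) || !is_string($message)) {
        return false;
    }

    $headers = "From: $from\r\n"
             . "Reply-To: $from\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";

    // The recipient is fixed server-side: the client never chooses To:, Cc: or Bcc:.
    return mail('webmaster@example.com', $subject, $message, $headers);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && !sendContactForm($_POST)) {
    http_response_code(400);
    exit('Invalid form submission');
}
```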
Slide 22: Cross-site Scripting
If I can include HTML or a script in a page, I can make your browser pass a request to another site.

    <img src=" action=deleteMyAccount&really=yesPlease" width="0" height="0" />

Slide 23: Cross-site Scripting
Nonce (n): the present, or immediate, occasion or purpose (origin: Middle English, 1150-1200)
Cryptographic Nonce: A bit or string only used once.
● Put a hidden value in a form and remember it (put it in their session). PHP function uniqid()
● When the user submits that form, make sure the nonce matches what you sent them.
● Someone has to submit that same form (or know the nonce) for a valid request.
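The nonce scheme of slide 23 in full: issue, store in the session, verify on submit. The hidden-image request on slide 22 is what is now called cross-site request forgery (CSRF), and a per-form nonce is its standard defence. This is an added example, not from the slides; the function and form names are my own, and random_bytes() (PHP 7) replaces the slide's uniqid(), whose output is derived from the clock and is guessable.

```php
<?php
// Added example, not from the slides. Function and form names are my own.
session_start();

function issueNonce($formName)
{
    $nonce = bin2hex(random_bytes(16));          // 128 random bits, unguessable
    $_SESSION['nonces'][$formName] = [
        'value'   => $nonce,
        'expires' => time() + 3600,              // valid for one hour
    ];
    return $nonce;
}

function verifyNonce($formName, $submitted)
{
    $stored = $_SESSION['nonces'][$formName] ?? null;
    unset($_SESSION['nonces'][$formName]);       // used once, even on failure

    if ($stored === null || !is_string($submitted) || $stored['expires'] < time()) {
        return false;
    }
    // Constant-time comparison so a mismatch can't be timed byte by byte.
    return hash_equals($stored['value'], $submitted);
}

// Rendering the form: the nonce goes in a hidden field. It is escaped with
// htmlspecialchars() so this page can't itself become an XSS vector.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $nonce = htmlspecialchars(issueNonce('deleteAccount'), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">'
       . '<input type="hidden" name="nonce" value="' . $nonce . '">'
       . '<button type="submit">Delete my account</button></form>';
    exit;
}

// Handling the submission. The slide's hidden <img> can only send a GET and
// carries no nonce; a form planted on another site can't read this session's
// nonce either, so both stop here.
if (!verifyNonce('deleteAccount', $_POST['nonce'] ?? null)) {
    http_response_code(403);
    exit('Invalid or missing form token');
}
// ... perform the account deletion for the logged-in user ...
```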
Slide 24: Tools
● PHPSecAudit
● Web Developer Toolbars
  Firefox:
  Internet Explorer 7: FamilyID=E59C3964-672D-4511-BB3E-2D5E1DB91038 (Just google "IE7 web developer toolbar")
● Firebug

Slide 25: PHPSecAudit

    Analyzing file: ./test.php
    . . . . . .
    The followings are function calls that need input sanitization:
    I. 1 ./test.php: 12, HIGH: exec
    Context: exec($module);
    Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.

Slide 26: Web Developer Toolbars
● View details about a page (HTML, CSS, Cookies, Javascript)
● View/change things you normally can't (CSS, Cookies, password fields)

Slide 27: Firebug
● View page as a tree of tags
● Edit page in the browser
● Edit field values
● Edit Javascript

Slide 29: Going Forward
● Read PHP blogs/publications
  – PHP|Architect
  – Open Web Application Security Project (OWASP)
● PLAY! "What if I change this value?"
● Don't say "I'll go back and make it secure later." Later never comes.

Slide 30: Picture Credit
● Lock graphic is "padlocks#3" by "sp4mdi55"
● ciderpunx/95777022/