Php & Web Security - PHPXperts 2009


Comments:
  • Actually you are a Genius....
  • Thank you Mizanur Vhai, it really was a great presentation. It helped me a lot.


1. PHP & WEB SECURITY
  • M. Mizanur Rahman, C.T.O, Informatix Software

2. WHAT IS SECURITY?
  • Security is a measurement, not a characteristic.
  • It is also a growing problem that requires a continually evolving solution.
  • A good measure of a secure application is its ability to predict and prevent future security problems before someone devises an exploit.
  • As far as application design goes, security must be considered at all times (initial spec, implementation, testing and even maintenance).

3. NECESSITY OF WEB SECURITY
  • We value our privacy.
  • We value our clients' important data.
  • We want to make everyone's web presence safer and better.
  • We must remember that it is the users who use the system.
  • Users can be good as well as bad.

4. PHP FACTS
  • A very popular language for web application development.
  • Easy to learn and adopt; popular among new learners.
  • Almost all PHP programs are written for the web.
  • During development most of us forget one important aspect, and that is the security of the application.
  • There is always a tendency to "do it later", which leaves a high probability of security holes in the system.

5. COMMON ATTACKS
  • Input Validation
  • SQL Injection
  • Code Injection
  • XSS or Cross Site Scripting
  • CSRF or Cross Site Request Forgery
  • Session Security
6. INPUT VALIDATION
  • Common development trends
    • Always expecting a valid data type, and therefore skipping any validation
    • Trusting client data because it passed the client-side validations!!!
  • Problems
    • Code injection
    • SQL injection
    • Command injection
  • Solution
    • Always validate inputs using the available PHP functions (is_int(), is_float(), is_bool(), is_finite(), intval(), floatval(), doubleval(), strlen(), strpos(), ctype_alpha(), ctype_alnum())

7. SQL INJECTION
  • One of the most common security problems
  • SQL queries are injected as input
  • Closely related to input validation
  • Possible consequences:
    • Data removal
    • Modification of existing values
    • Unwanted access grant
    • Arbitrary data injection

8. SQL INJECTION - EXAMPLES
    /* articles.php */
    $id = $_GET['id'];
    $sql = "select * from articles where id = '$id'";
    $result = mysql_query($sql);
  • Now when we have a call like:
  • It is perfectly valid and we can expect the article with id 1 to be fetched from the database.

9. SQL INJECTION – EXAMPLES CONTINUED
  • Now what if I write the following in the URL:
    '; delete from articles;
  • Now the query becomes
    "select * from articles where id = '1'; delete from articles"
  • So what are we doing? We are actually deleting the whole table, because we are not checking for SQL injection.

10. SQL INJECTION – THE CURE
  • Escape inputs using addslashes or the built-in PHP mechanism magic_quotes_gpc.
  • Use the dedicated escaping function provided by the database interface
    • MySQL
      • mysql_escape_string()
      • mysql_real_escape_string()
    • PostgreSQL
      • pg_escape_string()
      • pg_escape_bytea()
    • SQLite
      • sqlite_escape_string()

11. SQL INJECTION – THE CURE (CONT.)
  • So our example will now look like this:
    $id = mysql_real_escape_string($_GET['id']);
    $sql = "select * from articles where id = '$id'";
    $result = mysql_query($sql);
  • But sometimes escaping can fail as well!!!
    $id = "0; delete from articles";
    $id = mysql_real_escape_string($id); // 0; delete from articles
    mysql_query("SELECT * FROM articles WHERE id={$id}");
  • To solve such a problem, use explicit casting:
    $id = (int) $id;

12. SQL INJECTION – THE CURE (CONT.)
  • Database-specific escaping is not available for all databases (MSSQL, Oracle etc.)
  • Prepared Statements - another approach
    • Prepared queries are query "templates": the structure of the query is pre-defined and fixed and includes placeholders that stand in for real data. The placeholders are typically type-specific (for example, int for integer data and text for strings), which allows the database to interpret the data strictly.
    • We can use PDO (PHP Data Objects) for prepared statements

13. PREPARED STATEMENT - EXAMPLE
    <?php
    $db = new PDO('mysql:host=localhost;dbname=dbname', 'username', 'password');
    $stmt = $db->prepare('select * from articles where id = ?');
    try {
        $stmt->execute(array($_GET['id']));
        $rows = $stmt->fetchAll();
    }
    catch (PDOException $e) {
        echo 'Selection failed. Please try again.';
    }
    ?>
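The validation from slide 6 and the prepared statement from slides 12 and 13, combined into one script that runs from the command line. This is an added example, not code from the slides: it assumes PHP 7 with the pdo_sqlite extension and uses an in-memory SQLite database with constructed rows in place of the MySQL connection, so the fixture and the `validateArticleId()`/`fetchArticle()` function names are mine. The `mysql_*` functions and `magic_quotes_gpc` named on slides 10 and 11 have since been removed from PHP, so PDO is the route a current practitioner would take.

```php
<?php
// Added example (not from the slides): the articles.php lookup rebuilt with
// strict input validation and a PDO prepared statement. Uses an in-memory
// SQLite database so it runs offline; the table and rows are constructed here.
declare(strict_types=1);

// Accept only a positive integer in canonical decimal form.
// ctype_digit() refuses "1'; delete from articles" and "0; delete from articles"
// outright, and the leading-zero check stops "007" from aliasing "7".
function validateArticleId(string $raw): ?int
{
    if ($raw === '' || !ctype_digit($raw) || ($raw[0] === '0' && $raw !== '0')) {
        return null;
    }
    if (strlen($raw) > 9) {          // stay well inside the 32-bit integer range
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

function fetchArticle(PDO $db, string $rawId): ?array
{
    $id = validateArticleId($rawId);
    if ($id === null) {
        return null;                 // invalid input never reaches the SQL layer
    }
    // The query structure is fixed; the value travels separately as an integer,
    // so it cannot terminate the statement or append a second one.
    $stmt = $db->prepare('SELECT id, title FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- constructed fixture standing in for the MySQL database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$db->exec("INSERT INTO articles (id, title) VALUES (1, 'Hello'), (2, 'World')");

// A legitimate request for article 1
var_dump(fetchArticle($db, '1'));

// The two payloads from slides 9 and 11: both are rejected before any SQL is built
var_dump(fetchArticle($db, "1'; delete from articles"));
var_dump(fetchArticle($db, '0; delete from articles'));

// Confirm the table still holds both rows
echo $db->query('SELECT COUNT(*) FROM articles')->fetchColumn(), " rows remain\n";
```

The two layers are independent: `validateArticleId()` turns away anything that is not a plain positive integer, and even if a digit string did reach the query, the bound `PDO::PARAM_INT` parameter cannot alter the statement's structure. Either layer alone would stop the slide's payloads; keeping both means a future change to one does not silently remove all protection.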
14. CODE INJECTION
  • Code injection occurs when we use parameters from the web as direct parameters for our code execution.
  • This is especially important for includes
    $module = $_REQUEST['module'];
    include("lib/$module");
  • This is ok:
  • But what if I do this?:

15. CODE INJECTION – PREVENTION
  • Make sure the value is the one you expected; otherwise show an error message
    $requestedModule = $_REQUEST['module'];
    switch ($requestedModule)
    {
        case "login":
            $module = "login"; break;
        case "logout":
            $module = "logout"; break;
        default:
            $module = "error";
    }
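The allow-list from slide 15 written as a lookup map, as an added example rather than the slides' own code. The `MODULES` map, `resolveModule()` and the sample request values are constructed here; the request value is only ever used as a key into the map, so no part of it reaches the include path.

```php
<?php
// Added example: resolve a user-supplied module name against a fixed map
// instead of building an include path from the request.
declare(strict_types=1);

// The only modules that exist. The request value is a key, never a path.
const MODULES = [
    'login'  => 'lib/login.php',
    'logout' => 'lib/logout.php',
];
const ERROR_MODULE = 'lib/error.php';

function resolveModule(?string $requested): string
{
    // array_key_exists() on a fixed map replaces the slide's switch: the value
    // from the request is compared against known keys and never interpolated.
    if ($requested !== null && array_key_exists($requested, MODULES)) {
        return MODULES[$requested];
    }
    return ERROR_MODULE;
}

// Constructed inputs: a valid name, a relative path, a URL, a name with an
// embedded NUL byte, and a missing parameter. Only the first maps to a module.
$samples = ['login', '../other.php', 'http://example.invalid/m.txt', "login\0", null];
foreach ($samples as $s) {
    printf("%-34s -> %s\n", var_export($s, true), resolveModule($s));
}

// In the real page the result is what gets included:
// include resolveModule($_REQUEST['module'] ?? null);
```

Compared with the slide's `switch`, the map keeps the mapping data in one place, so adding a module is a one-line change and there is no way to forget the `default` branch.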
16. XSS – CROSS SITE SCRIPTING
  • Cross Site Scripting (XSS) is a situation whereby an attacker injects JavaScript code, which is then displayed on the page without further validation.
    • Can lead to embarrassment.
    • Session take-over.
    • Password theft.
    • User tracking by 3rd parties.
    • Common XSS examples:
      • User-submitted content sites such as blogs, forums, wikis etc.
      • User comments on different sites.

17. XSS – EXAMPLES
  • You have built a site where users can comment on articles.
  • You have provided a comment box to take user input, store it in the database and redisplay it on the page.
  • What if a user enters the following as a comment:
    <script>
    window.location =
    </script>
  • Since we have not done any filtering of the input data, when the page loads the user will be taken to mysite, which is not the right scenario.

18. XSS - PREVENTION
  • Prevention of XSS is as simple as filtering the data via one of the following:
    • htmlspecialchars()
      • Encodes ', ", <, >, &
    • htmlentities()
      • Converts anything for which there is an HTML entity.
    • strip_tags()
      • Strips anything that resembles HTML tags
  • Tag allowances in strip_tags() are dangerous, because the attributes of those tags are not validated.
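Output escaping for the comment scenario on slide 17, as an added example that is not the presenter's code. The `h()` and `renderComment()` helpers and the sample comments are constructed, and the script assumes PHP 7.1 or later. The last lines demonstrate the `strip_tags()` attribute problem that slide 18 warns about.

```php
<?php
// Added example: escape a stored comment at output time with htmlspecialchars(),
// and show why a tag allowance in strip_tags() is not a substitute.
declare(strict_types=1);

// Encode for an HTML text node or attribute value. ENT_QUOTES covers both quote
// styles so the result is also safe inside attribute="..."; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The comment is stored as the user typed it; escaping happens where it is
// rendered, once per context (attribute value and text node here).
function renderComment(string $author, string $body): string
{
    return '<div class="comment" data-author="' . h($author) . '">'
         . '<b>' . h($author) . '</b>: ' . h($body) . '</div>';
}

// Constructed comments: a harmless one, the slide's redirect script, and text
// with characters that are legitimate but need encoding.
$comments = [
    ['alice',   'Nice article!'],
    ['mallory', '<script>window.location = "http://example.invalid/"</script>'],
    ['trent',   'Use " and \' freely; 5 < 6 && 7 > 6'],
];
foreach ($comments as [$author, $body]) {
    echo renderComment($author, $body), "\n";
}

// strip_tags() with an allowance keeps the tag and everything inside it,
// including attributes, so an allowed <b> can still carry an event handler.
$withAttribute = '<b onmouseover="alert(1)">bold</b>';
echo "strip_tags keeps the attribute: ", strip_tags($withAttribute, '<b>'), "\n";
echo "htmlspecialchars renders it as text: ", h($withAttribute), "\n";
```

The design point is that escaping belongs at output, chosen for the context the value lands in. Filtering on input cannot know whether the value will later appear in a text node, an attribute, or a JavaScript string, and each needs a different encoding.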
19. CSRF
  • A CSRF exploit works by exploiting the trust your website has for a specific user (for instance, a user that is logged in). Most websites allow a user to enable a "Remember Me" function that will keep their session active for a long period of time. With this session active, a user could visit a malicious link or visit a website with a malicious iframe, which causes that user to unknowingly perform actions on your site.
  • Major attacks in recent times:
    • ING – CSRF used to transfer funds without any notice
    • YouTube

20. EXAMPLE
  • UserA is a member of the site. He sends money to UserB and finds that the following URL is used:
  • Now UserA constructs a URL like the above to victimize UserC (who is also a user of the site):
  • Now UserA sends an email to UserC with a forged request.
    <a href="
    amount=100000">View my Pictures!</a>

21. EXAMPLE – (CONTINUED)
  • Now if UserC clicks the link, he is actually initiating the request, as he is already authenticated in the system.
  • But wait: when UserC clicks the link, he will definitely notice that a payment has been made. So in order to trick UserC without any notice, UserA does this (zero-byte image):
    <img src="
    amount=100000" width="1" height="1" border="0">
  • So without any problem, UserA has got funds from UserC.

22. PREVENTING CSRF
  • Distinguish each and every request generated from your server.
  • Distinguish requests generated from your site from those generated by other sites.
  • Do not rely on HTTP Referer checking, as it is not fully reliable.
  • Include a form token in every form that you display. The form token must be unique and ensure that the request came from your site.
  • Yahoo! uses a similar approach and calls it Crumb.

23. EXAMPLE
    <?php
    $_SESSION['formKey'] = md5("unique_id");
    ?>
    <form action="
    method="POST">
    <input type="hidden" name="id" value="37">
    <input type="hidden" name="formKey"
    value="<?=$_SESSION['formKey']?>">
    <input type="submit" value="Delete this item">
    </form>

    /* server side code */
    if ($_POST['formKey'] !== $_SESSION['formKey']) {
        echo 'not valid request';
        exit;
    } else {
        // do something
        unset($_SESSION['formKey']); // unset the formKey so it is not used anymore
    }

24. NOTE
  • Should be unique per user (or one user can use their crumb to attack another)
    • Hence should be tied to the user's session or login cookie
  • Should be changed over time (even for the same form requested multiple times)
  • Ajax requests must be from the same domain
  • Limit the lifetime of authentication cookies
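A crumb that meets the requirements on slide 24, added here as an example rather than taken from the slides. `csrfIssueToken()`, `csrfCheck()`, `csrfHiddenField()` and the 30-minute `CSRF_TTL` are my names and values, and a plain array stands in for `$_SESSION` so the script runs from the command line. It needs PHP 7 for `random_bytes()`. Where slide 23 seeds the key with `md5("unique_id")`, which is the same string for every user, this one draws 32 random bytes per form so the token is unpredictable and bound to the session that issued it.

```php
<?php
// Added example: a per-session, single-use, expiring CSRF token, compared in
// constant time. An array replaces $_SESSION so this runs without a web server.
declare(strict_types=1);

const CSRF_TTL = 1800; // seconds a token stays valid (assumed value)

// Issue a fresh token and store it, with its issue time, in the session.
function csrfIssueToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
    $session['csrf'] = ['token' => $token, 'issued' => time()];
    return $token;
}

// Validate a submitted token against the session. The stored token is consumed
// on every call, so a token is good for exactly one submission attempt.
function csrfCheck(array &$session, ?string $submitted): bool
{
    $stored = $session['csrf'] ?? null;
    unset($session['csrf']);
    if ($stored === null || $submitted === null) {
        return false;
    }
    if (time() - $stored['issued'] > CSRF_TTL) {
        return false;                          // expired: must re-render the form
    }
    // hash_equals() runs in constant time; === would stop at the first
    // differing byte and leak how much of the prefix matched.
    return hash_equals($stored['token'], $submitted);
}

// Render the hidden field for the form; the token is still escaped for HTML
// even though it is hex, so the habit carries over to other values.
function csrfHiddenField(string $token): string
{
    return '<input type="hidden" name="formKey" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// --- constructed walk-through ---
$session = [];
$token = csrfIssueToken($session);
echo csrfHiddenField($token), "\n";

// A genuine submission with the issued token, then a replay of the same token
var_dump(csrfCheck($session, $token));
var_dump(csrfCheck($session, $token));

// A token issued to a different session is presented against this one
$otherSession = [];
$foreignToken = csrfIssueToken($otherSession);
csrfIssueToken($session);
var_dump(csrfCheck($session, $foreignToken));
```

Consuming the token on every check, not only on success, means a form must be re-rendered after any failed submission; that is the price of making each token valid for one attempt. Because the token lives only in the server-side session and is compared to a value the browser sends with the form body, a forged `<img>` or link from another site has no way to learn or supply it.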
25. SESSION SECURITY
  • Sessions are a common tool for user tracking across a web site
  • For the duration of a visit, the session is effectively the user's identity
  • If an active session can be obtained by a 3rd party, it can assume the identity of the user whose session was compromised
  • During standard HTTP transactions, all request and response information is transmitted as plain text. Anyone capable of intercepting these messages can steal the user's session.

26. SECURING SESSION
  • To prevent session id theft, the id can be altered on every request, invalidating old values.
    <?php
    session_start();
    if (!empty($_SESSION)) { // not a new session
        session_regenerate_id(TRUE); // make new session id
    } ?>
  • Because the session changes on every request, the "back" button in a browser will no longer work, as it will make a request with the old session id

27. NOTES
  • Use HTTPS to pass secure information
  • Stop the session ID being passed via the URL
  • Set session.use_only_cookies so that session fixation is hard to achieve.
  • Another session security technique is to compare the browser signature headers
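Session hardening that puts slides 26 and 27 together, as an added example that is not from the slides. `startHardenedSession()`, `hardenSessionConfig()` and `browserSignature()` are constructed names, the 300-second rotation interval is an assumed value, and the array form of `session_set_cookie_params()` needs PHP 7.3 or later. It rotates the id on a timer instead of on every request, which keeps the "back" button working while still bounding how long a stolen id stays useful.

```php
<?php
// Added example: cookie-only sessions with secure cookie flags, a browser
// signature check, and periodic id regeneration. Call before any output.
declare(strict_types=1);

// Session settings must be in place before session_start() reads the cookie.
function hardenSessionConfig(bool $https): void
{
    ini_set('session.use_only_cookies', '1');  // never accept an id from the URL
    ini_set('session.use_trans_sid', '0');     // never append the id to links
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => $https,     // only sent over HTTPS when the site uses it
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',      // not attached to most cross-site requests
    ]);
}

// The "browser signature" from slide 27: stable for one client across a visit.
// It is not secret, so it is a tripwire for a copied id, not a credential.
function browserSignature(array $server): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? '', $server['HTTP_ACCEPT_LANGUAGE'] ?? ''];
    return hash('sha256', implode('|', $parts));
}

function startHardenedSession(array $server, int $regenerateAfter = 300): void
{
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    hardenSessionConfig($https);
    session_start();

    $sig = browserSignature($server);
    if (isset($_SESSION['sig']) && !hash_equals($_SESSION['sig'], $sig)) {
        // The id is being presented from a different browser than the one that
        // created the session: drop its contents and issue a fresh id.
        session_unset();
        session_regenerate_id(true);
    }
    $_SESSION['sig'] = $sig;

    // Rotate the id on an interval rather than every request, so the browser's
    // "back" button keeps working while a stolen id still has a short life.
    if (!isset($_SESSION['rotated']) || time() - $_SESSION['rotated'] > $regenerateAfter) {
        session_regenerate_id(true);           // true deletes the old session file
        $_SESSION['rotated'] = time();
    }
}

startHardenedSession($_SERVER);
echo 'session id: ', session_id(), "\n";
```

`session_regenerate_id(true)` removes the old session data as well as issuing a new id, so an attacker holding the old id gets nothing; with `false` the old id would keep pointing at the same data until garbage collection.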
28. THERE ARE MORE!!!!
  • There are more security issues out there.
  • Always try to be proactive on security measures rather than reactive.
  • Keep updated with the latest security flaws and fixes.
  • Always try to avoid common pitfalls.

29. RESOURCES
  • (mod_security Apache module)
  • (PHP Security Patches)
  • (Security Scanner)

30. THANK YOU
  • Questions?