Secure Web App Programming

            Akash Mahajan
   Talk at NULL Bangalore Meeting
            8th August 2009
Cross Site Scripting - XSS
• Injecting HTML/JS into the site.
   – Non-persistent/Reflected/First Order
      • Script is ...
XSS mitigation in PHP
• Sanitize all globals ($_GET, $_POST, $_COOKIE)
   – Use strip_tags()
   – Use inpekt library code....
SQL Injection
• Allowing SQL to be injected in the database
  query.
• Most common attack point is the search of any
  dyn...
SQL Injection - Mitigation
• mysql_real_escape_string()
   – $dbquery = sprintf(“SELECT name FROM user WHERE
     id=‘%s’”...
File Uploads
• Web apps add a directory in document root
  for storing file uploads and give write access.
• They don’t ra...
File Uploads - Mitigation
• The usual use case is uploading of image files.
• Use getimageinfo() to get the correct mime
 ...
Endgame
• At this point you have reasonable ensured that
  your PHP web application is not compromised.
• But the user con...
Upcoming SlideShare
Loading in …5
×

null Bangalore meet - Php Security

1,855 views

Published on

null Bangalore meet - PHP Security – By Akash Mahajan
http://null.co.in

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,855
On SlideShare
0
From Embeds
0
Number of Embeds
34
Actions
Shares
0
Downloads
37
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

null Bangalore meet - Php Security

  1. 1. Secure Web App Programming Akash Mahajan Talk at NULL Bangalore Meeting 8th August 2009
  2. 2. Cross Site Scripting - XSS • Injecting HTML/JS into the site. – Non-persistent/Reflected/First Order • Script is taken from the request and displayed in the browser directly • example.com/search?q=<script>alert(‘hi’);</script> • Example.com/index.php?lang=path to php shell – Persistent/Stored/Second Order • First name of a registration form is vuln and the value is stored in the database • Hello <iframe src=http://f1y.in/0.js></iframe> – DOM Based • No example, mentioned by Amit Klien in his paper XSS of the Third Kind
  3. 3. XSS mitigation in PHP • Sanitize all globals ($_GET, $_POST, $_COOKIE) – Use strip_tags() – Use inpekt library code.google.com/p/inspekt • Escape everything before displaying – htmlentities(), htmlspeciachars() • Client headers like user agent can be malicious as well. • Thumb rule, if its not your data consider it bad. If you can verify it, consider it trusted good data. • White listing helps in verifying good data more than black listing. • See examples at xssed.com
  4. 4. SQL Injection • Allowing SQL to be injected in the database query. • Most common attack point is the search of any dynamic website and registration forms. These two will be definitely talking to the database. • $sql = "SELECT * FROM table WHERE id = '" . $_REQUEST['id'] . "'"; • id = ‘ OR 1 UNION ALL SELECT * FROM table; • Excellent examples http://google.com/search?q=site:slideshare.net sql injection
  5. 5. SQL Injection - Mitigation • mysql_real_escape_string() – $dbquery = sprintf(“SELECT name FROM user WHERE id=‘%s’”, mysql_real_escape_string(‘id’)); • Parameterized queries – $res = $query(“SELECT name FROM user WHERE id=?”, $id); – Standard mysql module in PHP doesn’t allow for parameterized queries. You need mysqli • Stored Procedures – See a kickass example of stored proc used to hack more than hundred thousand websites • http://www.breach.com/resources/breach-security- labs/alerts/mass-sql-injection-attack-evolutio
  6. 6. File Uploads • Web apps add a directory in document root for storing file uploads and give write access. • They don’t randomize filenames. So a specially crafted image file which has PHP code written in it gets saved there. • The malicious user is now free to call it using a GET request and it gets executed. • http://www.scanit.be/uploads/php-file- upload.pdf
  7. 7. File Uploads - Mitigation • The usual use case is uploading of image files. • Use getimageinfo() to get the correct mime type of the file from the file header. • Generate a random file name – $rand = time() . substr(md5(microtime()), 0, rand(5, 12)); – Return $rand and append file extension • Ideally noexec permission should be set on the directory where files are copied to.
  8. 8. Endgame • At this point you have reasonable ensured that your PHP web application is not compromised. • But the user connecting to your website are vulnerable to session hijacking, CSRF from your site etc. • There are work around to the standard PHP functions like this one for mysql_real_escape_strings() – http://shiflett.org/blog/2006/jan/addslashes-versus- mysql-real-escape-string

×