SECURITY
CPTR304: INTERNET AUTHORING
HENRY OSBORNE
This presentation examines some attack vectors and
highlights means to mitigate and even eliminate most
attacks.

CPTR304:...
ALL INPUT IS TAINTED
 As a general rule of thumb, the data in all of PHP’s superglobals arrays

should be considered tain...
WHITELIST VS BLACKLIST FILTERING

 The blacklist approach is the less restrictive form of

filtering that assumes the pro...
FILTER INPUT
<form method="POST">

Username: <input type="text" name="username" /><br/>
Password: <input type="text" name=...
FILTER INPUT CONT’D
$clean = array();
if (ctype_alpha($_POST[’username’]))
{
$clean[’username’] = $_POST[’username’];
}
if...
FILTER INPUT CONT’D

Filtering with a whitelist approach places the control firmly in
your hands and ensures that your app...
ESCAPE OUTPUT

Output is anything that leaves your application, bound for a
client. The client, in this case, is anything ...
ESCAPE OUTPUT CONT’D

To escape output intended for a Web browser, PHP
provides htmlspecialchars() and
htmlentities(), the...
$html = array();
$html[’message’] = htmlentities($user_message,
ENT_QUOTES, ’UTF-8’);
echo $html[’message’];

CPTR304: INT...
WEBSITE SECURITY

CPTR304: INTERNET AUTHORING

11
SPOOFED FORMS
 A common method used by attackers is a spoofed form

submission.
 There are various ways to spoof forms, ...
CROSS-SITE SCRIPTING (XSS)

 One of the most common and best known kinds of attacks.
 An XSS attack exploits the user’s ...
CROSS-SITE REQUEST FORGERIES (CSRF)
 An attack that tricks the victim into loading a page that contains a

malicious requ...
DATABASE SECURITY

CPTR304: INTERNET AUTHORING

15
SQL INJECTION

A technique where an attacker creates or alters
existing SQL commands to expose hidden data,
or to override...
SESSION SECURITY

CPTR304: INTERNET AUTHORING

17
SESSION FIXATION

 Manually setting the session identifier through the query

string, forcing the use of a particular ses...
SESSION HIJACKING

Any means by which an attacker gains a user’s valid
session identifier (rather than providing one of hi...
FILE SYSTEM SECURITY

CPTR304: INTERNET AUTHORING

20
REMOTE CODE INJECTION

A remote code injection attack occurs when an attacker is
able to cause your application to execute...
COMMAND INJECTION

The injection and execution of arbitrary system commands.
 exec(), system() and passthru() functions

...
Despite the many ways your applications can be attacked,
four simple words can sum up most solutions to Web
application se...
SECURITY
http://www.php.net/manual/en/security.php

CPTR304: INTERNET AUTHORING

24
Upcoming SlideShare
Loading in …5
×

Website Security

1,369 views

Published on

PHP provides a rich toolset with immense power—some have argued that it is perhaps too much power—and this power, when used with careful attention to detail, allows for the creation of complex and robust applications. Without this attention to detail, though, malicious users can use PHP’s power to their advantage, attacking applications in a variety of ways.

Published in: Education
  • Be the first to comment

  • Be the first to like this

Website Security

  1. 1. SECURITY CPTR304: INTERNET AUTHORING HENRY OSBORNE
  2. 2. This presentation examines some attack vectors and highlights means to mitigate and even eliminate most attacks. CPTR304: INTERNET AUTHORING 2
  3. 3. ALL INPUT IS TAINTED  As a general rule of thumb, the data in all of PHP’s superglobals arrays should be considered tainted.  $_SERVER array is not fully safe, because it contains some data provided by the client.  Before processing tainted data, it is important to filter it  Two approaches to filtering data:  The whitelist approach  The blacklist approach. CPTR304: INTERNET AUTHORING 3
  4. 4. WHITELIST VS BLACKLIST FILTERING  The blacklist approach is the less restrictive form of filtering that assumes the programmer knows everything that should not be allowed to pass through.  Whitelist filtering is much more restrictive, yet it affords the programmer the ability to accept only the input he expects to receive. CPTR304: INTERNET AUTHORING 4
  5. 5. FILTER INPUT <form method="POST"> Username: <input type="text" name="username" /><br/> Password: <input type="text" name="password" /><br/> Favorite color: <select name="color"> <option>Red</option> <option>Blue</option> <option>Yellow</option> <option>Green</option> </select><br/> <input type="submit" /> </form> CPTR304: INTERNET AUTHORING 5
  6. 6. FILTER INPUT CONT’D $clean = array(); if (ctype_alpha($_POST[’username’])) { $clean[’username’] = $_POST[’username’]; } if (ctype_alnum($_POST[’password’])) { $clean[’password’] = $_POST[’password’]; } $colors = array(’Red’, ’Blue’, ’Yellow’, ’Green’); if (in_array($_POST[’color’], $colors)) { $clean[’color’] = $_POST[’color’]; } CPTR304: INTERNET AUTHORING 6
  7. 7. FILTER INPUT CONT’D Filtering with a whitelist approach places the control firmly in your hands and ensures that your application will not receive bad data. CPTR304: INTERNET AUTHORING 7
  8. 8. ESCAPE OUTPUT Output is anything that leaves your application, bound for a client. The client, in this case, is anything from a Web browser to a database server, and just as you should filter all incoming data, you should escape all outbound data. Whereas filtering input protects your application from bad or harmful data, escaping output protects the client and user from potentially damaging commands. CPTR304: INTERNET AUTHORING 8
  9. 9. ESCAPE OUTPUT CONT’D To escape output intended for a Web browser, PHP provides htmlspecialchars() and htmlentities(), the latter being the most exhaustive and, therefore, recommended function for escaping. CPTR304: INTERNET AUTHORING 9
  10. 10. $html = array(); $html[’message’] = htmlentities($user_message, ENT_QUOTES, ’UTF-8’); echo $html[’message’]; CPTR304: INTERNET AUTHORING 10
  11. 11. WEBSITE SECURITY CPTR304: INTERNET AUTHORING 11
  12. 12. SPOOFED FORMS  A common method used by attackers is a spoofed form submission.  There are various ways to spoof forms, the easiest of which is to simply copy a target form and execute it from a different location.  Spoofing a form makes it possible for an attacker to remove all client-side restrictions imposed upon the form in order to submit any and all manner of data to your application. CPTR304: INTERNET AUTHORING 12
  13. 13. CROSS-SITE SCRIPTING (XSS)  One of the most common and best known kinds of attacks.  An XSS attack exploits the user’s trust in the application and is usually an effort to steal user information, such as cookies and other personally identifiable data.  All applications that display input are at risk. CPTR304: INTERNET AUTHORING 13
  14. 14. CROSS-SITE REQUEST FORGERIES (CSRF)  An attack that tricks the victim into loading a page that contains a malicious request.  It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf.  CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data. CPTR304: INTERNET AUTHORING 14
  15. 15. DATABASE SECURITY CPTR304: INTERNET AUTHORING 15
  16. 16. SQL INJECTION A technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable ones, or even to execute dangerous system level commands on the database host. CPTR304: INTERNET AUTHORING 16
  17. 17. SESSION SECURITY CPTR304: INTERNET AUTHORING 17
  18. 18. SESSION FIXATION  Manually setting the session identifier through the query string, forcing the use of a particular session.  This is most commonly achieved by creating a link to your application and appending the session identifier that the attacker wishes to give any user clicking the link. <a href="http://example.org/index.php?PHPSESSID=1234">Click here</a> CPTR304: INTERNET AUTHORING 18
  19. 19. SESSION HIJACKING Any means by which an attacker gains a user’s valid session identifier (rather than providing one of his own). CPTR304: INTERNET AUTHORING 19
  20. 20. FILE SYSTEM SECURITY CPTR304: INTERNET AUTHORING 20
  21. 21. REMOTE CODE INJECTION A remote code injection attack occurs when an attacker is able to cause your application to execute PHP code of their choosing. CPTR304: INTERNET AUTHORING 21
  22. 22. COMMAND INJECTION The injection and execution of arbitrary system commands.  exec(), system() and passthru() functions CPTR304: INTERNET AUTHORING 22
  23. 23. Despite the many ways your applications can be attacked, four simple words can sum up most solutions to Web application security problems (though not all): filter input, escape output. CPTR304: INTERNET AUTHORING 23
  24. 24. SECURITY http://www.php.net/manual/en/security.php CPTR304: INTERNET AUTHORING 24

×