HTTP AND SECURITY
AGENDA
- HTTP basics
- HTTP methods
- PHP and HTTP
- Security threats and attacks
- Security in PHP

HTTP
- The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems
- HTTP is the foundation of data communication for the World Wide Web.

HTTP
- HTTP functions as a request-response protocol in the client-server computing model
- The response contains completion status information about the request and may also contain the requested content in its message body
- HTTP is an application layer protocol, carried mostly over TCP, but it can also use UDP

HTTP SESSIONS
- An HTTP session is a sequence of network request-response transactions
- Every session has an ID and reflects the conversation between one client and one server
- In PHP the $_SESSION variable can hold session parameters
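Since the session ID is what ties a request to a logged-in user, how the ID is issued and carried matters. The following is an added example, not code from the original slides: it starts a PHP session with hardened cookie settings and rotates the ID at login. The 'user_id' key is an assumption standing in for the application's own session data.

```php
<?php
// Added example (not from the original slides): starting a PHP session with
// hardened cookie flags and rotating the session ID after login.

// Cookie flags: HttpOnly keeps the ID away from page scripts, Secure sends it only
// over HTTPS, SameSite stops the browser attaching it to cross-site requests.
// The array form of session_set_cookie_params() requires PHP 7.3 or later.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, discarded when the browser closes
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// Call once credentials have been checked by the application's own logic.
function login(int $userId): void
{
    // Issue a fresh ID so an ID that existed before login is never carried over
    // into the authenticated session (defends against session fixation).
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;   // 'user_id' is an assumed key for this example
}

function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```

The `secure` flag means the cookie is never sent on a plain-HTTP request, so this configuration assumes the site is served over TLS.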

HTTP METHODS
- GET - Requests a representation of the specified resource
- HEAD - Like a GET request, but without the response body
- POST - Requests that the server accept the entity enclosed in the request as a new subordinate of the web resource identified by the URI
- PUT - Requests that the enclosed entity be stored under the supplied URI
- DELETE - Deletes the specified resource.
- TRACE - Echoes back the received request so that a client can see what changes or additions have been made by intermediate servers.
- OPTIONS - Returns the HTTP methods that the server supports for the specified URL
- CONNECT - Converts the request connection to a transparent TCP/IP tunnel
- PATCH - Is used to apply partial modifications to a resource
HTTP GET
/test/demo_form.php?name1=value1&name2=value2
- GET requests can be cached
- GET requests remain in the browser history
- GET requests can be bookmarked
- GET requests should never be used when dealing with sensitive data
- GET requests have length restrictions (2048)
- GET requests should be used only to retrieve data

HTTP POST
POST /test/demo_form.asp HTTP/1.1
Host: w3schools.com

name1=value1&name2=value2

- POST requests are never cached
- POST requests do not remain in the browser history
- POST requests cannot be bookmarked
- POST requests have no restrictions on data length

PHP METHODS FOR POST AND GET
- GET - $_GET variable
- POST - $_POST variable
- $_REQUEST for both + $_COOKIE

<?php
// Read two query-string parameters; isset() guards against undefined-index notices
if (isset($_GET['user']) && isset($_GET['gen'])) {
    $user = $_GET['user'];
    $gen  = $_GET['gen'];
    // Encode before echoing: these values come straight from the URL and are untrusted
    echo 'User: ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8')
       . ' - gender: ' . htmlspecialchars($gen, ENT_QUOTES, 'UTF-8');
}

AND WORDPRESS
- WordPress core does not use sessions
- WordPress core uses only cookies
- However, plugins can use sessions

SECURITY INTRODUCTION
- The weakest part of a site is its entry point
- Write secure code!
- Don't be a victim of laziness and get hacked (or put your users at risk)
- It's easier to protect than to heal

CROSS SITE SCRIPTING (XSS)
- Adding additional HTML or JavaScript to the source of a page
- Injecting through URL parameters, requests or form fields
- Three types: stored XSS, reflected XSS and DOM-based XSS

XSS PROTECTION
- Stripping tags
- Transforming characters like <, >, /, ', " etc. to HTML entities
- PHP functions:
  string strip_tags ( string $str [, string $allowable_tags ] )
  string htmlentities ( string $string )
  string htmlspecialchars ( string $string )
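The functions listed above are not interchangeable: what is safe depends on where in the HTML the value lands. The following is an added example, not code from the original slides, showing output encoding for an HTML body and an attribute, and why stripping tags alone is not enough. The $untrusted value is a constructed sample input.

```php
<?php
// Added example (not from the original slides): encode untrusted input for the
// HTML context it is placed in, and compare with strip_tags().

function escape_html(string $value): string
{
    // ENT_QUOTES also encodes single quotes, which htmlspecialchars() skips by
    // default, so the result is safe inside single- and double-quoted attributes.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render a user-supplied name both as element text and as an attribute value.
function render_greeting(string $name): string
{
    $safe = escape_html($name);
    return "<p>User: {$safe}</p>\n"
         . "<input type=\"text\" name=\"user\" value=\"{$safe}\">";
}

// Constructed sample input: a script tag followed by an attribute breakout.
$untrusted = '<script>alert(1)</script>" onfocus="alert(2)';

echo render_greeting($untrusted), "\n\n";

// strip_tags() removes the <script> element but leaves the quote and the
// onfocus= fragment untouched, so placing its result inside an attribute would
// still break out. Encoding at output time is the primary defence; tag stripping
// is only a supplement for input that is meant to be plain text.
echo strip_tags($untrusted), "\n";
```

Encode at the moment of output, not at input time: the same stored value may later be placed in HTML, in a JavaScript string or in a URL, and each context needs its own encoding.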
SQL INJECTION
- SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution
- Types:
  Classic SQLi
  Blind or inference SQL injection
SQL INJECTION EXAMPLE
statement = "SELECT * FROM users WHERE name ='" + userName + "';"
- Attacker input 1: ' or '1'='1
- Attacker input 2: ' or '1'='1' -- '
- Executed query:
  1: SELECT * FROM users WHERE name = '' OR '1'='1';
  2: SELECT * FROM users WHERE name = '' OR '1'='1' -- ';
- Consider input:
  a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't

SQL INJECTION PROTECTION
- Filter user input
- Way 1: prepared statement with a bound parameter (mysqli)

// $dbConnection is an open mysqli connection; $name holds the untrusted value
$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name);   // 's' binds $name as a string, never as SQL text
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // do something with $row
}

- Way 2: escape the value before interpolating it into the query

// The mysql_* extension shown on the original slide was removed in PHP 7.0;
// the mysqli equivalents are used here. Escaping depends on the connection's
// character set, which is why the connection handle is passed in.
$unsafe_variable = $_POST["user-input"];
$safe_variable = mysqli_real_escape_string($dbConnection, $unsafe_variable);
mysqli_query($dbConnection, "INSERT INTO table (column) VALUES ('" . $safe_variable . "')");
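To see why a bound parameter defeats the inputs from the example slide, the following added example (not code from the original slides) runs the concatenated query and a prepared query side by side against an in-memory SQLite database through PDO. It assumes the pdo_sqlite extension is available; the table, its rows and the column names are constructed for this demonstration.

```php
<?php
// Added example (not from the original slides): string concatenation versus a
// bound parameter, using an in-memory SQLite database so it runs offline.
// Assumes the pdo_sqlite extension is loaded.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample schema and rows
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");
    return $db;
}

// Vulnerable: the same concatenation as the slide's statement.
// The input becomes part of the SQL text, so quotes in it change the query.
function find_user_concat(PDO $db, string $userName): array
{
    $sql = "SELECT * FROM users WHERE name = '" . $userName . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed at prepare() time and the value travels
// separately, so it can only ever be compared as a literal string.
function find_user_prepared(PDO $db, string $userName): array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE name = :name');
    $stmt->execute([':name' => $userName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
$attackerInput = "' or '1'='1";   // attacker input 1 from the example slide

printf("concatenated, attacker input: %d row(s)\n", count(find_user_concat($db, $attackerInput)));
printf("prepared, attacker input:     %d row(s)\n", count(find_user_prepared($db, $attackerInput)));
printf("prepared, legitimate 'bob':   %d row(s)\n", count(find_user_prepared($db, 'bob')));
```

Run as written, the concatenated query matches every row in the table, while the prepared query matches none for the attacker input and exactly one for the legitimate name. Note that placeholders only protect values; table and column names still cannot be parameterized and must come from an allow-list in code.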

SQL INJECTION WORDPRESS PROTECTION
- Use the prepare function with parameters:

$wpdb->query(
    $wpdb->prepare(
        "DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s",
        13, 'gargle'
    )
);

- The prepare function formats and escapes the parameters (%d as an integer, %s as a quoted string), so the resulting query is safe from SQL injection

SENSITIVE DATA EXPOSURE
- All data that is stored should be stored hashed or encrypted
- Protect the transport layer as well (best using SSL/TLS)

CROSS SITE REQUEST FORGERY (CSRF)
- Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
- The attacker creates a page that requests some action that only an authorized user can execute
- The attacker sends a link to the page to the victim
- The victim clicks on the link and executes the command as the authorized user

PROTECTION AGAINST CSRF
- Send a token with every action
- The token should be created for each request or at least per session
- In WordPress you may use wp_nonce_field, wp_create_nonce and wp_verify_nonce

<form method="post">
    <!-- some inputs here ... -->
    <?php wp_nonce_field('name_of_my_action', 'name_of_nonce_field'); ?>
</form>
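The form above only emits the nonce; the protection comes from checking it when the form is submitted. The following is an added example, not code from the original slides or from WordPress itself, showing the handler side with wp_verify_nonce. The action and field names follow the slide; the capability name, the setting field and the option name are assumptions for this example.

```php
<?php
// Added example (not from the original slides): verify the nonce emitted by
// wp_nonce_field() before performing the state-changing action.

function handle_settings_post(): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;   // nothing to do for GET
    }

    // wp_verify_nonce() returns false when the nonce is missing, forged, tied to
    // a different action, or expired; 1 or 2 indicates how old it is.
    $nonce = isset($_POST['name_of_nonce_field']) ? (string) $_POST['name_of_nonce_field'] : '';
    if (!wp_verify_nonce($nonce, 'name_of_my_action')) {
        wp_die('Request could not be verified.', 'Forbidden', ['response' => 403]);
    }

    // A nonce proves the request came from a form this site rendered for this
    // user; it does not prove the user may perform the action, so still check
    // capabilities. 'manage_options' is an assumed capability for this example.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', 'Forbidden', ['response' => 403]);
    }

    // 'example_setting' and 'example_plugin_setting' are assumed names.
    $value = sanitize_text_field(wp_unslash($_POST['example_setting'] ?? ''));
    update_option('example_plugin_setting', $value);
    return true;
}
```

For admin screens the one-call helper check_admin_referer('name_of_my_action', 'name_of_nonce_field') performs the same verification and dies on failure; the explicit form above makes the two separate checks, intent and authorization, visible.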
INSECURE DIRECT OBJECT REFERENCES