When the security of PHP applications is discussed, the focus is usually on standard XSS vulnerabilities, SQL injections, remote file inclusions, header injections and CSRF. However, there are a number of other vulnerability classes and non-obvious exploitation paths that are just as dangerous but far less well known. This talk gives an insight into such vulnerabilities and how to defend against them.
Lesser Known Security Problems in PHP Applications
1. Lesser Known Security Problems in
PHP Applications
Stefan Esser
Zend Conference
September 2008
Santa Clara, CA
2. The Speaker
Stefan Esser
• 8 years of PHP Core Experience
• 10 years of Security Experience
• Suhosin and The Month of PHP Bugs
• Founder and Head of R&D at SektionEins GmbH
Stefan Esser • Lesser Known Security Problems in PHP Applications • 2008/Sep/17 • 2
3. Topics
• Lesser Known Security Problems
• Less Obvious Exploitation Paths
• Inter Application Exploitation
• Vulnerability Classes Discovered during Real Audits
4. The Mantra...
• Filter Input, Escape Output
• often misunderstood
• vulnerabilities hidden in input filters
• wrong escaping / encoding functions
• not every vulnerability is caused by tainted data
5. Input Filtering - Short reminder
• Filter what you actually use and not what you believe is the same
<?php
// The TikiWiki approach to input filtering
if (!is_numeric($_REQUEST['id'])) {
    die('Hack attack'); // <-- will discuss this later
}
...
$_REQUEST = array_merge($_COOKIE, $_GET, $_POST);
// ^----- really bad idea: GPC != CGP
?>
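The mismatch on this slide, worked through as an added example that is not part of the talk: the check runs against PHP's own $_REQUEST precedence, the application then rebuilds $_REQUEST with a different precedence, and the value that was validated is not the value that gets used. The request arrays are constructed for the demo, and checkIdVulnerable() and requireId() are hypothetical names.

```php
<?php
// Added example, not from the slides. Simulates one HTTP request whose
// parameters arrive through several channels; in a live script PHP fills
// these arrays itself.
$get    = [];
$post   = ['id' => '1 OR 1=1'];   // the value the request wants the script to use
$cookie = ['id' => '42'];         // a harmless-looking value the check will see

// PHP builds $_REQUEST in request_order/variables_order (default: G, P, C),
// with later sources overriding earlier ones, so a cookie overrides POST.
function phpDefaultRequest(array $get, array $post, array $cookie): array
{
    return array_merge($get, $post, $cookie);
}

// The slide's pattern: validate against PHP's $_REQUEST, then rebuild
// $_REQUEST with cookie < GET < POST precedence and use the rebuilt array.
// Returns the id the application ends up using, or null if the check fails.
function checkIdVulnerable(array $get, array $post, array $cookie): ?string
{
    $request = phpDefaultRequest($get, $post, $cookie);
    if (!isset($request['id']) || !is_numeric($request['id'])) {
        return null;                        // the 'Hack attack' path on the slide
    }
    // "GPC != CGP": a different merge order puts a different value on top,
    // so the value used below is not the value that was just validated.
    $request = array_merge($cookie, $get, $post);
    return $request['id'];
}

// Fix: decide which channel the parameter legitimately comes from, read it
// once from that channel, validate the copy and use only the copy. ctype_digit
// is also stricter than is_numeric, which accepts forms such as ' 42' or '1e3'.
function requireId(array $source): int
{
    $id = $source['id'] ?? null;
    if (!is_string($id) || $id === '' || !ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    return (int) $id;
}

// The vulnerable path passes the check on the cookie and returns the POST
// value; requireId() looks at a single source and rejects it outright.
var_dump(checkIdVulnerable($get, $post, $cookie));
try {
    requireId($post);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump(requireId(['id' => '42']));
```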
6. $_SERVER and URL Encoding
• PHP_SELF and REQUEST_URI are often used
• assumed to be URL encoded, but
• PHP_SELF is never encoded (typical XSS)
• REQUEST_URI encoding depends on the client
<?php
if ($_SERVER['REQUEST_URI'] == 'common.php') {
    die("do not call this file directly");
}
// File can still be requested as common%2ephp
?>
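Two ways to make the "do not call this file directly" check independent of how the client encoded the URI, as an added example that is not from the talk. The function names are hypothetical; the constant name IN_APP is a common convention, not something the slides prescribe.

```php
<?php
// Added example, not from the slides. REQUEST_URI is the request text as the
// client sent it, including the client's choice of percent-encoding, so a
// string comparison against it does not reliably tell whether this file was
// requested directly. Function names are hypothetical.

// The slide's check, as a function. '/common%2ephp' maps to the same file
// on the server but is not equal to this string, so it is not blocked.
function blockedByUriCompare(string $requestUri): bool
{
    return $requestUri === '/common.php';
}

// If a URI really has to be compared, decode it the way the server does
// before mapping it to a file: strip the query string, then percent-decode.
function normalisedPath(string $requestUri): string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    return rawurldecode(is_string($path) ? $path : '/');
}

// Better: compare the script the server actually resolved with this file.
// SCRIPT_FILENAME comes from the filesystem mapping, not the request text.
// When common.php is included from index.php, SCRIPT_FILENAME names
// index.php, so the comparison fails and the include is allowed.
function requestedDirectly(string $scriptFilename, string $thisFile): bool
{
    $executed = realpath($scriptFilename);
    return $executed !== false && $executed === realpath($thisFile);
}

if (PHP_SAPI !== 'cli'
    && requestedDirectly($_SERVER['SCRIPT_FILENAME'] ?? '', __FILE__)) {
    http_response_code(403);
    exit('do not call this file directly');
}

// Simplest and most common in PHP projects: the entry script sets a marker
// before including library code, and library files refuse to run without it.
//   index.php:   define('IN_APP', true); require __DIR__ . '/common.php';
//   common.php:  if (!defined('IN_APP')) { http_response_code(403); exit; }

// The plain URI is blocked, the percent-encoded form of the same path is not,
// and normalising first brings both back to the same string.
var_dump(blockedByUriCompare('/common.php'));
var_dump(blockedByUriCompare('/common%2ephp'));
var_dump(normalisedPath('/common%2ephp?x=1') === '/common.php');
```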
7. $_REQUEST and Cookies
• never forget that $_REQUEST also contains cookie data
• cookies or cookie data might be unexpected
• injected through XSS, HTTP Response Splitting or another cross-domain browser bug
• TLD-wide cookies - *.co.uk / *.co.kr
• originating from another application on the same domain
8. $_REQUEST and Cookie DOS
• An injected cookie might kill the application
<?php
// one cookie to kill them all
if (isset($_REQUEST['GLOBALS'])) {
    die('GLOBALS overwrite attempt');
}
?>
9. $_REQUEST and Delayed CSRF
• An injected cookie manipulates/overrides the control flow of a request performed by the user
• Traditional CSRF protections are useless here
<?php
// save only modified admin options
foreach ($_REQUEST['options'] as $key => $val) {
    if (isset($options[$key]) && $options[$key] != $val) {
        saveOption($key, $val);
    }
}
// Because options[includePath] could be an evil cookie
// there is a Delayed CSRF vulnerability
// that allows remote file inclusion
?>
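The admin-options loop from this slide, rewritten as an added example (not from the talk) so that cookie data can neither reach the loop nor stand in for the user's intent: it reads from $_POST only, demands a session-bound CSRF token and allowlists the option names. collectChangedOptions(), EDITABLE_OPTIONS and the stored options are stand-ins for the application's own code; if $_REQUEST has to stay in use elsewhere, request_order = "GP" in php.ini (PHP 5.3 and later) keeps cookies out of it.

```php
<?php
// Added example, not from the slides. The "save only modified admin options"
// loop from slide 9, rewritten so that a planted cookie can neither reach
// the loop nor satisfy the CSRF check. saveOption(), $currentOptions and the
// option names are stand-ins for the application's own storage and schema.

// Only options this form is meant to edit; includePath is deliberately absent.
const EDITABLE_OPTIONS = ['siteName', 'itemsPerPage', 'theme'];

/**
 * @param array  $post            $_POST only: cookies never enter $_POST, so a
 *                                cookie named options[includePath] is irrelevant
 * @param array  $currentOptions  current stored values, name => value
 * @param string $sessionToken    CSRF token stored in the user's session
 * @return array                  options that actually changed, name => value
 */
function collectChangedOptions(array $post, array $currentOptions, string $sessionToken): array
{
    // Constant-time compare of a token a cross-site attacker cannot read.
    $token = $post['csrf_token'] ?? '';
    if (!is_string($token) || !hash_equals($sessionToken, $token)) {
        throw new RuntimeException('missing or invalid CSRF token');
    }
    $submitted = $post['options'] ?? [];
    if (!is_array($submitted)) {
        throw new RuntimeException('options must be an array');
    }
    $changed = [];
    foreach ($submitted as $key => $val) {
        // Allowlist the keys, so even a compromised form cannot write
        // settings that were never meant to be editable here.
        if (!in_array($key, EDITABLE_OPTIONS, true) || !is_string($val)) {
            continue;
        }
        if (!array_key_exists($key, $currentOptions) || $currentOptions[$key] !== $val) {
            $changed[$key] = $val;
        }
    }
    return $changed;
}

// Constructed demo of one request.
$sessionToken   = bin2hex(random_bytes(16));                  // normally kept in $_SESSION
$currentOptions = ['siteName' => 'Intranet', 'itemsPerPage' => '20',
                   'theme' => 'light', 'includePath' => '/var/www/app/inc/'];
$post = [
    'csrf_token' => $sessionToken,
    'options'    => ['siteName' => 'Intranet', 'theme' => 'dark'],
];
// A hostile cookie as on the slide (constructed value). Through $_REQUEST it
// would be merged into the loop; here it is simply never consulted.
$cookie = ['options' => ['includePath' => 'http://attacker.example/']];

foreach (collectChangedOptions($post, $currentOptions, $sessionToken) as $key => $val) {
    // saveOption($key, $val);   application storage; only 'theme' gets here
    echo "would save $key = $val", PHP_EOL;
}
```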
10. auto_globals_jit - Documentation
; When enabled, the SERVER and ENV variables are created when they're first
; used (Just In Time) instead of when the script starts. If these variables
; are not used within a script, having this directive on will result in a
; performance gain. The PHP directives register_globals, register_long_arrays,
; and register_argc_argv must be disabled for this directive to have any affect.
infamous documentation in php.ini
11. auto_globals_jit - Open Questions
• Is the documentation correct?
- Almost definitely maybe (probably)
- Ok, no
• What about $_REQUEST?
• Is JIT really just-in-time at first usage?
12. auto_globals_jit - Reality
• Documentation is wrong
• There is no just-in-time creation on first usage
• auto_globals are usually created before the start of the script if the compiler detects their usage
• or when an extension requests their creation
• The compiler only detects direct usage
• access by variable-variables is NOT detected
13. auto_globals_jit - Security Problem
• prepended input filtering using variable-variables FAILS
• auto_globals do not exist when the filter executes
<?php
// prepended filter using variable-variables: the compiler does not see
// any direct access to $_SERVER / $_ENV here, so with auto_globals_jit
// enabled they do not exist yet and (array)$$target is empty
$filterTargets = array('_REQUEST', '_SERVER', '_ENV' /* ... */);
foreach ($filterTargets as $target) {
$$target = filterRecursive((array)$$target);
}
?>
• when a PHP script accesses the auto_globals they are
created and filled with the not filtered values
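A prepended filter that does work with auto_globals_jit names each auto_global directly, so the compiler detects the access and creates $_SERVER, $_ENV and $_REQUEST before the filter runs. This is an added example, not the slide's code; filterRecursive() here is a stand-in filter chosen for illustration.

```php
<?php
// Added example (not from the slides). filterRecursive() is a stand-in for
// whatever filtering the application prepends; the point is how the
// auto_globals are referenced, not what the filter does.

function filterRecursive(array $data) {
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value)
            ? filterRecursive($value)
            : strip_tags((string)$value);
    }
    return $data;
}

// $_GET, $_POST and $_COOKIE always exist. $_SERVER, $_ENV and $_REQUEST are
// the JIT ones: the compiler creates them only because their names appear
// literally in this script, so the filter sees the real, populated arrays.
$_GET     = filterRecursive($_GET);
$_POST    = filterRecursive($_POST);
$_COOKIE  = filterRecursive($_COOKIE);
$_REQUEST = filterRecursive($_REQUEST);
$_SERVER  = filterRecursive($_SERVER);
$_ENV     = filterRecursive($_ENV);
```

The same names written as strings and accessed through $$target would not be detected by the compiler, which is exactly the failure the slide describes.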
14. Session Handling - Insecure Cookie Parameters
• very common problem
• sites use SSL to protect against session identifier sniffing
• but forget to mark the session identifier cookie as secure
• attacker injects HTTP requests to get the plaintext cookie
15. Session Handling - Session Data Mixup (I)
• session data is stored in /tmp by default
• can be changed by configuration
• session data is shared by all applications that store it in
the same location
• bad for shared hosts
• but can also lead to inter application exploits
16. Session Handling - Session Data Mixup (II)
• Example 1 - Setup:
• customer runs two applications on his own server
• both applications contain multi-step forms
• both applications store data of previous steps in a session
• application 1 merges user input into the session and
validates/filters after all steps are processed
• application 2 merges only validated and filtered data into the
session
17. Session Handling - Session Data Mixup (III)
• Example 1 - Exploit:
• enter malicious content (XSS, SQL Inj.) into application 1
• copy session identifier of application 1 into session cookie of
application 2
• use application 2 which trusts everything within the session
➡ XSS payload from session eventually exploits application 2
18. Session Handling - Session Data Mixup (IV)
• Example 2 - Setup:
• customer runs two applications on his own server
• both applications serve a separate group of users
• both applications are written by the same developers
• both applications share a similar implementation
19. Session Handling - Session Data Mixup (V)
• Example 2 - Exploit:
• attacker is a legit user of application 1
(maybe even a moderator / admin)
• attacker logs himself into application 1
• and copies his session identifier into the session cookie of
application 2
• because the implementation of the User object is shared,
application 2 finds a valid User object in its session
• attacker is now logged into application 2
20. Session Handling - Session Data Mixup (VI)
• Best Practices
• store session data in different locations
➡ ini_set("session.save_path", "/tmp/application_1/");
➡ user space session handler
• embed application marker into the session
➡ if ((string)$_SESSION['application'] !== 'application_1') die();
• encrypt session data with application specific keys
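A session bootstrap that applies the cookie advice of slide 14 together with the separate save path and the application marker of this slide. It is an added example, not from the slides; the application name, the /tmp/application_1/ path (taken from the slide) and the function name are illustrative.

```php
<?php
// Added example (not from the slides). Assumes the site is served over TLS
// only, so the cookie can always carry the secure flag, and that PHP is
// >= 5.5.2 for session.use_strict_mode.

function startApplicationSession($appName, $savePath) {
    // Separate storage per application: a session file of application 2 can
    // no longer be replayed into application 1 by swapping the cookie.
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
        throw new RuntimeException("cannot create session path $savePath");
    }
    ini_set('session.save_path', $savePath);
    ini_set('session.use_only_cookies', '1');  // never accept an id from the URL
    ini_set('session.use_strict_mode', '1');   // never adopt an unknown id

    // Secure + HttpOnly: not sent over plain HTTP, not readable by script.
    session_set_cookie_params(0, '/', '', true, true);
    session_name($appName . '_sid');           // distinct cookie per application
    session_start();

    // Application marker: a session created by another application is
    // destroyed instead of being trusted.
    if (isset($_SESSION['application'])) {
        if ((string)$_SESSION['application'] !== $appName) {
            session_unset();
            session_destroy();
            throw new RuntimeException('session belongs to another application');
        }
    } else {
        $_SESSION['application'] = $appName;
    }
}

startApplicationSession('application_1', '/tmp/application_1/');
```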
21. Session Handling - Insecure Transactions (I)
• some PHP applications choose to override the internal
session management with a user space session handler
- usual implementation
• open - ignored
• read - SELECT * FROM tb_sessions WHERE sid=:sid
• write - INSERT/UPDATE tb_sessions SET data=:data WHERE sid=:sid
• close - ignore
• destroy - ignore
22. Session Handling - Insecure Transactions (II)
• Usual implementation ignores that reading, updating
and storing the session data forms a transaction
• Most applications with user space session handlers are
vulnerable to session race conditions
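A user space session handler that treats read, update and store as one transaction: read() takes a row lock that is held until close(), so a second concurrent request for the same identifier waits instead of racing. This is an added example, not code from the slides; the table name tb_sessions follows slide 21, while the PDO connection $pdo, the updated column and an InnoDB table are assumptions.

```php
<?php
// Added example (not from the slides). Requires SessionHandlerInterface
// (PHP >= 5.4), a PDO connection $pdo and an InnoDB table
// tb_sessions(sid PRIMARY KEY, data, updated DATETIME).
class LockingSessionHandler implements SessionHandlerInterface
{
    private $db;
    public function __construct(PDO $db) {
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->db = $db;
    }
    public function open($savePath, $sessionName) { return true; }
    public function read($sid) {
        // FOR UPDATE locks the row; a concurrent request for the same sid
        // blocks here until this request commits in close().
        $this->db->beginTransaction();
        $stmt = $this->db->prepare('SELECT data FROM tb_sessions WHERE sid = :sid FOR UPDATE');
        $stmt->execute(array(':sid' => $sid));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';
    }
    public function write($sid, $data) {
        // Two placeholders for the same value: named parameters may not
        // repeat when PDO uses native prepares.
        $stmt = $this->db->prepare('INSERT INTO tb_sessions (sid, data, updated) VALUES (:sid, :d1, NOW())'
                                 . ' ON DUPLICATE KEY UPDATE data = :d2, updated = NOW()');
        $stmt->execute(array(':sid' => $sid, ':d1' => $data, ':d2' => $data));
        return true;
    }
    public function close() {
        if ($this->db->inTransaction()) {
            $this->db->commit();   // releases the row lock taken in read()
        }
        return true;
    }
    public function destroy($sid) {
        $stmt = $this->db->prepare('DELETE FROM tb_sessions WHERE sid = :sid');
        $stmt->execute(array(':sid' => $sid));
        return true;
    }
    public function gc($maxlifetime) {
        $stmt = $this->db->prepare('DELETE FROM tb_sessions WHERE updated < :limit');
        $stmt->execute(array(':limit' => date('Y-m-d H:i:s', time() - (int)$maxlifetime)));
        return true;
    }
}
session_set_save_handler(new LockingSessionHandler($pdo), true);
```

If the script aborts before close(), the open transaction is rolled back when the connection drops, so a half-written session is never stored.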
23. Database Handling - Status Quo
• SQL Injection widely known
• SQL Transactions less known and used
• SQL Errors are seldom handled
• Input filters let overlong input through
24. Database Handling - MySQL's max_packet_size
• max_packet_size configures maximum size of a packet
• anything bigger will not be sent
• overlong input can result in queries not being sent
• allows e.g. disabling logging queries
• referer header
• user-agent header
• session-identifiers, ...
25. Database Handling - Truncated Data
• database columns have a maximum width
• by default MySQL will truncate any data that doesn't fit
from 'admin x'
to 'admin '
• by default string comparison will ignore trailing spaces
➡ Security Problem because there are 2 admin users now
26. Database Handling - Best Practices
• Use database transactions for application transactions
• Handle errors, assume everything could fail
• Use MySQL's sql_mode STRICT_ALL_TABLES
• Catch overlong input in input filtering
27. Multi-Byte Encodings - A security problem?
• PHP uses backslash escaping in many places
➡ ( \ => \\, ' => \', " => \" )
• backslash escaping is a problem for multi-byte parsers if
the encoding allows backslashes as 2nd, 3rd, ... byte
• UTF-8 not affected, but several asian encodings like
GBK, EUC-KR, SJIS, ...
SELECT * FROM u WHERE login='X\' OR id=1/*' AND pwd='XXXXXXXXXX'
will be parsed as
SELECT * FROM u WHERE login='X' OR id=1/*' AND pwd='XXXXXXXXXX'
28. Multi-Byte Encodings - Still a problem
• SQL-Injection
• mysql_real_escape_string() not safe when SET NAMES is used
• Shell-Command Injection
• PHP <= 5.2.6 doesn't escape shell commands for MB-locales
• Eval/Preg-Replace/Create_Function Injection
• PHP doesn't escape correctly for zend_multibyte mode
• PHP Cache/Config Injection
• var_export() doesn't escape correctly for zend_multibyte mode
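One connection and insert routine that switches off the defaults slides 23 to 28 warn about: errors become exceptions, the application transaction is rolled back on failure, truncation is an error under STRICT_ALL_TABLES, the charset is set through the client library rather than SET NAMES so the escaping functions know the encoding, and overlong or trailing-space input is rejected before it reaches the server. This is an added example, not code from the slides; the credentials are placeholders and users.name is an assumed VARCHAR(16) column.

```php
<?php
// Added example (not from the slides). Placeholder credentials; assumes a
// table users(name VARCHAR(16) UNIQUE, pwd) and mysqli (PHP >= 5.5 for
// begin_transaction()).

function connectHardened($host, $user, $pass, $db) {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw
    $m = new mysqli($host, $user, $pass, $db);
    // set_charset() informs the client library; "SET NAMES" only changes the
    // server side and leaves real_escape_string() working on the wrong encoding.
    if (!$m->set_charset('utf8mb4')) {
        throw new RuntimeException('cannot set connection charset');
    }
    // Data that does not fit a column is now an error, not 'admin x' -> 'admin '.
    $m->query("SET SESSION sql_mode = 'STRICT_ALL_TABLES'");
    return $m;
}

function createUser(mysqli $m, $name, $pwdHash) {
    // Input filtering catches overlong input: it must fit the column so it is
    // neither truncated nor large enough to push the packet over the limit.
    if (mb_strlen($name, 'UTF-8') > 16 || strlen($name) > 64) {
        throw new InvalidArgumentException('user name too long');
    }
    // Trailing spaces are ignored by MySQL string comparison, so a name that
    // differs from its trimmed form could collide with an existing account.
    if ($name !== trim($name) || $name === '') {
        throw new InvalidArgumentException('user name must not have leading or trailing spaces');
    }
    $m->begin_transaction();
    try {
        $stmt = $m->prepare('INSERT INTO users (name, pwd) VALUES (?, ?)');
        $stmt->bind_param('ss', $name, $pwdHash);
        $stmt->execute();
        $m->commit();
    } catch (Exception $e) {
        $m->rollback();   // never leave the application transaction half done
        throw $e;
    }
}

// $db = connectHardened('localhost', 'app', 'PLACEHOLDER', 'appdb');
// createUser($db, 'alice', password_hash('PLACEHOLDER', PASSWORD_DEFAULT));
```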
29. Multi-Byte Encodings - Special Case UTF-7
• UTF-7 is a 7 bit wide encoding
• Characters used -+A-Za-z0-9
• not handled by any of PHP's escape functions
• browsers can be tricked to parse pages as UTF-7 when
no charset is given
➡ XSS vulnerabilities (also common on banking sites)
30. Random Numbers
• Random Number Generators
• srand() / rand()
• Wrapper around libc's rand() - 32 bit Seed
• mt_srand() / mt_rand()
• Mersenne Twister - 32 bit Seed
• uniqid(?, true) / lcg_value()
• Combined linear congruential generator - weak 64 bit Seed
31. mt_srand() / srand() - weak seeding
• PHP seeds automatically since 4.2.0
• Disadvantages of manual seeding
• random number generator state is easier to predict
• seeding influences other applications
• manual seeding usually weaker than PHP's seeding
<?php
// examples for very bad seedings
mt_srand(time());
mt_srand(microtime() * 100000);
mt_srand(microtime() * 1000000);
mt_srand(microtime() * 10000000); //<- Joomla Password Reset
?>
32. mt_srand() / srand() - Automatic seeding
• Automatic seeding in PHP <= 5.2.5
• time(0) * PID * 1000000 * php_combined_lcg()
• on 32bit systems
• lower bits of time(0) and PID can be controlled
• due to modular arithmetic the product is 0 every 2.1 years
• on 64bit systems
• precision loss during double to int conversion
• strength around 24 bits
33. mt_rand() / rand() - weak random numbers
• numbers depend only on 32 bit seed and running time
• not suited for cryptographic secrets
• output of PRNG might leak state
• state is process-wide => PRNG is shared resource
• attacker can get fresh seed by crashing PHP
34. mt_(s)rand / (s)rand - Shared Hosting
• CGI
• PRNG freshly seeded for every request
• running time not necessary for prediction
• mod_php / fastcgi
• PRNG is shared for requests handled by same process
• e.g. Keep-Alive
• Sharing across VHOSTS
• mean customer can seed PRNG to attack others
35. mt_(s)rand / (s)rand - Cross Application Attacks
• applications share the same PRNG
• leak in one application allows attacking another
• seeding in one application allows attacking another
• phpBB2 seeds random number generator and leaks state
• allows predicting password reset feature in Wordpress
36. mt_(s)rand / (s)rand - Best Practices
• do not seed the PRNGs
• do not use PHP's PRNGs for cryptographic secrets
• do not directly output random numbers
• combine output of different PRNGs
• use /dev/(u)random on unix systems
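The last recommendation in code: a token generator that reads /dev/urandom instead of mt_rand(), fails closed on a missing device or a short read, and never hands out raw generator output. This is an added example, not code from the slides; the function name and the 32-byte default are choices made here.

```php
<?php
// Added example (not from the slides): secrets such as password reset
// tokens or session identifiers taken from the kernel's pool rather than
// from the process-wide, 32-bit-seeded mt_rand()/rand() state.

function randomTokenHex($bytes = 32) {
    if (!is_int($bytes) || $bytes < 16) {
        throw new InvalidArgumentException('request at least 16 bytes of entropy');
    }
    $fh = @fopen('/dev/urandom', 'rb');
    if ($fh === false) {
        // Fail closed: falling back to mt_rand() would silently reintroduce
        // the weaknesses of the previous slides.
        throw new RuntimeException('/dev/urandom is not available');
    }
    $buf = '';
    // fread() may return fewer bytes than asked; loop until exactly $bytes
    // arrived and never pad a short read.
    while (strlen($buf) < $bytes) {
        $chunk = fread($fh, $bytes - strlen($buf));
        if ($chunk === false || $chunk === '') {
            fclose($fh);
            throw new RuntimeException('short read from /dev/urandom');
        }
        $buf .= $chunk;
    }
    fclose($fh);
    return bin2hex($buf);   // 2 * $bytes hex characters, safe for URLs and cookies
}

$resetToken = randomTokenHex();   // 64 hex characters
```

On PHP 7 and later random_bytes() draws from the same kernel source and throws on failure, so it can replace the hand-written read loop.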
37. PHP's ZipArchive
• 0-day Vulnerability in PHP
• exposed by applications using ZipArchive
• discovered during an audit of customer code
• reported 85 days ago to PHP's security response team
• unpacking a malicious ZIP can overwrite any file
• Exploit: just name archived files like ../../../../../www/hack.php
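A defensive extraction routine for the issue on this slide: instead of handing the whole archive to extractTo(), every entry name is checked for absolute paths and '..' segments, the resolved target directory is confirmed to lie inside the destination, and only then is the entry written from its stream. This is an added example, not code from the slides; the function name and directories are illustrative.

```php
<?php
// Added example (not from the slides). Rejects archives whose entry names
// would resolve outside $destDir, e.g. ../../../../../www/hack.php.

function safeExtract($zipPath, $destDir) {
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $destReal = realpath($destDir);
    if ($destReal === false) {
        throw new RuntimeException("destination $destDir does not exist");
    }
    $written = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // Refuse absolute paths, Windows drive letters, backslashes and any
        // '..' path segment before touching the filesystem.
        if ($name === '' || $name[0] === '/' || strpos($name, '\\') !== false
            || preg_match('#(^|/)\.\.(/|$)#', $name) || preg_match('#^[A-Za-z]:#', $name)) {
            throw new RuntimeException("refusing suspicious entry name: $name");
        }
        $target = $destReal . '/' . $name;
        $dir = substr($name, -1) === '/' ? $target : dirname($target);
        if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
            throw new RuntimeException("cannot create directory $dir");
        }
        // Second, filesystem-level check: the resolved directory must still be
        // inside the destination (catches anything the name check missed).
        if (strpos(realpath($dir) . '/', $destReal . '/') !== 0) {
            throw new RuntimeException("entry escapes destination: $name");
        }
        if ($dir === $target) {
            continue;                          // directory entry, nothing to write
        }
        $in = $zip->getStream($name);
        if ($in === false) {
            throw new RuntimeException("cannot read entry $name");
        }
        file_put_contents($target, $in);       // accepts a stream resource
        fclose($in);
        $written++;
    }
    $zip->close();
    return $written;
}

// $count = safeExtract('/tmp/upload.zip', '/var/app/uploads/extracted');
```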
38. HTTP Header Response Splitting/Suppression
• Protection against HTTP Response Splitting
• introduced with PHP 5.1.2
• not sufficient for old Netscape Proxies
• suppresses headers containing recognized attacks
• allows suppressing HTTP headers
• security problem when Content-Disposition: attachment is suppressed
39. The End ?!?
There are more unusual, lesser known and dangerous
vulnerabilities, but we are running out of time...
40. Thank you for listening
QUESTIONS ???