Secure PHP Coding – Part II
Types of Security Vulnerabilities
1. Remote File Inclusion (RFI)
2. Local File Inclusion (LFI)
3. Local File Disclosure/Download
4. Remote File Upload
5. Remote Command Execution
6. Remote Code Execution (RCE)
7. Authentication Bypass/Insecure Permissions
8. Cross Site Scripting (XSS)
9. Cross Site Request Forgery (CSRF)
Remote Code Execution (RCE)
Remote Code Execution – Vulnerable Codes
Evaluating eval()
display_title.php
<?php
$title = $_GET['title'];
// request data is concatenated straight into source code that eval() compiles
eval('echo "Welcome ' . $title . '";');
// assert() also evaluates its string argument as code
?>
Expected Input
http://localhost/rce/display_title.php?title=vinoth
Attack
http://localhost/rce/display_title.php?title=vinoth;phpinfo();

Regular Expression
to_upper.php
<?php
$string = $_GET['string'];
// the /e modifier evaluates the replacement as PHP code, with the matched
// text substituted for \1 (the modifier was removed in PHP 7)
print preg_replace('/^(.*)/e', 'strtoupper(\1)', $string);
?>
Expected Input
http://localhost/rce/to_upper.php?string=lowerstring
Attack
http://localhost/rce/to_upper.php?string=phpinfo()
Remote Code Execution – Vulnerable Codes
Dynamic Variables
user.php
<?php
session_start();
// every query-string key becomes a variable; a key of "_SESSION" overwrites the superglobal
foreach ($_GET as $key => $value) {
    $$key = $value;
}
// extract($_GET);                      // same effect
// parse_str($_SERVER['QUERY_STRING']); // same effect (one-argument form)
function isLoggedIn() {
    return $_SESSION['isLoggedIn'];
}
if (isLoggedIn()) {
    echo "You are logged in :)";
} else {
    echo "you are not logged in :(";
    die();
}
?>
Attack
http://localhost/rce/user.php?_SESSION[isLoggedIn]=true
Expected Input
http://localhost/rce/user.php?name=vinoth
Remote Code Execution – Vulnerable Codes
Dynamic Functions
callback.php
<?php
$callback = $_GET['callback'];
$arguments = $_GET['arguments'];
function callback($args) {
    echo 'function called with arguments';
}
$callback($arguments);   // whatever function name the request names is called
// (new ReflectionFunction($callback))->invoke($arguments); has the same effect
// create_function() also compiles its string argument as code:
// create_function('$foobar', 'echo $foobar;');
?>
Attack
http://localhost/rce/callback.php?callback=phpinfo&arguments=1
Expected Input
http://localhost/rce/callback.php?callback=callback&arguments=args
Remote Code Execution – Fix
• Don't allow any special character like "(", ")", "`", "&", ";" etc.
• Never create dynamic variables ($$, extract() & parse_str()) from $_POST, $_GET or $_REQUEST
• Validate the callback against an array of allowed callbacks

callback_fixed.php
<?php
$callbacks = array('callback', 'another_callback');
$callback = $_GET['callback'];
$arguments = $_GET['arguments'];
function callback($args) {
    echo 'function called with arguments';
}
if (in_array($callback, $callbacks, true)) {   // strict comparison: no type juggling
    $callback($arguments);
}
?>

display_title_fixed.php
<?php
// allow-list: only [A-Za-z0-9_] survives, so no quote, ';' or '(' can reach eval()
$title = preg_replace("/[^A-Za-z0-9_]/", "", $_GET['title']);
eval('echo "Welcome ' . $title . '";');   // better still: drop eval() and echo 'Welcome ' . $title;
?>

to_upper_fixed.php
<?php
$string = $_GET['string'];
// the back-reference is quoted, so the match is a string literal rather than an expression;
// this is not a complete fix (double-quoted strings still interpolate) and /e is gone in PHP 7:
// use preg_replace_callback(), which takes a closure instead of a code string
print preg_replace('/^(.*)/e', 'strtoupper("\1")', $string);
?>
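The fixes above all come down to one rule: request data may be used as data, never as source code. The script below is an added example (my own code, not from the slides or the zpwned repository) that rewrites the three vulnerable samples along those lines for PHP 7.4 or later: no eval(), preg_replace_callback() in place of the removed /e modifier, a fixed dispatch table in place of a variable function call, and explicit field copying in place of $$key. An array named $get stands in for $_GET so the script runs from the CLI; the function names and the sample inputs are assumptions mirroring the slides' URLs.

```php
<?php
declare(strict_types=1);
// Added example: request data used only as data. $get stands in for $_GET.

// display_title: no eval(). An allow-list regex rejects anything but [A-Za-z0-9_].
function displayTitle(array $get): string
{
    $title = $get['title'] ?? '';
    if (!is_string($title) || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $title)) {
        return 'Welcome guest';
    }
    return 'Welcome ' . $title;
}

// to_upper: preg_replace_callback() replaces /e. The closure receives the match
// as a string; nothing taken from $string is ever compiled.
function toUpper(array $get): string
{
    $string = $get['string'] ?? '';
    if (!is_string($string)) {
        return '';
    }
    return (string) preg_replace_callback(
        '/^(.*)/',
        static fn(array $m): string => strtoupper($m[1]),
        $string
    );
}

// callback: a fixed dispatch table instead of $callback($arguments). The request
// value is only a lookup key; the function name comes from the table.
function cbDefault(string $args): string { return 'callback called with ' . $args; }
function cbAnother(string $args): string { return 'another_callback called with ' . $args; }

const CALLBACKS = [
    'callback'         => 'cbDefault',
    'another_callback' => 'cbAnother',
];

function dispatch(array $get): string
{
    $name = $get['callback'] ?? '';
    $args = $get['arguments'] ?? '';
    if (!is_string($name) || !is_string($args) || !isset(CALLBACKS[$name])) {
        return 'unknown callback';   // phpinfo, system, ... are not table keys
    }
    $fn = CALLBACKS[$name];
    return $fn($args);
}

// user: copy the one field the page expects; never $$key, extract() or parse_str().
function readProfile(array $get): array
{
    $name = $get['name'] ?? '';
    return ['name' => is_string($name) ? $name : ''];
}

// Constructed inputs mirroring the slides' Expected Input and Attack URLs.
$cases = [
    ['title' => 'vinoth'],
    ['title' => 'vinoth;phpinfo();'],                 // fails the allow-list
    ['string' => 'lowerstring'],
    ['string' => 'phpinfo()'],                        // merely upper-cased
    ['callback' => 'callback', 'arguments' => 'args'],
    ['callback' => 'phpinfo', 'arguments' => '1'],    // not in the table
    ['_SESSION' => ['isLoggedIn' => 'true']],         // ignored by readProfile()
];
foreach ($cases as $get) {
    printf("%-16s | %-12s | %-30s | %s\n",
        displayTitle($get), toUpper($get), dispatch($get), json_encode(readProfile($get)));
}
```

Run it with `php rce_hardened.php`: the second, fourth and sixth rows show the payloads from the Attack URLs arriving as plain text ('Welcome guest', 'PHPINFO()', 'unknown callback') because no code path compiles them, and the last row shows the _SESSION key being silently dropped instead of overwriting the superglobal.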
Remote Code Execution – Functions
• eval
• assert
• preg_replace // with /e in the regex
• create_function
• functions with callbacks, for example array_map, usort, ob_start & preg_replace_callback etc.
• $$, extract & parse_str with one parameter
• dynamic function calls
• ReflectionFunction
• unserialize
Authentication Bypass/Insecure Permissions
Authentication Bypass – Vulnerable Scenarios
• Validation of user permissions in the view page, but missing user validation in the handler page
• Improper validation of the id parameter

index.php
<?php
include 'util.php';
if (!isLoggedIn()) {
    echo 'Not Authorized';
    die();
}
?>
<!DOCTYPE html>
<html>
<body>
<p>Welcome Admin</p>
<form action="handler.php" method="post">
<input type="text" name="user_id">
<input type="hidden" name="type" value="delete_user">
<input type="submit" value="Delete User" name="submit">
</form>
</body>
</html>

handler.php
<?php
// no login check here: the handler trusts that index.php already did it
$type = $_REQUEST['type'];
switch ($type) {
    case 'delete_user':
        $user_id = $_REQUEST['user_id'];
        // delete user
        echo "user deleted successfully :)";
        break;
    default:
        break;
}
?>
Attack
http://localhost/auth/handler.php?user_id=1&type=delete_user
Authentication Bypass – Fix
• add proper user validation :p

handler_fixed.php
<?php
include 'util.php';
if (!isLoggedIn()) {
    echo 'Not Authorized';
    die();
}
$type = $_REQUEST['type'];
switch ($type) {
    case 'delete_user':
        $user_id = $_REQUEST['user_id'];
        // check $user_id == $_user->user_id
        // delete user
        echo "user deleted successfully :)";
        break;
    default:
        break;
}
?>
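The fixed handler checks that a user is logged in, but the comment about comparing user_id with the caller's own id is the part that actually stops one user deleting another. The following is an added example (my own code, not from the slides or the zpwned repository) that makes both checks explicit in one handler: the request must be a POST, the caller must be authenticated, and the target user must be either the caller or the caller must hold an admin role. The session and server arrays are passed in as parameters so the decision table runs from the CLI; the role field, the status codes and deleteUser() are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: authentication plus authorization in the handler itself.

// Returns [HTTP status, message] so the decision can be inspected without a web server.
function handleRequest(array $session, array $server, array $post): array
{
    // 1. Only accept the method the form uses; $_REQUEST/$_GET would also accept
    //    a plain link or <img src=...> request.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return [405, 'Method Not Allowed'];
    }
    // 2. Authentication: the handler checks the session itself instead of
    //    trusting that index.php already did.
    $user = $session['user'] ?? null;
    if (!is_array($user) || empty($user['id'])) {
        return [401, 'Not Authorized'];
    }
    $type = $post['type'] ?? '';
    switch ($type) {
        case 'delete_user':
            $target = filter_var($post['user_id'] ?? '', FILTER_VALIDATE_INT);
            if ($target === false || $target < 1) {
                return [400, 'Invalid user_id'];
            }
            // 3. Authorization: an admin may delete anyone; everyone else only
            //    their own account (the "$user_id == $_user->user_id" check).
            $isAdmin = ($user['role'] ?? '') === 'admin';
            if (!$isAdmin && $target !== (int) $user['id']) {
                return [403, 'Forbidden'];
            }
            deleteUser($target);
            return [200, "user $target deleted"];
        default:
            return [400, 'Unknown action'];
    }
}

function deleteUser(int $id): void
{
    // constructed stand-in for the real database call
}

// Constructed requests: the same delete action from five different callers.
$post = ['type' => 'delete_user', 'user_id' => '1'];
$cases = [
    'anonymous GET (the slide\'s attack URL)' => [[], ['REQUEST_METHOD' => 'GET'], $post],
    'anonymous POST'                         => [[], ['REQUEST_METHOD' => 'POST'], $post],
    'user 7 deleting user 1'                 => [['user' => ['id' => 7, 'role' => 'user']], ['REQUEST_METHOD' => 'POST'], $post],
    'user 1 deleting self'                   => [['user' => ['id' => 1, 'role' => 'user']], ['REQUEST_METHOD' => 'POST'], $post],
    'admin deleting user 1'                  => [['user' => ['id' => 2, 'role' => 'admin']], ['REQUEST_METHOD' => 'POST'], $post],
];
foreach ($cases as $label => [$session, $server, $body]) {
    [$status, $msg] = handleRequest($session, $server, $body);
    printf("%-40s -> %d %s\n", $label, $status, $msg);
}
```

The first three callers are refused with 405, 401 and 403 respectively; only the last two reach deleteUser(). Keeping the authorization decision next to the action, rather than in the page that renders the form, is what closes the bypass described above.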
Cross Site Scripting (XSS)
Cross Site Scripting (XSS) – Vulnerable Code
search.php
<?php
$query = $_GET['q'];
$user_id = $_GET['user_id'];
echo "You searched for " . $query;   // HTML context, unescaped
?>
<br>
<script type="text/javascript">
var user = '<?php echo $user_id ?>';   // JavaScript string context, unescaped
</script>
Expected Input
http://localhost/xss/search.php?user_id=1&q=9 dragon chinese
Attack
http://localhost/xss/search.php?user_id=1%27;alert(1);//&q=test
http://localhost/xss/search.php?user_id=1&q=<script>alert(1)</script>
Cross Site Scripting (XSS) – Fix
• filter user inputs
• use htmlspecialchars, htmlentities, strip_tags, filter_var & is_numeric

search_fixed.php
<?php
$query = htmlspecialchars($_GET['q'] ?? '', ENT_QUOTES, 'UTF-8');
$user_id = filter_var($_GET['user_id'] ?? '', FILTER_VALIDATE_INT);   // false unless a whole number
echo "You searched for " . $query;
?>
<script type="text/javascript">
// safe only because $user_id is now an int (or false); HTML encoding would not protect a script context
var user = '<?php echo $user_id ?>';
</script>
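The fix above relies on two different mechanisms: htmlspecialchars() for the HTML body and an integer check for the value inside the script block. The point worth seeing is that each output context needs its own encoder, and that a value which must stay free text (the query) can still be placed in JavaScript safely with a JSON encoder. The script below is an added example (my own code, not from the slides or the zpwned repository) that renders the search page with one encoder per context and feeds it the slide's expected input and both payloads; the function names are assumptions and $get stands in for $_GET.

```php
<?php
declare(strict_types=1);
// Added example: one encoder per output context.

// HTML text and attribute-value context.
function encHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript string-literal context inside <script>. Browsers do not HTML-decode
// script bodies, so htmlspecialchars() is the wrong tool: json_encode() with the
// HEX flags yields a quoted literal in which <, >, &, ' and " become \uXXXX, so
// neither a closing quote nor a </script> tag can appear in the output.
function encJs(string $s): string
{
    $out = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $out === false ? '""' : $out;   // invalid UTF-8: emit an empty literal
}

// Render the page; $get stands in for $_GET so this runs from the CLI.
function renderSearch(array $get): string
{
    $query = is_string($get['q'] ?? null) ? $get['q'] : '';
    // user_id is numeric by contract: a rejected value becomes 0, it is never echoed back
    $userId = filter_var($get['user_id'] ?? '', FILTER_VALIDATE_INT);
    $userId = $userId === false ? 0 : $userId;

    return 'You searched for ' . encHtml($query) . "<br>\n"
         . "<script>\n"
         . 'var user = ' . encJs((string) $userId) . ";\n"
         . 'var query = ' . encJs($query) . ";\n"   // same free-text value, script context
         . "</script>\n";
}

// Constructed inputs: the slide's expected input and its two attack URLs.
$cases = [
    ['user_id' => '1', 'q' => '9 dragon chinese'],
    ['user_id' => "1';alert(1);//", 'q' => 'test'],
    ['user_id' => '1', 'q' => '<script>alert(1)</script>'],
];
foreach ($cases as $get) {
    echo renderSearch($get), str_repeat('-', 40), PHP_EOL;
}
```

For the second input the rendered script reads `var user = "0";` because the value failed integer validation; for the third, the body shows `&lt;script&gt;alert(1)&lt;/script&gt;` and the script block carries `"\u003Cscript\u003Ealert(1)\u003C\/script\u003E"`, a harmless string in both contexts.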
Cross Site Scripting (XSS) – Functions
• print
• echo
• printf
• sprintf
• var_dump
• print_r
Cross Site Request Forgery (CSRF)
Cross Site Request Forgery – Vulnerable Code
• Missing CSRF token in post data
• Using $_GET or $_REQUEST instead of $_POST in data update

Vulnerable Scenario
update_user.php
<?php
$name = $_REQUEST['name'];         // $_REQUEST also accepts GET parameters, so an <img> request updates the profile
$about = $_REQUEST['about'];
$username = $_REQUEST['username'];
// update user info
?>

attack.html
<!DOCTYPE html>
<html>
<body>
<img src="http://localhost/csrf/update_user.php?name=YouHaveBeenHackedByVinoth" alt="You Have Been Hacked :(" height="0" width="0"/>
</body>
</html>
Cross Site Request Forgery – Fix
update_user_fixed.php
<?php
session_start();
if (empty($_SESSION['csrf_token'])
    || !isset($_POST['csrf_token']) || !is_string($_POST['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    echo 'Wrong Token';
    die();   // without this the update below would still run
}
$name = $_POST['name'];
$about = $_POST['about'];
$username = $_POST['username'];
// update user info
?>
• avoid $_REQUEST and $_GET for getting post information
• use a CSRF token for post data
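The fix slide shows the check but not where the token comes from. The following is an added example (my own code, not from the slides or the zpwned repository) that covers the whole cycle: a random token issued once per session with random_bytes(), the hidden form field that carries it, a constant-time comparison with hash_equals(), and an update handler that refuses anything but a POST with a matching token. The session is modelled as an array passed by reference so the walkthrough runs from the CLI; in a real page csrfToken($_SESSION) would be called after session_start().

```php
<?php
declare(strict_types=1);
// Added example: CSRF token issue, embed and verify.

// Issue a token once per session and reuse it for every form in that session.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    }
    return $session['csrf_token'];
}

// Hidden field to place inside the <form>.
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison; a missing or non-string token fails closed.
function csrfValid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// The update handler: method check first, token check second, then the update.
function updateUser(array &$session, array $server, array $post): string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return '405 only POST may update data';   // the <img src=...> request stops here
    }
    if (!csrfValid($session, $post)) {
        return '403 Wrong Token';                  // return, never fall through to the update
    }
    $name = is_string($post['name'] ?? null) ? $post['name'] : '';
    // ... update user info ...
    return '200 updated name to ' . $name;
}

// Constructed walkthrough: one session, one legitimate token, four requests.
$session = [];
$token = csrfToken($session);
echo csrfField($session), PHP_EOL;

$cases = [
    'forged GET via <img>'        => [['REQUEST_METHOD' => 'GET'],  ['name' => 'Forged']],
    'forged POST, no token'       => [['REQUEST_METHOD' => 'POST'], ['name' => 'Forged']],
    'forged POST, guessed token'  => [['REQUEST_METHOD' => 'POST'], ['name' => 'Forged', 'csrf_token' => str_repeat('0', 64)]],
    'legitimate form submit'      => [['REQUEST_METHOD' => 'POST'], ['name' => 'vinoth', 'csrf_token' => $token]],
];
foreach ($cases as $label => [$server, $post]) {
    printf("%-28s -> %s\n", $label, updateUser($session, $server, $post));
}
```

Only the last request reaches the update. Because the token lives in the server-side session and is compared in constant time, a page on another origin can trigger the request but cannot read or predict the value it would need to include.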
References
• Information & Samples: https://github.com/vinothzomato/zpwned
• https://www.exploit-db.com/papers/12871/
• http://stackoverflow.com/questions/3115559/exploitable-php-functions
• http://www.php-security.org/2010/05/20/mops-submission-07-our-dynamic-php/index.html