SlideShare a Scribd company logo

What Is Security

Jason Ragsdale
Jason Ragsdale

The document discusses various aspects of web application security. It covers topics like disabling errors and globals in php.ini, avoiding including files from user input, input validation and filtering, output encoding, cross-site scripting prevention, cross-site request forgery protection, source code protection, code auditing, system security best practices, and using encryption and firewalls. The document provides examples and recommendations for improving security in each of these areas.

TechnologyBusiness
1 of 25
Download to read offline
What is Security? DPUG - September 9th 2008 Jason Ragsdale Wednesday, September 10, 2008 1
A good place to start... php.ini display_errors = Off register_globals = Off open_basedir = .... What about safe_mode?? Wednesday, September 10, 2008 2
Don’t be stupid Never require/include any file based on user input without checking it first. <?php if (isset($_GET[‘page’]) { require $_GET[‘page’]; } ?> URL: script.php?page=/etc/passwd .... nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:*:0:0:System Administrator:/var/root:/bin/sh Wednesday, September 10, 2008 3
Don’t be stupid... 2 If your solution uses eval().... you are doing it wrong <?php if (isset($_GET[‘input’]) { eval($_GET[‘input’]); } ?> URL: script.php?input=passthru(“cat /etc/passwd”); .... nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:*:0:0:System Administrator:/var/root:/bin/sh Wednesday, September 10, 2008 4
Input Filtering What is input? Anything the user or interacting system sends to your site i.e. ($_POST, $_GET, $_REQUEST, $_COOKIE...) What is a whitelist? “A list of approved or favored items” What is a blacklist? “A list persons who are disapproved of or are to be punished or boycotted” Wednesday, September 10, 2008 5
Input Validation Unfiltered code Example <?php if (isset($_POST[‘username’])) { $username = $_POST[‘username’]; } Wednesday, September 10, 2008 6
Input Validation ctype Example <?php $clean = array(); if (ctype_alnum($_POST[‘username’])) { $clean[‘username’] = $_POST[‘username’]; } Wednesday, September 10, 2008 7
Input Validation Zend_Filter_Input Example <?php if (isset($_POST[‘username’])) { $filterChain = new Zend_Filter(); $filterChain->addFilter(new Zend_Filter_Alpha()) ->addFilter(new Zend_Filter_StringToLower()); $username = $filterChain->filter($_POST[‘username’]); } Wednesday, September 10, 2008 8
Input Validation php/filter Example <?php if (isset($_POST[‘username’])) { $username = filter_var(‘username’, FILTER_VALIDATE_REGEXP, array( ‘options’=> array(‘regexp’=>’/([a-zA-Z0-9]+)/’) ) ); } Wednesday, September 10, 2008 9
Output Encoding What is output? Anything sent back to the user / sender of the request (RSS Feed, Form Validate, User created data...) htmlentities Example <?php $str = “A ‘quote’ is <b>bold</b>”; //Outputs: A ‘quote’ is &lt;b&gt;bold&lt;/b&gt echo htmlentities($str); //Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt echo htmlentities($str, ENT_QUOTES); Wednesday, September 10, 2008 10
Tim Stiles At this point mention XmlWriter and all it’s wonders.... ;) Wednesday, September 10, 2008 11
Database Inputs (or: How I Learned to Stop Worrying and Love the Users) Wednesday, September 10, 2008 12
How do i deal with it? A input filter (whitelist) combined with prepared statements... DONE $clean = array(); if (ctype_alnum($_POST[‘username’])) { $clean[‘username’] = $_POST[‘username’]; } $sql = “SELECT `username` FROM `users` WHERE `username` = :username”; $sth = $dbh->prepare($sql); $sth->execute(array(‘:username’=> $clean[‘username’])); $username = $sth->fetchColumn(); Wednesday, September 10, 2008 13
XSS (Cross Site Scripting) Example <?php echo “<p> Welcome back, {$_GET[‘username’]}.</p>”; ?> ------ Let’s exploit this ------ <p> Welcome back, <script> ....do something bad here... </script>. </p> Wednesday, September 10, 2008 14
XSS (Cross Site Scripting) If you do the two items we spoke about Input Filtering Output Encoding You most likely are still vulnerable, but it’ll be a lot harder to exploit Almost impossible to completely nullify all security / XSS stuff (new browsers and plugins all the time + bad guys keep getting smarter) Wednesday, September 10, 2008 15
CSRF (Cross Site Request Forgeries) Somewhere on MyFavoriteForum.com: <img src=”bank.com/transfermoney.php? to=me&amount=100.00”> ...if users are logged in, invisible actions can be taken on their behalf, with their authority. Wednesday, September 10, 2008 16
CSRF (Cross Site Request Forgeries) Solutions Sign your forms with a token (MD5 hash with a secret key) Validate the token before processing the data This can be done with Cookie and Session data as well Wednesday, September 10, 2008 17
Protecting Source Code Make sure all code file extensions are blocked from viewing You can remove them from the html root Or block them in the apache config <FilesMatch “.inc$”> order deny, allow deny from all </FilesMatch> Wednesday, September 10, 2008 18
Protecting Source Code Watch for editor backup files too! .file.php.tmp file.php~ etc... Or don’t edit code on production boxes. Wednesday, September 10, 2008 19
Code Auditing Set a standard for your team (and yes a team can be a single person) Input Filtering Methods Output Encoding Methods Database Access Methods Search code security points (echo, print...) Enforce these methods Wednesday, September 10, 2008 20
Code Auditing Default to Secure. Make being unsecure obvious and auditable YAHOO_GET_RAW( “blah” ) Wednesday, September 10, 2008 21
System Security Your website is only as secure as the server/network is it hosted on Perform regular package updates Make sure you apply any updated PHP or Apache code as soon as you can, there are reasons for security releases Wednesday, September 10, 2008 22
Firewalls & Access Control Only allow access to ports that you need to 80 - Web 443 - SSL 22 - SSH Wednesday, September 10, 2008 23
Misc... Signed Data (MD5) Encrypted passwords in the DB Config Files outside DOCROOT Secret keys outside code, in config files If it’s customer data USE SSL Wednesday, September 10, 2008 24
Q&A Wednesday, September 10, 2008 25

Recommended

Tulsa techfest2010 security
Tulsa techfest2010 securityTulsa techfest2010 security
Tulsa techfest2010 security
Jason Ragsdale
 
Php 101: PDO
Php 101: PDOPhp 101: PDO
Php 101: PDO
Jeremy Kendall
 
international PHP2011_Bastian Feder_jQuery's Secrets
international PHP2011_Bastian Feder_jQuery's Secretsinternational PHP2011_Bastian Feder_jQuery's Secrets
international PHP2011_Bastian Feder_jQuery's Secrets
smueller_sandsmedia
 
PHP Data Objects
PHP Data ObjectsPHP Data Objects
PHP Data Objects
Wez Furlong
 
Unit and Functional Testing with Symfony2
Unit and Functional Testing with Symfony2Unit and Functional Testing with Symfony2
Unit and Functional Testing with Symfony2
Fabien Potencier
 
Dependency injection in PHP 5.3/5.4
Dependency injection in PHP 5.3/5.4Dependency injection in PHP 5.3/5.4
Dependency injection in PHP 5.3/5.4
Fabien Potencier
 
Dependency Injection with PHP and PHP 5.3
Dependency Injection with PHP and PHP 5.3Dependency Injection with PHP and PHP 5.3
Dependency Injection with PHP and PHP 5.3
Fabien Potencier
 
php plus mysql
php plus mysqlphp plus mysql
php plus mysql
Jayson de Leon
 

Recommended

Tulsa techfest2010 security
Tulsa techfest2010 securityTulsa techfest2010 security
Tulsa techfest2010 security
Jason Ragsdale
 
Php 101: PDO
Php 101: PDOPhp 101: PDO
Php 101: PDO
Jeremy Kendall
 
international PHP2011_Bastian Feder_jQuery's Secrets
international PHP2011_Bastian Feder_jQuery's Secretsinternational PHP2011_Bastian Feder_jQuery's Secrets
international PHP2011_Bastian Feder_jQuery's Secrets
smueller_sandsmedia
 
PHP Data Objects
PHP Data ObjectsPHP Data Objects
PHP Data Objects
Wez Furlong
 
Unit and Functional Testing with Symfony2
Unit and Functional Testing with Symfony2Unit and Functional Testing with Symfony2
Unit and Functional Testing with Symfony2
Fabien Potencier
 
Dependency injection in PHP 5.3/5.4
Dependency injection in PHP 5.3/5.4Dependency injection in PHP 5.3/5.4
Dependency injection in PHP 5.3/5.4
Fabien Potencier
 
Dependency Injection with PHP and PHP 5.3
Dependency Injection with PHP and PHP 5.3Dependency Injection with PHP and PHP 5.3
Dependency Injection with PHP and PHP 5.3
Fabien Potencier
 
php plus mysql
php plus mysqlphp plus mysql
php plus mysql
Jayson de Leon
 
Decouple Your Code For Reusability (International PHP Conference / IPC 2008)
Decouple Your Code For Reusability (International PHP Conference / IPC 2008)Decouple Your Code For Reusability (International PHP Conference / IPC 2008)
Decouple Your Code For Reusability (International PHP Conference / IPC 2008)
Fabien Potencier
 
dcs plus Catalogue 2015
dcs plus Catalogue 2015dcs plus Catalogue 2015
dcs plus Catalogue 2015
dcs plus
 
Mocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnitMocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnit
mfrost503
 
Dependency injection - phpday 2010
Dependency injection - phpday 2010Dependency injection - phpday 2010
Dependency injection - phpday 2010
Fabien Potencier
 
Unittests für Dummies
Unittests für DummiesUnittests für Dummies
Unittests für Dummies
Lars Jankowfsky
 
Dependency Injection IPC 201
Dependency Injection IPC 201Dependency Injection IPC 201
Dependency Injection IPC 201
Fabien Potencier
 
Dependency Injection with PHP 5.3
Dependency Injection with PHP 5.3Dependency Injection with PHP 5.3
Dependency Injection with PHP 5.3
Fabien Potencier
 
PhpUnit - The most unknown Parts
PhpUnit - The most unknown PartsPhpUnit - The most unknown Parts
PhpUnit - The most unknown Parts
Bastian Feder
 
jQuery secrets
jQuery secretsjQuery secrets
jQuery secrets
Bastian Feder
 
Quebec pdo
Quebec pdoQuebec pdo
Quebec pdo
Valentine Dianov
 
Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...
Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...
Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...
Mail.ru Group
 
Php unit the-mostunknownparts
Php unit the-mostunknownpartsPhp unit the-mostunknownparts
Php unit the-mostunknownparts
Bastian Feder
 
Php
PhpPhp
Php
Linh Tran
 
Corephpcomponentpresentation 1211425966721657-8
Corephpcomponentpresentation 1211425966721657-8Corephpcomponentpresentation 1211425966721657-8
Corephpcomponentpresentation 1211425966721657-8
PrinceGuru MS
 
Nantes Jug - Java 7
Nantes Jug - Java 7Nantes Jug - Java 7
Nantes Jug - Java 7
Sébastien Prunier
 
zinno
zinnozinno
zinno
guest6a7933
 
Php tips-and-tricks4128
Php tips-and-tricks4128Php tips-and-tricks4128
Php tips-and-tricks4128
PrinceGuru MS
 
Symfony2 - WebExpo 2010
Symfony2 - WebExpo 2010Symfony2 - WebExpo 2010
Symfony2 - WebExpo 2010
Fabien Potencier
 
PHP 5.4
PHP 5.4PHP 5.4
PHP 5.4
Federico Damián Lozada Mosto
 
Tulsa tech fest 2010 - web speed and scalability
Tulsa tech fest 2010 - web speed and scalabilityTulsa tech fest 2010 - web speed and scalability
Tulsa tech fest 2010 - web speed and scalability
Jason Ragsdale
 
Caching: A Guided Tour - 10/12/2010
Caching: A Guided Tour - 10/12/2010Caching: A Guided Tour - 10/12/2010
Caching: A Guided Tour - 10/12/2010
Jason Ragsdale
 
Test Driven Development - Tulsa TechFest 2009
Test Driven Development - Tulsa TechFest 2009Test Driven Development - Tulsa TechFest 2009
Test Driven Development - Tulsa TechFest 2009
Jason Ragsdale
 

More Related Content

What's hot

Decouple Your Code For Reusability (International PHP Conference / IPC 2008)
Decouple Your Code For Reusability (International PHP Conference / IPC 2008)Decouple Your Code For Reusability (International PHP Conference / IPC 2008)
Decouple Your Code For Reusability (International PHP Conference / IPC 2008)
Fabien Potencier
 
dcs plus Catalogue 2015
dcs plus Catalogue 2015dcs plus Catalogue 2015
dcs plus Catalogue 2015
dcs plus
 
Mocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnitMocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnit
mfrost503
 
Dependency injection - phpday 2010
Dependency injection - phpday 2010Dependency injection - phpday 2010
Dependency injection - phpday 2010
Fabien Potencier
 
Unittests für Dummies
Unittests für DummiesUnittests für Dummies
Unittests für Dummies
Lars Jankowfsky
 
Dependency Injection IPC 201
Dependency Injection IPC 201Dependency Injection IPC 201
Dependency Injection IPC 201
Fabien Potencier
 
Dependency Injection with PHP 5.3
Dependency Injection with PHP 5.3Dependency Injection with PHP 5.3
Dependency Injection with PHP 5.3
Fabien Potencier
 
PhpUnit - The most unknown Parts
PhpUnit - The most unknown PartsPhpUnit - The most unknown Parts
PhpUnit - The most unknown Parts
Bastian Feder
 
jQuery secrets
jQuery secretsjQuery secrets
jQuery secrets
Bastian Feder
 
Quebec pdo
Quebec pdoQuebec pdo
Quebec pdo
Valentine Dianov
 
Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...
Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...
Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...
Mail.ru Group
 
Php unit the-mostunknownparts
Php unit the-mostunknownpartsPhp unit the-mostunknownparts
Php unit the-mostunknownparts
Bastian Feder
 
Php
PhpPhp
Php
Linh Tran
 
Corephpcomponentpresentation 1211425966721657-8
Corephpcomponentpresentation 1211425966721657-8Corephpcomponentpresentation 1211425966721657-8
Corephpcomponentpresentation 1211425966721657-8
PrinceGuru MS
 
Nantes Jug - Java 7
Nantes Jug - Java 7Nantes Jug - Java 7
Nantes Jug - Java 7
Sébastien Prunier
 
zinno
zinnozinno
zinno
guest6a7933
 
Php tips-and-tricks4128
Php tips-and-tricks4128Php tips-and-tricks4128
Php tips-and-tricks4128
PrinceGuru MS
 
Symfony2 - WebExpo 2010
Symfony2 - WebExpo 2010Symfony2 - WebExpo 2010
Symfony2 - WebExpo 2010
Fabien Potencier
 
PHP 5.4
PHP 5.4PHP 5.4
PHP 5.4
Federico Damián Lozada Mosto
 

What's hot (19)

Decouple Your Code For Reusability (International PHP Conference / IPC 2008)
Decouple Your Code For Reusability (International PHP Conference / IPC 2008)Decouple Your Code For Reusability (International PHP Conference / IPC 2008)
Decouple Your Code For Reusability (International PHP Conference / IPC 2008)
 
dcs plus Catalogue 2015
dcs plus Catalogue 2015dcs plus Catalogue 2015
dcs plus Catalogue 2015
 
Mocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnitMocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnit
 
Dependency injection - phpday 2010
Dependency injection - phpday 2010Dependency injection - phpday 2010
Dependency injection - phpday 2010
 
Unittests für Dummies
Unittests für DummiesUnittests für Dummies
Unittests für Dummies
 
Dependency Injection IPC 201
Dependency Injection IPC 201Dependency Injection IPC 201
Dependency Injection IPC 201
 
Dependency Injection with PHP 5.3
Dependency Injection with PHP 5.3Dependency Injection with PHP 5.3
Dependency Injection with PHP 5.3
 
PhpUnit - The most unknown Parts
PhpUnit - The most unknown PartsPhpUnit - The most unknown Parts
PhpUnit - The most unknown Parts
 
jQuery secrets
jQuery secretsjQuery secrets
jQuery secrets
 
Quebec pdo
Quebec pdoQuebec pdo
Quebec pdo
 
Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...
Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...
Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...
 
Php unit the-mostunknownparts
Php unit the-mostunknownpartsPhp unit the-mostunknownparts
Php unit the-mostunknownparts
 
Php
PhpPhp
Php
 
Corephpcomponentpresentation 1211425966721657-8
Corephpcomponentpresentation 1211425966721657-8Corephpcomponentpresentation 1211425966721657-8
Corephpcomponentpresentation 1211425966721657-8
 
Nantes Jug - Java 7
Nantes Jug - Java 7Nantes Jug - Java 7
Nantes Jug - Java 7
 
zinno
zinnozinno
zinno
 
Php tips-and-tricks4128
Php tips-and-tricks4128Php tips-and-tricks4128
Php tips-and-tricks4128
 
Symfony2 - WebExpo 2010
Symfony2 - WebExpo 2010Symfony2 - WebExpo 2010
Symfony2 - WebExpo 2010
 
PHP 5.4
PHP 5.4PHP 5.4
PHP 5.4
 

Viewers also liked

Tulsa tech fest 2010 - web speed and scalability
Tulsa tech fest 2010 - web speed and scalabilityTulsa tech fest 2010 - web speed and scalability
Tulsa tech fest 2010 - web speed and scalability
Jason Ragsdale
 
Caching: A Guided Tour - 10/12/2010
Caching: A Guided Tour - 10/12/2010Caching: A Guided Tour - 10/12/2010
Caching: A Guided Tour - 10/12/2010
Jason Ragsdale
 
Test Driven Development - Tulsa TechFest 2009
Test Driven Development - Tulsa TechFest 2009Test Driven Development - Tulsa TechFest 2009
Test Driven Development - Tulsa TechFest 2009
Jason Ragsdale
 
Web Speed And Scalability
Web Speed And ScalabilityWeb Speed And Scalability
Web Speed And Scalability
Jason Ragsdale
 
Test Driven Development - 09/2009
Test Driven Development - 09/2009Test Driven Development - 09/2009
Test Driven Development - 09/2009
Jason Ragsdale
 
Yii Introduction
Yii IntroductionYii Introduction
Yii Introduction
Jason Ragsdale
 
RIA with Flex & PHP - Tulsa TechFest 2009
RIA with Flex & PHP - Tulsa TechFest 2009RIA with Flex & PHP - Tulsa TechFest 2009
RIA with Flex & PHP - Tulsa TechFest 2009
Jason Ragsdale
 
Yii Framework
Yii FrameworkYii Framework
Yii Framework
Jason Ragsdale
 

Viewers also liked (8)

Tulsa tech fest 2010 - web speed and scalability
Tulsa tech fest 2010 - web speed and scalabilityTulsa tech fest 2010 - web speed and scalability
Tulsa tech fest 2010 - web speed and scalability
 
Caching: A Guided Tour - 10/12/2010
Caching: A Guided Tour - 10/12/2010Caching: A Guided Tour - 10/12/2010
Caching: A Guided Tour - 10/12/2010
 
Test Driven Development - Tulsa TechFest 2009
Test Driven Development - Tulsa TechFest 2009Test Driven Development - Tulsa TechFest 2009
Test Driven Development - Tulsa TechFest 2009
 
Web Speed And Scalability
Web Speed And ScalabilityWeb Speed And Scalability
Web Speed And Scalability
 
Test Driven Development - 09/2009
Test Driven Development - 09/2009Test Driven Development - 09/2009
Test Driven Development - 09/2009
 
Yii Introduction
Yii IntroductionYii Introduction
Yii Introduction
 
RIA with Flex & PHP - Tulsa TechFest 2009
RIA with Flex & PHP - Tulsa TechFest 2009RIA with Flex & PHP - Tulsa TechFest 2009
RIA with Flex & PHP - Tulsa TechFest 2009
 
Yii Framework
Yii FrameworkYii Framework
Yii Framework
 

Similar to What Is Security

international PHP2011_Bastian Feder_The most unknown Parts of PHPUnit
international PHP2011_Bastian Feder_The most unknown Parts of PHPUnitinternational PHP2011_Bastian Feder_The most unknown Parts of PHPUnit
international PHP2011_Bastian Feder_The most unknown Parts of PHPUnit
smueller_sandsmedia
 
Lithium: The Framework for People Who Hate Frameworks
Lithium: The Framework for People Who Hate FrameworksLithium: The Framework for People Who Hate Frameworks
Lithium: The Framework for People Who Hate Frameworks
Nate Abele
 
Php unit the-mostunknownparts
Php unit the-mostunknownpartsPhp unit the-mostunknownparts
Php unit the-mostunknownparts
Bastian Feder
 
Concern of Web Application Security
Concern of Web Application SecurityConcern of Web Application Security
Concern of Web Application Security
Mahmud Ahsan
 
Php Security
Php SecurityPhp Security
Php Security
guest7cf35c
 
Unit testing with zend framework tek11
Unit testing with zend framework tek11Unit testing with zend framework tek11
Unit testing with zend framework tek11
Michelangelo van Dam
 
Unit testing with zend framework PHPBenelux
Unit testing with zend framework PHPBeneluxUnit testing with zend framework PHPBenelux
Unit testing with zend framework PHPBenelux
Michelangelo van Dam
 
Legacy applications - 4Developes konferencja, Piotr Pasich
Legacy applications - 4Developes konferencja, Piotr PasichLegacy applications - 4Developes konferencja, Piotr Pasich
Legacy applications - 4Developes konferencja, Piotr Pasich
Piotr Pasich
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And Anish
OSSCube
 
Daily notes
Daily notesDaily notes
Daily notes
meghendra168
 
Design Patterns avec PHP 5.3, Symfony et Pimple
Design Patterns avec PHP 5.3, Symfony et PimpleDesign Patterns avec PHP 5.3, Symfony et Pimple
Design Patterns avec PHP 5.3, Symfony et Pimple
Hugo Hamon
 
Unit testing zend framework apps
Unit testing zend framework appsUnit testing zend framework apps
Unit testing zend framework apps
Michelangelo van Dam
 
PHP Security
PHP SecurityPHP Security
PHP Security
manugoel2003
 
Php security3895
Php security3895Php security3895
Php security3895
PrinceGuru MS
 
Turbo Charged Test Suites
Turbo Charged Test SuitesTurbo Charged Test Suites
Turbo Charged Test Suites
Curtis Poe
 
Bag Of Tricks From Iusethis
Bag Of Tricks From IusethisBag Of Tricks From Iusethis
Bag Of Tricks From Iusethis
Marcus Ramberg
 
Magento Attributes - Fresh View
Magento Attributes - Fresh ViewMagento Attributes - Fresh View
Magento Attributes - Fresh View
Alex Gotgelf
 
The Zen of Lithium
The Zen of LithiumThe Zen of Lithium
The Zen of Lithium
Nate Abele
 
TestFest - Respect\Validation 1.0
TestFest - Respect\Validation 1.0TestFest - Respect\Validation 1.0
TestFest - Respect\Validation 1.0
Henrique Moody
 
Mocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnitMocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnit
mfrost503
 

Similar to What Is Security (20)

international PHP2011_Bastian Feder_The most unknown Parts of PHPUnit
international PHP2011_Bastian Feder_The most unknown Parts of PHPUnitinternational PHP2011_Bastian Feder_The most unknown Parts of PHPUnit
international PHP2011_Bastian Feder_The most unknown Parts of PHPUnit
 
Lithium: The Framework for People Who Hate Frameworks
Lithium: The Framework for People Who Hate FrameworksLithium: The Framework for People Who Hate Frameworks
Lithium: The Framework for People Who Hate Frameworks
 
Php unit the-mostunknownparts
Php unit the-mostunknownpartsPhp unit the-mostunknownparts
Php unit the-mostunknownparts
 
Concern of Web Application Security
Concern of Web Application SecurityConcern of Web Application Security
Concern of Web Application Security
 
Php Security
Php SecurityPhp Security
Php Security
 
Unit testing with zend framework tek11
Unit testing with zend framework tek11Unit testing with zend framework tek11
Unit testing with zend framework tek11
 
Unit testing with zend framework PHPBenelux
Unit testing with zend framework PHPBeneluxUnit testing with zend framework PHPBenelux
Unit testing with zend framework PHPBenelux
 
Legacy applications - 4Developes konferencja, Piotr Pasich
Legacy applications - 4Developes konferencja, Piotr PasichLegacy applications - 4Developes konferencja, Piotr Pasich
Legacy applications - 4Developes konferencja, Piotr Pasich
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And Anish
 
Daily notes
Daily notesDaily notes
Daily notes
 
Design Patterns avec PHP 5.3, Symfony et Pimple
Design Patterns avec PHP 5.3, Symfony et PimpleDesign Patterns avec PHP 5.3, Symfony et Pimple
Design Patterns avec PHP 5.3, Symfony et Pimple
 
Unit testing zend framework apps
Unit testing zend framework appsUnit testing zend framework apps
Unit testing zend framework apps
 
PHP Security
PHP SecurityPHP Security
PHP Security
 
Php security3895
Php security3895Php security3895
Php security3895
 
Turbo Charged Test Suites
Turbo Charged Test SuitesTurbo Charged Test Suites
Turbo Charged Test Suites
 
Bag Of Tricks From Iusethis
Bag Of Tricks From IusethisBag Of Tricks From Iusethis
Bag Of Tricks From Iusethis
 
Magento Attributes - Fresh View
Magento Attributes - Fresh ViewMagento Attributes - Fresh View
Magento Attributes - Fresh View
 
The Zen of Lithium
The Zen of LithiumThe Zen of Lithium
The Zen of Lithium
 
TestFest - Respect\Validation 1.0
TestFest - Respect\Validation 1.0TestFest - Respect\Validation 1.0
TestFest - Respect\Validation 1.0
 
Mocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnitMocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnit
 

Recently uploaded

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
marufrahmanstratejm
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
Dinusha Kumarasiri
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdfdbms calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
Shinana2
 
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
Intelisync
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 

Recently uploaded (20)

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdfdbms calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
 
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 

What Is Security

  • 1. What is Security? DPUG - September 9th 2008 Jason Ragsdale Wednesday, September 10, 2008 1
  • 2. A good place to start... php.ini display_errors = Off register_globals = Off open_basedir = .... What about safe_mode?? Wednesday, September 10, 2008 2
  • 3. Don’t be stupid Never require/include any file based on user input without checking it first. <?php if (isset($_GET[‘page’]) { require $_GET[‘page’]; } ?> URL: script.php?page=/etc/passwd .... nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:*:0:0:System Administrator:/var/root:/bin/sh Wednesday, September 10, 2008 3
  • 4. Don’t be stupid... 2 If your solution uses eval().... you are doing it wrong <?php if (isset($_GET[‘input’]) { eval($_GET[‘input’]); } ?> URL: script.php?input=passthru(“cat /etc/passwd”); .... nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:*:0:0:System Administrator:/var/root:/bin/sh Wednesday, September 10, 2008 4
  • 5. Input Filtering What is input? Anything the user or interacting system sends to your site i.e. ($_POST, $_GET, $_REQUEST, $_COOKIE...) What is a whitelist? “A list of approved or favored items” What is a blacklist? “A list persons who are disapproved of or are to be punished or boycotted” Wednesday, September 10, 2008 5
  • 6. Input Validation Unfiltered code Example <?php if (isset($_POST[‘username’])) { $username = $_POST[‘username’]; } Wednesday, September 10, 2008 6
  • 7. Input Validation ctype Example <?php $clean = array(); if (ctype_alnum($_POST[‘username’])) { $clean[‘username’] = $_POST[‘username’]; } Wednesday, September 10, 2008 7
  • 8. Input Validation Zend_Filter_Input Example <?php if (isset($_POST[‘username’])) { $filterChain = new Zend_Filter(); $filterChain->addFilter(new Zend_Filter_Alpha()) ->addFilter(new Zend_Filter_StringToLower()); $username = $filterChain->filter($_POST[‘username’]); } Wednesday, September 10, 2008 8
  • 9. Input Validation php/filter Example <?php if (isset($_POST[‘username’])) { $username = filter_var(‘username’, FILTER_VALIDATE_REGEXP, array( ‘options’=> array(‘regexp’=>’/([a-zA-Z0-9]+)/’) ) ); } Wednesday, September 10, 2008 9
  • 10. Output Encoding What is output? Anything sent back to the user / sender of the request (RSS Feed, Form Validate, User created data...) htmlentities Example <?php $str = “A ‘quote’ is <b>bold</b>”; //Outputs: A ‘quote’ is &lt;b&gt;bold&lt;/b&gt echo htmlentities($str); //Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt echo htmlentities($str, ENT_QUOTES); Wednesday, September 10, 2008 10
  • 11. Tim Stiles At this point mention XmlWriter and all it’s wonders.... ;) Wednesday, September 10, 2008 11
  • 12. Database Inputs (or: How I Learned to Stop Worrying and Love the Users) Wednesday, September 10, 2008 12
  • 13. How do i deal with it? A input filter (whitelist) combined with prepared statements... DONE $clean = array(); if (ctype_alnum($_POST[‘username’])) { $clean[‘username’] = $_POST[‘username’]; } $sql = “SELECT `username` FROM `users` WHERE `username` = :username”; $sth = $dbh->prepare($sql); $sth->execute(array(‘:username’=> $clean[‘username’])); $username = $sth->fetchColumn(); Wednesday, September 10, 2008 13
  • 14. XSS (Cross Site Scripting) Example <?php echo “<p> Welcome back, {$_GET[‘username’]}.</p>”; ?> ------ Let’s exploit this ------ <p> Welcome back, <script> ....do something bad here... </script>. </p> Wednesday, September 10, 2008 14
  • 15. XSS (Cross Site Scripting) If you do the two items we spoke about Input Filtering Output Encoding You most likely are still vulnerable, but it’ll be a lot harder to exploit Almost impossible to completely nullify all security / XSS stuff (new browsers and plugins all the time + bad guys keep getting smarter) Wednesday, September 10, 2008 15
  • 16. CSRF (Cross Site Request Forgeries) Somewhere on MyFavoriteForum.com: <img src=”bank.com/transfermoney.php? to=me&amount=100.00”> ...if users are logged in, invisible actions can be taken on their behalf, with their authority. Wednesday, September 10, 2008 16
  • 17. CSRF (Cross Site Request Forgeries) Solutions Sign your forms with a token (MD5 hash with a secret key) Validate the token before processing the data This can be done with Cookie and Session data as well Wednesday, September 10, 2008 17
  • 18. Protecting Source Code Make sure all code file extensions are blocked from viewing You can remove them from the html root Or block them in the apache config <FilesMatch “.inc$”> order deny, allow deny from all </FilesMatch> Wednesday, September 10, 2008 18
  • 19. Protecting Source Code Watch for editor backup files too! .file.php.tmp file.php~ etc... Or don’t edit code on production boxes. Wednesday, September 10, 2008 19
  • 20. Code Auditing Set a standard for your team (and yes a team can be a single person) Input Filtering Methods Output Encoding Methods Database Access Methods Search code security points (echo, print...) Enforce these methods Wednesday, September 10, 2008 20
  • 21. Code Auditing Default to Secure. Make being unsecure obvious and auditable YAHOO_GET_RAW( “blah” ) Wednesday, September 10, 2008 21
  • 22. System Security Your website is only as secure as the server/network is it hosted on Perform regular package updates Make sure you apply any updated PHP or Apache code as soon as you can, there are reasons for security releases Wednesday, September 10, 2008 22
  • 23. Firewalls & Access Control Only allow access to ports that you need to 80 - Web 443 - SSL 22 - SSH Wednesday, September 10, 2008 23
  • 24. Misc... Signed Data (MD5) Encrypted passwords in the DB Config Files outside DOCROOT Secret keys outside code, in config files If it’s customer data USE SSL Wednesday, September 10, 2008 24