Jeff Channell - Secure PHP Coding Practices

In his presentation "Secure PHP Coding Practices," Jeff Channell will outline common security mistakes made by developers when creating PHP applications. Focusing on Joomla! in particular, attendees will learn the basics of how to prevent various hacking techniques such as Cross Site Scripting (XSS), SQL Injections, and Remote & Local Code Execution. Afterwards, a short Q&A session will be held.



  Secure PHP Coding Practices
  @jeffchannell

  Why Should I Care?
    - Loss of reputation (to you as a developer)
    - Financial loss
    - Disclosure of information
    - Damage to other sites

  Basic Guidelines
    - Trust nothing
    - Escape for the occasion
    - Understand different exploitation techniques

  Who is this guy?
    - Web developer with Anything Digital
    - Security researcher
    - Discovered numerous vulnerabilities, primarily in Joomla! extensions

  Common Vulnerability Types
    - Information Disclosure
    - SQL Injection
    - Code Execution
    - Cross Site Scripting (XSS)
    - Cross Site Request Forgery (CSRF)

  Information Disclosure
    - Reveals non-public information
    - Cannot be used by itself to gain access
    - Useful to an attacker
    - Generally involves absolute paths to files (Path Disclosure)
    - Error reporting generally includes paths
    - MySQL errors

  SQL Injection
    - Caused by passing user-supplied input directly into an SQL query
    - Allows an attacker to alter the query
    - Does not always divulge information directly (known as "Blind Injection")
  SQL Injection – Example 1 (vulnerable)
    $id = JRequest::getVar('id');
    $query = 'SELECT id, title FROM #__foobar WHERE id = ' . $id;
    $db = JFactory::getDbo();
    $db->setQuery($query);
    $results = $db->loadObject();

    - User input is concatenated with the query
    - A malicious user can exploit this using the following request:
        index.php?option=com_foobar&id=0 union select 1,2
    - This causes the query to become:
        SELECT id, title FROM #__foobar WHERE id = 0 union select 1,2

  SQL Injection – Example 1 (fixed)
    $id = JRequest::getInt('id');
    $query = 'SELECT id, title FROM #__foobar WHERE id = ' . $id;
    $db = JFactory::getDbo();
    $db->setQuery($query);
    $results = $db->loadObject();

    - getInt() returns only an integer, so the injected text never reaches the query

  SQL Injection – Example 2 (vulnerable)
    $title = JRequest::getVar('title');
    $query = "SELECT id, title FROM #__foobar WHERE title = '" . $title . "'";
    $db = JFactory::getDbo();
    $db->setQuery($query);
    $results = $db->loadObject();

    - A malicious user can exploit this using the following request:
        index.php?option=com_foobar&title=' union select 1,2 -- '
    - This causes the query to become:
        SELECT id, title FROM #__foobar WHERE title = '' union select 1,2 -- ''
    - MySQL uses a double dash (--) or a pound (#) to denote a comment, which allows an attacker to remove the ending of the query

  SQL Injection – Example 2 (fixed)
    $db = JFactory::getDbo();
    $title = $db->Quote(JRequest::getString('title'));
    $query = 'SELECT id, title FROM #__foobar WHERE title = ' . $title;
    $db->setQuery($query);
    $results = $db->loadObject();

    - Quote() escapes the string and wraps it in single quotes, so a quote inside the input stays part of the value
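As an added example (not from the talk), the two lookups above run against an in-memory SQLite table that stands in for #__foobar; because it has to run without Joomla or MySQL, PDO bound parameters and an (int) cast take the place of $db->Quote() and JRequest::getInt(), giving the same guarantee that input is never parsed as SQL.

```php
<?php
// Added example, not the talk's own code. "foobar" stands in for the prefixed #__foobar
// table; PDO/SQLite stands in for JDatabase so the script runs anywhere PHP does.

function openTestDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE foobar (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec("INSERT INTO foobar VALUES (1, 'hello'), (2, 'world')");
    return $db;
}

// Vulnerable form from the slides: the request value is concatenated straight into SQL.
function lookupByIdUnsafe(PDO $db, string $id): ?array {
    $row = $db->query('SELECT id, title FROM foobar WHERE id = ' . $id)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: the id is coerced to an integer before it reaches the query, which is
// what JRequest::getInt() achieves on the slide.
function lookupById(PDO $db, string $id): ?array {
    $stmt = $db->prepare('SELECT id, title FROM foobar WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: the title travels as a bound parameter, so quotes and "--" inside it are
// data, the same property $db->Quote() provides by escaping and quoting the string.
function lookupByTitle(PDO $db, string $title): ?array {
    $stmt = $db->prepare('SELECT id, title FROM foobar WHERE title = :title');
    $stmt->execute([':title' => $title]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

$db = openTestDb();
$payloadId    = '0 union select 1,2';      // the request values from the slides
$payloadTitle = "' union select 1,2 -- '";

var_dump(lookupByIdUnsafe($db, $payloadId)); // the injected row: id 1, title 2
var_dump(lookupById($db, $payloadId));       // NULL: (int) turns the payload into 0
var_dump(lookupByTitle($db, $payloadTitle)); // NULL: no row has that literal title
var_dump(lookupByTitle($db, 'hello'));       // the genuine row with id 1
```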
  Code Execution
    - User input in code execution methods
    - File inclusion
        - Local
        - Remote
    - File uploads

  Code Execution
    - shell_exec() / passthru() / etc
    - escapeshellcmd()
    - escapeshellarg()

  Local File Inclusion
    - User input in include / require statements
    - Null bytes can be used to end a path prematurely
    - Only allow known files to be included

  Local File Inclusion – Example (vulnerable)
    $view = JRequest::getString('view');
    require_once JPATH_COMPONENT . '/views/' . $view . '.php';

    - User input is passed directly into require_once
    - A malicious user can use the following request:
        option=com_foobar&view=../../../../../../../../../../../proc/self/environ%00
    - Included file becomes (example):
        /var/www/components/com_foobar/views/../../../../../../../../../../../proc/self/environ%00.php
    - This path is resolved as:
        /proc/self/environ

  Local File Inclusion – Example (fixed)
    $path = JPATH_COMPONENT . '/views/';
    $files = JFolder::files($path, '.php$');
    $file = JRequest::getString('view') . '.php';
    if (in_array($file, $files)) {
        require_once $path . $file;
    } else {
        JError::raiseError(500, JText::_('COM_FOOBAR_VIEW_NOT_FOUND'));
    }

    - /proc/self/environ is not the only file that contains user-provided information
        - Apache logs
        - FTP logs
        - User-uploaded images
    - PHP has been patched to protect against null byte injections as of 5.3.4
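An added example (not the talk's own code) of the "only allow known files" rule without Joomla: the view name must be a plain identifier, so "../", "/" and the decoded %00 byte are refused before any filesystem call, and the resolved file is then checked to sit directly inside the views directory. The throw-away views directory and its default.php are constructed by the script.

```php
<?php
// Added example, not from the talk: an allow-list resolver for the "view" parameter.

function resolveViewFile(string $viewsDir, string $view): ?string {
    // 1. Syntactic allow-list: view names are identifiers, nothing else.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $view)) {
        return null;
    }
    // 2. Canonicalise both sides so symlinks and ".." cannot escape the directory.
    $base = realpath($viewsDir);
    $file = realpath($viewsDir . DIRECTORY_SEPARATOR . $view . '.php');
    if ($base === false || $file === false) {
        return null;            // directory missing, or no such view file
    }
    // 3. Containment: the file must live directly under the views directory.
    if (dirname($file) !== $base) {
        return null;
    }
    return $file;
}

// Constructed fixture: a temporary views directory with one legitimate view.
$viewsDir = sys_get_temp_dir() . '/com_foobar_views_' . getmypid();
mkdir($viewsDir, 0700, true);
file_put_contents($viewsDir . '/default.php', "<?php echo 'default view';\n");

$cases = [
    'default',                                                   // legitimate view
    'missing',                                                   // well-formed, absent
    '../../../../../../../../../../../proc/self/environ' . "\0", // slide payload, decoded
    'default.php',                                               // extension smuggled in
];
foreach ($cases as $view) {
    $resolved = resolveViewFile($viewsDir, $view);
    printf("%-56s => %s\n", addcslashes($view, "\0"), $resolved ?? 'rejected');
}
// Only the first case yields a path; that path is what require_once should receive.

unlink($viewsDir . '/default.php');
rmdir($viewsDir);
```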
  Remote File Inclusion
    - Generally not an issue, depending on PHP configuration (allow_url_include should be disabled) and defined paths like JPATH_ROOT
    - register_globals and global path variables

  File Uploads
    - File extensions
        - JFile::getExt();
        - Proper regular expressions (using $)
    - Mimetypes
    - Don't trust information from $_FILES
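An added example (not the talk's own code) that applies the three upload points above in plain PHP: the extension is taken from the end of the client file name with an anchored pattern (the same "last extension" JFile::getExt() returns), the MIME type is sniffed from the file content with finfo rather than read from $_FILES['type'], and the bytes must parse as an image. The 1x1 GIF and the mis-named PHP file are constructed by the script.

```php
<?php
// Added example, not from the talk. Map of accepted extensions to the content types
// that finfo may report for them.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
];

// Lower-cased LAST extension: "shell.php.jpg" -> "jpg", "shell.jpg.php" -> "php".
// The anchor is the slide's point: an unanchored /\.(jpe?g|png|gif)/ also matches
// "shell.jpg.php". The D modifier stops $ from matching before a trailing newline.
function fileExtension(string $name): ?string {
    if (strpos($name, "\0") !== false) {
        return null;                                   // NUL byte: refuse outright
    }
    return preg_match('/\.([A-Za-z0-9]+)$/D', $name, $m) ? strtolower($m[1]) : null;
}

// $clientName is $_FILES['x']['name'], $tmpPath is $_FILES['x']['tmp_name'];
// the client-supplied $_FILES['x']['type'] is deliberately not consulted.
function isAcceptableImage(string $clientName, string $tmpPath): bool {
    $ext = fileExtension($clientName);
    if ($ext === null || !array_key_exists($ext, ALLOWED)) {
        return false;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);   // sniffed from content
    if (!in_array($mime, ALLOWED[$ext], true)) {
        return false;
    }
    return @getimagesize($tmpPath) !== false;          // a real image parses as one
}

// Constructed fixtures: a 1x1 GIF and a PHP script wearing an image name.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw==');
$dir = sys_get_temp_dir();
file_put_contents($img = "$dir/upload_ok.bin",  $gif);
file_put_contents($php = "$dir/upload_bad.bin", "<?php echo 'hello'; ?>");

var_dump(isAcceptableImage('photo.gif', $img));      // true
var_dump(isAcceptableImage('photo.gif.php', $img));  // false: last extension is php
var_dump(isAcceptableImage('photo.gif', $php));      // false: content is not a GIF
unlink($img);
unlink($php);
```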
  Cross Site Scripting (XSS)
    - One of the hardest vulnerabilities to protect against
    - Javascript is a very flexible language
    - Browser implementations
    - HTML DOM
    - E4X

  Cross Site Scripting (XSS) – Preventing XSS in your Joomla! Extension
    - User-supplied input rendered inside a template file can be escaped using $this->escape();
        <a href="#"><?php echo $this->escape($this->item->title); ?></a>
    - Creating HTML outside a template is generally bad practice, but sometimes cannot be avoided
        - JFilterInput
        - JFilterOutput
        - htmlspecialchars();
        - htmlentities();
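An added example (not the talk's own code) of "escape for the occasion": the same title needs a different encoding depending on where the template places it. htmlspecialchars() with ENT_COMPAT, PHP's default before 8.1, leaves the single quote alone, which only holds up inside element text and double-quoted attributes; check which flags your Joomla version's escape() passes before relying on it in other contexts. The sample title is constructed.

```php
<?php
// Added example, not from the talk: context-specific escaping helpers.

// Element text and quoted attribute values: both quote styles and the angle brackets
// are encoded, and invalid UTF-8 is replaced instead of silently emptying the output.
function escapeHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string literal inside <script>: JSON-encode, and hex-escape the
// characters that could close the script element or an enclosing attribute.
function escapeJsString(string $s): string {
    $json = json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_UNESCAPED_UNICODE
    );
    return $json === false ? '""' : $json;             // invalid UTF-8: emit empty literal
}

// Constructed sample containing every character that matters.
$title = 'Tom\'s "Top 10" <b>list</b> & more';

echo '<a href="#">' . escapeHtml($title) . "</a>\n";               // element text
echo '<input type="text" value="' . escapeHtml($title) . "\">\n";  // double-quoted attribute
echo "<img src=\"x.png\" title='" . escapeHtml($title) . "'>\n";   // single-quoted attribute
echo '<script>var title = ' . escapeJsString($title) . ";</script>\n";

// The ENT_COMPAT form: correct for the slide's <a> text, but note the surviving apostrophe,
// which is why it must not be used inside a single-quoted attribute.
echo htmlspecialchars($title, ENT_COMPAT, 'UTF-8'), "\n";
```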
  Cross Site Request Forgery
    - Always use session tokens in forms
        <?php echo JHtml::_('form.token'); ?>
    - Always check tokens in controllers before taking any actions
        JRequest::checkToken() or die('Invalid Token');

  Any Questions?
