A Security Analysis of the PHP language By Jonas Heineson Mattias Österberg.


The PHP language
● Common scripting language for web applications
● Platform independent
● Runs on the Zend VM
● The Zend VM is implemented in C

PHP Vulnerabilities
● Different versions, different distributions
● Open source gives good security
● Top 5 vulnerabilities investigated

Security Bypass
● Ability to bypass restrictions set by code
● Goal is to get access to restricted information
● Information gained depends on the vulnerable function

Security Bypass; Example attack
● Vulnerable mail packages
● mb_send_mail()
● safe_mode, open_basedir
● imap_open(), imap_body(), imap_list(), imap_createmailbox(), imap_deletemailbox()

System Access
● Attack with the highest gain
● Goal is to run arbitrary code with the same privileges as the local user
● Has always appeared in the vulnerability top 5
● Mostly based on buffer overflows

Cross Site Scripting
● Embedded scripts
● Retrieve confidential information, manipulate cookies, execute arbitrary code in the end user's browser
● Server not compromised – used as a tool
● Solution: Validate user input

Cross Site Scripting; Example
Vulnerable code: include("modules/$name/$file.php");
Request: e=[hostile_javascript]&fid=2
Generates the error: Warning: Failed opening 'modules/XForum/.php' for inclusion (include_path='') in /home/foo/htdocs/modules.php on line 27
The error message prints the offending filename, and the browser then parses the JavaScript (part of the filename), i.e. executes the script on the viewer's computer.
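The slide shows why a raw PHP warning that echoes a request-controlled filename is an XSS sink. The following is an added example (not from the original presentation) of how the same include() pattern can be hardened: the module name is checked against an allow-list, the file name is constrained to a strict token, the resolved path is confirmed to stay under the module directory, warnings are logged rather than displayed, and anything echoed back is HTML-escaped. The parameter names $name and $file follow the slide; the allow-list contents, the modules directory layout and the query parameter names are assumptions made for illustration.

```php
<?php
// Added example, not code from the original slides. The allow-list entries,
// the modules directory and the GET parameter names are assumptions.
declare(strict_types=1);

// Never show raw PHP warnings to visitors: they leak paths and reflect input.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

const MODULE_ROOT = __DIR__ . '/modules';
const ALLOWED_MODULES = ['XForum', 'News'];   // assumed module names

/**
 * Resolve a module file from request parameters, or return null if the
 * request does not describe a file we are willing to include.
 */
function safeModulePath(string $name, string $file): ?string
{
    // 1. Allow-list the module name instead of trusting the request.
    if (!in_array($name, ALLOWED_MODULES, true)) {
        return null;
    }
    // 2. Constrain the file name to a plain token: no slashes, dots, quotes or tags.
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $file)) {
        return null;
    }
    // 3. Resolve the path and confirm it still lives under MODULE_ROOT.
    $path = realpath(MODULE_ROOT . "/$name/$file.php");
    if ($path === false
        || strncmp($path, MODULE_ROOT . '/', strlen(MODULE_ROOT) + 1) !== 0) {
        return null;
    }
    return $path;
}

$name = (string)($_GET['name'] ?? '');
$file = (string)($_GET['file'] ?? '');
$path = safeModulePath($name, $file);

if ($path === null) {
    // Generic response; the only request-derived value echoed is escaped first,
    // so a script payload in the parameter is rendered as text, not executed.
    http_response_code(404);
    header('Content-Type: text/html; charset=UTF-8');
    echo 'Module not found: ',
        htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    exit;
}

include $path;
```

Each of the three checks closes a different hole: the allow-list removes the attacker's choice of directory, the regex removes metacharacters that could end up in an error message or a path, and the realpath() comparison catches anything the first two miss. Turning off display_errors is what removes the sink the slide describes; the escaping is defence in depth for the message the application chooses to show.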

Denial of Service
● Most DoS attacks target badly implemented library functions
● An example: a specially crafted JPEG image (changed image header) is passed to getimagesize(), which calls php_handle_jpeg() and php_handle_iff()
● Causes an infinite loop, which consumes all CPU resources
● Solution: Don't use vulnerable functions, apply patches frequently

Results
● The problem is in most cases unvalidated user input
● Different injection attacks
● Example: changed to
● When vulnerabilities in PHP are discovered, patches are quick to appear
● PHP is mostly no more insecure than its user
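The results slide names unvalidated user input as the root of most of the injection attacks discussed. As an added example (not part of the original presentation), the PHP snippet below shows the same database lookup written the injectable way and the validated, parameterised way, against an in-memory SQLite database so it runs without a server. The table, column names and hostile input are constructed for illustration; the point is that the value reaches the database as a bound parameter rather than as SQL text.

```php
<?php
// Added example, not code from the original slides. The users table, the
// in-memory SQLite DSN and the hostile input value are constructed for
// illustration.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed hostile input: a tautology that widens "one row" to "all rows".
$personId = '1 OR 1=1';

/**
 * Vulnerable form: the request value is spliced into the query text, so SQL
 * keywords in the input change the meaning of the statement.
 */
function lookupUnsafe(PDO $db, string $id): array
{
    $rows = $db->query("SELECT name FROM users WHERE id = $id");
    return $rows->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * Hardened form: the input is validated as a positive integer first, and the
 * value is then bound as a typed parameter, so it can never be parsed as SQL.
 */
function lookupSafe(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {
        return [];   // reject anything that is not a plain decimal id
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The unsafe lookup returns every user for the hostile input; the safe lookup
// rejects the input before it reaches the database.
var_dump(lookupUnsafe($db, $personId));
var_dump(lookupSafe($db, $personId));
var_dump(lookupSafe($db, '2'));
```

Validation and parameterisation are separate controls and both are worth keeping: ctype_digit() rejects input that cannot be an id at all, while the prepared statement guarantees that even a value which passes validation is treated as data. The same division, validate at the boundary and encode or bind at the sink, applies to the XSS case on the earlier slide.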