PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

Similar documents
P2_L12 Web Security Page 1

John Coggeshall Copyright 2006, Zend Technologies Inc.

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Web Application Security. Philippe Bogaerts

Web basics: HTTP cookies

Application vulnerabilities and defences

CIS 4360 Secure Computer Systems XSS

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

OWASP TOP 10. By: Ilia

WEB SECURITY: XSS & CSRF

Advanced Web Technology 10) XSS, CSRF and SQL Injection

CSCE 813 Internet Security Case Study II: XSS

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Web Vulnerabilities. And The People Who Love Them

Information Security CS 526 Topic 11

Information Security CS 526 Topic 8

Some Facts Web 2.0/Ajax Security

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Combating Common Web App Authentication Threats

SECURE CODING ESSENTIALS

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

PHP is a scripting language that can be embedded into HTML. Estimated 20 million PHP websites as of 2007

Common Websites Security Issues. Ziv Perry

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Secure Coding and Code Review. Berlin : 2012

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

I n p u t. This time. Security. Software. sanitization ); drop table slides. Continuing with. Getting insane with. New attacks and countermeasures:

Domino Web Server Security

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

CSCD 303 Essential Computer Security Fall 2018

Copyright

Ruby on Rails Secure Coding Recommendations

Security issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Securing PHP Apps. By: Ilia Alshanetsky

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

OWASP Top 10 The Ten Most Critical Web Application Security Risks


CSCD 303 Essential Computer Security Fall 2017

CS 142 Winter Session Management. Dan Boneh

1 About Web Security. What is application security? So what can happen? see [?]

The security of Mozilla Firefox s Extensions. Kristjan Krips

Automatically Checking for Session Management Vulnerabilities in Web Applications

Building Secure PHP Apps

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Application Layer Security

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

CS 155 Project 2. Overview & Part A

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Security. Chapter 10. Concepts and Practices

Web Security Computer Security Peter Reiher December 9, 2014

Web security: an introduction to attack techniques and defense methods

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

Security. 1 Introduction. Alex S. 1.1 Authentication

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Tutorial: Web Application Security

CSE 127 Computer Security

Web Security: Vulnerabilities & Attacks

RKN 2015 Application Layer Short Summary

C1: Define Security Requirements

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Project 2: Web Security

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

Assignment 6: Web Security

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Chat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Unusual Web Bugs. A Web App Hacker s Bag O Tricks. Alex kuza55 K.

Web Security II. Slides from M. Hicks, University of Maryland

zend. Number: Passing Score: 800 Time Limit: 120 min.

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

CS 161 Computer Security

Exploiting and Defending: Common Web Application Vulnerabilities

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2

ANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things. OWASP Wednesday 25 th May The OWASP Foundation

Top 10 Web Application Vulnerabilities

Web Security, Summer Term 2012

Web Security, Summer Term 2012

Slides adopted from Laurie Williams. OWASP Top Ten. John Slankas

SECURING APACHE : ATTACKS ON SESSION MANAGEMENT

exam. Number: Passing Score: 800 Time Limit: 120 min File Version: Zend Certified Engineer

WHY CSRF WORKS. Implicit authentication by Web browsers

Magento Security How to break the code

PHP PERFORMANCE. Principles and Tools. By Kevin Schroeder Technology Evangelist Zend Technologies. Copyright 2007, Zend Technologies Inc.

6.170 Tutorial 7 - Rails Security. Prerequisites. Goals of this tutorial. Resources

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Web Attacks CMSC 414. September 25 & 27, 2017

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Web Security. Presented by Pete Freitag ActivSoftware, Inc.

Transcription:

PHP Security Kevin Schroeder Zend Technologies Copyright 2007, Zend Technologies Inc.

Disclaimer Do not use anything you learn here for nefarious purposes

Why Program Securely? Your job/reputation depends on it You may provide access to your own private data You may provide access to others private data You may allow someone to impersonate another (identity theft) You may take the blame for another person s attack (remote code injection) You may be prone to service attacks

Why s the web so dangerous? It s open Lots of bad code out there There are lots of bad people out there Many servers set up by inexperienced sys admins Or someone simply forgot to filter a variable Many people think they are immune/not a target Security not taken seriously Insufficient time or resources to take security into consideration Stored information not considered important enough to secure

What are the rules? Always use multiple methods of security Validating a login is not enough The principle of least privileges Initialize all variables Cast variables when appropriate Don t store sensitive data in the web tree Filter all data Don t rely on hidden form variables.

What are the rules? And last, but not least. No matter how much they cry. No matter how much they beg Never, ever, trust your users.

What are the rules? They could be this

What are the rules? But you have no way of being absolutely sure that they aren t this

What are the rules? So what does that mean? Always filter data coming from the user or leaving your program (such as a database or system call) Always escape output Use a whitelist approach to data filtering whenever possible

Basic types of attacks SQL Injection Cross Site Scripting (XSS) Cross Site Request Forgery (XSRF) Command Injection Remote Code Injection Session Hijacking Session Fixation Cookie Forging

SQL Injection Used to insert data into SQL statements

SQL Injection Code time

SQL Injection Cast to (int) whenever possible Use prepared statements if possible If prepared statements are not available escape everything using database-specific escaping functions Always validate data (ctype_*, preg_*, Zend_Filter_*) Only give your database user the permissions it needs. Never trust your users

Cross Site Scripting (XSS) Used to trick the user Victim User (4) User s Private Data (2) User Request (3) Evil HTML Evil Doer (1) Injection Trusted Site

Cross Site Scripting (XSS) Code Time

Cross Site Scripting (XSS) Always escape user data (htmlentities, htmlspecialchars, strip_tags) Employ a whitelist for places where HTML input is required (!) Use ctype_digit and ctype_alnum for simple fields like names or phone numbers Don t limit validation to Javascript Never trust your users

Cross Site Request Forgery (XSRF) Used to trick the server (2) User Request Victim Site (6) Forged Request Result Trusted User (4) Forged Request (5) Forged Request (3) User Request Evil Doer Injection (1) 3rd Party Site

Cross Site Request Forgery (XSRF) Use a site that relies on a user s identity Exploit the website s trust in that user Trick the user s browser into sending HTTP requests Cause the user s browser to execute an action or retrieve data on your behalf on that site

Cross Site Request Forgery (XSRF) Code Time

Cross Site Request Forgery (XSRF) Use tokens that expire during sensitive operations Force session timeouts Never trust your users

Command Injection Used to execute programs on your server

Command Injection Code Time

Command Injection Don t use exec, system, popen, shell_exec, etc. in your program If you need to use those functions use hard coded values. Do not trust a variable or anything defined in another file If you need to have user input always use escapeshellargs and escapeshellcmd Never trust your users

Remote Code Injection Used to run an attacker s PHP code on your system

Remote Code Injection Code Time

Remote Code Injection Never use unchecked/unfiltered data in require include( _once) Set allow_url_include to false If you must make remote requests always filter any user provided data Use eval() judiciously Never trust your users

Session Hijacking Often used in conjunction with XSS Attacker retrieves a user s session ID and uses it as their own Can be used in conjunction with document.cookie

Session Hijacking Code Time

Session Hijacking Use htmlentities, htmlspecialchars or strip_tags to disable JavaScript-based attacks Use session_regenerate_id(true) Validate a session against an IP address Note that this should be used to generate an alert, not restrict a user s access

Session Fixation Used to piggy back on someone s session by setting the user s session to the attackers

Session Fixation Code Time

Session Fixation Difficult to guard against Use session_regenerate_id(true) before logging in periodically in a user s session if the domain in the HTTP_REFERER doesn t match the current domain None of these are foolproof, but they limit the ability of an attacker to fixate a session Disable the use of the session ID in the URL Still able to change the session ID using JavaScript, though

Cookie Forging Forging cookies that are used to determine permissions or access

Cookie Forging Code Time

Cookie Forging Don t use cookies. Use the session handler If you must use cookies, encrypt the contents Do not hash the contents $_COOKIE[ isadmin ] = md5(1); Same for hacker as it is for you

Miscellaneous good ideas Turn display_errors off Do not use register_globals Keep as much code and data out of the public code tree (htdocs/wwwroot) as possible Use a whitelist approach when dealing with HTML

What about buffer overflows and such Very few of those weaknesses occur in PHP When they do they are usually in extension interfaces or the extensions themselves, not PHP Disable all unused streams, extensions, filters, etc.

Concluding Thoughts Never trust your users Always filter your data Security through obscurity IS useful, just don t bet the farm on it For the full Zend security course check out http://www.zend.com/education/php_training_courses

Obligatory Plug Zendcon September 15-18 Theme High Impact PHP One of the worlds largest gathering of PHP people

Contact me Kevin Schroeder kevin@zend.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback