
Introduction To Web Application Security in PHP


haru


Presentation Transcript


  1. Introduction To Web Application Security in PHP

  2. Security is Big And Often Difficult PHP doesn’t make it any easier

  3. What we’ll cover • What do we mean by security? • Application Security • Code • Configuration • OWASP • OWASP Top Ten • SQL Injection • XSS • Configuration

  4. Application Security Security in the SDLC as opposed to network security or data security or physical security

  5. For our purposes we’ll just stick to this: Security in Code and in Deployment

  6. OWASP An authority in Web Application Security

  7. Open Web Application Security Project • Really, many projects are “under” OWASP • OWASP Top Ten • ESAPI • Development Guide • Cheat Sheets • Do not bring to exam • Testing Guide • More

  8. OWASP Top Ten – Top Web Application Security Issues Based on the statistics of a number of scanning tools

  9. OWASP Top 10-2013 – A1 Injection SQL Injection is the variant of this that we’ll cover here

  10. SQL Injection Confusing the DBMS between logic (written by the developer) and data (provided by the user)

  11. A common query: • $query = "SELECT * FROM user WHERE username = '" . $_POST["username"] . "' AND password = '" . $_POST["password"] . "';";

  12. The intention • $query = "SELECT * FROM user WHERE username = 'sue' AND password = 'secret';";

  13. The vulnerability: What if $_POST["username"] is actually SQL code?

  14. Let’s try this: ' OR 1 = 1 #

  15. An SQL Injection • $query = "SELECT * FROM user WHERE username = '' OR 1 = 1 #' AND password = '';";

  16. How to protect our code? Use Prepared Statements (available in all modern languages)

  17. Prepared Statements • $stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?"); • $stmt->execute(array($_POST["username"], $_POST["password"]));

  18. The Intention • $stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?"); • $stmt->execute(array("sue", "secret"));

  19. The Exploit Foiled • $stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?"); • $stmt->execute(array("' OR 1 = 1 #", "")); • // the logic is clearly separated • // in our code and in transmission • // to our database

  20. Hence Why We Learned PDO
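The following is an added example, not code from the slides: it runs the prepared-statement pattern from slides 17 to 19 against an in-memory SQLite database so it works offline (it assumes the pdo_sqlite extension and PHP 8). The table, the row for "sue" and the function names `find_user` and `login` are constructed for this example. It also moves the password comparison out of SQL and into `password_verify()`, so the password never appears in the statement at all.

```php
<?php
// Added example: PDO prepared statements with an in-memory SQLite database
// (constructed data; assumes the pdo_sqlite extension is available).
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

// Seed one user. The password is stored as a hash, never in clear text.
$ins = $dbh->prepare('INSERT INTO user (username, password_hash) VALUES (?, ?)');
$ins->execute(['sue', password_hash('secret', PASSWORD_DEFAULT)]);

// Look a user up by name. The value travels to the database as a bound
// parameter, so whatever it contains is treated as data, never as SQL.
function find_user(PDO $dbh, string $username): ?array
{
    $stmt = $dbh->prepare('SELECT id, username, password_hash FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Check a login: fetch by username, then compare the password hash in PHP.
function login(PDO $dbh, string $username, string $password): bool
{
    $row = find_user($dbh, $username);
    return $row !== null && password_verify($password, $row['password_hash']);
}

// The legitimate user, a wrong password, and the injection string from slide 14.
var_dump(login($dbh, 'sue', 'secret'));
var_dump(login($dbh, 'sue', 'wrong'));
var_dump(login($dbh, "' OR 1 = 1 #", ''));
var_dump(find_user($dbh, "' OR 1 = 1 #"));
```

The first call returns `true` and the other three fail: the injection string is looked up as a literal username of `' OR 1 = 1 #`, which matches no row, so `find_user` returns `null` and `login` returns `false`. Compare this with slide 15, where the same input rewrote the query's logic.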

  21. Cross Site Scripting OWASP Top 10-2013 – A3 XSS

  22. Three Variants of XSS • Reflected XSS • Stored XSS • DOM based XSS

  23. Cross Site Scripting Confusing the browser between the application’s HTML (structure) and Data.

  24. Commonly Used Display Code • <div><?php print $_GET["username"] ?></div>

  25. The Intended Result • <div>sue</div>

  26. The vulnerability: What if $_GET["username"] is actually HTML and JavaScript?

  27. Let’s try this: <script>alert("Hello World")</script>

  28. Display Code With Injection • <div><?php print "<script>alert('hello world')</script>" ?></div>

  29. Display Code With Injection • <div><script>alert('hello world')</script></div>

  30. Reflected XSS • The vulnerability is exploited only in response to a specific request. • Example • http://vulnerable.example.org/index.php?data=%3Cscript%3Ealert(%22hello%20world%22)%3C/script%3E

  31. Stored XSS

  32. DOM Based XSS • Also known as Type 0 XSS • Out of the scope of this course • Basically, tricking JavaScript to write out code

  33. Protecting from XSS Encode user inputs

  34. htmlentities() • $foo = "<script>"; • $foo = htmlentities($foo, ENT_QUOTES | ENT_HTML5); • print $foo; # &lt;script&gt;

  35. html_entity_decode() • $foo = "&lt;script&gt;"; • $foo = html_entity_decode($foo, ENT_QUOTES | ENT_HTML5); • print $foo; # "<script>"

  36. When to encode? • Before reflecting • Before displaying information you just received • Choose either before you persist or after, then be consistent. • Better yet do both, but watch out for double encoding
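The following is an added example, not code from the slides. It puts the display code of slide 24 beside an encoded version built on the `htmlentities()` call from slide 34, and then shows the double-encoding problem from slide 36. The helper names `e`, `render_unsafe` and `render_safe` and the sample input are constructed for this example; the input itself is the string from slide 27.

```php
<?php
// Added example: output encoding for HTML element content, and what
// double encoding looks like.
function e(string $value): string
{
    // ENT_QUOTES also encodes the single quote, so the result is safe inside
    // quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // making htmlentities() return an empty string.
    return htmlentities($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Equivalent of slide 24: user data is concatenated straight into the markup.
function render_unsafe(string $username): string
{
    return '<div>' . $username . '</div>';
}

// Hardened version: the same markup, but the data is encoded on output.
function render_safe(string $username): string
{
    return '<div>' . e($username) . '</div>';
}

// Constructed input, the same string as slide 27 (not read from $_GET here).
$input = '<script>alert("Hello World")</script>';
echo render_unsafe($input), "\n";
echo render_safe($input), "\n";

// Double encoding (slide 36): if the encoded form had been persisted and is
// encoded again on display, the ampersands of the entities get encoded too.
$once  = e('<b>');
$twice = e($once);
// The fourth htmlentities() parameter, double_encode = false, leaves
// existing entities alone and is the usual way to tolerate already-encoded data.
$tolerant = htmlentities($once, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8', false);
echo $once, "\n", $twice, "\n", $tolerant, "\n";
```

`render_unsafe` emits the script tag as markup, while `render_safe` turns `<` and `>` into `&lt;` and `&gt;`, so the browser shows the text instead of running it. In the last part, `$once` is `&lt;b&gt;`, `$twice` becomes `&amp;lt;b&amp;gt;` (which renders as the literal text `&lt;b&gt;`), and `$tolerant` stays `&lt;b&gt;` because `double_encode` is off. Note that `htmlentities()` is the right encoding for HTML element content and quoted attributes only; data placed inside a `<script>` block, a URL or a CSS value needs the encoding of that context instead.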

  37. Configuration • Your app is not secure if it’s running on a vulnerable server or otherwise deployed insecurely.

  38. This is a topic in itself • Sources to look at: • http://php.net/manual/en/security.php • http://www.phptherightway.com/ • Google et al.

  39. Simple Good Things To Do

  40. Use PHP as Module not CGI

  41. Patch! Your software is only as secure as your latest security patch

  42. Hide your fingerprints • http://www.php.net/manual/en/security.hiding.php • http://httpd.apache.org/docs/current/mod/core.html#servertokens

  43. Disable dangerous functions (eval())
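The following is an added example, not part of the slides: a small script that reads the running PHP configuration and reports on the deployment points of slides 40, 42 and 43 (module versus CGI, fingerprint hiding, disabled functions). It assumes PHP 8 and is meant to be run on the server itself, both from the command line and through the web SAPI, because the two can load different ini files. The function name `audit_config` and the list of functions it looks for are choices made for this example. One caveat on slide 43: `disable_functions` only covers internal functions, and `eval` is a language construct rather than a function, so it cannot be switched off with that directive; the script says so in its output.

```php
<?php
// Added example: report the settings the slides' configuration advice is about.
function audit_config(): array
{
    $findings = [];

    // Slide 40: PHP_SAPI tells how PHP was started ("apache2handler", "fpm-fcgi",
    // "cgi-fcgi", "cli", ...).
    $findings['sapi'] = PHP_SAPI;
    if (str_starts_with(PHP_SAPI, 'cgi')) {
        $findings['sapi_note'] = 'running as CGI; prefer the module or php-fpm';
    }

    // Slide 42: expose_php adds an X-Powered-By header carrying the PHP version.
    $findings['expose_php'] = filter_var(ini_get('expose_php'), FILTER_VALIDATE_BOOLEAN)
        ? 'On (set expose_php = Off in php.ini)'
        : 'Off';

    // Errors shown to visitors reveal file paths and library versions.
    // display_errors may also be "stderr", which this check treats as off.
    $findings['display_errors'] = filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN)
        ? 'On (set display_errors = Off in production)'
        : 'Off';

    // Slide 43: disable_functions is a comma-separated list of internal functions.
    $disabled = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));
    $findings['disable_functions'] = array_values($disabled);

    // function_exists() returns false for functions removed by disable_functions,
    // so anything it still reports as present is callable by application code.
    foreach (['exec', 'shell_exec', 'system', 'passthru', 'proc_open'] as $fn) {
        if (function_exists($fn)) {
            $findings['still_enabled'][] = $fn;
        }
    }
    $findings['eval_note'] = 'eval() is a language construct; disable_functions cannot remove it';

    return $findings;
}

print_r(audit_config());
```

For the Apache side of slide 42, the directive the linked page documents is `ServerTokens Prod`, usually paired with `ServerSignature Off`, so that neither the `Server` header nor error pages announce the module and version list.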
