PHP Security Ryan Dunn Jason Pack
Outline • PHP Overview • Common Security Issues • Advanced Security Issues • Easiest Ways to Secure PHP? • Examples
PHP Overview • Originally designed as a small set of Perl scripts by Rasmus Lerdorf in 1994 • PHP is now a server-side, HTML-embedded, cross-platform scripting language • The most deployed server-side scripting language, running on around 9 of the 37 million domains in an April 2002 Netcraft survey • PHP's own figures show PHP usage (measured on a per-domain basis) growing at around 5% per month
PHP Security Overview • PHP interpreter has potential to access the entire host • By default, PHP makes all variables globally accessible by name, including session variables and cookies
Common Security Issues • GET vs. POST • Buffer Overflows • SQL Injections • Disabling PHP Error Messages • Validating the Session • Included Files Extension • Comments in HTML Source
GET vs. POST (1) • GET – data is passed by appending the variable/value pairs to the URL • Truncated after 8,192 characters • Even SSL will not encrypt data • Raw HTTP Transmission:
GET /process.php?yourname=fred+smith&email=fred@nowhere.com HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)
Host: www.fluffygerbils.com
Connection: keep-alive
GET vs. POST (2) • POST – variables are sent in the body of the HTTP request • No size limit • SSL will encrypt the data
GET vs. POST (3) • POST Raw HTTP Transmission:
POST /process.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)
Host: www.fluffygerbils.com
Content-Length: 94
Pragma: no-cache
Connection: keep-alive

yourname=fred+smith&email=fred@nowhere.com&comment=I+have+no+comment
Buffer Overflows • No runtime memory allocation • No pointers • Thus, no buffer overflows created by PHP code • Overflows limited to PHP interpreter and its extensions • Stay on top of PHP updates to avoid issues
SQL Injections • PHP programmers often take user input directly to construct SQL queries • Malicious users can exploit this by entering “; malicious SQL code” in the $username field:
mysql_db_query ($DB, "SELECT something FROM table WHERE name=$username");
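The slide's string-built query beside the same lookup done with a prepared statement, as an added example that is not part of the slides. PDO with an in-memory SQLite database stands in for the mysql_db_query() call shown above; the users table and its columns are placeholders.

```php
<?php
// Added example (not from the slides). PDO/SQLite in memory replaces the
// mysql_db_query() call on the slide; table and column names are placeholders.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('fred'), ('o''brien')");

// Vulnerable: the input is pasted into the SQL text, so a quote or ';' in it
// changes the statement itself rather than the value being compared.
function find_user_unsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, name FROM users WHERE name='$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the statement shape is fixed at prepare() time and the value is
// bound separately, so it can only ever be compared, never parsed as SQL.
function find_user_safe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Read input by name from the superglobal, never from a bare $username.
// A constructed value (a legitimate name containing a quote) stands in for
// a real request when run from the command line.
$username = $_POST['username'] ?? "o'brien";

// The string-built query breaks on an ordinary apostrophe; the bound query
// treats the same input as a plain value and finds the row.
try {
    find_user_unsafe($pdo, $username);
} catch (PDOException $e) {
    echo "unsafe query failed: syntax error caused by the input\n";
}
print_r(find_user_safe($pdo, $username));   // one row: o'brien

// Defence in depth, not a substitute for binding: allow-list the character
// set the application actually expects before the value reaches any query.
if (!preg_match('/^[A-Za-z0-9_.\'-]{1,32}$/', $username)) {
    http_response_code(400);
    exit("rejected input\n");
}
```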
Disabling PHP Error Messages • By default, PHP will dump error messages to the client’s browser • Error messages can contain sensitive information
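One way to keep error detail off the wire while still recording it on the server, as an added example that is not part of the slides. The log path is a placeholder; in production these directives belong in php.ini as well, since a parse error in the script itself runs before ini_set() does.

```php
<?php
// Added example (not from the slides). Turn off error output to the browser,
// log everything server-side, and replace uncaught-exception traces (which
// expose file paths and, for database errors, connection details) with a
// generic message. The log path is a placeholder outside the web root.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');   // placeholder path
error_reporting(E_ALL);   // still record every notice and warning

// Uncaught exceptions: full detail to the log, nothing specific to the client.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('[%s] %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo "An internal error occurred.\n";
});

// Non-fatal errors: same treatment, then let the script continue.
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    error_log(sprintf('[E%d] %s in %s:%d', $no, $str, $file, $line));
    return true;   // handled; PHP's default output is suppressed
});

// Constructed failure to exercise the handlers when run from the command line.
throw new RuntimeException('database password rejected for user app@db1');
```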
Validating the Session • Store status variables as session variable or a cookie • Session variables are less likely to be compromised since they are stored on the server
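The two storage choices side by side, as an added example that is not part of the slides: an authorization flag kept in a client cookie can be rewritten by whoever holds the browser, while the same flag in $_SESSION stays on the server and the browser carries only the opaque session id. The example assumes the site is served over HTTPS so the session cookie can be marked secure.

```php
<?php
// Added example (not from the slides). Authorization state in a cookie versus
// the same state in server-side session storage.

// Weak: trusts a flag the browser sends back, which the client can set itself.
function is_admin_weak(): bool
{
    return ($_COOKIE['is_admin'] ?? '0') === '1';
}

// Better: the browser only ever holds the session id; the flag lives in
// $_SESSION on the server. Assumes HTTPS, hence 'secure' => true.
function start_secure_session(): void
{
    session_set_cookie_params([
        'httponly' => true,     // not readable from page scripts
        'secure'   => true,     // only sent over TLS
        'samesite' => 'Strict', // not sent on cross-site requests
    ]);
    session_start();
}

// Called once credentials have been verified (verification not shown).
function grant_admin_after_login(int $userId): void
{
    session_regenerate_id(true);   // fresh id on privilege change
    $_SESSION['user_id']  = $userId;
    $_SESSION['is_admin'] = true;
}

function is_admin(): bool
{
    return !empty($_SESSION['is_admin']);
}

// Constructed check: nothing in $_SESSION yet, so access is denied even if
// the client sends is_admin=1 as a cookie.
start_secure_session();
$_COOKIE['is_admin'] = '1';   // what a tampering client could send
var_dump(is_admin_weak());    // bool(true)  - cookie is trusted
var_dump(is_admin());         // bool(false) - server-side flag never set
```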
Included Files Extension • A common PHP practice is to name included files with the ‘.inc’ extension • Malicious users can read the entire file’s contents by requesting it directly by URL • Apache does not know to run ‘.inc’ files through PHP even though they are PHP scripts, so it serves them as plain text
Comments in HTML Source • Commenting code is important, but beginning PHP programmers may put sensitive information in their comments for debugging purposes • If placed improperly these comments could be output in HTML source code
Advanced Security Issues • Superglobals • Encrypted Scripting • Safe Mode
Superglobals (1) • Superglobals are pre-defined arrays that store variable/value pairs • There are 9 different arrays • $_GET[…] $_SERVER[…] • $_POST[…] $_FILES[…] • $_COOKIE[…] $_ENV[…] • $_REQUEST[…] $_SESSION[…] • $GLOBALS[…]
Superglobals (2) • Superglobals are useful because you know the value in the variable was obtained from a specific source • For Example: • $_POST['username'] • vs. • $username
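Why reading $_POST['username'] beats relying on a bare $username, as an added example that is not part of the slides. The old register_globals setting the earlier overview refers to (and a manual extract($_REQUEST), which has the same effect) turns every request parameter into a same-named variable, so code that tests a variable it never initialised is really testing whatever the client sent. check_password() is a placeholder for the application's real check.

```php
<?php
// Added example (not from the slides). extract() on the request array mimics
// what register_globals did automatically. check_password() is a placeholder.

function check_password(string $p): bool
{
    return $p === 'placeholder-secret';
}

// Fragile: $authorized is only assigned on success and never initialised,
// so a request parameter of the same name fills it in first.
function page_fragile(array $request): string
{
    extract($request);   // mimics register_globals=On
    if (check_password($request['pw'] ?? '')) {
        $authorized = true;
    }
    return !empty($authorized) ? 'secret page' : 'login required';
}

// Robust: every state variable is initialised, and input is read only by
// key from the request array (in a real script, from $_POST), so the
// client's parameter names cannot collide with the script's own variables.
function page_robust(array $request): string
{
    $authorized = false;
    if (check_password($request['pw'] ?? '')) {
        $authorized = true;
    }
    return $authorized ? 'secret page' : 'login required';
}

// Constructed request: no password at all, just a stray parameter whose
// name happens to match the script's internal flag.
$req = ['authorized' => '1'];
var_dump(page_fragile($req));   // "secret page"   - flag came from the client
var_dump(page_robust($req));    // "login required"
```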
Encrypted Scripting • It is possible to sniff the packets exchanged between the browser and the server • PHP provides no method to encrypt the transmission of the data (but the data itself can be encrypted) • Installing SSL on Apache allows your transmission to be encrypted
Safe Mode • PHP safe mode confines the interpreter to a restricted environment • Execution of scripts is restricted to defined directories • Scripts cannot call programs outside defined directories • Provides “damage control” if the application is compromised
Easiest Ways to Secure PHP? • Never trust user input! • Look beyond application’s intended use • Stay current on PHP updates/syntax • Be aware of PHP’s scope • NEVER TRUST USER INPUT!!!