
Introduction To Web Application Security in PHP. Security is Big And Often Difficult PHP doesn’t make it any easier.



Presentation on theme: "Introduction To Web Application Security in PHP. Security is Big And Often Difficult PHP doesn’t make it any easier."— Presentation transcript:

1 Introduction To Web Application Security in PHP

2 Security is Big And Often Difficult PHP doesn’t make it any easier

3 What we’ll cover What do we mean by security? Application Security Code Configuration OWASP OWASP Top Ten SQL Injection XSS Configuration

4 Application Security Security in the SDLC as opposed to network security or data security or physical security

5 Security in Code and in Deployment For our purposes we’ll just stick to this:

6 OWASP An authority in Web Application Security

7 Open Web Application Security Project Really, many projects are “under” OWASP OWASP Top Ten ESAPI Development Guide Cheat Sheets Do not bring to exam Testing Guide More

8 OWASP Top Ten – Top Web Application Security Issues Based on the statistics of a number of scanning tools

9 OWASP Top 10-2013 – A1 Injection SQL Injection is the variant of this that we’ll cover here

10 SQL Injection Confusing the DBMS between logic (written by the developer) and data (provided by the user)

11 A common query: $query = "SELECT * FROM user WHERE username = '". $_POST["username"]. "' AND password = '". $_POST["password"]. "';";

12 The intention $query = "SELECT * FROM user WHERE username = 'sue' AND password = 'secret';";

13 What if $_POST["username"] is actually SQL Code The vulnerability:

14 ' OR 1 = 1 # Let’s try this:

15 An SQL Injection $query = "SELECT * FROM user WHERE username = '' OR 1 = 1 #' AND password = '';";

16 How to protect our code? Use Prepared Statements (available in all modern languages)

17 Prepared Statements $stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?"); $stmt->execute(array($_POST["username"], $_POST["password"]));

18 The Intention $stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?"); $stmt->execute(array("sue", "secret"));

19 The Exploit Foiled $stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?"); $stmt->execute(array("' OR 1 = 1 #", "")); // the logic is clearly separated // in our code and in transmission // to our database

20 Hence Why We Learned PDO
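The two approaches from slides 11 and 17 side by side, as an added example that is not part of the slide deck. It runs against an in-memory SQLite database so it works offline; the table, columns and the sample user are constructed for the demo. One deliberate change from the slides: the password is stored as a hash and checked with password_verify() instead of being compared inside the SQL, so the prepared statement looks the user up by name only.

```php
<?php
// Added example (not from the slides): slide 11's concatenated query next to
// slide 17's PDO prepared statement, against an in-memory SQLite database.
// Table name, column names and the sample user are constructed for this demo.
declare(strict_types=1);

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');

// Store a password hash rather than the plaintext the slides compare against
// (an added hardening step, not something the slides show).
$ins = $dbh->prepare('INSERT INTO user (username, password) VALUES (?, ?)');
$ins->execute(['sue', password_hash('secret', PASSWORD_DEFAULT)]);

// Slide 11: string concatenation. Only the resulting SQL text is shown here;
// it is never sent to the database in this example.
function vulnerableQuery(string $username, string $password): string
{
    return "SELECT * FROM user WHERE username = '" . $username .
           "' AND password = '" . $password . "';";
}

// Slide 17: the SQL text and the parameter values travel separately, so the
// payload can only ever be compared as a username value, never parsed as SQL.
function findUser(PDO $dbh, string $username, string $password): ?array
{
    $stmt = $dbh->prepare('SELECT id, username, password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

$payload = "' OR 1 = 1 #";   // the input from slide 14

echo vulnerableQuery($payload, ''), PHP_EOL;
// SELECT * FROM user WHERE username = '' OR 1 = 1 #' AND password = '';
// (the "#" comments out the rest of the WHERE clause on MySQL, as slide 15 shows)

var_dump(findUser($dbh, 'sue', 'secret'));   // array('id' => 1, 'username' => 'sue')
var_dump(findUser($dbh, $payload, ''));      // NULL: no row has that literal username
```

Run it with `php sqli_demo.php` (any file name). The point to take from the second var_dump is that the prepared statement does not reject the payload or sanitize it; it simply treats it as a string to compare against the username column, which is why no row matches.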

21 OWASP Top 10-2013 – A3 XSS Cross Site Scripting

22 Three Variants of XSS 1. Reflected XSS 2. Stored XSS 3. DOM based XSS

23 Cross Site Scripting Confusing the browser between the application’s HTML (structure) and Data.

24 Commonly Used Display Code

25 The Intended Result sue

26 What if $_GET["username"] is actually HTML and JavaScript? The vulnerability:

27 alert("Hello World") Let’s try this:

28 Display Code With Injection alert('hello world') " ?>

29 Display Code With Injection alert('hello world')

30 Reflected XSS The vulnerability is exploited only in response to a specific request. Example http://vulnerable.example.org/index.php?data=%3Cscript%3Ealert(%22hello%20world%22)%3Cscript%3E

31 Stored XSS 1. Submit request with XSS payload (ex. a blog comment with XSS in the body) 2. Web app stores the comment in Database (with unencoded XSS Code) 3. Victim views the stored data (ex. view a blog post which shows comments) 4. XSS Code is executed by the victim’s browser.

32 DOM Based XSS Also known as Type 0 XSS Out of the scope of this course Basically, tricking JavaScript to write out code

33 Protecting from XSS Encode user inputs

34 htmlentities() $foo = "<script>"; $foo = htmlentities($foo, ENT_QUOTES | ENT_HTML5); print $foo; # &lt;script&gt;

35 html_entity_decode() $foo = "&lt;script&gt;"; $foo = html_entity_decode($foo, ENT_QUOTES | ENT_HTML5); print $foo; # <script>

36 When to encode? Before reflecting. Before displaying information you just received. Choose either before you persist or after, then be consistent. Better yet do both, but watch out for double encoding.
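An output-encoding helper for the display code on slides 24 to 29, and a demonstration of the double-encoding problem slide 36 warns about, as an added example that is not part of the slide deck. The deck's own display template was not preserved on this page, so the `greet()` function that echoes `$_GET["username"]` into a paragraph is an assumption. The fourth argument of htmlentities(), `$double_encode`, is what controls whether an `&amp;` that is already an entity gets encoded again.

```php
<?php
// Added example (not from the slides): encode-on-output helper for the
// slide 24-29 display code, plus the double-encoding pitfall from slide 36.
declare(strict_types=1);

// Encode for an HTML text or attribute context. ENT_QUOTES also encodes the
// single quote, so the result is safe inside attribute values quoted either way.
// $doubleEncode = false tells htmlentities() to leave existing entities such as
// &amp; alone; use it only for data you know was already encoded on the way in.
function e(string $value, bool $doubleEncode = true): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8', $doubleEncode);
}

// Assumed reconstruction of the deck's display code: the only change is that
// the value passes through e() before it reaches the page.
function greet(string $username): string
{
    return '<p>Hello, ' . e($username) . '</p>';
}

// Constructed inputs for the demo.
$benign         = 'sue';                                 // slide 25
$payload        = '<script>alert("Hello World")</script>'; // slide 27
$alreadyEncoded = 'Tom &amp; Jerry';                     // stored after encoding on write

echo greet($benign), PHP_EOL;
// <p>Hello, sue</p>

echo greet($payload), PHP_EOL;
// <p>Hello, &lt;script&gt;alert(&quot;Hello World&quot;)&lt;/script&gt;</p>
// The browser renders the tag as text; no script element is created.

echo e($alreadyEncoded), PHP_EOL;
// Tom &amp;amp; Jerry   <- double encoded: the page would show "Tom &amp; Jerry" literally

echo e($alreadyEncoded, false), PHP_EOL;
// Tom &amp; Jerry       <- existing entity preserved, renders as "Tom & Jerry"
```

If you follow the slide's "do both" advice (encode before persisting and again before displaying), every display-time call needs `$doubleEncode = false`, otherwise ampersands in stored data come out as `&amp;amp;`. Encoding once, consistently at output time, avoids having to track which strings are already encoded.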

37 Configuration Your app is not secure if it’s running on a vulnerable server or otherwise deployed insecurely.

38 This is a topic in itself Sources to look at: http://php.net/manual/en/security.php http://www.phptherightway.com/ Google et al.

39 Simple Good Things To Do

40 Use PHP as Module not CGI

41 Patch! Your software is only as secure as your latest security patch

42 Hide your fingerprints http://www.php.net/manual/en/security.hiding.php http://httpd.apache.org/docs/current/mod/core.html#servertokens

43 Disable dangerous functions Disable dangerous functions (e.g. eval())
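A read-only self-check for the deployment points on slides 39 to 43, as an added example that is not part of the slide deck. It only reads the running PHP's configuration through php_sapi_name(), ini_get() and PHP_VERSION and reports what a practitioner would want to know before going live; the list of functions it expects to see in disable_functions is an assumption for the demo, not a standard. One caveat worth knowing for slide 43: eval is a language construct, not an internal function, so it cannot be listed in disable_functions; that directive only applies to internal functions.

```php
<?php
// Added example (not from the slides): checks the running PHP configuration
// against the recommendations on slides 39-43. Run from the CLI or as a
// throwaway page, then delete it. The expected disable_functions list below
// is an assumption for this demo.
declare(strict_types=1);

function configFindings(): array
{
    $findings = [];

    // Slide 40: module rather than CGI. php_sapi_name() reports how PHP was started.
    $sapi = php_sapi_name();
    if ($sapi === 'cgi' || $sapi === 'cgi-fcgi') {
        $findings[] = "PHP is running as '$sapi'; the slides recommend the Apache module (or FPM)";
    }

    // Slide 41: patching. The script cannot know the latest release offline, so it
    // just reports the version for comparison with php.net's supported-versions page.
    $findings[] = 'Running PHP ' . PHP_VERSION . ' (compare against current supported releases)';

    // Slide 42: expose_php = On adds an X-Powered-By header that reveals the PHP version.
    if (filter_var(ini_get('expose_php'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'expose_php is On; set expose_php = Off in php.ini';
    }

    // Slide 43: disable_functions. Only internal functions can be disabled here;
    // eval is a language construct and is not affected by this directive.
    $disabled = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));
    foreach (['exec', 'shell_exec', 'system', 'passthru'] as $fn) {   // assumed list
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn() is not listed in disable_functions";
        }
    }

    return $findings;
}

foreach (configFindings() as $finding) {
    echo '- ', $finding, PHP_EOL;
}
```

Running this under the CLI will always report the SAPI as `cli`, so the module-vs-CGI check is only meaningful when the script is served by the web server. Because `php_sapi_name()` and `ini_get()` reflect the configuration that actually loaded, this is also a quick way to confirm that a php.ini edit took effect after a restart.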

