Introduction To Web Application Security in PHP

Security is Big And Often Difficult PHP doesn’t make it any easier

What we’ll cover What do we mean by security? Application Security Code Configuration OWASP OWASP Top Ten SQL Injection XSS Configuration

Application Security Security in the SDLC as opposed to network security or data security or physical security

Security in Code and in Deployment For our purposes we’ll just stick to this:

OWASP An authority in Web Application Security

Open Web Application Security Project Really, many projects are “under” OWASP OWASP Top Ten ESAPI Development Guide Cheat Sheets Do not bring to exam Testing Guide More

OWASP Top Ten – Top Web Application Security Issues Based on the statistics of a number of scanning tools

OWASP Top – A1 InjectionA1 Injection SQL Injection is the variant of this that we’ll cover here

SQL Injection Confusing the DBMS between logic (written by the developer) and data (provided by the user)

A common query: $query = "SELECT * FROM user WHERE username = '". $_POST["username"]. "' AND password = '". $_POST["password"]. "';";

The intention $query = "SELECT * FROM user WHERE username = 'sue' AND password = 'secret';";

What if $_POST[“username”] is actually SQL Code The vulnerability:

' OR 1 = 1 # Let’s try this:

An SQL Injection $query = "SELECT * FROM user WHERE username = '' OR 1 = 1 #' AND password = '';”;

How to protect our code? Use Prepared Statements (available in all modern languages)

Prepared Statements $stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?"); $stmt- >execute(array($_POST["username"], $_POST["password"]));

The Intention $stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?"); $stmt->execute(array("sue", ”secret"));

The Exploit Foiled $stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?"); $stmt->execute(array("' OR 1 = 1 #", "")); // the logic is clearly separated // in our code and in transmission // to our database

Hence Why We Learned PDOPDO

OWASP Top – A3 XSSA3 XSS Cross Site Scripting

Three Variants of XSS 1.Reflected XSS 2.Stored XSS 3.DOM based XSS

Cross Site Scripting Confusing the browser between the application’s HTML (structure) and Data.

Commonly Used Display Code

The Intended Result sue

What if $_GET[“username”] is actually HTML and JavaScript? The vulnerability:

alert("Hello World") Let’s try this:

Display Code With Injection alert('hello world’) " ?>

Display Code With Injection alert('hello world')

Reflected XSS The vulnerability is exploited only in response to a specific request. Example p?data=%3Cscript%3Ealert(%22hello%20wo rld%22)%3Cscript%3E

Stored XSS Submit request with XSS payload (ex. a blog comment with XSS in the body) Web app stores the comment in Database (with unencoded XSS Code) Victim views the stored data (ex. view a blog post which shows comments) XSS Code is executed by the victim’s browser.

DOM Based XSS Also known as Type 0 XSS Out of the scope of this course Basically, tricking JavaScript to write out code

Protecting from XSS Encode user inputs

htmlentites() $foo = “ ”; $foo = htmlentities($foo, ENT_QUOTES | ENT_HTML5); print $foo; # <script>

html_entity_decode() foo = "<script>"; $foo = html_entity_decode($foo, ENT_QUOTES | ENT_HTML5); print $foo; # " ”

When to encode? Before reflecting Before displaying information you just received Choose either before you persist or after then be consistent. Better yet do both but watch out for double encodingdouble encoding

Configuration Your app is not secure if it’s running on a vulnerable server or otherwise deployed insecurely.

This is a topic in itself Sources to look at: Google et al.

Simple Good Things To Do

Use PHP as Module not CGI

Patch! Your software is only as secure as your latest security patch

Hide your fingerprints ng.phphttp:// ng.php core.html#servertokenshttp://httpd.apache.org/docs/current/mod/ core.html#servertokens

Disable dangerous functions Disable dangerous functions ( eval() ) eval()