
Presentation transcript: "Using PHP for Security" by Justin C. Klein Keane (OWASP Philadelphia, June 20, 2011)

1 Using PHP for Security
  OWASP Philadelphia, June 20, 2011
  Justin C. Klein Keane <justin@madirish.net>, @MadIrish2600
  Copyright Justin C. Klein Keane

2 Why PHP
  - PHP is often decried as insecure
  - PHP is definitely the root of swaths of application insecurity
  - PHP was certainly designed as a web application building language
  - So why use PHP for security purposes?

3 Advantages of PHP
  - The same things that make PHP popular for development make it good for security
  - PHP is a scripting language
    - Easy to change
    - Easy to learn, readable syntax
    - Good for rapid application development
    - No compiled code
  - Supports object oriented or procedural programming styles

4 Security Considerations
  - Be mindful that security programs can suffer from flaws as well
  - Flaws in security applications are often more damaging than in other apps
    - Context often allows for greater privilege and more damaging flaws
  - Be mindful to validate input, etc.
    - Most security related PHP apps are thankfully free of user input

5 GUI, What GUI?
  - PHP can be used for command line scripts
    - Easily scheduled
    - Can be run with the privileges of the web server
    - Can examine or reuse web application components
  - PHP scripts can include a user interface
    - Installed in a web server, scripts use the browser as their interface

6 Developing PHP
  - Robust IDE support
    - Zend Studio is the standard
    - PHP Eclipse works great though
  - IDEs designed for local or remote development
  - Good syntax highlighting, debugging, etc.

7 Overlooked Advantages
  - Database integration
    - Working with database back ends is quick and easy
    - Great for data analysis and reporting
  - Simple OS integration with functions like: shell_exec, syslog, fsockopen, gethostbyaddr, fread/fwrite
  - File system functions: chdir, chown, stat, etc.
  - Dynamic includes, both local & remote

8 Other Nifty Tricks
  - PHP includes a number of libraries that support:
    - Encryption
    - File compression and inflating
    - Working with tape archives
    - Dynamically generating images (graphs, etc.)
    - Sending / receiving
    - Consuming and producing feeds
    - Etc.

9 What to use PHP for
  - Offense
    - Pen testing, application exploitation, vulnerability discovery
  - Defense
    - Extending application security
    - Performing application monitoring
    - Managing external tools and applications
    - Building security middleware

10 Defensive Use
  - Add custom logging and alerting to existing PHP applications
  - Use PHP to leverage objects and data resources in existing applications
    - Provides great introspection into app state
  - PHP scripts can easily monitor application data layers to look for security problems
    - Often utilizing the application's existing data connection utilities
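As an added example of the first bullet (custom logging and alerting bolted onto an existing application), here is a small audit logger that a login handler could call. This is illustrative code written for this transcript, not code from the presentation. It assumes nothing beyond stock PHP: the class name, the threshold and window values, and the sample events are all constructed for the demo, and the failure counts are kept in process memory, where a real deployment would keep them in the application's database or cache.

```php
<?php
// Added example (not from the presentation): an audit logger that an existing
// PHP application can call from its login handler. Events go to syslog and an
// alert is raised when one client IP accumulates too many failed logins inside
// a sliding time window. Class name, threshold and window are illustrative
// assumptions; failure counts live in memory here only for the demo.

class SecurityAudit
{
    /** @var array<string, int[]> ip => timestamps of recent failures */
    private $failures = [];
    private $threshold;
    private $windowSeconds;

    public function __construct($threshold = 5, $windowSeconds = 300, $ident = 'webapp-audit')
    {
        $this->threshold = $threshold;
        $this->windowSeconds = $windowSeconds;
        // LOG_AUTH routes the records to the auth facility (e.g. /var/log/auth.log).
        openlog($ident, LOG_PID, LOG_AUTH);
    }

    public function __destruct()
    {
        closelog();
    }

    /** Record one login outcome; returns true when a brute-force alert fired. */
    public function loginAttempt($user, $ip, $success, $now = null)
    {
        $now = $now ?? time();
        // Sanitise attacker-controlled fields before logging so a crafted
        // username cannot inject newlines (forged log lines) or flood the log.
        $user = substr(preg_replace('/[^\x20-\x7e]/', '?', $user), 0, 64);
        $ip   = filter_var($ip, FILTER_VALIDATE_IP) ?: 'invalid-ip';

        if ($success) {
            syslog(LOG_INFO, "login ok user={$user} ip={$ip}");
            unset($this->failures[$ip]);
            return false;
        }

        syslog(LOG_NOTICE, "login failed user={$user} ip={$ip}");
        $this->failures[$ip][] = $now;
        // Drop failures that have aged out of the sliding window.
        $cutoff = $now - $this->windowSeconds;
        $this->failures[$ip] = array_values(array_filter(
            $this->failures[$ip],
            function ($t) use ($cutoff) { return $t > $cutoff; }
        ));

        if (count($this->failures[$ip]) >= $this->threshold) {
            syslog(LOG_WARNING, sprintf(
                'ALERT possible brute force: %d failed logins from %s within %ds',
                count($this->failures[$ip]), $ip, $this->windowSeconds
            ));
            return true;
        }
        return false;
    }
}

// Demo with constructed events; the timestamps and addresses are made up.
$audit = new SecurityAudit(3, 60);
$t = 1700000000;
$audit->loginAttempt('alice', '203.0.113.7', false, $t);
$audit->loginAttempt('alice', '203.0.113.7', false, $t + 10);
// Third failure inside 60 s fires the alert; the newline in the name is neutralised
// so it cannot forge a second "login ok" record in the log.
$alerted = $audit->loginAttempt("bob\nlogin ok user=root", '203.0.113.7', false, $t + 20);
echo $alerted ? "alert raised\n" : "no alert\n";
$audit->loginAttempt('alice', '203.0.113.7', true, $t + 30);
```

The two details worth copying into a real application are the input sanitisation before the syslog call (log injection is the classic flaw in home-grown loggers) and the use of the auth facility, so the records land beside the operating system's own authentication log where existing monitoring already looks.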

11 Offensive Use
  - PHP supports AJAX and HTTP requests easily, for quick and dirty testing of web application vulnerabilities
  - PHP can be injected into existing applications for hidden trojans
  - PHP can be used to manage other processes and handle their output

12 Custom PHP Development
  - PHP CLI is easy to use
  - PHP scripts can leverage existing resources, even from existing applications
  - OO allows you to write elegant programs that are easy to read and maintain
  - PHP is excellent for handling database data or data in XML formats

13 Sample Use Cases
  - Scheduled script checks the CMS database for rows in content tables that contain iframe or script tags
  - Script runs Nmap against known assets and logs the data in a custom MySQL database
  - Hookworm is a three line PHP trojan that communicates using cookies
  - Script that checks for phpMyAdmin installations by calling URLs
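The first use case on this slide (a scheduled CLI script scanning CMS content for injected iframe or script tags) also illustrates the CLI and database handling points of the previous slide, so one added example serves both. This is code written for this transcript, not the author's script. It assumes a content table named node_body with id and body columns, and stands an in-memory SQLite database with constructed rows in for the real CMS database so it runs offline; swapping the PDO DSN for the CMS's own connection string is the only change needed in practice (PDO with the sqlite driver is assumed to be available).

```php
<?php
// Added example (not from the presentation): a scheduled CLI script that scans
// a CMS content table for injected <iframe> or <script> tags and reports hits
// to syslog and stderr with a non-zero exit code for the scheduler.
// Assumptions: table `node_body` with columns id and body; an in-memory SQLite
// database with constructed rows stands in for the real CMS database.

function findInjectedMarkup(PDO $db, $table = 'node_body')
{
    // Match an opening iframe or script tag, case-insensitively, allowing
    // whitespace after '<' ("< script") which naive checks miss. \b stops
    // "scripture" from matching while still matching "<script>" and "<script src".
    $pattern = '/<\s*(iframe|script)\b/i';
    $hits = [];
    // The table name is a constant in this script, never user input; the
    // row values are fetched and inspected, never interpolated into SQL.
    $stmt = $db->query("SELECT id, body FROM {$table}");
    foreach ($stmt as $row) {
        if (preg_match($pattern, $row['body'], $m)) {
            $hits[] = ['id' => (int) $row['id'], 'tag' => strtolower($m[1])];
        }
    }
    return $hits;
}

// Constructed sample data standing in for the CMS content table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE node_body (id INTEGER PRIMARY KEY, body TEXT)');
$insert = $db->prepare('INSERT INTO node_body (id, body) VALUES (?, ?)');
$samples = [
    [1, '<p>Welcome to our site.</p>'],
    [2, '<p>News</p><IFRAME src="http://example.invalid/x" width=0 height=0></IFRAME>'],
    [3, '<p>Contact</p>< script>alert(1)</script>'],
    [4, '<p>No markup problems here, just the word script in prose.</p>'],
];
foreach ($samples as $s) {
    $insert->execute($s);
}

$hits = findInjectedMarkup($db);
if ($hits) {
    openlog('cms-content-check', LOG_PID, LOG_LOCAL0);
    foreach ($hits as $h) {
        $msg = sprintf('suspicious <%s> tag in node_body id=%d', $h['tag'], $h['id']);
        syslog(LOG_WARNING, $msg);
        fwrite(STDERR, $msg . PHP_EOL);
    }
    closelog();
    exit(1);   // non-zero so cron or a job scheduler can flag the run
}
echo "no suspicious markup found\n";
```

With the sample rows, ids 2 and 3 are reported and id 4 is not. Run it from cron with the CMS's real DSN; the exit status and the syslog records are what an alerting pipeline would consume, and because the script only reads the table it can run under a database account with SELECT privilege on the content tables alone.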

14 Lightning Questions
  - Got a question that will take 10 seconds or less to answer?

