Presentation is loading. Please wait.

Presentation is loading. Please wait.

© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.

Published byJanice Fleming Modified over 8 years ago

Similar presentations

Presentation on theme: "© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies."— Presentation transcript:

1 © All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies

2 © All rights reserved. Zend Technologies, Inc. Disclaimer Do not use anything you learn here for nefarious purposes | 9/19/20159/19/2015

3 © All rights reserved. Zend Technologies, Inc. Why Program Securely? Your job/reputation depends on it You may provide access to your own private data You may provide access to others private data You may allow someone to impersonate another (identity theft) You may take the blame for another person’s attack (remote code injection) You may be prone to service attacks | 9/19/20159/19/2015

4 © All rights reserved. Zend Technologies, Inc. Why’s the web so dangerous? It’s open  Lots of bad code out there  There are lots of bad people out there  Many servers set up by inexperienced sys admins  Or someone simply forgot to filter a variable Many people think they are immune/not a target  Security not taken seriously  Insufficient time or resources to take security into consideration  Stored information not considered important enough to secure | 9/19/20159/19/2015

5 © All rights reserved. Zend Technologies, Inc. What are the rules? Always use multiple methods of security  Validating a login is not enough The principle of least privileges Initialize all variables Cast variables when appropriate Don’t store sensitive data in the web tree Filter all data Don’t rely on hidden form variables. | 9/19/20159/19/2015

6 © All rights reserved. Zend Technologies, Inc. What are the rules? And last, but not least. No matter how much they cry. No matter how much they beg… Never, ever, trust your users. | 9/19/20159/19/2015

7 © All rights reserved. Zend Technologies, Inc. What are the rules? They could be this… | 9/19/20159/19/2015

8 © All rights reserved. Zend Technologies, Inc. What are the rules? But you have no way of being absolutely sure that they aren’t this… Why? Because identity validation is based not on who we are, but what we know. E.g. logins, passwords. If an attacker knows your login, then, as far as the computer is concerned, they are you | 9/19/20159/19/2015

9 © All rights reserved. Zend Technologies, Inc. What are the rules? So what does that mean?  Always filter data coming from the user or leaving your program (such as a database or system call)  Always escape output  Use a whitelist approach to data filtering whenever possible | 9/19/20159/19/2015

10 © All rights reserved. Zend Technologies, Inc. Basic types of attacks SQL Injection Cross Site Scripting (XSS) Cross Site Request Forgery (XSRF) Command Injection Remote Code Injection Session Hijacking Session Fixation Cookie Forging | 9/19/20159/19/2015

11 © All rights reserved. Zend Technologies, Inc. SQL Injection Used to insert data into SQL statements | 9/19/20159/19/2015

12 © All rights reserved. Zend Technologies, Inc. SQL Injection Cast to (int) whenever possible Use prepared statements if possible If prepared statements are not available escape everything using database-specific escaping functions Always validate data (ctype_*, preg_*, Zend_Filter_*) Only give your database user the permissions it needs. Never trust your users | 9/19/20159/19/2015

13 © All rights reserved. Zend Technologies, Inc. Cross Site Scripting (XSS) Used to trick the user | 9/19/20159/19/2015 Evil Doer Victim User Trusted Site (4) User’s Private Data (1) Injection (2) User Request (3) Evil HTML

14 © All rights reserved. Zend Technologies, Inc. Cross Site Scripting (XSS) Always escape user data (htmlentities, htmlspecialchars, strip_tags) Employ a whitelist for places where HTML input is required (!) Use ctype_digit and ctype_alnum for simple fields like names or phone numbers Don’t limit validation to Javascript Never trust your users | 9/19/20159/19/2015

15 © All rights reserved. Zend Technologies, Inc. Cross Site Request Forgery (XSRF) Used to trick the server | 9/19/20159/19/2015 Injection (1) Trusted User (2) User Request (3) User Request (4) Forged Request (5) Forged Request Evil Doer3rd Party Site Victim Site (6) Forged Request Result

16 © All rights reserved. Zend Technologies, Inc. Cross Site Request Forgery (XSRF) Use a site that relies on a user’s identity Exploit the website’s trust in that user Trick the user’s browser into sending HTTP requests  Cause the user’s browser to execute an action or retrieve data on your behalf on that site | 9/19/20159/19/2015

17 © All rights reserved. Zend Technologies, Inc. Cross Site Request Forgery (XSRF) Use tokens that expire during sensitive operations Force session timeouts Never trust your users | 9/19/20159/19/2015

18 © All rights reserved. Zend Technologies, Inc. Command Injection Used to execute programs on your server | 9/19/20159/19/2015

19 © All rights reserved. Zend Technologies, Inc. Command Injection Don’t use exec, system, popen, shell_exec, etc. in your program If you need to use those functions use hard coded values. Do not trust a variable or anything defined in another file If you need to have user input always use escapeshellargs and escapeshellcmd Never trust your users | 9/19/20159/19/2015

20 © All rights reserved. Zend Technologies, Inc. Remote Code Injection Used to run an attacker’s PHP code on your system | 9/19/20159/19/2015

21 © All rights reserved. Zend Technologies, Inc. Remote Code Injection Never use unchecked/unfiltered data in require|include(|_once) Set allow_url_include to false If you must make remote requests always filter any user provided data Use eval() judiciously Never trust your users | 9/19/20159/19/2015

22 © All rights reserved. Zend Technologies, Inc. Session Hijacking Often used in conjunction with XSS Attacker retrieves a user’s session ID and uses it as their own Can be used in conjunction with document.cookie | 9/19/20159/19/2015

23 © All rights reserved. Zend Technologies, Inc. Session Hijacking Use htmlentities, htmlspecialchars or strip_tags to disable JavaScript or image-based attacks Use session_regenerate_id(true) Validate a session against an IP address  Note that this should be used to generate an alert, not restrict a user’s access | 9/19/20159/19/2015

24 © All rights reserved. Zend Technologies, Inc. Session Fixation Used to piggy back on someone’s session by setting the user’s session to the attackers | 9/19/20159/19/2015

25 © All rights reserved. Zend Technologies, Inc. Session Fixation Difficult to guard against Use session_regenerate_id(true)  before logging in  periodically in a user’s session  if the domain in the HTTP_REFERER doesn’t match the current domain  None of these are foolproof, but they limit the ability of an attacker to fixate a session Disable the use of the session ID in the URL  Still able to change the session ID using JavaScript, though | 9/19/20159/19/2015

26 © All rights reserved. Zend Technologies, Inc. Cookie Forging Forging cookies that are used to determine permissions or access | 9/19/20159/19/2015

27 © All rights reserved. Zend Technologies, Inc. Cookie Forging Don’t use cookies. Use the session handler If you must use cookies, encrypt and salt the contents based off of secret information  Do not hash the contents $_COOKIE[‘isAdmin’] = md5(1); –Same for hacker as it is for you | 9/19/20159/19/2015

28 © All rights reserved. Zend Technologies, Inc. Miscellaneous good ideas Turn display_errors off Do not use register_globals Keep as much code and data out of the public code tree (htdocs/wwwroot) as possible Use a whitelist approach when dealing with HTML | 9/19/20159/19/2015

29 © All rights reserved. Zend Technologies, Inc. What about buffer overflows and such Very few of those weaknesses occur in PHP When they do they are usually in extension interfaces or the extensions themselves, not PHP Disable all unused streams, extensions, filters, etc. | 9/19/20159/19/2015

30 © All rights reserved. Zend Technologies, Inc. Concluding Thoughts Never trust your users Always filter your data Security through obscurity IS useful, just don’t bet the farm on it For the full Zend security course check out  http://www.zend.com/education/php_training_courses http://www.zend.com/education/php_training_courses | 9/19/20159/19/2015

31 © All rights reserved. Zend Technologies, Inc. Contact me Kevin Schroeder kevin@zend.com | 9/19/20159/19/2015

Download ppt "© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Webgoat.

Webgoat.
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.

IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
Martin Kruliš 2. 4. 2015 by Martin Kruliš (v1.0)1.

Martin Kruliš by Martin Kruliš (v1.0)1.
PHP Security.

PHP Security.
How things can go wrong? How to prevent the disaster? Writing Secure PHP Applications.

How things can go wrong? How to prevent the disaster? Writing Secure PHP Applications.
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead

Similar presentations

Ads by Google