Security Basics in PHP – Page 1 of 42CSCI 2910 – Client/Server-Side Programming CSCI 2910 Client/Server-Side Programming Topic: More Topics in PHP Reading:

  • Published on
    21-Dec-2015

  • View
    215

  • Download
    0

Embed Size (px)

Transcript

<ul><li> Slide 1 </li> <li> Security Basics in PHP Page 1 of 42CSCI 2910 Client/Server-Side Programming CSCI 2910 Client/Server-Side Programming Topic: More Topics in PHP Reading: Williams &amp; Lane pp. 377-397 </li> <li> Slide 2 </li> <li> Security Basics in PHP Page 2 of 42CSCI 2910 Client/Server-Side Programming Today's Goals Server-side applications open up a number of possibilities for malicious attacks This lecture provides an overview of security along with only a few of the measures that can be taken to guard against attacks. All responsible web programmers must continually familiarize themselves with both the modes of attack and the means by which to protect themselves and their data. </li> <li> Slide 3 </li> <li> Security Basics in PHP Page 3 of 42CSCI 2910 Client/Server-Side Programming Quick Facts Randal Schwartz -- Barney the Dinosaur Complexity of browsers and servers have opened up a number of other opportunities, i.e., every new feature opens up new vulnerabilities Many blogs, forums, search engines, and e- businesses display other user's form input to third party clients. Scripts and get-method forms can be disguised as simple links making unsuspecting clients vulnerable. </li> <li> Slide 4 </li> <li> Security Basics in PHP Page 4 of 42CSCI 2910 Client/Server-Side Programming Problems with User Input You have no control over a user's form input. Scripts must examine all input to prevent unintentional characters from causing erroneous execution malicious input from breaching security Always validate form input by: cleaning it up to verify acceptable strings or using it to drive assignment of hard-coded values. Typically, JavaScript on the client side is used for form validation, but we need to do more on the server-side. Attackers could create forms that simulate input from legitimate forms. </li> <li> Slide 5 </li> <li> Security Basics in PHP Page 5 of 42CSCI 2910 Client/Server-Side Programming Escape Characters It's a good idea to use trim() to remove excess white space from user input Be sure to control the escape character '\' so unwanted white space is removed Remove unwanted double slashes with stripslashes(); Prevent PHP control characters from entering form data using addslashes(). addslashes() escapes single quote ('), double quote ("), backslash (\) and NULL. addslashes() works the same as Magic Quotes, a process that automatically escapes incoming data. </li> <li> Slide 6 </li> <li> Security Basics in PHP Page 6 of 42CSCI 2910 Client/Server-Side Programming Validating Form Data Although the HTML form might have JavaScript used at the form to validate data, it is a good idea to validate form data at the server side too. Validating HTML form data: prevents erroneous output is critical to security is not to be trusted entirely To eliminate confusion, all forms should indicate to user which fields are required and, where applicable, the format and type of information a field is expecting. </li> <li> Slide 7 </li> <li> Security Basics in PHP Page 7 of 42CSCI 2910 Client/Server-Side Programming Methods to Validate Form Data isset() tests if a variable has a value. if (isset($var)) { // $var has a value. } else { // $var does not have a value. } Unfortunately, isset() will return a true if the variable is set to an empty string. </li> <li> Slide 8 </li> <li> Security Basics in PHP Page 8 of 42CSCI 2910 Client/Server-Side Programming Methods to Validate Form Data (continued) To avoid empty strings, use the string function strlen(). $input = stripslashes($_POST['name']); if (strlen($input) &gt; 0) { // User input a value. } else { // User did not input a value } </li> <li> Slide 9 </li> <li> Security Basics in PHP Page 9 of 42CSCI 2910 Client/Server-Side Programming Did the User Input a Number? To test if a submitted value is a number, use the is_numeric() function. is_numeric() returns a boolean true if the value is a number. </li> <li> Slide 10 </li> <li> Security Basics in PHP Page 10 of 42CSCI 2910 Client/Server-Side Programming Hidden Form Elements Hidden form elements can be used to pass data to a PHP script without allowing the user to see it. This can be used to identify the form that requested the page or passing other constants to the server side script. Never use hidden elements to store secure information as the HTML can be viewed by the client. </li> <li> Slide 11 </li> <li> Security Basics in PHP Page 11 of 42CSCI 2910 Client/Server-Side Programming Verifying the Client $_SERVER['HTTP_REFERER'] returns the address of the page that referred the user to this script. $_SERVER['REQUEST_METHOD'] returns the method of the form used to refer the user to this script. $_SERVER['REMOTE_ADDR'] returns the IP address of machine originating request. Can use this to limit which machines have access to your PHP script. </li> <li> Slide 12 </li> <li> Security Basics in PHP Page 12 of 42CSCI 2910 Client/Server-Side Programming HTTP Headers HyperText Transfer Protocol (HTTP) is the protocol that defines how servers and clients communicate. When a browser requests a Web page, it receives a series of HTTP headers containing information about the transaction. PHP's built-in function header() allows a server- side script to provide a custom header. These headers can be used for authentication </li> <li> Slide 13 </li> <li> Security Basics in PHP Page 13 of 42CSCI 2910 Client/Server-Side Programming HTTP Headers (continued) Since PHP sends output to the client as it is generated, and since headers must be sent before the HTML file itself, the header() function must be executed before the script outputs anything. Failure to do this results in an error message to the user. To avoid this, use the headers_sent() function, which checks whether or not data has been sent to the Web browser. if (!headers_sent()) header ("Location: http://www.url.com/a.php"); else echo "Unable to redirect you."; </li> <li> Slide 14 </li> <li> Security Basics in PHP Page 14 of 42CSCI 2910 Client/Server-Side Programming HTTP Headers Redirect The most common example of headers is to redirect the browser from the current page to another. Example: header ("Location: http://www.url.com/page.php"); http://www.url.com/page.php A redirect should be the last thing to occur on the current page since the browser will soon be leaving it. Therefore, this line should be followed by a call to the exit() function in order to stop execution of the script. </li> <li> Slide 15 </li> <li> Security Basics in PHP Page 15 of 42CSCI 2910 Client/Server-Side Programming Sticky Forms If a user needs to be returned to a form, e.g., they have forgotten to input required data, it's nice to have the fields that they have already entered pre-filled for the new form. Remember that form elements in HTML can have preset values. For example: </li> <li> Slide 16 Presetting other form elements: Use checked="checked" to preset a checkbox Use selected="selected" to pre-select an option in a select element To preset the value of a textarea, place the value between the... tags"&gt; </li><li> Security Basics in PHP Page 16 of 42CSCI 2910 Client/Server-Side Programming Sticky Forms (continued) Use the valid values returned in $_GET and $_POST to preset those values. For example: " /&gt; Presetting other form elements: Use checked="checked" to preset a checkbox Use selected="selected" to pre-select an option in a select element To preset the value of a textarea, place the value between the... tags </li> <li> Slide 17 </li> <li> Security Basics in PHP Page 17 of 42CSCI 2910 Client/Server-Side Programming Security Issues Allowing the client to execute scripts and access databases on a server opens up vulnerabilities not inherent in client-side applications. Security has become the most important design issue in web application development. It must be addressed in your designs. </li> <li> Slide 18 </li> <li> Security Basics in PHP Page 18 of 42CSCI 2910 Client/Server-Side Programming Identifying the Threats (Source: Laws, Michaele, Course Notes PHP4/ PHP Part4_lecture.doc) Four types of threats to server side applications Access to or modification of sensitive data User permissions (who sees what) What to store, what not to store Encoding data sent to server using SSL Loss or destruction of data Deleting a table Loss of a server due to a destructive event, e.g., natural disaster </li> <li> Slide 19 </li> <li> Security Basics in PHP Page 19 of 42CSCI 2910 Client/Server-Side Programming Identifying the Threats (continued) (Source: Laws, Michaele, Course Notes PHP4/ PHP Part4_lecture.doc) Denial of Service Crashing the computer Filling up HDD Generating multiple processes, using up memory Causing hardware failure on server by manipulating device drivers Flooding network with traffic Malicious Code Injection SQL Injection Cross Site Scripting (XSS) </li> <li> Slide 20 </li> <li> Security Basics in PHP Page 20 of 42CSCI 2910 Client/Server-Side Programming You Don't Want to Become the Reason for Articles Like This (Source: Swartz, Jon, USA Today, Posted 2/18/2003 5:07 PM) Hackers Get Credit Card Numbers By Jon Swartz, USA TODAY SAN FRANCISCO Intruders broke into a computer system and accessed more than 5.6 million credit card account numbers from Visa, MasterCard and American Express in what is believed to be the largest security breach of its kind. The suspected hackers cracked the security of a company that processes transactions for merchants, the credit card associations said Tuesday. They wouldn't identify the company attacked or say when or how the hackers got to the accounts, which includes about 3.4 million from Visa and 2.2 million from MasterCard. </li> <li> Slide 21 </li> <li> Security Basics in PHP Page 21 of 42CSCI 2910 Client/Server-Side Programming Warning (Source: Laws, Michaele, Course Notes PHP4/ PHP Part4_lecture.doc) "The following information is never to be used with malicious intent, or to show off. It is understood that to write secure code, one must comprehend what makes code insecure and how or why it is insecure. Use of techniques discussed in class without prior approval of all parties involved will result in termination from the CS department, and possible discipline measures from the university and/or local authorities." </li> <li> Slide 22 </li> <li> Security Basics in PHP Page 22 of 42CSCI 2910 Client/Server-Side Programming Inserting PHP Using Form Inputs Forms with text input may be used to insert PHP code. Example: Client could attempt to insert a script using a first name such as: confirm("Gotcha!"); </li> <li> Slide 23 </li> <li> Security Basics in PHP Page 23 of 42CSCI 2910 Client/Server-Side Programming Inserting PHP Using Form Inputs (continued) On a poorly configured server, the PHP code that would be executed would allow the pop-up: Okay, so this may not be that malicious, but there are other things a hacker could do. For example, a hacker could use this method to insert JavaScript code to access server or client data. </li> <li> Slide 24 </li> <li> Security Basics in PHP Page 24 of 42CSCI 2910 Client/Server-Side Programming Cross Site Scripting (Source: Laws, Michaele, Course Notes PHP4/ PHP Part4_lecture.doc) "[Cross Site Scripting] is when a web site displays user input in the browser that has not been properly sanitized. Cross site scripting can be used to steal cookies, compromise data integrity and trick users into submitting information to a hacker. An unauthorized user can modify data in the URL string to insert damaging HTML into the processing script, and send the user to a bogus site (cross site)." </li> <li> Slide 25 </li> <li> Security Basics in PHP Page 25 of 42CSCI 2910 Client/Server-Side Programming Cross Site Scripting (continued) Basically, the problem occurs when a hacker manages to trick a client into clicking on a link that has a URL modified to insert malicious code into the processing script. For example, if the first_name element of the preceding form and associated script were set to: alert(document.cookie) then a JavaScript function would be executed. While an alert box is not that malicious, giving a hacker the ability to insert JavaScript into a client's page puts the clients cookies and other information at risk of being sent to the hacker through what might appear to be an innocent link. </li> <li> Slide 26 </li> <li> Security Basics in PHP Page 26 of 42CSCI 2910 Client/Server-Side Programming SQL Injection Many database queries require user input to identify records. In particular, user names and passwords can be exploited to gain access to other data. SQL injection inserts PHP SQL functions through form inputs to gain unauthorized access to protected information. </li> <li> Slide 27 </li> <li> Security Basics in PHP Page 27 of 42CSCI 2910 Client/Server-Side Programming Sample HTML Login Form userid: password: </li> <li> Slide 28 "&gt; </li><li> Security Basics in PHP Page 28 of 42CSCI 2910 Client/Server-Side Programming Sample PHP Login Script Invalid userid or password. "); mysql_close($db); }?&gt; </li> <li> Slide 29 </li> <li> Security Basics in PHP Page 29 of 42CSCI 2910 Client/Server-Side Programming Valid Operation If the user were to enter a user name of "abcde" and password of "12345", the PHP script would perform the following SQL query: Select * from members where username='abcde and password=12345 </li> <li> Slide 30 </li> <li> Security Basics in PHP Page 30 of 42CSCI 2910 Client/Server-Side Programming Malicious Operation If the user entered a user name of or = (including the single quotation marks) and a password of or = (including the single quotation marks), the PHP script would perform the following SQL query: Select * from members where username= or = and password = or = This will return all records, and the user will be allowed access to the system. </li> <li> Slide 31 </li> <li> Security Basics in PHP Page 31 of 42CSCI 2910 Client/Server-Side Programming Options One option to solve this problem is to create a function that will strip characters that could be used by hackers. It is important when enrolling valid users to include this code to properly format a user's name for use in the database. It might also be beneficial to use this function to limit the length of the client's input. </li> <li> Slide 32 </li> <li> Security Basics in PHP Page 32 of 42CSCI 2910 Client/Server-Side Programming Function clean() function clean($input, $maxlength) { $input = substr($input,0,$maxlength); $input = EscapeShellCmd($input); $input = htmlspecialchars($input,ENT_QUOTES); return $input; } $userid = clean($_POST['userid'],10); $pwd = clean($_POST ['pwd'],15); </li> <li> Slide 33 ^()[]{}$\, \x0A and \xFF. ' and " are escaped only if they are not paired. In Windows, all these characters plus % are replaced by a space instead.""&gt; </li><li> Security Basics in PHP Page 33 of 42CSCI 2910 Client/Server-Side Programming Function escapeshellcmd() (Source: http://us3.php.net/manual/en/fun...</li></ul>

Recommended

View more >