200 Days of Code, Beginner Track, Month 5

Post on 22-Jan-2018

Chapters 12, 13, 14

Ryne McCall

(a little) Security

Regular expressions

Unicode (maybe)

Security

Security spectrum: more secure <-> more usable

Security == Laziness

OWASP top ten

•A1-Injection

•A2-Broken Authentication and Session Management

•A3-Cross-Site Scripting (XSS)

•A4-Insecure Direct Object References

•A5-Security Misconfiguration

•A6-Sensitive Data Exposure

•A7-Missing Function Level Access Control

•A8-Cross-Site Request Forgery (CSRF)

•A9-Using Components with Known Vulnerabilities

•A10-Unvalidated Redirects and Forwards

Regular expressions

Agenda

•What are they?

•Best practices

•Problems

History

– Larry Wall

“...we saw how everyone borrowed Perl 5 compatible regular expressions, and we figured - well, you know, they're a real big mess, and we're sorry, but we're changing them now, now that you've just borrowed them.”

What are they?

PCRE functions

•preg_filter — Perform a regular expression search and replace

•preg_grep — Return array entries that match the pattern

•preg_last_error — Returns the error code of the last PCRE regex execution

•preg_match_all — Perform a global regular expression match

•preg_match — Perform a regular expression match

•preg_quote — Quote regular expression characters

•preg_replace_callback — Perform a regular expression search and replace using a callback

•preg_replace — Perform a regular expression search and replace

•preg_split — Split string by a regular expression

preg_match

int preg_match ( string $pattern , string $subject [, array &$matches] )

/………/

/app/

A. foo

B. bar

C. apple

D. app

/a|b/

A. a

B. b

C. ab

D. x

/a+/

A. a

B. aaa

C. baaab

D. b

/a*/

A. a

B. aaa

C. baaab

D. b

/^app$/

A. foo

B. bar

C. apple

D. app

/^ab?c$/

A. aac

B. abc

C. ac

D. acc

/^a.c$/

A. aac

B. abc

C. ac

D. acc

/^(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){255,})(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){65,}@)(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22))(?:\\.(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22)))*@(?:(?:(?!.*[^.]{64,})(?:(?:(?:xn--)?[a-z0-9]+(?:-+[a-z0-9]+)*\\.){1,126}){1,}(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-+[a-z0-9]+)*)|(?:\\[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-9][:\\]]){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?)))|(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\\.(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))\\]))$/iD

/[[:alpha:]]/ or /[A-Za-z]/

A. a

B. b

C. c

D. -

/^[[:alpha:]]+\d*$/

A. abc123

B. a

C. ~abc123~

D. 123abc

/a{2,4}/

A. a

B. aa

C. aaaa

D. b

/^([[:alpha:]]\d)+[[:alpha:]]*$/

A. a0

B. a0xyz

C. 0a1b

D. a0b1xyz

/(\d{3})-(\d{3})-(\d{4})/
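The following is an added example, not code from the deck: it feeds the quiz patterns shown above and the phone-number pattern through preg_match(), checks the return value properly (1, 0 or false, with preg_last_error() on failure), and pulls the capture groups out of $matches. The sample strings are the quiz options; the phone-number subject is a constructed string.

```php
<?php
// Added example, not part of the slide deck: drive the deck's quiz patterns
// through preg_match() and pull capture groups out of the phone pattern.

/**
 * Returns [candidate => bool] for one pattern. preg_match() returns
 * 1 (match), 0 (no match) or false (pattern error), so compare with ===
 * and never treat false as "did not match".
 */
function matchTable(string $pattern, array $candidates): array
{
    $table = [];
    foreach ($candidates as $s) {
        $r = preg_match($pattern, $s);
        if ($r === false) {
            throw new RuntimeException(
                'PCRE error ' . preg_last_error() . " for pattern $pattern"
            );
        }
        $table[$s] = ($r === 1);
    }
    return $table;
}

/**
 * Extracts the three capture groups of the deck's phone pattern.
 * Returns null when the subject contains no phone number.
 */
function phoneParts(string $subject): ?array
{
    if (preg_match('/(\d{3})-(\d{3})-(\d{4})/', $subject, $m) !== 1) {
        return null;
    }
    // $m[0] is the whole match; $m[1], $m[2], $m[3] are the groups
    return ['area' => $m[1], 'exchange' => $m[2], 'line' => $m[3]];
}

// Quiz slides: pattern => the four options shown on that slide
$quiz = [
    '/app/'                            => ['foo', 'bar', 'apple', 'app'],
    '/a|b/'                            => ['a', 'b', 'ab', 'x'],
    '/a+/'                             => ['a', 'aaa', 'baaab', 'b'],
    '/a*/'                             => ['a', 'aaa', 'baaab', 'b'], // * also allows zero a's
    '/^app$/'                          => ['foo', 'bar', 'apple', 'app'],
    '/^ab?c$/'                         => ['aac', 'abc', 'ac', 'acc'],
    '/^a.c$/'                          => ['aac', 'abc', 'ac', 'acc'],
    '/[[:alpha:]]/'                    => ['a', 'b', 'c', '-'],
    '/^[[:alpha:]]+\d*$/'              => ['abc123', 'a', '~abc123~', '123abc'],
    '/a{2,4}/'                         => ['a', 'aa', 'aaaa', 'b'],
    '/^([[:alpha:]]\d)+[[:alpha:]]*$/' => ['a0', 'a0xyz', '0a1b', 'a0b1xyz'],
];

foreach ($quiz as $pattern => $options) {
    foreach (matchTable($pattern, $options) as $s => $hit) {
        printf("%-34s %-9s %s\n", $pattern, $s, $hit ? 'match' : 'no match');
    }
}

// Constructed sample subject for the phone pattern (unanchored, so the
// surrounding words do not prevent the match)
print_r(phoneParts('call 555-123-4567 today'));
var_dump(phoneParts('no number here'));
```

Run it with `php quiz.php` (any file name) and compare the printed table with your own answers to the quiz slides. Note that the phone pattern has no ^ or $ anchors, so it reports a match inside any longer string; whether that is acceptable depends on whether you are searching text or validating a field, which is the point the "good text" slide makes.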

Best practices

– Jamie Zawinski

“Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems.”

/good text/

A. good text; evil text

B. evil text good text

C. good text'; evil text

D. good text
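An added example (not from the deck) showing why the slide above matters for input validation: the unanchored /good text/ accepts all four options because it only asks whether the string contains that text, while an anchored pattern with the D modifier (seen in the deck's email regex as /iD) accepts only the exact value. The isAllowedValue() helper is my own illustration of building such a pattern from a list of allowed literals with preg_quote(); the inputs are the quiz options plus one constructed string with a trailing newline.

```php
<?php
// Added example, not part of the slide deck: unanchored "contains" check
// versus anchored "whole string" check when validating input.

// Unanchored: passes anything that merely contains "good text" somewhere.
function looseCheck(string $input): bool
{
    return preg_match('/good text/', $input) === 1;
}

// Anchored with ^ and $, plus the D modifier so that $ only matches at the
// very end of the subject and not before a trailing newline.
function strictCheck(string $input): bool
{
    return preg_match('/^good text$/D', $input) === 1;
}

// Whitelist validation for a value that must be one of a fixed set of
// literals. preg_quote() escapes regex metacharacters in the allowed values
// (otherwise "a.b" would also accept "axb" and "1+1" would accept "11").
function isAllowedValue(string $input, array $allowed): bool
{
    $alternatives = array_map(
        function (string $v) {
            return preg_quote($v, '/');   // '/' is the delimiter used below
        },
        $allowed
    );
    $pattern = '/^(?:' . implode('|', $alternatives) . ')$/D';
    $r = preg_match($pattern, $input);
    if ($r === false) {
        throw new RuntimeException('PCRE error ' . preg_last_error());
    }
    return $r === 1;
}

// Quiz options plus one constructed input with a trailing newline
$inputs = [
    'good text; evil text',
    'evil text good text',
    "good text'; evil text",
    'good text',
    "good text\n",
];

foreach ($inputs as $in) {
    printf("%-28s loose=%s strict=%s\n",
        json_encode($in),
        looseCheck($in) ? 'pass' : 'fail',
        strictCheck($in) ? 'pass' : 'fail');
}

$allowed = ['a.b', '1+1'];
foreach (['a.b', 'axb', '1+1', '11'] as $in) {
    printf("%-6s allowed=%s\n", $in, isAllowedValue($in, $allowed) ? 'yes' : 'no');
}
```

Running this, looseCheck() passes every input, strictCheck() passes only the exact string "good text", and isAllowedValue() accepts "a.b" and "1+1" but rejects "axb" and "11". Drop the D modifier from strictCheck() and the input with the trailing newline starts passing as well, which is the kind of gap that lets an extra line of input through a validator.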

phone-number.php

Problems

Thanks