PHP Security Computer Security. overview Xss, Css Register_globals Data Filtering Sql Injection ...

Post on 26-Dec-2015


PHP Security

Computer Security

overview

XSS, CSS

register_globals

Data Filtering

SQL Injection

Session Fixation

Cross Site Scripting

The goal of a CSS (cross-site scripting) attack is to steal the client's cookies, or any other sensitive information that identifies the client to the web site. With the legitimate user's token in hand, the attacker can act as that user in interactions with the site, that is, impersonate the user.

(attention to the sample)

Another sample

Another sample (cont)

Prevent

register_globals: Poor Security

<?php
// $authorized is only assigned on the success path. With register_globals
// enabled, a request parameter can initialize it before this check runs
// (the slide's point; the weakness is kept as written).
if (authenticated_user()) {
    $authorized = true;
}
if ($authorized) {
    include "Access.php";
}
?>

Risk: a request for Login.php?authorized=1 sets $authorized before the check in Login.php runs, so Access.php is included without authentication.

register_globals: Poor Security

<?php
// $path is never assigned here; with register_globals on it comes from the request.
include "$path/script.php";
?>

Risk: a request for Run.php?path=http%3A%2F%2Fwww.mysite.com%2F%3F makes Run.php execute the equivalent of:

<?php include 'http://www.mysite.com/?/script.php'; ?>

If allow_url_fopen is enabled (which it is by default, even in php.ini-recommended), this includes the output of http://www.mysite.com/ just as if it were a local file. (Note: in PHP 5.2 and later, remote include additionally requires allow_url_include, which is off by default.)

Data Filtering

Filtering Examples

The following validates an email address:

<?php
$clean = array();
// One local part, one or more dot-separated domain labels, a TLD of 2+ letters.
$email_pattern = '/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
if (preg_match($email_pattern, $_POST['email'])) {
    $clean['email'] = $_POST['email'];
}
?>

Data Filtering

Filtering Examples

The following example ensures that $_POST['num'] is an integer:

<?php
$clean = array();
// Accept the value only if it round-trips through intval unchanged
// (so "12abc", " 12" and "12.0" are rejected).
if ($_POST['num'] == strval(intval($_POST['num']))) {
    $clean['num'] = $_POST['num'];
}
?>

The following example ensures that $_POST['num'] is a float:

<?php
$clean = array();
// Same round-trip idea with floatval; note that a value such as "1.10"
// does not round-trip ("1.1") and is therefore rejected.
if ($_POST['num'] == strval(floatval($_POST['num']))) {
    $clean['num'] = $_POST['num'];
}
?>

Databases and SQL

Put the user name and password in a file outside the webroot folder, e.g. Test/conn:

SetEnv DB_USER "myuser"
SetEnv DB_PASS "1234"
SetEnv DB_HOST "myhost"

Include this file within httpd.conf as follows: Include "Test/conn"

Be careful not to expose these variables with something like phpinfo() or print_r($_SERVER).

<?php
// db.inc: credentials come from the Apache environment, not from source code.
// (mysql_connect is the legacy extension used by the slides; it was removed in PHP 7.)
$db = mysql_connect($_SERVER['DB_HOST'], $_SERVER['DB_USER'], $_SERVER['DB_PASS']);
?>

SQL Injection: WHERE Hacking

<?php
$db = mysql_connect("localhost", "Hawk", "3");
mysql_select_db("user", $db);

// The query is built by string concatenation of raw POST data; this is the
// vulnerability the slide demonstrates and is kept on purpose.
$sql = "select * from user where UserName='" . $_POST['user'] . "' and Pass='" . $_POST['pass'] . "'";

$result = mysql_query($sql);
while ($row = mysql_fetch_array($result)) {
    echo "<h4> Name: " . $row["UserName"] . ', ' . $row["Pass"] . "</h4> \n";
}
mysql_close();
?>

SQL Injection

Select * from user where UserName=ym and Pass=2 or 1=1

$sql = "select * from user where UserName='" . $_POST['user'] . "' and Pass='" . $_POST['pass'] . "'";

Normal query (user = ym, pass = ym):

select * from user where UserName='ym' and Pass='ym'

Injected query (the -- comment marker removes the password check):

select * from user where UserName='ym';-- ' and Pass=''

Injected Select

Prevent

• Using stored procedures

• ctype_alnum — Check for alphanumeric character(s)

• ctype_alpha — Check for alphabetic character(s)

• mysql_real_escape_string — Escapes special characters in a string for use in a SQL statement
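As an added example (not code from the slides), the login lookup from the WHERE-hacking slide rewritten with a PDO prepared statement plus the ctype_alnum whitelist listed above, run against an in-memory SQLite table so it executes offline; the table, its rows and the inputs are constructed for the demonstration.

```php
<?php
// Constructed fixture: an in-memory SQLite table shaped like the slides' "user" table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE user (UserName TEXT, Pass TEXT)");
$pdo->exec("INSERT INTO user VALUES ('ym', 'ym')");

// Hardened lookup: the SQL text is fixed and the values travel as bound
// parameters, so quotes or comment markers in the input stay data and never
// become SQL syntax. Returns the matching row, or null when there is none.
function find_user_safe(PDO $pdo, string $user, string $pass): ?array
{
    // Whitelist the user name first (ctype_alnum, as on the prevention slide).
    // The password is not whitelisted, only bound, so it may contain any character.
    if ($user === '' || !ctype_alnum($user)) {
        return null;
    }
    $stmt = $pdo->prepare("select * from user where UserName = :u and Pass = :p");
    $stmt->execute([':u' => $user, ':p' => $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Legitimate credentials: exactly one row comes back.
var_dump(find_user_safe($pdo, 'ym', 'ym') !== null);    // bool(true)

// The slide's injected name: rejected by the whitelist. Even with the whitelist
// removed, the bound parameter is compared literally against UserName and
// matches nothing, so the password check is never bypassed.
var_dump(find_user_safe($pdo, "ym';--", '') === null);  // bool(true)

// Wrong password for a real user: still no row.
var_dump(find_user_safe($pdo, 'ym', 'wrong') === null); // bool(true)
```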

Session Fixation

There are three common methods an attacker can use to obtain a valid session identifier:

1. Prediction: guessing a valid session identifier. With PHP's native session mechanism, the session identifier is extremely random, and this is unlikely to be the weakest point in your implementation.

2. Capture

3. Fixation

Capturing a valid session identifier is the most common type of session attack, and there are numerous approaches. Because session identifiers are typically propagated in cookies or as GET variables, the different approaches focus on attacking these methods of transfer. While there have been a few browser vulnerabilities regarding cookies, these have mostly been in Internet Explorer, and cookies are slightly less exposed than GET variables. Thus, for those users who enable cookies, you can provide them with a more secure mechanism.

In the simplest case, a session fixation attack can use a link:

<a href="http://host/index.php?PHPSESSID=1234">Click here</a>

Or a protocol-level redirect:

<?php header('Location: http://host/index.php?PHPSESSID=1234'); ?>

Session Fixation

<?php
// session_start() adopts whatever PHPSESSID arrives (with session.use_strict_mode
// off), including one supplied by the fixation link above; the counter then
// accumulates under that attacker-chosen identifier.
session_start();
if (!isset($_SESSION['visits'])) {
    $_SESSION['visits'] = 1;
} else {
    $_SESSION['visits']++;
}
echo $_SESSION['visits'];
?>

Session Fixation