Php security
PHP Security
Akash Mahajan | akashm.com | That Web Application Security Guy
This talk isn't about security
• This is about data in the web applications
  • How does it flow?
  • Where does it come from?
  • Where does it end up?
• This is about configuration of web applications
  • Do files require some special permissions?
  • Why does your upload folder have 0777?
@makash | akashm.com - That Web Application Security Guy
Web Apps look like this – 3 tier
Web Clients
• Call them browsers, user-agents etc.
• Web clients talk & request in HTTP
Web Servers
• Call them web servers, application servers etc.
• Web servers talk and reply in HTTP
Data Store
• Database server. Flat files
• Serves data requests from the web server.
• NO HTTP
Data View of A Web App in Use
Web Client controls everything that it has received as part of the request.
Data Store
Web Server
• TCP Port 80
• HTTP Protocol
• PHP Interpreter
• Trusted Code running on the server
Untrusted Data
Data you can't trust
• Good data for a login page
  • Username – foo
  • Password – bar
• Bad data for a login page
  • Username – foo' OR 1=1;--
  • Password – bar' OR 1=1;--
• Good data for a comment
  • This is a nice comment
• Bad data for a comment
  • This is an XSS</textarea><script>alert(document.cookie);</script>
Data you need to protect
• Clear text passwords for a username
  • [email protected]
  • Password is 123456
  • Data thief steals the entire database and has reusable account details
• http://somebank.cxm/account-details.php?id=1234
  • Did you check that only the user with id 1234 can see this?
  • What if the attacker stole the session cookie of the user with id 1234?
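The two problems on this slide, as an added example that is not from the talk: stored passwords are hashed with PHP's password_hash() instead of kept in clear text, and the account-details page decides whose record to show from the server-side session rather than from the id parameter in the URL. It uses an in-memory SQLite "users" table constructed below so it runs stand-alone; the table and column names and the session layout are this example's own assumptions.

```php
<?php
// Added example, not from the talk: protecting stored passwords and
// checking that the logged-in user may see account 1234.
// The "users" table, its columns and $session['user_id'] are assumptions.
declare(strict_types=1);

// Store a salted bcrypt hash, never the clear text "123456".
function storePassword(PDO $db, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    $stmt->execute([$email, $hash]);
}

// Returns the user id on a correct password, null otherwise. A thief who
// dumps this table gets hashes that still have to be cracked, not logins.
function checkLogin(PDO $db, string $email, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// account-details.php?id=1234: the id is untrusted data from the URL.
// Whose account is shown is decided by the session, not by the parameter.
function accountDetails(PDO $db, array $session, array $query): array
{
    $requested = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT);
    if ($requested === false || !isset($session['user_id'])) {
        http_response_code(400);
        return [];
    }
    if ($requested !== (int) $session['user_id']) {
        http_response_code(403);   // logged in, but not the owner of that id
        return [];
    }
    $stmt = $db->prepare('SELECT id, email FROM users WHERE id = ?');
    $stmt->execute([$requested]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: [];
}

// Demo with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
storePassword($db, 'user@example.com', '123456');

$uid = checkLogin($db, 'user@example.com', '123456');
var_dump($uid, checkLogin($db, 'user@example.com', 'wrong'));
var_dump(accountDetails($db, ['user_id' => $uid], ['id' => (string) $uid]));
var_dump(accountDetails($db, ['user_id' => $uid], ['id' => '1234']));
```

The ownership check does nothing against the slide's last point, a stolen session cookie, because the stolen cookie carries the real user_id. What narrows that exposure is how the cookie is issued: session_set_cookie_params() with httponly and secure set, so page scripts cannot read it and it only travels over HTTPS, and session_regenerate_id(true) after a successful checkLogin() so a session id fixed before login is worthless.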
Where all is data coming from
• GET Requests
• AJAX Requests
• POST Requests
• HTML Form Data
• Cookies stored with values
• HTTP Headers
• File Uploads
• External data sources
Job of your trusted code
• Trusted code should remain trusted.
• Based on the validation we can classify data as tainted/bad or un-tainted/good.
• Only after that should the data which is good data for the application be processed.
I am a developer, not a hacker
• Agreed, you are not a person bent on breaking the app, but
• Data from requests which is displayed in the browser passes through your trusted code. Injecting HTML/JS into it is XSS.
• Data from the browser gets stored in the database. Injecting SQL into such requests which are sent to the database is SQL Injection.
• Data stored in cookies which are used for authentication can be hijacked by an evil web page. Unauthorized requests on behalf of your web app user are CSRF.
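The three data paths named on this slide, as an added example that is not from the talk: each is shown in the form that lets the untrusted data change behaviour, next to the hardened form (prepared statements, output escaping, a per-session CSRF token). It also uses the login and comment payloads from the "Data you can't trust" slide as its inputs. The in-memory SQLite "comments" table and its columns are constructed here and are this example's own assumptions.

```php
<?php
// Added example, not from the talk: SQL injection, XSS and CSRF, each in a
// vulnerable and a hardened form. The "comments" table and the $session
// layout are this example's own assumptions.
declare(strict_types=1);

// --- SQL injection: untrusted data mixed into the query text -------------
function commentsVulnerable(PDO $db, string $author): array
{
    // An author value of "foo' OR 1=1 --" rewrites the WHERE clause.
    $sql = "SELECT body FROM comments WHERE author = '$author'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

function commentsSafe(PDO $db, string $author): array
{
    // A prepared statement sends the value separately from the query
    // structure, so the quote and the OR are just characters in a name.
    $stmt = $db->prepare('SELECT body FROM comments WHERE author = ?');
    $stmt->execute([$author]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// --- XSS: untrusted data written into HTML -------------------------------
function renderVulnerable(string $comment): string
{
    // The </textarea> in the data closes the element and the script runs.
    return '<textarea>' . $comment . '</textarea>';
}

function renderSafe(string $comment): string
{
    // Escaping < > & " ' on output keeps the data inside the textarea.
    $escaped = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<textarea>' . $escaped . '</textarea>';
}

// --- CSRF: a state-changing POST that relies only on the session cookie --
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function insertComment(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
    $stmt->execute([$author, $body]);
}

function postCommentVulnerable(PDO $db, array $session, array $post): bool
{
    // The browser attaches the session cookie to any form submission,
    // including one from another site, so this cannot tell them apart.
    if (!isset($session['user'])) {
        return false;
    }
    insertComment($db, $session['user'], (string) ($post['body'] ?? ''));
    return true;
}

function postCommentSafe(PDO $db, array $session, array $post): bool
{
    // Our own form carries the token as a hidden field; another site's page
    // cannot read it, so a forged request fails this constant-time compare.
    if (!isset($session['user'], $session['csrf_token'], $post['csrf_token'])
        || !hash_equals($session['csrf_token'], (string) $post['csrf_token'])) {
        return false;
    }
    insertComment($db, $session['user'], (string) ($post['body'] ?? ''));
    return true;
}

// --- Demo with constructed data ------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (author TEXT, body TEXT)');
$db->exec("INSERT INTO comments VALUES ('alice', 'This is a nice comment'),
                                       ('bob', 'private note')");

$payload = "foo' OR 1=1 --";   // the slide's login payload, as a single statement
printf("vulnerable query returned %d rows\n", count(commentsVulnerable($db, $payload)));
printf("prepared query returned %d rows\n", count(commentsSafe($db, $payload)));

$xss = 'This is an XSS</textarea><script>alert(document.cookie);</script>';
echo renderVulnerable($xss), PHP_EOL;
echo renderSafe($xss), PHP_EOL;

$session = ['user' => 'alice'];
$token = csrfToken($session);
var_dump(postCommentSafe($db, $session, ['body' => 'hi', 'csrf_token' => $token]));
var_dump(postCommentSafe($db, $session, ['body' => 'forged']));
```

The vulnerable query returns every row in the table and the prepared one returns none, because no author is literally named "foo' OR 1=1 --". The escaped comment arrives in the browser as text inside the textarea. Escaping is done at output time, not at storage time, so the same stored comment can be escaped correctly for HTML, for a JSON API and for a log line.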
What are we protecting?
The Web Server
Web Application Code
User Data
Again, what are we protecting?
• We are protecting the web application
  • From all kinds of injections
  • From unauthorized requests which originate at the user end
• We are protecting the user information users have entrusted us with.
• We are protecting the underlying server and the connected database from malicious commands which come through our trusted code.
What about configuration
• Assume your web application allows users to upload pictures
• Then there are 3 image formats used – jpg, png, gif
• The filename of the image is also untrusted data.
• Files can have an extension which makes it look like an image
• Images can have code embedded which can execute if requested using a GET
What about configuration
• All your web server needs is write permission for the user it is running as.
• This is because files are uploaded to a temp directory where they can't be called for execution
• It is your PHP code which copies them to a folder inside document root
• Why does the upload folder have execute permissions?
• Your web application needs to connect to the database. But why does the connection code need to be inside the document root?
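An upload handler and an image-serving script that follow the two configuration slides, as an added example that is not from the talk. The client's filename and Content-Type are treated as untrusted data, the image type is decided from the file bytes, the stored name is chosen by the server, the file lands outside the document root with mode 0644, and the script refuses to run if the upload directory is world-writable (the 0777 from the first slide). The paths, the form field name "picture" and the image.php?name= URL are this example's own assumptions.

```php
<?php
// Added example, not from the talk: an upload handler and an image-serving
// script following the configuration slides. UPLOAD_DIR, DOC_ROOT, the
// form field "picture" and the ?name= URL are assumptions of this example.
declare(strict_types=1);

// Uploads are stored OUTSIDE the document root, so no URL maps to them and
// the web server is never asked to execute one. Only the user PHP runs as
// needs write access here; nobody needs 0777.
const UPLOAD_DIR = '/var/app-data/uploads';   // assumption: not under DocumentRoot
const DOC_ROOT   = '/var/www/html';           // assumption
const ALLOWED    = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];

// Complain about the directory layout before accepting anything.
function checkUploadDir(string $dir, string $docRoot): array
{
    $problems = [];
    $perms = @fileperms($dir);
    if ($perms === false) {
        return ['upload directory missing'];
    }
    if ($perms & 0002) {
        $problems[] = 'upload directory is world-writable (0777?)';
    }
    $real = realpath($dir) ?: $dir;
    if (str_starts_with($real, rtrim($docRoot, '/') . '/')) {
        $problems[] = 'upload directory is inside the document root';
    }
    return $problems;
}

// Handles $_FILES['picture']. Returns the stored name or null on rejection.
function saveUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {      // only what PHP itself placed in the temp dir
        return null;
    }
    // The type comes from the bytes, not from the client's filename or
    // Content-Type header: both are untrusted data.
    $info = @getimagesize($tmp);
    $type = $info[2] ?? null;
    if ($type === null || !isset(ALLOWED[$type])) {
        return null;
    }
    // The client's filename is discarded entirely; the server picks the
    // name and the extension, so "cat.jpg.php" can never be written.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$type];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        return null;
    }
    chmod($dest, 0644);                 // readable, never executable
    return $name;
}

// image.php?name=<stored name>: the only way a browser reaches an upload.
function serveImage(string $name): bool
{
    // Accept exactly the shape saveUpload() generates; "../" or ".php" fail.
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|gif)\z/', $name, $m)) {
        http_response_code(404);
        return false;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return false;
    }
    header('Content-Type: image/' . ($m[1] === 'jpg' ? 'jpeg' : $m[1]));
    header('X-Content-Type-Options: nosniff');  // browser must not re-guess the type
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    return true;
}

// Glue for the two request types this script answers.
if (PHP_SAPI !== 'cli') {
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['picture'])) {
        $problems = checkUploadDir(UPLOAD_DIR, DOC_ROOT);
        if ($problems !== []) {
            http_response_code(500);
            error_log('upload misconfiguration: ' . implode('; ', $problems));
            exit;
        }
        $stored = saveUpload($_FILES['picture']);
        http_response_code($stored === null ? 400 : 201);
    } elseif (isset($_GET['name'])) {
        serveImage((string) $_GET['name']);
    }
}
```

Because the stored file is read back with readfile() and sent with an image Content-Type, a GET for it never reaches the PHP interpreter even if the bytes contain PHP code, which is the slide's "code embedded in an image" case. The same rule answers the slide's last question about the database connection code: keep that file outside the document root too and pull it in with require by absolute path, so a misconfigured handler or a stray .txt backup can never serve the credentials over HTTP.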
Questions?
• Any questions
• About me
  • Akash Mahajan (google me)
  • That Web Application Security Guy
  • null Founder and Bangalore Chapter Lead (http://null.co.in)
  • Web Security Consultant
  • @makash on Twitter || http://akashm.com
  • Presentations: http://www.slideshare.net/akashm