Php security common 2011
©All rights reserved. Zend Technologies, Inc.
PHP and Web-Based Security
Kevin Schroeder
Zend Technologies
About Kevin
Past: Programming/Sys Admin
Current: Technology Evangelist/Author/Composer
@kpschrade
Obligatory Plug
Mike will be talking about
OOP tomorrow at 8:00
Room 101A
The key themes for this year’s ZendCon are:
Cloud Computing
Mobile and User Experience
Enterprise and Professional PHP
Disclaimer
Do not use anything you learn here for nefarious
purposes
But if you do, I want to hear about it
Why be concerned about security?
• Your job/reputation depends on it
• You may provide access to your own private data
• You may provide access to others’ private data
• You may allow someone to impersonate another (identity theft)
• You may take the blame for another person’s attack (remote code injection)
• You may be prone to service attacks
Why’s the web so dangerous?
• It’s open
    Lots of bad code out there
    There are lots of bad people out there
    Many servers set up by inexperienced sys admins
    Or someone simply forgot to filter a variable
• Many people think they are immune/not a target
    Security not taken seriously
    Insufficient time or resources to take security into consideration
    Stored information not considered important enough to secure
What are the rules?
• Always use multiple methods of security
    Validating a login is not enough
• The principle of least privilege
• Initialize all variables
• Cast variables when appropriate
• Don’t store sensitive data in the web tree
• Filter all data
• Don’t rely on hidden form variables.
What are the rules?
• And last, but not least. No matter how much they cry. No matter how much they beg…
    Never, ever, trust your users.
What are the rules?
Validate Input. Filter Output.
Basic types of attacks
• SQL Injection
• Cross Site Scripting (XSS)
• Cross Site Request Forgery (XSRF)
• File Inclusion
• Information Dissemination
• Command Injection
• Remote Code Injection
• Session Hijacking
• Session Fixation
• Cookie Forging
SQL Injection
Injects arbitrary code into SQL statements
SQL Injection
• Cast to (int) whenever possible
• Use prepared statements if possible
• If prepared statements are not available escape everything using database-specific escaping functions
• Validate data (ctype_*, preg_*, Zend_Filter_*)
• Only give your database user the permissions it needs.
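The lookup below is an added example, not code from the slides. It puts the vulnerable string-built query beside the hardened version that applies the slide's rules in order: validate with ctype_digit, cast to (int), then bind through a prepared statement. The PDO connection, the users table (id, username, email) and the read-only app_reader account are assumptions.

```php
<?php
// Added example, not code from the slides. Assumes a PDO connection to a "users"
// table (id, username, email) and a read-only database account (least privilege).

// Vulnerable: the request value is pasted into the SQL text, so a crafted value
// changes the query's structure instead of just supplying data.
function findUserUnsafe(PDO $pdo, string $id): ?array
{
    $row = $pdo->query("SELECT id, username, email FROM users WHERE id = $id")
               ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened, applying the slide's rules in order: validate (ctype_digit), cast to
// (int), then bind through a prepared statement so data never becomes SQL syntax.
function findUser(PDO $pdo, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null;                         // reject; do not "clean up" and continue
    }
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Free-text columns cannot be cast: length-limit them and let the placeholder do the work.
function findUserByName(PDO $pdo, string $name): ?array
{
    if ($name === '' || strlen($name) > 64) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE username = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed connection: real (server-side) prepares and exceptions on error.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_reader',
    getenv('DB_PASSWORD') ?: '', [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
var_dump(findUser($pdo, $_GET['id'] ?? ''));
```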
![Page 15: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/15.jpg)
©All rights reserved. Zend Technologies, Inc.
Cross Site Scripting (XSS)
Makes your browser execute code from a trusted site
![Page 16: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/16.jpg)
©All rights reserved. Zend Technologies, Inc.
Cross Site Scripting (XSS) – Non Persistent
Exploits user’s trust in the site
Bad guy identifies a vulnerable website and sends you a link with the vulnerability in the URL
You click on that link
Your browser executes bad guy’s code
![Page 17: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/17.jpg)
©All rights reserved. Zend Technologies, Inc.
Cross Site Scripting (XSS) - Persistent
Exploits user’s trust in the site
Bad guy posts code on a website
You request the page on the website
Your browser executes bad guy’s code
![Page 18: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/18.jpg)
©All rights reserved. Zend Technologies, Inc.
Cross Site Scripting (XSS)
• Always escape user data (htmlentities, htmlspecialchars, strip_tags)
• Use Zend_Form for handling forms
• Employ a whitelist for places where HTML input is required (!)
• Use ctype_digit and ctype_alnum for simple fields like names or phone numbers
• Don’t limit validation to Javascript
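An added example (not from the slides) of the three escaping and validation rules above: an output-escaping helper for HTML contexts, ctype validation for a simple field, and a tag whitelist for the one place HTML is allowed. The helper names and the permitted tag list are assumptions.

```php
<?php
// Added example, not code from the slides: escape on output for an HTML context,
// validate restricted fields, and whitelist the few tags a rich-text field may keep.
// The tag list and helper names are my choices.

// HTML body or attribute context: ENT_QUOTES encodes both quote styles, and the
// explicit charset stops multibyte sequences being misread.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Simple fields are validated against an alphabet rather than escaped.
function validatePhone(string $phone): bool
{
    return ctype_digit($phone) && strlen($phone) >= 7 && strlen($phone) <= 15;
}

// Where some HTML is genuinely required: keep a tiny fixed tag set and strip every
// attribute, since strip_tags leaves attributes (onclick, href, style) in place.
// For anything richer than this, use a purpose-built HTML sanitizer instead.
function whitelistHtml(string $html): string
{
    $stripped = strip_tags($html, '<b><i><em><strong><p>');
    return preg_replace('/<(\/?)(b|i|em|strong|p)\b[^>]*>/i', '<$1$2>', $stripped);
}

// Constructed hostile input of the kind a persistent XSS would have stored:
$comment = '<img src=x onerror="alert(1)">Hello "there"';

echo '<p>' . e($comment) . '</p>';                       // rendered as text, nothing runs
echo whitelistHtml('<b onclick="x()">bold</b><script>bad()</script>');
```

The escaping must happen at output time for the context the value lands in; escaping once on input and storing the result breaks as soon as the same value is emitted into a different context.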
![Page 19: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/19.jpg)
©All rights reserved. Zend Technologies, Inc.
Cross Site Request Forgery (XSRF)
Exploits the site’s trust in the user
You log on to a vulnerable web site and establish trust
You visit a bad web site
Bad website tells your browser to submit a page to vulnerable web site
![Page 20: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/20.jpg)
©All rights reserved. Zend Technologies, Inc.
Cross Site Request Forgery (XSRF)
• Use a site that relies on a user’s identity
• Exploit the website’s trust in that user
• Trick the user’s browser into sending HTTP requests
    Cause the user’s browser to execute an action or retrieve data on your behalf on that site
![Page 21: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/21.jpg)
©All rights reserved. Zend Technologies, Inc.
Cross Site Request Forgery (XSRF)
• Use tokens that expire during sensitive operations
• Use Zend_Form and Zend_Form_Element_Hash
• Force session timeouts
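The expiring token the slide calls for, written as an added example in plain PHP rather than with Zend_Form_Element_Hash (not code from the slides). A page on another site cannot read the victim's session, so a forged cross-site POST arrives without a valid token. The TTL, the form name and the helper names are assumptions.

```php
<?php
// Added example, not code from the slides: a per-form, expiring, single-use token kept
// in the session, in plain PHP standing in for Zend_Form_Element_Hash. The TTL and
// the helper names are my choices.

const TOKEN_TTL = 600;                      // seconds a token stays valid

function csrfToken(string $form): string
{
    $token = bin2hex(random_bytes(32));     // unpredictable; PHP 7+
    $_SESSION['csrf'][$form] = ['value' => $token, 'expires' => time() + TOKEN_TTL];
    return $token;
}

function csrfCheck(string $form, ?string $submitted): bool
{
    $stored = $_SESSION['csrf'][$form] ?? null;
    unset($_SESSION['csrf'][$form]);        // single use: consumed even when the check fails
    if ($stored === null || $submitted === null || time() > $stored['expires']) {
        return false;                       // missing or expired
    }
    return hash_equals($stored['value'], $submitted);   // constant-time comparison
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfCheck('transfer', $_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing, expired or mismatched token.');
    }
    // ... perform the sensitive action for the logged-in user here ...
    exit('Transfer accepted.');
}

$token = csrfToken('transfer');
?>
<form method="post" action="">
  <input type="hidden" name="csrf" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="amount">
  <button type="submit">Transfer</button>
</form>
```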
![Page 22: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/22.jpg)
©All rights reserved. Zend Technologies, Inc.
File Inclusion
Includes files in the request that were not intended
![Page 23: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/23.jpg)
©All rights reserved. Zend Technologies, Inc.
File Inclusion
• Google – inurl:page=home.php
• Don’t use dynamically included files
• If you must dynamically include files, validate them
![Page 24: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/24.jpg)
©All rights reserved. Zend Technologies, Inc.
Information Dissemination
Giving the user more information than they should ever have
![Page 25: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/25.jpg)
©All rights reserved. Zend Technologies, Inc.
Information Dissemination
• Turn off display_errors
• Don’t have a public phpinfo page (Google search – inurl:phpinfo.php)
![Page 26: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/26.jpg)
©All rights reserved. Zend Technologies, Inc.
Command Injection
Used to execute arbitrary programs or inject arbitrary data on your server
![Page 27: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/27.jpg)
©All rights reserved. Zend Technologies, Inc.
Command Injection
• Don’t use exec, system, popen, shell_exec, etc. in your program
• If you need to use those functions use hard coded values. Do not trust a variable or anything defined in another file
• If you need to have user input always use escapeshellarg and escapeshellcmd
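An added example (not from the slides) of a program that must shell out, done the way the slide describes: the binary and its options are hard coded, the request value is validated against a strict pattern first, and the only data-derived parts pass through escapeshellarg. The convert binary, its path and the uploads directory are assumptions.

```php
<?php
// Added example, not code from the slides. Assumes ImageMagick's convert binary at
// /usr/bin/convert and an uploads directory outside the web tree; both are my choices.

const UPLOAD_DIR = '/var/app/uploads';

// The pattern the slide warns against: request data concatenated into the command line.
//   system("convert " . $_POST['file'] . " -resize 100x100 thumb.png");
// Shell metacharacters in the value become a second command.

// Validate first: a bare basename of safe characters, not starting with "-" (so it
// cannot be read as an option), with a known image extension.
function validateUploadName(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.(jpe?g|png)$/', $name);
}

function makeThumbnail(string $userFile): bool
{
    if (!validateUploadName($userFile)) {
        return false;
    }
    $src = UPLOAD_DIR . '/' . $userFile;
    $dst = UPLOAD_DIR . '/thumb_' . pathinfo($userFile, PATHINFO_FILENAME) . '.png';
    if (!is_file($src)) {
        return false;
    }
    // Program and options are hard coded; only the two paths come from data, and each
    // is wrapped by escapeshellarg so the shell sees exactly one word per argument.
    $cmd = '/usr/bin/convert ' . escapeshellarg($src)
         . ' -resize 100x100 ' . escapeshellarg($dst);
    exec($cmd, $output, $status);
    return $status === 0 && is_file($dst);
}

// Constructed names: only the first passes validation; the others never reach a shell.
foreach (['photo.jpg', 'x; id', '../etc/passwd.png', '-adjoin.png'] as $name) {
    printf("%-20s %s\n", $name, validateUploadName($name) ? 'accepted' : 'rejected');
}
```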
![Page 28: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/28.jpg)
©All rights reserved. Zend Technologies, Inc.
Remote Code Injection
Runs an attacker’s PHP code on your system
![Page 29: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/29.jpg)
©All rights reserved. Zend Technologies, Inc.
Remote Code Injection
• Never use unchecked/unfiltered data in require|include(|_once)
• Set allow_url_include to false
• If you must make remote requests always filter any user provided data
• Use eval() judiciously
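One added example (not from the slides) that serves both the File Inclusion and the Remote Code Injection slides: the request picks a key from a fixed map, never a path, the resolved file is checked to sit inside the pages directory, and the allow_url_include setting is verified at runtime. The pages directory, the map contents and the helper name are assumptions; the page parameter name matches the inurl:page= search quoted on the slide.

```php
<?php
// Added example, not code from the slides: serves both the File Inclusion and Remote
// Code Injection slides. Assumes page templates live in ../pages/ outside the web tree.

// The pattern the slides warn about: the request names the file directly.
//   include $_GET['page'] . '.php';
// With allow_url_include on, the value can even be a URL: remote code injection.

const PAGES_DIR = __DIR__ . '/../pages';

// Fixed map from request keyword to file: the request chooses a key, never a path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolvePage(?string $requested): ?string
{
    $key = $requested ?? 'home';
    if (!isset(PAGES[$key])) {
        return null;                                 // unknown key: refuse, do not guess
    }
    $path = realpath(PAGES_DIR . '/' . PAGES[$key]);
    $base = realpath(PAGES_DIR);
    // Defence in depth: even the mapped file must resolve inside PAGES_DIR.
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// allow_url_include can only be set in php.ini, so check here that it really is off.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; disable it in php.ini');
}

$page = resolvePage($_GET['page'] ?? null);
if ($page === null) {
    http_response_code(404);
    exit('No such page');
}
include $page;
```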
![Page 30: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/30.jpg)
©All rights reserved. Zend Technologies, Inc.
Session Hijacking
An attacker takes over control of a user session
• Often used in conjunction with XSS
• Attacker retrieves a user’s session ID and uses it as their own
• Can be used in conjunction with document.cookie
![Page 31: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/31.jpg)
©All rights reserved. Zend Technologies, Inc.
Session Hijacking
• Use htmlentities, htmlspecialchars or strip_tags to disable JavaScript or image-based attacks
• Use session_regenerate_id(true)
• Validate a session against an IP address
    Note that this should be used to generate an alert, not restrict a user’s access
![Page 32: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/32.jpg)
©All rights reserved. Zend Technologies, Inc.
Session Fixation
Sets a user session ID to the same as an attacker’s session ID
![Page 33: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/33.jpg)
©All rights reserved. Zend Technologies, Inc.
Session Fixation
• Difficult to guard against
• Use session_regenerate_id(true)
    before logging in
    periodically in a user’s session
    if the domain in the HTTP_REFERER doesn’t match the current domain
    None of these are foolproof, but they limit the ability of an attacker to fixate a session
• Disable the use of the session ID in the URL
    Still able to change the session ID using JavaScript, though
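One added example (not from the slides) covering both the Session Hijacking and Session Fixation slides: session settings that keep the ID out of URLs and out of document.cookie, session_regenerate_id(true) at login, periodically, and on a foreign HTTP_REFERER, and an IP check that only alerts. The ini choices, the rotation interval and the helper names are assumptions.

```php
<?php
// Added example, not code from the slides: one settings-plus-login flow that applies
// both the Session Hijacking and Session Fixation slides. The ini values, the
// rotation interval and the helper names are my choices.

// Keep the ID out of URLs and out of document.cookie; refuse IDs the server never issued.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_secure', '1');      // assumes the site is served over HTTPS
session_start();

const REGEN_INTERVAL = 300;                 // seconds between periodic ID rotations

// Replace the ID and delete the old session data, so a fixed or stolen ID stops working.
function rotateSession(): void
{
    session_regenerate_id(true);
    $_SESSION['last_regen'] = time();
}

function login(string $userId): void
{
    rotateSession();                        // an ID fixed before login is discarded here
    $_SESSION['user_id']   = $userId;
    $_SESSION['client_ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
}

function checkSession(): void
{
    // IP change: alert only, as the slide says; proxied and mobile users change address.
    if (isset($_SESSION['user_id'])
        && ($_SESSION['client_ip'] ?? '') !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        error_log(sprintf('session for user %s now seen from %s',
            $_SESSION['user_id'], $_SERVER['REMOTE_ADDR'] ?? '?'));
    }
    // Referer from another host, or interval elapsed: rotate, per the Fixation slide.
    $refHost = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    $ownHost = strtolower(explode(':', $_SERVER['HTTP_HOST'] ?? '')[0]);
    $foreign = is_string($refHost) && strtolower($refHost) !== $ownHost;
    if ($foreign || time() - ($_SESSION['last_regen'] ?? 0) > REGEN_INTERVAL) {
        rotateSession();
    }
}

checkSession();
```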
![Page 34: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/34.jpg)
©All rights reserved. Zend Technologies, Inc.
Cookie Forging
Forging cookie data used to determine permissions or access
![Page 35: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/35.jpg)
©All rights reserved. Zend Technologies, Inc.
Cookie Forging
• Don’t use cookies to determine access/authentication
• Use the session handler
• If you must use cookies, encrypt contents with a server-side key
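An added example (not from the slides) of the last rule: a cookie value sealed with a server-side key so the client can neither read nor alter it. It uses libsodium's secretbox (PHP 7.2+, authenticated encryption, so a forged or bit-flipped cookie simply fails to open) and the PHP 7.3+ setcookie options array; the key file path, the cookie name and the helper names are assumptions. Access decisions still belong in the session handler, as the slide says; this is for data that genuinely has to travel in a cookie.

```php
<?php
// Added example, not code from the slides: seal a cookie value with a server-side key
// using libsodium secretbox (PHP 7.2+). Key path and cookie name are my choices.

// 32-byte key made once with sodium_crypto_secretbox_keygen(), stored outside the web tree.
function cookieKey(): string
{
    $key = file_get_contents('/etc/app/cookie.key');   // assumed path
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('cookie key missing or wrong length');
    }
    return $key;
}

// Authenticated encryption: the output carries a MAC, so any change is detected on open.
function sealCookie(array $data): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);  // fresh per cookie
    $box   = sodium_crypto_secretbox(json_encode($data), $nonce, cookieKey());
    return base64_encode($nonce . $box);
}

function openCookie(?string $raw): ?array
{
    $bin = base64_decode((string) $raw, true);
    if ($bin === false || strlen($bin) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($bin, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($bin, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, cookieKey());
    if ($plain === false) {
        return null;                        // forged, tampered, or wrong key
    }
    $data = json_decode($plain, true);
    return is_array($data) ? $data : null;
}

// A plain "theme=dark" cookie could be edited freely; the sealed one cannot be.
setcookie('prefs', sealCookie(['theme' => 'dark']),
    ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
$prefs = openCookie($_COOKIE['prefs'] ?? null) ?? ['theme' => 'light'];
```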
![Page 36: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/36.jpg)
©All rights reserved. Zend Technologies, Inc.
Miscellaneous good ideas
• Turn display_errors off
• Do not use register_globals
• Keep as much code and data out of the public code tree (htdocs/wwwroot) as possible
• Use a whitelist approach when dealing with HTML
• Don’t have predictable resource locations
    e.g. http://mysite/phpinfo.php
![Page 37: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/37.jpg)
©All rights reserved. Zend Technologies, Inc.
What about buffer overflows and such?
• Very few of those weaknesses occur in PHP
• When they do they are usually in extension interfaces or the extensions themselves, not PHP
• Disable all unused streams, extensions, filters, etc.
![Page 38: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/38.jpg)
©All rights reserved. Zend Technologies, Inc.
Follow us!
Zend Technologies
http://twitter.com/zend
http://twitter.com/kpschrade (me!)
![Page 39: Php security common 2011](https://reader035.fdocuments.in/reader035/viewer/2022062418/55491ec9b4c905a54c8b6bca/html5/thumbnails/39.jpg)
©All rights reserved. Zend Technologies, Inc.
Get more information and examples at eschrade.com…