You have an RFID system to secure library materials, but what about web applications implemented by your library? This session provides an introduction on how you can secure your PHP web applications in order to prevent a potential hacker attack.

1. To be Hacked
or
not to be Hacked!
Vincci Kwong and Gary Browning
Indiana University South Bend
Indiana Library Federation Annual Conference
October 22, 2013

2. https://www.youtube.com/watch?v=lw7dt0AhXXI
2013 ILF Annual Conference
October 22, 2013

3. What are Web Applications?
2013 ILF Annual Conference
October 22, 2013

4. What is PHP?
• A server-side scripting language
designed for web development
• Open source programming language
• Powering over 80% of all websites
• PHP code is as secure as the
programmer writes it
2013 ILF Annual Conference
October 22, 2013

5. Why hack web applications?
•
•
•
•
•
•
•
•
Stealing sensitive information
Defacement
Planting malware
Deceit
Blackmail
Link Spam
Worms
Phishing
2013 ILF Annual Conference
October 22, 2013

6. Why secure web applications?
• Everyone can touch web applications!
• It is hard to secure!!!
2013 ILF Annual Conference
October 22, 2013

7. Am I being hacked?
•
•
•
•
Check your server access logs
Look for recently modified files
Look for files that shouldn’t be there
Scan through your files
2013 ILF Annual Conference
October 22, 2013

8. Top 10 security issues for web
applications
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Injection
Broken authentication and session management
Cross site scripting (XSS)
Insecure direct object references
Security misconfiguration
Sensitive data exposure
Missing function level access control
Cross site request forgeries (CSFR)
Using known vulnerable components
Unvalidated redirects and forwards
2013 ILF Annual Conference
October 22, 2013

9. What can I do?
• Write secure code!!
• Use PHP Security Cheat Sheet
• Use a web application scanner
2013 ILF Annual Conference
October 22, 2013

10. Writing Secure Code
•
•
•
•
•
•
Do not trust visitors to your website
Understand Register Globals
Error messages
SQL Injections
File Manipulation
XSS
2013 ILF Annual Conference
October 22, 2013

11. Register Globals
• Feature removed as of PHP 5.4.0 !!!! 
• Variables from HTML forms were injected
into code automatically
• Remember, PHP does not require
variable initialization
2013 ILF Annual Conference
October 22, 2013

12. Example: Misuse with
register_globals = on
<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
$authorized = true;
}
if ($authorized) {
include "/highly/sensitive/data.php";
}
?>
2013 ILF Annual Conference
October 22, 2013

13. Example: Misuse with
register_globals = on
<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
$authorized = true;
}
// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
include "/highly/sensitive/data.php";
}
?>
2013 ILF Annual Conference
October 22, 2013

14. SQL Injections
SQL injection is a code injection technique,
used to attack data driven applications, in
which malicious SQL statements are
inserted into an entry field for execution
(e.g. to dump the database contents to the
attacker). ...
http://en.wikipedia.org/wiki/SQL_injection
2013 ILF Annual Conference
October 22, 2013

15. Example: SQL Injection
$proceed = mysql_query("SELECT
Username, Password, AccessLVL FROM Users WHERE Username
= '".$_POST['username']."' and Password =
'".$_POST['password']."'");
From a web form, someone inputs the following:
USERNAME: ' OR 1=1 #
2013 ILF Annual Conference
October 22, 2013

16. Example: SQL Injection
$proceed = mysql_query("SELECT Username, Password,
AccessLVL FROM Users WHERE Username =
'".$_POST['username']."' and Password = '".$_POST['password']."'");
SQL Query:
SELECT Username, Password, AccessLVL FROM Users WHERE
Username = ’’ OR 1=1 #’ and Password = ’’
2013 ILF Annual Conference
October 22, 2013

17. Example: SQL Injection
$proceed = mysql_query("SELECT Username, Password, AccessLVL
FROM Users WHERE Username = '".$_POST['username']."' and
Password = '".$_POST['password']."'");
SQL Query:
SELECT Username, Password, AccessLVL FROM Users WHERE
Username = ’’ OR 1=1 #’ and Password = ’’
This will return the entire list of usernames and passwords !!!!
Fix this using mysql_real_escape_string or
mysqli_real_escape_string
2013 ILF Annual Conference
October 22, 2013

18. File Manipulation
some.web.address/index.php?index.html
2013 ILF Annual Conference
October 22, 2013

19. File Manipulation
some.web.address/index.php?.htaccess
2013 ILF Annual Conference
October 22, 2013

20. XSS
(imagine the following code in your index.php file)
<?php
$name = $_GET['name'];
echo "Welcome $name<br>";
echo "<a href="http://librarysite.org/">Click to visit</a>";
?>
If someone entered the following on a web form, what would happen?
guest<script>alert('attacked')</script>
2013 ILF Annual Conference
October 22, 2013

21. XSS
Would you trust this URL if you saw the link on a website (assume you are
familiar with ‘mytrustedsite.org’?
mytrustedsite.org/index.php?name=<script>window.onload = function() {var
link=document.getElementsByTagName("a");link[0].href="http://not-realtrustedsite.com/";}</script>
2013 ILF Annual Conference
October 22, 2013

22. XSS
Would you trust this URL if you saw the link on a website (assume you are
familiar with ‘mytrustedsite.org’?
mytrustedsite.org/index.php?name=%3c%73%63%72%69%70%74%3e%77
%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75
%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e
%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65
%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%6
1%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%2
2%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%7
3%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69
%70%74%3e
2013 ILF Annual Conference
October 22, 2013

23. Web Application Scanners
https://www.owasp.org/index.php/Category:
Vulnerability_Scanning_Tools
Contains a list of Open Source and
Commercial products
2013 ILF Annual Conference
October 22, 2013

24. It’s not in the Top 10, but…
• Unvalidated inputs
2013 ILF Annual Conference
October 22, 2013

25. Reporting a hacked site!
• Why do you think the website is being hacked?
• What on the website is looking unusual? Did you
clear your browser’s cache?
• Are you being redirected to another website? If
yes, note URL of the site.
• Were you being asked to provide confidential
information?
• Do patrons report receiving unusual email from
the library?
• When did it happen?
2013 ILF Annual Conference
October 22, 2013

26. Emergency contact list
•
•
•
•
Library IT personnel
Director/Dean of the Library
Vendors
Patrons
2013 ILF Annual Conference
October 22, 2013

27. Resources
• PHP Security Cheat Sheet https://www.owasp.org/index.php/PHP_S
ecurity_Cheat_Sheet
• PHP Security Guide http://phpsec.org/projects/guide/
• Securing PHP Web Applications http://www.amazon.com/Securing-PHPApplications-TriciaBallad/dp/0321534344
2013 ILF Annual Conference
October 22, 2013

28. Questions?
Feel free to contact us at
• Vincci Kwong
• Email: vkwong@iusb.edu
• Phone: 574-520-4444
• Gary Browning
• Email: gary@iusb.edu
• Phone: 574-520-5516
2013 ILF Annual Conference
October 22, 2013