
PHP Security

43,946 views

Mugdha & Anish - PHP Security

Published in: Economy and Finance
  • Great Slide.
    Check this interactive PHP reference as well:
    http://phplibrary.info
    I can't code without it!
  • wow .....enjoyable.
  • i love it. thank you.

PHP Security

  1. Training
     Presented By: Anish & Mugdha, Value One InfoTech Pvt. Ltd.
  2. Topics of Discussion
     • Importance of PHP Security
     • Concerns of PHP Security
       - Input Validation
       - Cross-Site Scripting
       - SQL Injection
       - Code Injection
       - Session Security
       - Shared Hosting
  3. Importance of PHP Security
     • PHP is a widely used language for web applications.
     • PHP is making headway into enterprise as well as corporate markets.
     • Security is the most effective, and most often overlooked, measure for keeping malicious users out.
     • PHP applications often end up working with sensitive data.
  4. INPUT VALIDATION
  5. Input Validation
     • All user input is unreliable and can't be trusted.
     • Any user input needs to be validated before use, because of:
       - Unexpected modification by the user
       - Intentional attempts to gain unauthorized access to the application
       - Attempts by malicious users to crash the application
  6. Register Globals
     • The most common source of vulnerabilities in PHP applications.
     • Any input parameter is translated into a variable:
         ?foo=bar  >>  $foo = "bar";
     • There is no way to determine the input source.
       - Prioritized sources like cookies can overwrite GET values.
     • When register_globals is ON, un-initialized variables can be "injected" via user input.
  7. Solutions To Register Globals
     • Disable register_globals in php.ini (disabled by default as of PHP 4.2.0).
     • Alternative to register_globals: the superglobals
       - $_GET – data from GET requests
       - $_POST – POST request data
       - $_COOKIE – cookie information
       - $_FILES – uploaded file data
       - $_SERVER – server data
       - $_ENV – environment variables
       - $_REQUEST – mix of GET, POST and COOKIE
  8. Contd...
     • Type-sensitive validation conditions.
       - Because input is always a string, a type-sensitive comparison to a Boolean or an integer will always fail.
     • Example:
         if ($authorized === TRUE) {
             // LOGIN SUCCESS
         }
  9. Contd...
     • Code with error_reporting set to E_ALL.
       - Lets you see warnings about the use of un-initialized variables.
     • Use constants:
       - Created via the define() function.
       - Once set, a constant remains defined until the end of the request.
       - Can be made case-insensitive to avoid accidental access to a different datum caused by case variance.
  10. Cons of $_REQUEST
     • Suffers from the loss-of-data problem, caused when the same parameter is provided by multiple input sources.
     • php.ini: variables_order = GPCS (the last data source has the highest priority).
     • Example:
         echo $_GET['id'];     // 1
         echo $_COOKIE['id'];  // 2
         echo $_REQUEST['id']; // 2
     • Use the input-method-specific superglobals instead of $_REQUEST.
  11. Numeric Data Validation
     • All data passed to PHP (GET/POST/COOKIE) ends up being a string. Using strings where integers are needed is not only inefficient but also dangerous.
     • Casting is a simple and very efficient way to ensure that variables contain numeric values.
     • Example of floating-point number validation:
         if (!empty($_GET['price'])) {
             $price = (float) $_GET['price'];
         } else {
             $price = 0;
         }
  12. String Validation
     • PHP comes with the ctype extension, which offers a very quick mechanism for validating string content.
         if (!ctype_alnum($_GET['login'])) {
             echo "Only A-Za-z0-9 are allowed.";
         }
         if (!ctype_alpha($_GET['captcha'])) {
             echo "Only A-Za-z are allowed.";
         }
         if (!ctype_xdigit($_GET['color'])) {
             echo "Only hexadecimal values are allowed.";
         }
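Pulling slides 10 to 12 together, here is an added example (not from the deck) of one validator that reads from a method-specific superglobal, casts numerics only after a shape check, and applies the ctype checks with a length bound; the function name, the rule format and the sample request are assumptions.

```php
<?php
// Added example: one place that applies the deck's input rules. Rules map a
// parameter name to a type ('int', 'float', 'alnum', 'alpha', 'xdigit') and an
// optional 'max' length. $source is $_GET or $_POST, never $_REQUEST.
function validate_input(array $source, array $rules, array &$errors)
{
    $clean = array();
    foreach ($rules as $name => $rule) {
        $type = $rule['type'];
        // Everything arriving from GET/POST/COOKIE is a string or absent.
        if (!isset($source[$name]) || !is_string($source[$name])) {
            $errors[$name] = 'missing';
            continue;
        }
        $raw = $source[$name];
        switch ($type) {
            case 'int':
                // Only an optional sign plus digits count as an integer, so a
                // value like "0;DELETE FROM users" is rejected before any cast.
                if (!preg_match('/^-?[0-9]+$/', $raw)) {
                    $errors[$name] = 'not an integer';
                    continue 2;
                }
                $clean[$name] = (int) $raw;
                break;
            case 'float':
                if (!is_numeric($raw)) {
                    $errors[$name] = 'not numeric';
                    continue 2;
                }
                $clean[$name] = (float) $raw;
                break;
            case 'alnum':
            case 'alpha':
            case 'xdigit':
                // ctype_* functions return false for the empty string, which
                // is the behaviour we want for a required field.
                $check = 'ctype_' . $type;
                $max = isset($rule['max']) ? (int) $rule['max'] : 64;
                if (!$check($raw) || strlen($raw) > $max) {
                    $errors[$name] = "must be $type, at most $max chars";
                    continue 2;
                }
                $clean[$name] = $raw;
                break;
            default:
                $errors[$name] = 'unknown rule';
        }
    }
    return $clean;
}

// Constructed sample request standing in for $_GET; the 'id' and 'color'
// values are the kind of input the validator must refuse.
$get = array('login' => 'mugdha01', 'id' => '0;DELETE FROM users',
             'price' => '19.99', 'color' => 'ff00zz');
$errors = array();
$clean = validate_input($get, array(
    'login' => array('type' => 'alnum', 'max' => 32),
    'id'    => array('type' => 'int'),
    'price' => array('type' => 'float'),
    'color' => array('type' => 'xdigit', 'max' => 6),
), $errors);
var_dump($clean, $errors);
```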
  13. Using Magic Quotes
     • What are Magic Quotes?
     • Problems associated with them
     • How to deal with them?
  14. XSS
  15. Cross Site Scripting (XSS)
     • Cross Site Scripting (XSS) is a situation whereby an attacker injects HTML code, which is then displayed on the page without further validation.
       - Can lead to embarrassment
       - Session take-over
       - Password theft
       - User tracking by 3rd parties
  16. Preventing XSS
     • Prevention of XSS is as simple as filtering input data via one of the following:
       - htmlspecialchars(): encodes ', ", <, > and &
       - htmlentities(): converts anything that there is an HTML entity for
       - strip_tags(): strips anything that resembles an HTML tag
       - Tag allowances in strip_tags() are dangerous, because the attributes of those tags are not validated in any way.
  17. Preventing XSS
         $str = strip_tags($_POST['message']);
         // encode any foreign & special chars
         $str = htmlentities($str);
         // strip_tags can be told to "keep" certain tags
         $str = strip_tags($_POST['message'], '<b><p><i><u>');
         // tag allowance problems
         <u onmouseover="alert('JavaScript is allowed');">
         <b style="font-size: 500px">Lots of text</b>
         </u>
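The tag-allowance problem from slides 16 and 17, as an added example (not the deck's code): it contrasts strip_tags() with an allow-list against output encoding, and shows how to offer formatting without ever passing user-written tags to the browser. Function names, the UTF-8 assumption and the sample message are mine.

```php
<?php
// Added example: encoding for the HTML body context versus the strip_tags()
// allowance the deck warns about. Assumes UTF-8 pages.

// ENT_QUOTES matters: without it, htmlspecialchars() leaves the single quote
// alone (before PHP 8.1), which is enough to break out of a single-quoted
// attribute.
function html_escape($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// The deck's allowance approach: the listed tags survive, and so does every
// attribute on them, including event handlers and inline styles.
function allow_basic_tags($s)
{
    return strip_tags($s, '<b><p><i><u>');
}

// If users need formatting, escape everything first and then introduce
// markup only from a controlled syntax (*text* for bold here), so no
// user-supplied tag or attribute ever reaches the browser.
function render_with_bold($s)
{
    $safe = html_escape($s);
    return preg_replace('/\*([^*]+)\*/', '<b>$1</b>', $safe);
}

// Constructed sample: the slide's payload, plus a *bold* marker.
$message = '<u onmouseover="alert(\'JavaScript is allowed\');">hi</u> '
         . '<b style="font-size: 500px">Lots of text</b> *really*';

// 1. Allowance keeps the event handler and the inline style intact.
echo allow_basic_tags($message), "\n";
// 2. Encoding makes the whole message inert text the browser renders literally.
echo html_escape($message), "\n";
// 3. Escape-then-markup keeps the formatting feature without the risk.
echo render_with_bold($message), "\n";
```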
  18. SQL Injection
  19. SQL Injection
     • SQL injection is similar to XSS, in that non-validated data is being used. But in this case the data is passed to the database.
       - Arbitrary query execution:
         - Removal of data
         - Modification of existing values
         - Denial of service
         - Arbitrary data injection
         // consider this query; it will delete all records from users
         $name = "mugdha'; DELETE FROM users;";
         mysql_query("SELECT * FROM users WHERE name = '{$name}'");
  20. SQL Escaping
     • If your database extension offers a specific escaping function, always use it instead of other methods:
       - MySQL: mysql_escape_string(), mysql_real_escape_string()
       - PostgreSQL: pg_escape_string(), pg_escape_bytea()
       - SQLite: sqlite_escape_string()
  21. SQL Escaping in Practice
         // undo magic_quotes_gpc to avoid double escaping
         if (get_magic_quotes_gpc()) {
             $_GET['name']    = stripslashes($_GET['name']);
             $_POST['binary'] = stripslashes($_POST['binary']);
         }
         $name   = pg_escape_string($_GET['name']);
         $binary = pg_escape_bytea($_POST['binary']);
         pg_query($db, "INSERT INTO tbl (name, image)
                        VALUES ('{$name}', '{$binary}')");
  22. Escaping Shortfall
     • When un-quoted integers are passed to SQL queries, escaping functions won't save you, since there are no special chars to escape.
         http://example.com/db.php?id=0;DELETE%20FROM%20users
         <?php
         $id = sqlite_escape_string($_GET['id']);
         // $id is still 0;DELETE FROM users
         sqlite_query($db, "SELECT * FROM users WHERE id={$id}");
         // Bye bye user data...
         ?>
  23. Prepared Statements
     • Prepared statements are a mechanism to secure and optimize the execution of repeated queries.
     • They work by making SQL "compile" the query and then substitute in the changing values for each execution.
       - Increased performance: one compile instead of one per query.
       - Better security: data is "type set" and will never be evaluated as a separate query.
       - Supported by most database systems.
     • MySQL users will need version 4.1 or higher.
     • The SQLite extension does not support this either.
  24. Prepared Statements
         <?php
         $data = "Here is some text to index";
         // prepare the statement server-side; $1 is the bound text parameter
         pg_prepare($db, "my_stmt", "INSERT INTO search_idx (word) VALUES ($1)");
         foreach (explode(" ", $data) as $word) {
             // no escaping is needed: the word is sent as a parameter, not as SQL
             pg_execute($db, "my_stmt", array($word));
         }
         // de-allocate the prepared statement
         pg_query($db, "DEALLOCATE my_stmt");
         ?>
     • Unless explicitly removed, prepared statements "stay alive" between persistent connections.
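The two hostile inputs from slides 19 and 22, run against bound parameters, as an added example that is not part of the deck. It uses PDO with an in-memory SQLite database so it runs offline; PDO (PHP 5.1+) is my substitution for the pg_*/mysql_* calls on the slides, and the table and rows are constructed here.

```php
<?php
// Added example: the deck's injection strings handled with prepared
// statements. PDO_SQLITE does support them, unlike the old sqlite extension
// the slides mention.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('mugdha')");
$db->exec("INSERT INTO users (name) VALUES ('anish')");

// Slide 19: a name carrying a quote and a second statement. Bound as a
// value, the whole string is compared against the name column and nothing
// else; it can never terminate the query.
function find_user_by_name(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Slide 22: an unquoted integer, where escaping has nothing to escape.
// Validate the shape first, then bind the cast value as an integer.
function find_user_by_id(PDO $db, $raw_id)
{
    if (!preg_match('/^[0-9]+$/', $raw_id)) {
        return array(); // not an id at all; never reaches the database
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $raw_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function count_users(PDO $db)
{
    return (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

// The same inputs the slides use, now treated purely as data.
var_dump(find_user_by_name($db, "mugdha'; DELETE FROM users;"));
var_dump(find_user_by_id($db, '0;DELETE FROM users'));
var_dump(find_user_by_id($db, '1'));
// Confirm the table was not touched by either lookup.
var_dump(count_users($db));
```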
  25. Code Injection
  26. Code Injection
     • Code injection is the execution of arbitrary local or remote code.
     • The two most common sources of code injection are:
       - Dynamic paths/files used in require/include statements
       - eval(): a major source of code injection is improper validation of what is passed to eval().
  27. Code Injection Prevention
     • Avoid using dynamic or relative paths/files in your code. Although somewhat less convenient, always use full paths, defined by constants, which will prevent attacks like these:
         <?php
         // dynamic path
         $_GET['path'] = 'http://bad_site.org';
         include "{$_GET['path']}/header.inc";
         // dynamic file
         $_GET['interface'] = '../../../../../etc/passwd';
         require 'home/mbr/profile/templates_c/interfaces/' . $_GET['interface'];
         ?>
     • There are some other ways to secure include or require calls...
  28. Code Injection Prevention
     • Work with a white-list of acceptable values.
         // create an array of acceptable file names
         $tmpl = array();
         foreach (glob("templates/*.tmpl") as $v) {
             $tmpl[md5($v)] = $v;
         }
         if (isset($tmpl[$_GET['path']])) {
             $fp = fopen($tmpl[$_GET['path']], "r");
         }
  29. Session Security
  30. Session Security
     • Sessions are a common tool for user tracking across a web site.
     • For the duration of a visit, the session is effectively the user's identity.
     • If an active session can be obtained by a 3rd party, it can assume the identity of the user whose session was compromised.
  31. Securing Session ID
     • To prevent session id theft, the id can be altered on every request, invalidating old values.
         <?php
         session_start();
         if (!empty($_SESSION)) {          // not a new session
             session_regenerate_id(TRUE);  // make a new session id
         }
         ?>
     • Because the session id changes on every request, the "back" button in a browser will no longer work, as it will make a request with the old session id.
  32. Session Validation
     • Another session security technique is to compare the browser signature headers.
         session_start();
         $chk = @md5(
             $_SERVER['HTTP_ACCEPT_CHARSET'] .
             $_SERVER['HTTP_ACCEPT_ENCODING'] .
             $_SERVER['HTTP_ACCEPT_LANGUAGE'] .
             $_SERVER['HTTP_USER_AGENT']);
         if (empty($_SESSION))
             $_SESSION['key'] = $chk;
         else if ($_SESSION['key'] != $chk)
             session_destroy();
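An added example (not the deck's code) that combines the techniques of slides 31 and 32: the id is regenerated on a privilege change instead of on every request, which keeps the browser's back button working, and the browser signature is checked without @-silenced notices and with a constant-time comparison (hash_equals(), PHP 5.6+). The function and session key names are assumptions.

```php
<?php
// Added example: session start and login helpers built on the deck's two
// techniques. Meant to be included before any output is sent.

// Same headers slide 32 hashes, but missing headers contribute an empty
// string instead of raising notices, and a separator keeps boundaries clear.
function browser_signature()
{
    $headers = array('HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING',
                     'HTTP_ACCEPT_LANGUAGE', 'HTTP_USER_AGENT');
    $raw = '';
    foreach ($headers as $h) {
        $raw .= (isset($_SERVER[$h]) ? $_SERVER[$h] : '') . "\n";
    }
    return hash('sha256', $raw);
}

function secure_session_start()
{
    // Accept the id from the cookie only, never from the URL, and keep the
    // cookie away from script access.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();

    $sig = browser_signature();
    if (!isset($_SESSION['sig'])) {
        // Brand-new session: remember the signature that created it.
        $_SESSION['sig'] = $sig;
        return;
    }
    if (!hash_equals($_SESSION['sig'], $sig)) {
        // Signature mismatch: discard the data and the id and start afresh,
        // so a presented id from another browser is worth nothing.
        $_SESSION = array();
        session_destroy();
        session_start();
        session_regenerate_id(true);
        $_SESSION['sig'] = $sig;
    }
}

// Call once after a successful credential check. The pre-login id, which a
// third party could have seen or planted, is invalidated at this point.
function session_login($user_id)
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user_id;
}

function session_logout()
{
    $_SESSION = array();
    session_destroy();
}
```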
  33. Safer Session Storage
     • By default PHP sessions are stored as files inside the common /tmp directory.
     • This often means any user on the system could see active sessions and "acquire" them or even modify their content.
     • Solutions?
       - A separate session storage directory via session.save_path
       - A database storage mechanism: mysql, pgsql, oci, sqlite
       - A custom session handler allowing data storage anywhere
  34. Shared Hosting
  35. Shared Hosting
     • Most PHP applications run in shared environments where all users "share" the same web server instances.
     • This means that all files involved in serving content must be accessible to the web server (world readable).
     • Consequently, any user could read the content of all other users' files.
  36. The PHP Solution
     • PHP's solution to this problem is 2 php.ini directives.
     • open_basedir – limits file access to one or more specified directories.
       - Relatively efficient.
       - Uncomplicated.
     • safe_mode – limits file access based on the uid/gid of the running script and of the file to be accessed.
       - Slow and complex approach.
       - Can be bypassed with little effort.
  37. References
     • php|architect's Guide to PHP Security, by Ilia Alshanetsky
     • Essential PHP Security, by Chris Shiflett
