Post on 18-Jan-2018
PHP Security
Ryan Dunn, Jason Pack
Outline
PHP Overview
Common Security Issues
Advanced Security Issues
Easiest Ways to Secure PHP?
Examples
PHP Overview
Originally designed as a small set of Perl scripts by Rasmus Lerdorf in 1994
PHP is now a server-side, HTML-embedded, cross-platform scripting language
The most deployed server-side scripting language, running on around 9 of the 37 million domains in an April 2002 Netcraft survey.
PHP's own figures show PHP usage (measured on a per-domain basis) growing at around 5% per month.
PHP Popularity
PHP Security Overview
PHP interpreter has potential to access the entire host
By default, PHP makes all variables globally accessible by name, including session variables and cookies
Common Security Issues
GET vs. POST
Buffer Overflows
SQL Injections
Disabling PHP Error Messages
Validating the Session
Included Files Extension
Comments in HTML Source
GET vs. POST (1)
GET – data is passed by appending the variable/value pair to the URL
• Truncated after 8,192 characters
• Even SSL will not encrypt data
Raw HTTP Transmission:
GET /process.php?yourname=fred+smith&email=fred@nowhere.com HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)
Host: www.fluffygerbils.com
Connection: keep-alive
GET vs. POST (2)
POST – variables are sent in the body of the HTTP request
• No size limit
• SSL will encrypt the data
GET vs. POST (3)
POST Raw HTTP Transmission:
POST /process.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)
Host: www.fluffygerbils.com
Content-Length: 94
Pragma: no-cache
Connection: keep-alive

yourname=fred+smith&email=fred@nowhere.com&comment=I+have+no+comment
Buffer Overflows
No runtime memory allocation
No pointers
Thus, no buffer overflows created by PHP code
Overflows limited to PHP interpreter and its extensions
Stay on top of PHP updates to avoid issues
SQL Injections
PHP programmers often take user input directly to construct SQL queries
Malicious users can exploit this by entering “; malicious SQL code” in the $username field
mysql_db_query ($DB, "SELECT something FROM table WHERE name=$username");
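The slide's query rewritten as an added example (not from the original deck) showing the string-interpolated form beside a hardened version that uses a mysqli prepared statement; the connection details, the users table and the name column are placeholders.

```php
<?php
// Added example: the vulnerable pattern from the slide beside a hardened
// version. Host, credentials, table and column names are placeholders.

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    exit('Database connection failed');   // never echo connect_error to users
}

// VULNERABLE: $username is pasted straight into the SQL text, so any input
// containing a quote, a semicolon or SQL keywords changes the query itself.
function find_user_unsafe(mysqli $db, string $username): array
{
    $sql = "SELECT id, name FROM users WHERE name=$username";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// HARDENED: the query text is fixed at prepare time and $username travels
// as a bound parameter, so the server never parses it as SQL.
function find_user_safe(mysqli $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    if ($stmt === false) {
        return [];
    }
    $stmt->bind_param('s', $username);   // 's' = bind as a string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Reading through $_POST, rather than relying on a bare $username, makes
// the origin of the value explicit (see the Superglobals slides).
$username = $_POST['username'] ?? '';
$users = find_user_safe($db, $username);
```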
Disabling PHP Error Messages
By default, PHP will dump error messages to the client’s browser
Error messages can contain sensitive information
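An added example (not from the original slides) of keeping error detail off the client's browser: display is switched off, logging is switched on, and custom error and exception handlers write the detail server-side while the user sees a generic message. The log path is a placeholder; ini_set() only covers errors raised after it runs, so parse and startup errors still need display_errors=Off in php.ini.

```php
<?php
// Added example: error details go to a server-side log, not the browser.
// Note: ini_set() takes effect only for errors raised after this point;
// display_errors=Off in php.ini is needed for parse and startup errors.

ini_set('display_errors', '0');                 // nothing to the browser
ini_set('log_errors', '1');                     // ... but everything is logged
ini_set('error_log', '/var/log/php/app.log');   // placeholder path, readable by the server only
error_reporting(E_ALL);                         // still report everything, just not to the client

// Log the full detail (code, message, file, line) and return true so PHP's
// built-in handler does not also run. Fatal user errors end the request
// with a generic message instead of the original text.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    if (in_array($errno, [E_USER_ERROR, E_RECOVERABLE_ERROR], true)) {
        http_response_code(500);
        echo 'An internal error occurred.';
        exit;
    }
    return true;
});

// Uncaught exceptions follow the same rule: detail to the log, generic text to the user.
set_exception_handler(function (Throwable $e): void {
    error_log(get_class($e) . ': ' . $e->getMessage() . ' in ' . $e->getFile() . ':' . $e->getLine());
    http_response_code(500);
    echo 'An internal error occurred.';
});

// Constructed example: a failed query whose message would otherwise reveal
// the SQL text and table name to the browser.
throw new RuntimeException('SELECT * FROM secret_table failed: table not found');
```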
Validating the Session
Store status variables as a session variable or a cookie
Session variables are less likely to be compromised since they are stored on the server
Included Files Extension
A common PHP practice is to name included files with the ‘.inc’ extension
Malicious users can access the entire file’s content through a direct reference in the URL
Apache does not know to run ‘.inc’ files through the PHP interpreter even though they are PHP scripts, so it serves them in plain text
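An added example (not from the original slides) of an include file that refuses to run when requested directly: it is named with a .inc.php extension so Apache hands it to PHP, and two guards at the top stop it before any secret is defined. IN_APP, the file name and the DB_* values are illustrative; keeping includes outside the document root is better still.

```php
<?php
// config.inc.php -- added example, not from the original deck.
// Assumes the main script does:  define('IN_APP', true); require 'config.inc.php';
// The ".inc.php" name makes the web server execute the file rather than
// serve it as text; the guards below cover a direct request such as
// GET /config.inc.php, which would otherwise run the file on its own.

// Guard 1: only continue when the application has set its marker constant.
if (!defined('IN_APP')) {
    http_response_code(403);
    exit('Direct access not permitted.');
}

// Guard 2: refuse if the web server was asked to execute this very file
// (works even when the application forgets to define the marker).
if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    http_response_code(403);
    exit('Direct access not permitted.');
}

// Secrets appear only after the guards. Placeholder values.
define('DB_HOST', 'db.internal.example');
define('DB_USER', 'app_user');
define('DB_PASS', 'change-me');
```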
Comments in HTML Source
Commenting code is important, but beginning PHP programmers may put sensitive information in their comments for debugging purposes
If placed improperly these comments could be output in HTML source code
Advanced Security Issues
Superglobals
Encrypted Scripting
Safe Mode
Superglobals (1)
Superglobals are pre-defined arrays that store variable/value pairs
There are 9 different arrays
• $_GET[…]
• $_POST[…]
• $_COOKIE[…]
• $_REQUEST[…]
• $_SERVER[…]
• $_FILES[…]
• $_ENV[…]
• $_SESSION[…]
• $GLOBALS[…]
Superglobals (2)
Superglobals are useful because you know the value in the variable was obtained from a specific source
• For example: $_POST['username'] vs. $username
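An added example (not from the original slides) of why $_POST['username'] is safer than a bare $username under the global-variable behaviour the deck describes (register_globals): an uninitialised state variable can be supplied by the request, while the hardened check initialises its state and reads only from the superglobal that names the input's origin. check_credentials() and the credential values are placeholders.

```php
<?php
// Added example: bare variables vs. superglobals under register_globals.
// check_credentials() stands in for the application's real check.

function check_credentials(string $user, string $pass): bool
{
    return $user === 'alice' && $pass === 'correct horse';   // placeholder
}

// VULNERABLE when request parameters become globals: $authorized is never
// initialised, so a value arriving in the request is already "true" here.
function is_authorized_unsafe(): bool
{
    global $username, $password, $authorized;
    if (check_credentials((string) $username, (string) $password)) {
        $authorized = true;
    }
    return (bool) $authorized;
}

// HARDENED: initialise every state variable, and take input only from the
// superglobal that says where it came from (the POSTed form, not the URL).
function is_authorized_safe(array $post): bool
{
    $authorized = false;
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (check_credentials($username, $password)) {
        $authorized = true;
    }
    return $authorized;
}

// Demonstration with constructed request data: extract() imports the
// parameters into the global scope the way register_globals did implicitly.
$_GET = ['authorized' => '1'];
extract($_GET);
var_dump(is_authorized_unsafe());     // bool(true): no password was ever checked
var_dump(is_authorized_safe($_POST)); // bool(false): state came from the code, not the request
```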
Encrypted Scripting
It is possible to sniff the packets exchanged between the browser and the server
PHP provides no method to encrypt the transmission of the data (but the data itself can be encrypted)
Installing SSL on Apache allows your transmission to be encrypted
Safe Mode
PHP safe mode makes it so that it can only execute scripts in a restricted environment
• Execution of scripts is restricted to defined directories
• Scripts cannot call programs outside defined directories
Provides “damage control” if application is compromised
Easiest Ways to Secure PHP?
Never trust user input!
Look beyond application’s intended use
Stay current on PHP updates/syntax
Be aware of PHP’s scope
NEVER TRUST USER INPUT!!!