Introduction to Web Application Security in PHP. Security is big and often difficult; PHP doesn’t...
What we’ll cover
• What do we mean by security?
• Application Security
  • Code
  • Configuration
• OWASP
  • OWASP Top Ten
    • SQL Injection
    • XSS
• Configuration
Application Security
Security in the SDLC, as opposed to network security, data security or physical security
Open Web Application Security Project
• Really, many projects are “under” OWASP
  • OWASP Top Ten
  • ESAPI
  • Development Guide
  • Cheat Sheets
  • Do not bring to exam
  • Testing Guide
  • More
OWASP Top Ten – Top Web Application Security Issues
Based on the statistics of a number of scanning tools
OWASP Top 10-2013 – A1 Injection
SQL Injection is the variant of this that we’ll cover here
SQL Injection
Confusing the DBMS between logic (written by the developer) and data (provided by the user)
A common query:
// Vulnerable: user input is concatenated straight into the SQL text
$query = "SELECT * FROM user WHERE username = '" . $_POST["username"] . "' AND password = '" . $_POST["password"] . "';";
Prepared Statements
$stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?");
$stmt->execute(array($_POST["username"], $_POST["password"]));
The Intention
$stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?");
$stmt->execute(array("sue", "secret"));
The Exploit Foiled
$stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?");
$stmt->execute(array("' OR 1 = 1 #", ""));
// the logic is clearly separated
// in our code and in transmission
// to our database
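The three slides above can be run end to end. The following is an added example, not code from the original slides: it uses an in-memory SQLite database (so it runs offline) and a constructed user table with one row, shows the string that concatenation would have produced, and then runs the same two inputs through a prepared statement to confirm that the payload is treated as data.

```php
<?php
// Added example (not from the original slides): prepared statements with PDO.
// In-memory SQLite keeps it self-contained; the table and the sample user are
// constructed for this demo.
$dbh = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the driver keep SQL and data apart
]);
$dbh->exec("CREATE TABLE user (username TEXT, password TEXT)");
$dbh->exec("INSERT INTO user VALUES ('sue', 'secret')");

// The string that concatenation would send to the DBMS. Built for display only;
// it is never executed here.
function unsafeQuery(string $username, string $password): string
{
    return "SELECT * FROM user WHERE username = '" . $username
         . "' AND password = '" . $password . "';";
}

// Parameterised lookup: the SQL text is fixed, the values travel separately.
function findUser(PDO $dbh, string $username, string $password): array
{
    $stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? AND password = ?");
    $stmt->execute([$username, $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$cases = [
    ['sue', 'secret'],     // the intention
    ["' OR 1 = 1 #", ''],  // the payload from the slides
];
foreach ($cases as [$u, $p]) {
    echo "Concatenated SQL:        ", unsafeQuery($u, $p), "\n";
    echo "Rows via prepared query: ", count(findUser($dbh, $u, $p)), "\n\n";
}
```

The first case returns one row; the second returns none, because `' OR 1 = 1 #` is compared literally against the username column rather than being parsed as SQL. Turning off `PDO::ATTR_EMULATE_PREPARES` matters with drivers such as MySQL, where emulation would otherwise have PDO splice quoted values back into the query text on the client side.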
OWASP Top 10-2013 – A3 XSS
Cross Site Scripting
Reflected XSS
The vulnerability is exploited only in response to a specific request.
Example
http://vulnerable.example.org/index.php?data=%3Cscript%3Ealert(%22hello%20world%22)%3Cscript%3E
Stored XSS
• Submit request with XSS payload (ex. a blog comment with XSS in the body)
• Web app stores the comment in Database (with unencoded XSS Code)
• Victim views the stored data (ex. view a blog post which shows comments)
• XSS Code is executed by the victim’s browser.
DOM Based XSS
• Also known as Type 0 XSS
• Out of the scope of this course
• Basically, tricking JavaScript to write out code
htmlentities()
$foo = "<script>";
$foo = htmlentities($foo, ENT_QUOTES | ENT_HTML5);
print $foo; # &lt;script&gt;
html_entity_decode()
$foo = "&lt;script&gt;";
$foo = html_entity_decode($foo, ENT_QUOTES | ENT_HTML5);
print $foo; # <script>
When to encode?
• Before reflecting
• Before displaying information you just received
• Choose either before you persist or after, then be consistent.
• Better yet do both, but watch out for double encoding
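To make the encoding slides and the double-encoding warning concrete, here is an added example that is not part of the original slides. `$untrusted` is a constructed stand-in for a reflected parameter such as `$_GET['data']`; `encodeForHtml()` is a helper name chosen for this demo.

```php
<?php
// Added example (not from the original slides): output encoding for reflected
// data, and what happens when already-encoded data is encoded again.

function encodeForHtml(string $value): string
{
    // ENT_QUOTES also encodes ' and " so the value is safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlentities($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

$untrusted = '<script>alert("hello world")</script>'; // constructed sample input

$once  = encodeForHtml($untrusted);
$twice = encodeForHtml($once); // encoding data that was already encoded

// The fourth argument (double_encode = false) leaves existing entities alone,
// so encoding at both persist time and display time stays idempotent.
$noDouble = htmlentities($once, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8', false);

echo "once:      $once\n";     // &lt;script&gt;alert(&quot;hello world&quot;)&lt;/script&gt;
echo "twice:     $twice\n";    // &amp;lt;script&amp;gt;... the browser now shows literal &lt;script&gt;
echo "no double: $noDouble\n"; // identical to "once"

// Reflecting: encode at output time, in the context the value lands in.
echo '<p>You searched for: ' . encodeForHtml($untrusted) . "</p>\n";
echo '<input value="' . encodeForHtml($untrusted) . '">' . "\n";
```

The "twice" line is the double-encoding bug from the last bullet: the page is still safe, but the user sees `&lt;script&gt;` spelled out instead of `<script>`. Passing `double_encode = false` is one way to encode both before persisting and before displaying without that artefact; the other is to pick one point and be consistent, as the slide says.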
Configuration
Your app is not secure if it’s running on a vulnerable server or otherwise deployed insecurely.
This is a topic in itself
• Sources to look at:
  • http://php.net/manual/en/security.php
  • http://www.phptherightway.com/
  • Google et al.
Hide your fingerprints
• http://www.php.net/manual/en/security.hiding.php
• http://httpd.apache.org/docs/current/mod/core.html#servertokens
Disable dangerous functions (eval())
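The fingerprinting and dangerous-function points above can be checked from inside PHP itself. The following is an added example, not from the original slides: a small audit script that reads the relevant `php.ini` directives with `ini_get()` and reports what a defender would want to change. The set of directives and functions it checks is my own choice; the Apache `ServerTokens` setting is not visible from PHP and has to be checked in the Apache configuration.

```php
<?php
// Added example (not from the original slides): audit the php.ini settings
// that affect fingerprinting and dangerous functions. Extend the lists to fit
// your own deployment.

function iniIsOn(string $directive): bool
{
    // ini_get() returns "1", "0", "On", "Off" or "" depending on how the value
    // was written; FILTER_VALIDATE_BOOLEAN normalises all of those.
    return filter_var((string) ini_get($directive), FILTER_VALIDATE_BOOLEAN);
}

function auditPhpConfig(): array
{
    $findings = [];

    // expose_php=On adds an X-Powered-By header announcing the PHP version.
    if (iniIsOn('expose_php')) {
        $findings[] = 'expose_php is On: set expose_php = Off to stop advertising the PHP version';
    }
    // display_errors shows paths and stack traces to every visitor.
    if (iniIsOn('display_errors')) {
        $findings[] = 'display_errors is On: turn it off in production and rely on log_errors';
    }
    // allow_url_include lets include/require load code over HTTP.
    if (iniIsOn('allow_url_include')) {
        $findings[] = 'allow_url_include is On: set it to Off';
    }

    // disable_functions is a comma-separated list of internal functions.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (['exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen'] as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is callable: add it to disable_functions if the app does not need it";
        }
    }

    // eval() is a language construct, not an internal function, so
    // disable_functions cannot remove it. The practical control is a code
    // audit for eval() and never passing user data to it.
    $findings[] = 'eval() cannot be disabled via disable_functions; audit the code base for its use';

    return $findings;
}

foreach (auditPhpConfig() as $finding) {
    echo "- $finding\n";
}
```

Run it under the same SAPI the application uses (e.g. through the web server, not only the CLI), because `php.ini` values can differ between the two.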