Evil Code and how to defend against it, CSCI 4300
TRANSCRIPT
Page 1: Evil Code and how to defend against it
CSCI 4300
http://shiflett.org/php-security.pdf
http://phpsec.org/projects/guide/2.html
Page 3: Defense against form input attacks: data filtering
Page 4: Dispatch method
Page 5: Dispatch script example
Page 6: Spoofed form input
Page 7: Whitelist Input Verification
Page 8: Whitelist Email address verification
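The dispatch and whitelist slides above (Pages 4 to 8) carry no code in this transcript. The following is an added example, not code from the slides or the linked guides, showing one dispatch script that accepts a form value only when it appears on a fixed list of allowed steps and accepts an e-mail address only when PHP's built-in validator agrees it is one. The field names `step` and `email`, the allowed step names, and the `steps/` include paths are assumptions made for the illustration.

```php
<?php
// Added example (not from the slides): whitelist validation of form input
// inside a single dispatch script. $_POST['step'], $_POST['email'], the
// allowed step names and the include paths are assumptions.

// Everything arriving in $_POST is untrusted. Only values that pass a
// whitelist check are copied into $clean, and the rest of the script
// reads $clean exclusively.
$clean = [];

// 1. Whitelist by enumeration: the dispatch step must be one of a fixed set.
//    The strict flag rejects non-string values (e.g. step[]=x) as well.
$allowed_steps = ['show_form', 'confirm', 'save'];
$step = isset($_POST['step']) ? $_POST['step'] : 'show_form';
if (in_array($step, $allowed_steps, true)) {
    $clean['step'] = $step;
} else {
    // A value not on the list is rejected outright, never "corrected".
    http_response_code(400);
    exit('Invalid request');
}

// 2. Whitelist by format: if an e-mail address is supplied it must satisfy
//    PHP's built-in validator (no hand-rolled regex to get wrong) and a
//    sane length bound.
if (isset($_POST['email'])) {
    $email = $_POST['email'];
    if (!is_string($email)
        || strlen($email) > 254
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        http_response_code(400);
        exit('Invalid e-mail address');
    }
    $clean['email'] = $email;
}

// 3. Dispatch on the validated value only; handler files never touch $_POST.
switch ($clean['step']) {
    case 'show_form':
        require __DIR__ . '/steps/show_form.php';   // assumed path
        break;
    case 'confirm':
        require __DIR__ . '/steps/confirm.php';     // assumed path
        break;
    case 'save':
        require __DIR__ . '/steps/save.php';        // assumed path
        break;
}
```

The design point is that the handler code receives values that have already been proven to belong to a known set or a known format; spoofed form input (Page 6) that adds or alters fields therefore has nowhere to go except the two rejection branches.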
Page 9: Simple message board
Page 10: Message Board Attack
Page 11: Message Board defense
• Security tip: use pre-existing PHP functions; they are more efficient and less likely to contain security holes.
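As an added illustration of the tip above (this is not code from the slides), the message-board defense can be reduced to escaping every stored value with the built-in `htmlspecialchars()` at the moment it is written into the page. The `$messages` rows below are constructed sample data standing in for rows read from the board's database.

```php
<?php
// Added example (not from the slides): rendering message-board posts safely
// with the built-in htmlspecialchars() rather than a hand-written filter.
// $messages is constructed sample data, not real board content.
$messages = [
    ['author' => 'alice',   'body' => 'Hello, board!'],
    // A post containing markup: it must be shown as text, never rendered.
    ['author' => 'mallory', 'body' => '<b>bold?</b> and a "quoted" <script> tag'],
];

// ENT_QUOTES escapes both quote styles so the result is also safe inside
// attribute values; ENT_SUBSTITUTE replaces invalid byte sequences instead
// of returning an empty string; the charset must match the page's encoding.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

header('Content-Type: text/html; charset=UTF-8');
foreach ($messages as $m) {
    echo '<div class="post"><b>', h($m['author']), '</b>: ', h($m['body']), "</div>\n";
}
// The second post is emitted as
// &lt;b&gt;bold?&lt;/b&gt; and a &quot;quoted&quot; &lt;script&gt; tag
// so the browser displays the markup literally.
```

Escaping at output time, rather than trying to strip "bad" tags at input time, is what makes the built-in function sufficient: the stored text is left intact, and every byte that HTML would interpret is neutralised in the one place where HTML is produced.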
Page 12: Cross-Site Request forgeries
• Victim has authenticated to target site T
• Evil site E forges a privileged request to T
• Forged request succeeds by virtue of victim’s authentication tokens.
Page 13: Cross-Site Request Forgery example
• Target site, stox.com:
<input type=text name=stock>
<input type=text name=n_shares>
<input type=submit>
• Evil site, evil-hackers.org:
<img src=http://stox.com?name=IBM&n_shares=1000000>
Page 14: CSRF defense: form tokens
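The slide title names the defense but the transcript carries no code for it. The following is an added example, not code from the slides, of a form token for the stox.com trade form from Page 13: a random value is stored in the session and embedded in the form, and a request is accepted only when it carries the same value back. The script name `trade.php`, the field name `token`, and the session key `csrf_token` are assumptions.

```php
<?php
// Added example (not from the slides): per-session CSRF form token.
// Field name, script name and session key are assumptions.
session_start();

// Issue one unguessable token per session (per-form tokens are a
// stricter variant of the same idea).
function csrf_token()
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Verify the submitted token. hash_equals() compares in constant time;
// is_string() rejects array-valued fields such as token[]=x.
function csrf_check($submitted)
{
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid form token');
    }
    // ... place the trade here, using validated $_POST values ...
    echo 'Order accepted';
    exit;
}

// Render the form with the token embedded. A page on evil-hackers.org
// cannot read this value across origins, so a forged <img> request or
// auto-submitted form cannot include it, and the POST branch rejects it.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="trade.php">
  <input type="hidden" name="token" value="$token">
  <input type="text" name="stock">
  <input type="text" name="n_shares">
  <input type="submit">
</form>
HTML;
```

Two details matter for the Page 13 attack specifically: the trade is only accepted on POST, so the `<img>`-triggered GET never reaches the handler at all, and the token is checked before any other work, so the victim's session cookie alone is no longer enough to authorise the request.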
Page 15: Database Credentials
• Place db.inc outside of document root, so it cannot be accessed via a URL!
Page 16: SQL injection attack
• <?php
// get $uname and $passwd
...
mysql_query("select * from user where uname='$uname' and password='$passwd'")
Evil input:
Uname = my_uname
Passwd = mypassd'; delete from user where 'a'='a
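As an added example that is not part of the slides, the login query above can be rewritten so that the evil input is harmless: the query text is fixed with placeholders and the user-supplied values are bound separately, so a quote or semicolon inside them is never parsed as SQL. This also shows the Page 15 point in practice, loading `db.inc` from outside the document root. The include path `/var/www/private/db.inc`, the variable names `$db_dsn`, `$db_user` and `$db_pass`, and the form field names are assumptions; the `user` table and `uname`/`password` columns come from the slide.

```php
<?php
// Added example (not from the slides): the slide's login query rewritten
// with a PDO prepared statement. Include path, credential variable names
// and form field names are assumptions.

// Credentials live in db.inc outside the document root (Page 15), so no URL
// can ever fetch the file and reveal them.
require '/var/www/private/db.inc';   // assumed path; defines $db_dsn, $db_user, $db_pass

$pdo = new PDO($db_dsn, $db_user, $db_pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

// The vulnerable form from the slide, for contrast (do not use):
//   mysql_query("select * from user where uname='$uname' and password='$passwd'");
// Here the input is spliced into the SQL text, so a quote inside it ends
// the string literal and the remainder is interpreted as SQL.

function find_user(PDO $pdo, $uname, $passwd)
{
    // Placeholders fix the query structure; the bound values travel
    // separately and are treated purely as data.
    $stmt = $pdo->prepare('SELECT * FROM user WHERE uname = ? AND password = ?');
    $stmt->execute([$uname, $passwd]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

$uname  = is_string($_POST['uname']  ?? null) ? $_POST['uname']  : '';
$passwd = is_string($_POST['passwd'] ?? null) ? $_POST['passwd'] : '';
$user = find_user($pdo, $uname, $passwd);

// With the slide's evil input (passwd = "mypassd'; delete from user where
// 'a'='a"), the bound value is just a password that matches no row:
// $user is null and no DELETE is ever executed.
```

One caveat a practitioner would add: comparing the password column directly in SQL implies the table stores passwords in clear text. In a real application the query would fetch the stored hash by `uname` alone and the check would be done in PHP with `password_verify()`; the slide's query is kept here only so that the prepared-statement rewrite lines up with the vulnerable original.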