introduction to web application security in php
DESCRIPTION
Introduction To Web Application Security in PHP. Security is Big And Often Difficult. PHP doesn’t make it any easier. What we’ll cover. What do we mean by security? Application Security Code Configuration OWASP OWASP Top Ten SQL Injection XSS Configuration. Application Security. - PowerPoint PPT PresentationTRANSCRIPT
Introduction To Web Application Security in PHP
Security is Big And Often DifficultPHP doesn’t make it any easier
What we’ll cover• What do we mean by security?• Application Security
• Code• Configuration
• OWASP• OWASP Top Ten
• SQL Injection• XSS• Configuration
Application SecuritySecurity in the SDLC as opposed to network security or data security or physical security
Security in Code and in Deployment
For our purposes we’ll just stick to this:
OWASPAn authority in Web Application Security
Open Web Application Security Project
• Really, many projects are “under” OWASP• OWASP Top Ten• ESAPI• Development Guide• Cheat Sheets• Do not bring to exam
• Testing Guide• More
OWASP Top Ten – Top Web Application Security Issues
Based on the statistics of a number of scanning tools
OWASP Top 10-2013 – A1 InjectionSQL Injection is the variant of this that we’ll cover here
SQL InjectionConfusing the DBMS between logic (written by the developer) and data (provided by the user)
A common query:
$query = "SELECT * FROM user WHERE username = '" . $_POST["username"] . "' AND password = '" . $_POST["password"] . "';";
The intention
$query = "SELECT * FROM user WHERE username = 'sue' AND password = 'secret';";
What if $_POST[“username”] is actually SQL Code
The vulnerability:
' OR 1 = 1 #Let’s try this:
An SQL Injection
$query = "SELECT * FROM user WHERE username = '' OR 1 = 1 #' AND password = '';”;
How to protect our code?Use Prepared Statements (available in all modern languages)
Prepared Statements
$stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?");$stmt->execute(array($_POST["username"], $_POST["password"]));
The Intention
$stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?");$stmt->execute(array("sue", ”secret"));
The Exploit Foiled
$stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?");$stmt->execute(array("' OR 1 = 1 #", ""));// the logic is clearly separated // in our code and in transmission// to our database
Hence Why We Learned PDO
OWASP Top 10-2013 – A3 XSS
Cross Site Scripting
Three Variants of XSS1.Reflected XSS2.Stored XSS3.DOM based XSS
Cross Site ScriptingConfusing the browser between the application’s HTML (structure) and Data.
Commonly Used Display Code
<div><?php print $_GET["username"] ?></div>
The Intended Result<div>sue</div>
What if $_GET[“username”] is actually HTML and JavaScript?
The vulnerability:
<script>alert("Hello World")</script>
Let’s try this:
Display Code With Injection
<div><?php print "<script>alert('hello world’)</script>" ?></div>
Display Code With Injection
<div><script>alert('hello world')</script></div>
Reflected XSSThe vulnerability is exploited only in response to a specific request.Example
http://vulnerable.example.org/index.php?data=%3Cscript%3Ealert(%22hello%20world%22)%3Cscript%3E
Stored XSSSubmit request with XSS payload (ex. a blog comment with XSS in the body)
Web app stores the comment in Database (with unencoded XSS Code)
Victim views the stored data (ex. view a blog post which shows comments)
XSS Code is executed by the victim’s browser.
DOM Based XSS • Also known as Type 0 XSS• Out of the scope of this course• Basically, tricking JavaScript to write
out code
Protecting from XSSEncode user inputs
htmlentites()
$foo = “<script>”;$foo = htmlentities($foo, ENT_QUOTES | ENT_HTML5);print $foo; # <script>
html_entity_decode()
foo = "<script>";$foo = html_entity_decode($foo, ENT_QUOTES | ENT_HTML5);print $foo; # "<script>”
When to encode?• Before reflecting• Before displaying information you just
received• Choose either before you persist or
after then be consistent.• Better yet do both but watch out for
double encoding
ConfigurationYour app is not secure if it’s running on a vulnerable server or otherwise deployed insecurely.
This is a topic in itself• Sources to look at:• http://php.net/manual/en/security.php• http://www.phptherightway.com/• Google et al.
Simple Good Things To Do
Use PHP as Module not CGI
Patch!Your software is only as secure as your latest security patch
Hide your fingerprints• http://www.php.net/manual/en/securi
ty.hiding.php• http://httpd.apache.org/docs/current/
mod/core.html#servertokens
Disable dangerous functions (eval())