Date posted: 27-Mar-2016 | Category: Documents | Uploaded by: bryce-gray
Who is this handsome guy?
Dave Ross
● BS in Computer Science
● Eight years development experience
● Six years e-commerce experience
● Currently working as a PHP developer
Reality Check
“ More than half of identity theft cases are inside jobs, says Ms. Collins, who recently completed a study of 1,037 such cases.”
- Judith Collins, associate criminal justice prof. at Michigan State University.
Source: http://www.dallasnews.com/sharedcontent/dws/bus/personalfinance/stories/060605dnbusidtheft.11c0c6694.html
Not Insecure By Nature
FACT: Almost all PHP programs are written for the web.
The web is a nasty place.
Not Insecure By Nature
FACT: PHP is free and easy to learn.
PHP is attractive to amateurs who don't have training or experience in security.
Not Insecure By Nature
FACT: register_globals is evil
What is this, 2001? (Disabled by default since PHP 4.1.0 -- December, 2001)
Common Attack Vectors
● Validation circumvention
● Code injection
● SQL injection
● Cookie injection
● Mail forms
● Cross-site Scripting (XSS)
(This is NOT a complete list by ANY means)
Validation Circumvention
● Application might not be expecting invalid data
● Goal is to make the application blow up in an interesting way
● Put application in an invalid state?
● Reveal debugging info (database pw)?
Validation Circumvention
● Validation on the client side is good for the user
● Validation on the server side is good for security
Who says you can't do both?
Validation Circumvention
PHP provides functions for interrogating values
● is_int(), is_float(), is_bool(), is_finite()
● intval(), floatval(), doubleval()
● strlen(), strpos()
Code Injection
Don't use parameters as parameters to something else (directly)
$filename = $_REQUEST['message'];
$message = file_get_contents($filename);
print $message;
This is ok: http://example.com/myscript.php?message=hello.txt
But what if I do this?: http://example.com/myscript.php?message=passwords.cfg
Code Injection
This is especially important for includes
$module = $_REQUEST['module'];
include("lib/$module");
This is ok: http://example.com/cms?module=login.php
But what if I do this?: http://example.com/cms?module=../passwords.ini
Code Injection
Make sure the value is one you expected, if not... ERROR!
$requestedModule = $_REQUEST['module'];
switch ($requestedModule) {
    case "login":
        $module = "login";
        break;
    case "logout":
        $module = "logout";
        break;
    default:
        $module = "error";
}
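The same allow-list idea applied to both snippets above (the include and the file_get_contents case), as an added example that is not from the slides. The map of module names, the messages directory and PHP 7 syntax are assumptions.

```php
<?php
// Added example: allow-list lookup for the include, plus a realpath()
// containment check for the message file. Paths are assumptions.

const MODULES = [
    'login'  => 'lib/login.php',
    'logout' => 'lib/logout.php',
];

function resolveModule(string $requested): string
{
    // Only names present in the map are ever included; anything else
    // (../passwords.ini, login.php, ...) falls through to the error module.
    return MODULES[$requested] ?? 'lib/error.php';
}

function readMessageFile(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    // basename() drops any directory part; realpath() then resolves symlinks
    // and returns false for files that do not exist.
    $path = realpath($baseDir . '/' . basename($requested));
    if ($base === false || $path === false) {
        return null;
    }
    // Refuse anything that resolves outside the messages directory.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Only .txt message files are served, so passwords.cfg is never readable.
    if (pathinfo($path, PATHINFO_EXTENSION) !== 'txt') {
        return null;
    }
    return file_get_contents($path);
}

// Usage: the request value is only ever used as a lookup key or a basename.
include resolveModule($_REQUEST['module'] ?? '');

$message = readMessageFile($_REQUEST['message'] ?? '', __DIR__ . '/messages');
if ($message === null) {
    http_response_code(400);
    echo 'ERROR: unknown message';
} else {
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}
```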
SQL Injection
Kind of the same thing, but using SQL
$numChildren = $_REQUEST['children'];
$query = "UPDATE users SET children = $numChildren WHERE userID = 4";
$res = mysql_query($query);
This is ok: http://example.com/user.php?children=2.5
But what if I do this?: http://example.com/user.php?children=2.5;DELETE FROM users;
SQL Injection
PHP offers some functions to help prevent this attack:
● addslashes()
● mysql_real_escape_string()
● PEAR_MDB2 prepared statements
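The children update from the previous slide rewritten with a prepared statement, as an added example that is not from the slides. It uses PDO (built into PHP 5.1+) in place of the PEAR MDB2 the slide names; the DSN, credentials, column type and value range are assumptions.

```php
<?php
// Added example: server-side validation plus a PDO prepared statement.
// DSN, credentials and the numeric 'children' column are assumptions.

function updateChildren(PDO $db, int $userId, $rawChildren): bool
{
    // The URL parameter is a string. FILTER_VALIDATE_FLOAT accepts "2.5"
    // (as on the slide) but rejects "2.5;DELETE FROM users;" outright.
    $children = filter_var($rawChildren, FILTER_VALIDATE_FLOAT);
    if ($children === false || $children < 0 || $children > 50) {
        return false;
    }
    // Placeholders keep data and SQL apart: the value is bound, never
    // concatenated into the query text, so it can't end the statement.
    $stmt = $db->prepare(
        'UPDATE users SET children = :children WHERE userID = :id'
    );
    $stmt->bindValue(':children', (string) $children);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    return $stmt->execute();
}

$db = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

if (!updateChildren($db, 4, $_REQUEST['children'] ?? '')) {
    http_response_code(400);
    echo 'Invalid value for children';
}
```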
Cookie Injection
Cookies are just files full of names and values.
i.e. SESSION=18tsd338,username=dave
What if I changed my username to "admin"? What if I set a cookie value "admin=true"?
Mail Forms
Spammers don't know the meaning of "shame"
● Few mail servers are "open relays" anymore
● Exploit the way PHP talks to mail servers
● Add their own mail headers (To:, Bcc:) or entirely new messages
Mail Forms
● Look for the magic string "\r\n\r\n" in any parameter you pass to mail() (except the actual message)
● Be sure email addresses are formatted correctly – use preg_match()
● See June, 2007 issue of PHP|Architect
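A contact-form handler that applies the two checks above before calling mail(), as an added example that is not from the slides. It rejects any CR or LF in a header-bound field (a stricter test than looking for "\r\n\r\n" alone) and uses filter_var() for the address check in place of the preg_match() the slide suggests; the field names and recipient are assumptions.

```php
<?php
// Added example: guard header-bound form fields before mail().
// Form field names and the recipient address are assumptions.

function hasHeaderInjection(string $value): bool
{
    // A single CR or LF in a header field is enough to start a new header
    // line (Bcc:, To:); "\r\n\r\n" would start a whole new message body.
    return preg_match('/[\r\n]/', $value) === 1;
}

function buildContactMail(array $form): ?array
{
    $from    = trim($form['from'] ?? '');
    $subject = trim($form['subject'] ?? '');
    $body    = $form['message'] ?? '';   // only the body may contain line breaks

    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;                     // malformed sender address
    }
    if (hasHeaderInjection($from) || hasHeaderInjection($subject)) {
        return null;                     // CR/LF in a header field
    }
    return [
        'to'      => 'contact@example.com',
        'subject' => $subject,
        'body'    => $body,
        'headers' => "From: $from\r\nReply-To: $from",
    ];
}

$mail = buildContactMail($_POST);
if ($mail === null) {
    http_response_code(400);
    echo 'Invalid form input';
} else {
    mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
}
```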
Cross-site Scripting
If I can include HTML or a script in a page, I can make your browser pass a request to another site.
<img src="http://myspace.com?action=deleteMyAccount&really=yesPlease" width="0" height="0" />
Cross-site Scripting
Nonce (n); the present, or immediate, occasion or purpose
(origin: Middle English, 1150-1200)
Cryptographic Nonce: A bit or string only used once.
● Put a hidden value in a form and remember it (put it in their session).
● PHP function uniqid()
● When the user submits that form, make sure the nonce matches what you sent them.
● Someone has to submit that same form (or know the nonce) for a valid request.
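The nonce scheme from the bullets above as a working form handler, added here and not part of the slides. It generates the value with random_bytes() (PHP 7) instead of the uniqid() the slide names, since uniqid() is time-based and guessable, and compares with hash_equals(); the form name and the account-deletion action are assumptions.

```php
<?php
// Added example: per-form nonce kept in the session, checked on submit.
// random_bytes() replaces the slide's uniqid(); form name is an assumption.
session_start();

function issueNonce(string $formName): string
{
    $nonce = bin2hex(random_bytes(16));       // 128 bits, unguessable
    $_SESSION['nonce'][$formName] = $nonce;
    return $nonce;
}

function checkNonce(string $formName, string $submitted): bool
{
    $expected = $_SESSION['nonce'][$formName] ?? null;
    unset($_SESSION['nonce'][$formName]);      // single use: consumed on first check
    if ($expected === null) {
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A hidden <img> on another site can't know this value, so its request
    // fails here even though the victim's session cookie was sent along.
    if (!checkNonce('deleteAccount', $_POST['nonce'] ?? '')) {
        http_response_code(403);
        exit('Request did not originate from our form');
    }
    // ... perform the account deletion for the logged-in user here ...
    exit('Account deleted');
}

// GET: render the form with a fresh nonce as a hidden field.
$nonce = htmlspecialchars(issueNonce('deleteAccount'), ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="nonce" value="' . $nonce . '">'
   . '<button type="submit">Delete my account</button>'
   . '</form>';
```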
Tools
● PHPSecAudit
http://developer.spikesource.com/projects/phpsecaudit/
● Web Developer Toolbars
Firefox: http://chrispederick.com/work/web-developer/
Internet Explorer 7: http://www.microsoft.com/downloads/details.aspx?FamilyID=E59C3964-672D-4511-BB3E-2D5E1DB91038
(Just google "IE7 web developer toolbar")
● Firebug
http://www.getfirebug.com/
PHPSecAudit
Analyzing file: ./test.php . . . . . .
The followings are function calls that need input sanitization:
I. 1
./test.php: 12, HIGH: exec
Context: exec($module);
Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.
Web Developer Toolbars
● View details about a page (HTML, CSS, Cookies, Javascript)
● View/change things you normally can't (CSS, Cookies, password fields)
Going Forward
● Read PHP blogs/publications
– blog.php-security.org
– PHP|Architect
– Open Web Application Security Project (OWASP)
– www.php.net/manual/en/security.php
● PLAY! "What if I change this value?"
● Don't say "I'll go back and make it secure later." Later never comes.