1. PREVENTING XSS & CSRF
Dave Ross • Suburban Chicago PHP & Web Development Meetup

2. 2½ years ago
http://www.slideshare.net/csixty4/intro-to-php-security

3. REALITY CHECK

4. “More than half of identity theft
cases are inside jobs”
Judith Collins, Associate Criminal Justice Professor @ Michigan State University
“who recently completed a study of 1,037 such cases”

5. THE WEB IS STILL
A NASTY PLACE

6. BROWSER SECURITY IS
BETTER

7. PHP IS BETTER

8. REGISTER_GLOBALS IS
DEPRECATED IN 5.3.0

9. THREATS:

10. XSS - CROSS SITE SCRIPTING

11. NON-PERSISTENT XSS

12. PARAMETERS ECHOED
BACK TO THE USER

13. <IMG SRC=”HTTP://SEARCH.AMAZON.COM?S=
<SCRIPT>ALERT(‘TEST’);</SCRIPT>” />

14. PERSISTENT XSS

15. INJECT <IFRAME> &
<SCRIPT> INTO CONTENT

16. BLOG COMMENTS,
FORUM POSTS

17. STRIP OUT TAGS

18. I RECOMMEND REMOVING
TAGS ON DISPLAY, NOT SAVE

19. CSRF - CROSS-SITE REQUEST
FORGERY

20. <IMG SRC=”HTTP://TWITTER.COM/POST?TEXT=I’M A BIG FAT DORK” />

21. USE A NONCE.

22. HTTP://HA.CKERS.ORG/XSS.HTML

23. HTTP://WWW.CGISECURITY.COM/CSRF-FAQ.HTML