[go: up one dir, main page]
Scribd
Upload
187 views13 pages

PHP Web Security: XSS, SQLi, File Uploads

This document summarizes a presentation on secure web app programming in PHP. It discusses common vulnerabilities like cross-site scripting (XSS), SQL injection, and insecure file uploads. It provides mitigation strategies for PHP like sanitizing input, using prepared statements, and secure file handling practices. The presentation encourages following security best practices, using frameworks with secure features, and continuing to learn about new vulnerabilities.

Uploaded by

hmvrulz
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPSX, PDF, TXT or read online on Scribd
187 views13 pages

PHP Web Security: XSS, SQLi, File Uploads

This document summarizes a presentation on secure web app programming in PHP. It discusses common vulnerabilities like cross-site scripting (XSS), SQL injection, and insecure file uploads. It provides mitigation strategies for PHP like sanitizing input, using prepared statements, and secure file handling practices. The presentation encourages following security best practices, using frameworks with secure features, and continuing to learn about new vulnerabilities.

Uploaded by

hmvrulz
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPSX, PDF, TXT or read online on Scribd
You are on page 1/ 13

Secure Web App Programming

in PHP
Akash Mahajan | Web Security Consultant
Speaking at BPU G on 24th April 2010
Akash Mahajan | About Me

 Freelance Web Security Consultant


 Chapter lead for null Bangalore
http://null.co.in
 Author ing 2 chapters of OWASP
Development Guide 2010 ( not alone  )
Akash Mahajan | About Me

 I test, hack, secure web applications, servers.


Consult companies on secure deployments
on AWS etc. http://akashm.com
 Doing PHP programming for a long time
now.
 Been doing application security for 5+ years.
 Used to write IDS sigs for malware and vulns
for 3 years.
Cross Site Scripting - XSS
 Injecting HTML/JavaScript into the site.
 Non-persistent/Reflected/First Order
▪ Script is taken from the request and displayed in the browser directly
▪ example.com/search?q=<script>alert(‘hi’);</script>
▪ Example.com/index.php?lang=path to php shell
 Persistent/Stored/Second Order
▪ First name of a registration form is vuln and the value is stored in the
database
▪ Hello <iframe src=http://f1y.in/0.js></iframe>
 DOM Based
▪ No example, mentioned by Amit Klien in his paper XSS of the Third
Kind
XSS - Mitigation in PHP

 Sanitize all globals ($_GET, $_POST, $_COOKIE)


 Use strip_tags()
 Use inpekt library code.google.com/p/inspekt
 Use OWASP ESAPI http://code.google.com/p/owasp-
esapi-php/
 Escape everything before displaying
 htmlentities(), htmlspeciachars()
 Client headers like user agent can be malicious
as well.
XSS - Mitigation in PHP

 Thumb rule, if its not your data consider it


tainted.
 If you can verify it, consider it trusted.
 After validating it consider it trusted bad/trusted
good.
 White listing helps in verifying good data more
than black listing.
 See examples at xssed.com, null Keeda project.
 Use frameworks like codeigniter and use their
functions.
sqli - SQL Injection

 Allowing SQL to be injected in the database query.


 Most common attack point is the search of any
dynamic website and registration forms. These two
will be definitely talking to the database.
 $sql = "SELECT * FROM table WHERE id = '" .
$_REQUEST['id'] . "'";
 id = ‘ OR 1 UNION ALL SELECT * FROM table;
 Excellent examples http://google.com/search?
q=site:slideshare.net sql injection
 Googledork – “inurl:php?id=“
SQL Injection – Mitigation in PHP

 mysql_real_escape_string()
 $dbquery = sprintf(“SELECT name FROM user WHERE
id=‘%s’”, mysql_real_escape_string(‘id’));
 Parameterized queries
 $res = $query(“SELECT name FROM user WHERE id=?”, $id);
 Standard mysql module in PHP doesn’t allow for
parameterized queries. You need mysqli
 Stored Procedures
 See a kickass example of stored proc used to hack more than
hundred thousand websites
▪ http://www.breach.com/resources/breach-security-labs/alerts/mass-
sql-injection-attack-evolutio
File Uploads

 A lot of webapps add a directory in document


root for storing file uploads and give write access.
 They don’t randomize filenames. So a specially
crafted image file which has PHP code written in
it gets saved there.
 The malicious user is now free to call it using a
GET request and it gets executed.
 http://www.scanit.be/uploads/php-file-
upload.pdf
File Uploads – Mitigation in PHP

 The usual use case is uploading of image files.


 Use getimageinfo() to get the correct mime
type of the file from the file header.
 Generate a random file name
 $rand = time() . substr(md5(microtime()), 0,
rand(5, 12));
 Return $rand and append file extension
 Ideally noexec permission should be set on
the directory where files are copied to.
So where we @?

 At this point you have reasonable ensured that


your PHP web application is not compromised.
 But the user connecting to your website are
vulnerable to session hijacking, CSRF from your
site etc.
 There are work around to the standard PHP
functions like this one for
mysql_real_escape_strings()
 http://shiflett.org/blog/2006/jan/addslashes-versus-
mysql-real-escape-string
Bonus | Don’t be ev!l ;)

 Create A File "Php.ini" In Some Writeable


Folder (777) Then Upload your Shell
 php.ini
safe_mode = OFF
disable_functions = NONE
Thanks for all the fish

 Feel free to email me your questions


 akashmahajan@gmail.c om
 Feel free to text me 99805 27182
 Come attend the monthly null BLR meeting.
It happens on 2nd Saturday of every month at
Frazier Town. The meets start at 10 AM end
by 12:30 PM – 1 PM

You might also like