Php Security Crash Course - 1 - Introduction

http://www.sektioneins.de

PHP Security Crash Course Stefan Esser <[email protected]>

June 2009 - Amsterdam

Who am I?

• Stefan Esser
• from Cologne / Germany
• Information security since 1998
• PHP Core Developer since 2001
• Month of PHP Bugs and Suhosin
• Head of Research and Development at SektionEins GmbH

Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 •  June 2009 •  2

Agenda

• Introduction
• Security Problems and Solutions
• XSS
• CSRF
• SQL Injection
• Session Management
• PHP Code Inclusion / Evaluation


Part I Introduction


Introduction

• Input to web-applications can be arbitrarily manipulated
• Many security problems arise from misplaced trust in user input - but not all
• malfunction in case of
  • unexpected variables
  • unexpected data-types
  • unexpected lengths
  • unexpected characters / ranges


Mantra

Filter Input and Escape Output


What is Input? (I)

• $_GET - URL variables
• $_POST - form data
• $_COOKIE - cookies
• $_REQUEST - mixture of GPC (unknown source)
• $_FILES - uploaded files
• $_SERVER - HTTP headers / URL / querystring
• $_ENV - environment


What is Input? (II)

➡ don't forget other inputs like
• result of database queries
• result of shell commands
• result of web services
• or results of other external data sources


What is Filtering?

• removing all unknown / unexpected variables
• removing illegal input
• casting to expected data-types
• removing illegal characters
• cutting overlong input

• attention: repairing illegal input can be dangerous
• the Mantra does not distinguish filtering from validation


What is Validation?

• Validation of user input against expected
  • data-types
  • lengths
  • characters / ranges

• Blocking / Ignoring illegal input


What is Output?

• every output of the web-application
  • HTML, JSON, ...
  • HTTP headers

• but also communication with subsystems
  • Database
  • UNIX Shell (-commands)
  • Filesystem (filenames)


What is Escaping?

• "escaping" is wrongly used in the Mantra
• "escaping" normally means disarming subsystem-specific meta characters

• in the Mantra it means every kind of preparation for output
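The filtering / validation and escaping steps from the slides above, applied to one request as an added PHP example (not code from the slides); the function names, the users table and the log path are assumptions:

```php
<?php
declare(strict_types=1);
// Added example, not part of the slides. filterRequest(), renderUser(),
// findUser(), grepLog(), the users table and the log path are assumptions.

// Filtering / validation: keep only the expected variables, cast to the
// expected data-type, enforce length and character range, and reject
// illegal input rather than trying to repair it.
function filterRequest(array $input): array
{
    $id = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $name = $input['name'] ?? '';
    // an unexpected data-type (e.g. name[]=x arrives as an array) is rejected
    if (!is_string($name) || strlen($name) > 40
        || !preg_match('/^[A-Za-z0-9 _-]+$/', $name)) {
        throw new InvalidArgumentException('name: illegal length or characters');
    }
    return ['id' => $id, 'name' => $name];
}

// Escaping for the HTML output context: disarm HTML meta characters.
function renderUser(array $user): string
{
    $name = htmlspecialchars($user['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>User #{$user['id']}: {$name}</p>";
}

// "Escaping" for the database subsystem: the preparation for output is a
// prepared statement, so no meta characters have to be disarmed by hand.
function findUser(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Escaping for the shell subsystem: escapeshellarg() disarms shell meta characters.
function grepLog(string $name): string
{
    return 'grep -F ' . escapeshellarg($name) . ' /var/log/app.log';
}

// Constructed sample input standing in for $_GET.
$user = filterRequest(['id' => '42', 'name' => 'alice']);
echo renderUser($user), "\n";
echo grepLog("O'Reilly"), "\n";
```

Each subsystem gets its own preparation step (htmlspecialchars, a prepared statement, escapeshellarg); a single generic "escape" function cannot serve all three.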


Questions?
