PHP Top 5 from the Open Web Application Security Project - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
PHP Top 5 from the Open Web Application Security Project
  • Presented By
  • Mike Morrison
  • Systems Security Analyst
  • University of Missouri-Columbia

2
PHP Trivia
  • Name the Danish-Canadian programmer credited with
    creating PHP.
  • Rasmus Lerdorf (1994)

3
Overview
  • Past Techniques & Misconceptions
  • The Top 5
  • Q&A

4
Past Techniques & Misconceptions
  • What is the cure for vulnerable PHP apps?
  • Firewalls/IDS/IPS can not be relied on
  • Input validation is the key
  • Know your PHP configuration
  • Only through code reviews and ensuring that code
    is tested for security flaws can the risk of
    attack be reduced.

5
Past Techniques & Misconceptions
  • safe_mode
  • Tests for UID/GID, restricts system()
  • Many believe if this is enabled PHP is locked
    down
  • Majority of PHP vulnerabilities bypass safe_mode
  • Removed from PHP 6!

6
Past Techniques & Misconceptions
  • addslashes() / magic_quotes
  • Does not prevent all SQL injection attacks
  • Use safer mechanisms like PDO or
    mysql_real_escape_string
  • PDO requires PHP 5.1 or greater
  • Removed from PHP 6!

7
1 Remote Code Execution
  • Most widespread issue since 2004
  • Hackers are able to execute processes on the end
    system.
  • Causes
  • Insufficient validation
  • Use of PHP wrappers
  • Poor privilege management

8
1 Remote Code Execution
  • Vulnerable Functions
  • See Code Example

9
1 Remote Code Execution
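The code example slide did not survive extraction. The following is an added example (not the presenter's code) of the dynamic-include pattern the "Causes" slide describes, beside a white-listed version; it assumes PHP 7 or later, and the `pages/` paths are hypothetical.

```php
<?php
// Added example, not from the slides: a request-controlled include beside a
// white-listed version. Assumes PHP 7+; the 'pages/' paths are hypothetical.

// VULNERABLE: the request decides which file is included. With
// allow_url_fopen enabled the value may name a URL or a PHP stream wrapper,
// so the server executes whatever that resource contains.
function load_page_vulnerable($page)
{
    include $page . '.php';
}

// HARDENED: server-side white list. The request value is only ever used as a
// lookup key; the path handed to include() comes from this table.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Returns the allowed path, or null when the input fails the type, length or
// syntax checks or is not a known key.
function resolve_page($page)
{
    if (!is_string($page) || strlen($page) > 32) {
        return null;
    }
    if (!preg_match('/^[a-z]+$/', $page)) {
        return null;
    }
    return PAGES[$page] ?? null;
}

function load_page_safe($page)
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(400);
        die('Invalid request.');   // generic error, no detail about why
    }
    include $path;                 // always one of the PAGES values
}

load_page_safe($_GET['page'] ?? 'home');
```

The same pattern, with a local path instead of a wrapper, is the local file inclusion listed under File System Attacks below; the white list defends against both.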

10
1 Remote Code Execution
  • Countermeasures
  • Server-side white list input validation!
  • Limit use of dynamic inputs to vulnerable
    functions
  • Review code for file operations
  • Disable allow_url_fopen in php.ini
  • For now, enable safe_mode restrictions and set
    open_basedir restrictions

11
2 Cross-Site Scripting
  • Three Types of XSS
  • Reflected: attacker provides a link containing
    malicious content (primary form of phishing via
    e-mail)
  • Persistent: attacker stores malicious content in
    the victim database
  • DOM: uses the victim site's JavaScript code to
    reflect the XSS attack

12
2 Cross-Site Scripting
  • Causes
  • Insufficient validation
  • Systems with register_globals turned on are more
    at risk
  • See Code Example (Reflected XSS)

13
2 Cross-Site Scripting

Note: Even better code would check for length,
type and syntax; if the input does not pass all
checks, the application should display a generic
error and die.
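The reflected XSS code example slide is missing from the transcript. As an added example (not the presenter's code), here is the unsafe echo beside a version that applies the note above: length, type and syntax checks, a generic error on failure, and htmlentities() on the way out. The `name` parameter is assumed.

```php
<?php
// Added example, not from the slides: reflected XSS beside a validated and
// output-encoded version. The 'name' request parameter is assumed.

// VULNERABLE: a request value is written straight into the page, so any
// markup in the "name" parameter is rendered by the victim's browser.
function greeting_vulnerable($name)
{
    return "<p>Hello, $name</p>";
}

// White list validation as the note describes: type, length, then syntax.
function validate_name($name)
{
    if (!is_string($name)) {                       // type
        return false;
    }
    if (strlen($name) < 1 || strlen($name) > 40) { // length
        return false;
    }
    // syntax: letters, spaces, apostrophes and hyphens only
    return (bool) preg_match("/^[A-Za-z][A-Za-z '-]*$/", $name);
}

// HARDENED: input taken directly from $_GET, checked against the white
// list, then encoded so the browser treats it as text rather than markup.
function greeting_safe($name)
{
    if (!validate_name($name)) {
        http_response_code(400);
        die('Invalid input.');   // generic error, then stop
    }
    // ENT_QUOTES also encodes the apostrophe the syntax check allows
    return '<p>Hello, ' . htmlentities($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

echo greeting_safe(isset($_GET['name']) ? $_GET['name'] : '');
```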
14
2 Cross-Site Scripting
  • Countermeasures
  • Server-side white list input/output
    validation! (check for length, type, syntax)
  • Properly initialize inputs and other variables
  • Turn off register_globals
  • Use htmlentities() to scrub data bound for
    browser
  • Obtain input directly from the correct location
    ($_POST, $_GET, etc.)
  • Remove canned apps known to be vulnerable

15
3 SQL Injection
  • Causes
  • Insufficient validation
  • Countermeasures
  • Use PHP 5.1's PHP Data Objects (PDO)
  • Use MySQLi or PEAR::DB parameterized statements
  • At very least use a function like
    mysql_real_escape_string

16
3 SQL Injection

See the longer example on the OWASP PHP Top 5 page,
which uses PHP Data Objects (PDO)
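The SQL injection code slide is also missing. As an added example (not the presenter's or OWASP's code), here is a string-built query beside a PDO parameterized statement, run against an in-memory SQLite database with constructed rows; it assumes the pdo_sqlite extension.

```php
<?php
// Added example, not from the slides: concatenated SQL beside a PDO prepared
// statement. In-memory SQLite with constructed rows (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// VULNERABLE: the input becomes part of the SQL text, so a quote character
// in it changes the statement the database parses.
function find_user_vulnerable(PDO $db, $name)
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: parameterized statement. The SQL text is fixed when prepare() runs;
// the value is bound afterwards and can only ever be data.
function find_user_safe(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A legitimate name with an apostrophe shows the difference: the prepared
// statement finds the row, while the concatenated query is no longer valid
// SQL and the driver rejects it.
$input = "O'Brien";
print_r(find_user_safe($db, $input));
try {
    find_user_vulnerable($db, $input);
} catch (PDOException $e) {
    echo "Concatenated query rejected by the database\n";
}
```

What breaks an honest apostrophe here is the same mechanism an attacker relies on; the prepared statement removes it for both cases.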
17
4 PHP Configuration
  • Secure PHP configuration standards are an ongoing
    debate
  • Improperly configured PHP can expose system to
    unnecessary risk
  • Rule of thumb: if you're not using it, turn it
    off

18
4 PHP Configuration
  • Best Practices
  • Disable the following (php.ini or .htaccess)
  • Enable and correctly configure safe_mode and
    open_basedir (Beware, safe_mode isn't exactly
    safe!)
  • Upgrade to PHP 5
  • Stay informed, visit OWASP often!

19
5 File System Attacks
  • Types
  • Local file inclusion (/etc/passwd, conf files,
    logs)
  • Local session tampering (usually looking at files
    in /tmp)
  • Local file upload injection (primarily a
    vulnerability in attachment handling)

20
5 File System Attacks
  • Check your code
  • Are user inputs included in any file operations?
  • Are there variables involved in the operation
    that were not initialized?
  • Is register_globals enabled?
  • If so you may be at risk

21
5 File System Attacks
  • Countermeasures
  • Server-side white list input validation! (check
    for length, type, syntax)
  • Properly initialize inputs and other variables
  • Move secrets and logs out of web root
  • Make scripts compatible with safe_mode
    restrictions and/or use suPHP, PHPsuExec or
    php_suexec
  • Configure SELinux

22
  • For the PHP Top 5 Wiki and other OWASP
    information see http://www.owasp.org/index.php/PHP_Top_5
  • For the Security Awareness Website visit
  • http://iatservices.missouri.edu/security/make-it-safe/
  • To report network vulnerabilities or incidents
    email abuse@missouri.edu
  • For questions about the information in this
    presentation or to join the PHP Birds of a
    Feather you may email
  • morrisonm@missouri.edu