ABC of Securing PHP code
Dr. Tarique Sani
C.T.O. SANIsoft
Nagpur, India
Why, Who, What is this talk about?
● PHP is very popular and easily learned (in a weekend)
● Designers are usually not aware of security
● Aimed at new and intermediate PHP programmers, and PHP trolls
● Outlines the most common security issues seen in web applications
● Simple solutions for each of them in PHP
What this talk is not...
● This is not a comprehensive guide
● This is not a talk on cracking security flaws
● Will not talk about specific software flaws
● This is not about PHP installation or server configuration
OWASP - Top Ten
● Unvalidated Parameters
● Broken Access Control
● Broken Account and Session Management
● XSS Flaws
● Buffer Overflows
● Command Injection
● Error Handling Problems
● Insecure use of cryptography
● Remote Admin Flaws
● Server Misconfiguration
http://www.owasp.org
Unvalidated Parameters
● What are they and why are they harmful
    // $this->to and $this->from come straight from user input and are
    // concatenated into the command line unescaped, then handed to the shell
    function Send($sendmail = "/usr/sbin/sendmail") {
        if ($this->from == "") {
            $fp = popen($sendmail . " -i " . $this->to, "w");
        } else {
            $fp = popen($sendmail . " -i -f " . $this->from . " " . $this->to, "w");
        }
    }
● dummy@dummy.com badguy@evil_host.com alert(document.cookie);
● Solution!
– htmlspecialchars(), strip_tags(), utf8_decode()
http://www.cgisecurity.com/articles/xss-faq.txt
Command Injection
● What is it?
– exec(), system(), passthru(), backtick operator
● Solutions
– escapeshellcmd()
– escapeshellarg()
– realpath()
– addslashes()
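Added example, not from the slides: the popen() pattern from the Unvalidated Parameters slide rebuilt beside a hardened version that validates the address and quotes it with escapeshellarg(), plus the htmlspecialchars() escaping for the XSS case. Function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not from the slides. Function names are assumptions.
// Both builders return the command as a string (as popen() would receive it)
// so the effect of validation is visible without launching a process.

// Vulnerable: $to is concatenated into the command unmodified, so shell
// metacharacters inside it change what the shell ends up running.
function buildCommandUnsafe(string $to, string $sendmail = '/usr/sbin/sendmail'): string
{
    return $sendmail . ' -i ' . $to;
}

// Hardened: reject anything that is not a syntactically valid address,
// then quote the value so the shell treats it as one literal argument.
function buildCommandSafe(string $to, string $sendmail = '/usr/sbin/sendmail'): string
{
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Recipient is not a valid e-mail address');
    }
    return $sendmail . ' -i ' . escapeshellarg($to);
}

// XSS counterpart: a value echoed back into HTML goes through
// htmlspecialchars() with quotes escaped and an explicit charset.
function renderRecipient(string $to): string
{
    return '<p>Mail sent to ' . htmlspecialchars($to, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed inputs: a valid address, one carrying shell metacharacters,
// and one carrying HTML markup.
$inputs = [
    'user@example.com',
    'user@example.com; echo injected',
    '<b>user</b>@example.com',
];

foreach ($inputs as $to) {
    echo "unsafe : ", buildCommandUnsafe($to), "\n";
    try {
        echo "safe   : ", buildCommandSafe($to), "\n";
    } catch (InvalidArgumentException $e) {
        echo "safe   : rejected (", $e->getMessage(), ")\n";
    }
    echo "html   : ", renderRecipient($to), "\n\n";
}
```

Only the first input survives buildCommandSafe(); the other two are rejected by filter_var() before escapeshellarg() is even reached, and renderRecipient() neutralises the markup in the third.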
Error Handling problems
● Error output can display sensitive info
– Eg: Warning: access denied for user: tarique@localhost (using password: NO)
● Solution
– die statements
– log_errors = On
– display_errors = Off
Insecure use of Cryptography
● Not directly PHP scripting related
● Use mcrypt functions
● Store the keys and salt securely
Remote Administration Flaws
● Not directly PHP scripting related
● SSL connection to prevent sniffing of passwords and content
● Change default passwords of third party tools
● Remove install files
● Admin tools on a different server than the public server
Web and Application Server config
● Not directly PHP scripting related
● safe_mode
● safe_mode commands
Conclusion
● This just scratches the tip of the iceberg
● Ensuring security in PHP is simple and very effective
● Keeping abreast of PHP development pays off
Discuss more at
in-phpug@yahoogroups.com