Jeff Channell - Secure PHP Coding Practices
- 1. Secure PHP Coding Practices @jeffchannell
- 2. Why Should I Care? Loss of reputation (to you as a developer)
- 5. Damage to other sites
- 6. Basic Guidelines Trust Nothing Escape for the occasion
- 7. Understand different exploitation techniques
- 8. Who is this guy? Web developer with Anything Digital Security researcher
- 9. Discovered numerous vulnerabilities, primarily in Joomla! extensions
- 10. Common Vulnerability Types Information Disclosure
- 11. SQL Injection
- 12. Code Execution
- 13. Cross Site Scripting (XSS)
- 14. Cross Site Request Forgery (CSRF)
- 15. Information Disclosure Reveals non-public information
- 16. Cannot be used by itself to gain access
- 17. Useful to an attacker
- 18. Generally involves absolute paths to files (Path Disclosure)
- 19. Error reporting generally includes paths
- 20. MySQL errors
- 21. SQL Injection Caused by passing user-supplied input directly into an SQL query
- 22. Allows an attacker to alter the query
- 23. Does not always divulge information directly (known as “Blind Injection”)
- 24. SQL Injection – Example 1 $id = JRequest::getVar( 'id' ); $query = 'SELECT id, title FROM #__foobar WHERE id = ' . $id ; $db = JFactory::getDbo(); $db ->setQuery( $query ); $results = $db ->loadObject();
- 25. SQL Injection – Example 1 User input is concatenated with the query
- 26. SQL Injection – Example 1 User input is concatenated with the query
- 27. A malicious user can exploit this using the following request: index.php?option=com_foobar&id= 0 union select 1,2
- 28. SQL Injection – Example 1 User input is concatenated with the query
- 29. A malicious user can exploit this using the following request: index.php?option=com_foobar&id= 0 union select 1,2 This causes the query to become: SELECT id, title FROM #__foobar WHERE id = 0 union select 1,2
- 30. SQL Injection – Example 1 $id = JRequest::get Int ( 'id' ); $query = 'SELECT id, title FROM #__foobar WHERE id = ' . $id ; $db = JFactory::getDbo(); $db ->setQuery( $query ); $results = $db ->loadObject();
- 31. SQL Injection – Example 2 $title = JRequest::getVar( 'title' ); $query = 'SELECT id, title FROM #__foobar WHERE title = \'' . $title . '\'' ; $db = JFactory::getDbo(); $db ->setQuery( $query ); $results = $db ->loadObject();
- 32. SQL Injection – Example 2 A malicious user can exploit this using the following request: index.php?option=com_foobar&title= ' union select 1,2 -- '
- 33. SQL Injection – Example 2 A malicious user can exploit this using the following request: index.php?option=com_foobar&title= ' union select 1,2 -- ' This causes the query to become: SELECT id, title FROM #__foobar WHERE title = ' ' union select 1,2 -- ' '
- 34. SQL Injection – Example 2 A malicious user can exploit this using the following request: index.php?option=com_foobar&title= ' union select 1,2 -- ' This causes the query to become: SELECT id, title FROM #__foobar WHERE title = ' ' union select 1,2 -- ' ' MySQL uses a double dash (--) or a pound (#) to denote a comment, which allows an attacker to remove the ending of the query
- 35. SQL Injection – Example 2 $db = JFactory::getDbo(); $title = $db ->Quote( JRequest::get String ( 'title' ) ) ; $query = 'SELECT id, title FROM #__foobar WHERE title = ' . $title ; $db ->setQuery( $query ); $results = $db ->loadObject();
- 36. Code Execution User input in code execution methods
- 39. Code Execution shell_exec() / passthru() / etc
- 40. escapeshellcmd()
- 41. escapeshellarg()
- 42. Local File Inclusion User input in include / require statements
- 43. Null bytes can be used to end a path prematurely
- 44. Only allow known files to be included
- 45. Local File Inclusion - Example $view = JRequest:: getString ( 'view' ); require_once JPATH_COMPONENT. '/views/' . $view . '.php' ;
- 46. Local File Inclusion - Example User input is passed directly into require_once
- 47. A malicious user can use the following request: option=com_foobar&view= ../../../../../../../../../../../proc/self/environ%00 Included file becomes (example): /var/www/components/com_foobar/ views/../../../../../../../../../../../proc/self/environ%00.php This path is resolved as: /proc/self/environ
- 48. Local File Inclusion - Example $path = JPATH_COMPONENT. '/views/' ; $files = JFolder::files( $path , '.php$' ); $file = JRequest::getString( 'view' ). '.php' ; if (in_array( $file , $files ) { require_once $path . $file ; } else { JError::raiseError( 500 , JText::_( 'COM_FOOBAR_VIEW_NOT_FOUND' ) ); }
- 49. Local File Inclusion - Example /proc/self/environ is not the only file that contains user-provided information Apache logs
- 50. FTP logs
- 51. User-uploaded images PHP has been patched to protect against null byte injections as of 5.3.4
- 52. Remote File Inclusion Generally not an issue, depending on PHP configuration (allow_url_include should be disabled) and defined paths like JPATH_ROOT
- 53. register_globals and global path variables
- 54. File Uploads File extensions JFile::getExt();
- 55. Proper regular expressions (using $) Mimetypes
- 56. Don't trust information from $_FILES
- 57. Cross Site Scripting (XSS) One of the hardest vulnerabilities to protect against
- 58. Javascript is a very flexible language
- 60. HTML DOM
- 61. E4X
- 62. Cross Site Scripting (XSS) Preventing XSS in your Joomla! Extension User-supplied input rendered inside a template file can be escaped using $this->escape(); <a href = "#" > <?php echo $this ->escape( $this ->item->title); ?> </a>
- 63. Cross Site Scripting (XSS) Preventing XSS in your Joomla! Extension Creating HTML outside a template is generally bad practice, but sometimes cannot be avoided
- 64. JFilterInput
- 65. JFilterOutput
- 67. htmlentities();
- 68. Cross Site Request Forgery Always use session tokens in forms <?php echo JHtml::_('form.token'); ?> Always check tokens in controllers before taking any actions JRequest::checkToken() or die('Invalid Token');
- 69. Any Questions?