HTTP AND SECURITY

Upload: nikola-milosevic

Post on 11-May-2015

Page 1: Http and security

HTTP AND SECURITY

Page 3: Http and security

HTTP

The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems.
HTTP is the foundation of data communication for the World Wide Web.

Page 4: Http and security

HTTP

HTTP functions as a request-response protocol in the client-server computing model.
The response contains completion status information about the request and may also contain the requested content in its message body.
HTTP is an application layer protocol (it is mostly carried over TCP, but can use UDP).

Page 5: Http and security

HTTP SESSIONS

An HTTP session is a sequence of network request-response transactions.
Every session has an ID and reflects a conversation between one client and one server.
In PHP the $_SESSION superglobal can hold session parameters.

Page 6: Http and security

HTTP METHODS

GET - Requests a representation of the specified resource.
HEAD - Like a GET request, but without the response body.
POST - Requests that the server accept the entity enclosed in the request as a new subordinate of the web resource identified by the URI.
PUT - Requests that the enclosed entity be stored under the supplied URI.
DELETE - Deletes the specified resource.
TRACE - Echoes back the received request so that a client can see what changes or additions have been made by intermediate servers.
OPTIONS - Returns the HTTP methods that the server supports for the specified URL.
CONNECT - Converts the request connection to a transparent TCP/IP tunnel.
PATCH - Applies partial modifications to a resource.

Page 7: Http and security

HTTP GET

    /test/demo_form.php?name1=value1&name2=value2

GET requests can be cached.
GET requests remain in the browser history.
GET requests can be bookmarked.
GET requests should never be used when dealing with sensitive data.
GET requests have length restrictions (2048 characters).
GET requests should be used only to retrieve data.

Page 8: Http and security

HTTP POST

    POST /test/demo_form.asp HTTP/1.1
    Host: w3schools.com

    name1=value1&name2=value2

POST requests are never cached.
POST requests do not remain in the browser history.
POST requests cannot be bookmarked.
POST requests have no restrictions on data length.

Page 9: Http and security

PHP METHODS FOR POST AND GET

GET - $_GET variable
POST - $_POST variable
$_REQUEST for both, plus $_COOKIE

    <?php
    // Only read the parameters when both are present in the query string
    if (isset($_GET['user']) && isset($_GET['gen'])) {
        $user = $_GET['user'];
        $gen  = $_GET['gen'];
        // Encode before echoing so a crafted parameter cannot inject markup into the page
        echo 'User: ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8')
           . ' - gender: ' . htmlspecialchars($gen, ENT_QUOTES, 'UTF-8');
    }

Page 13: Http and security

XSS PROTECTION

Stripping tags.
Transform characters like <, >, /, ', " etc. to HTML entities.

PHP functions:

    string strip_tags ( string $str [, string $allowable_tags ] )
    string htmlentities ( string $string )
    string htmlspecialchars ( string $string )
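The following is an added example, not code from the slides: one constructed untrusted string is passed through each of the three functions named above so their outputs can be compared, and a small renderUser() helper (my name, not from the slides) shows the encoding applied to a query parameter before it is echoed, as in the $_GET example on Page 9.

```php
<?php
// Added example (not from the slides). The input is constructed to resemble a
// script injection attempt and also contains characters that each function
// treats differently: an ampersand, double quotes and an accented letter.
$untrusted = '<script>alert(1)</script> Tom & "Jerry" <b>café</b>';

// strip_tags removes markup but keeps the text between the tags. The second
// argument is a whitelist of tags that survive; attributes on those tags are
// NOT removed, so the whitelist must be chosen with care.
function viaStripTags(string $s): string
{
    return strip_tags($s, '<b>');
}

// htmlspecialchars converts only the characters that have meaning in HTML
// (& < > " and, with ENT_QUOTES, ') to entities. The charset is given
// explicitly so the function never guesses it.
function viaHtmlSpecialChars(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// htmlentities does the same and additionally encodes every character that
// has a named HTML entity, e.g. accented letters.
function viaHtmlEntities(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// How a value taken from $_GET['user'] should be placed into the page body:
// the encoding happens at the point of output, not when the value is read.
function renderUser(string $user): string
{
    return 'User: ' . viaHtmlSpecialChars($user);
}

$outputs = [
    'strip_tags'       => viaStripTags($untrusted),
    'htmlspecialchars' => viaHtmlSpecialChars($untrusted),
    'htmlentities'     => viaHtmlEntities($untrusted),
];
foreach ($outputs as $fn => $out) {
    echo $fn, ': ', $out, "\n";
}
echo renderUser($untrusted), "\n";
```

Run it from the command line to see the three transformations side by side. Two things are worth noticing: strip_tags leaves the text alert(1) in place (it only removes the tags, so the result is no longer executable but also no longer the original string), and htmlspecialchars leaves the accented letter alone while htmlentities rewrites it as a named entity. For text placed inside an HTML element or attribute, htmlspecialchars with ENT_QUOTES and an explicit charset is the usual choice; strip_tags is a sanitiser for content that is meant to contain some markup, not an output encoder.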

Page 14: Http and security

SQL INJECTION

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.

Types:

Classic SQLi
Blind or inference SQL injection

Page 15: Http and security

SQL INJECTION EXAMPLE

    statement = "SELECT * FROM users WHERE name ='" + userName + "';"

Attacker input 1: ' or '1'='1

Attacker input 2: ' or '1'='1' -- '

Executed query:

    1: SELECT * FROM users WHERE name = '' OR '1'='1';

    2: SELECT * FROM users WHERE name = '' OR '1'='1' -- ';

Consider input:

    a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't

Page 16: Http and security

SQL INJECTION PROTECTION

Filter user input.

Way 1: prepared statement with a bound parameter (mysqli)

    // The value of $name travels separately from the query text,
    // so it can only ever be treated as a string value, never as SQL
    $stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
    $stmt->bind_param('s', $name);   // 's' binds the parameter as a string
    $stmt->execute();
    $result = $stmt->get_result();
    while ($row = $result->fetch_assoc()) {
        // do something with $row
    }

Way 2: escape the input before concatenating it into the query

    $unsafe_variable = $_POST["user-input"];
    $safe_variable = mysql_real_escape_string($unsafe_variable);
    mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");
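As an added example that is not part of the slides, the lookup from Page 15 is run both ways, as concatenated SQL and as a prepared statement, against a small in-memory SQLite table built inline with PDO, so the effect of attacker input 1 can be observed without a MySQL server. The function names and the table contents are mine. Note that the mysql_* functions used in Way 2 were removed in PHP 7.0, so current code uses PDO (as here) or mysqli (as in Way 1).

```php
<?php
// Added example (not from the slides): a constructed users table in an
// in-memory SQLite database, queried unsafely and with a prepared statement.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Vulnerable: the user-controlled text is pasted into the SQL, so it can
// change the grammar of the statement (this mirrors the Page 15 example).
function findUserUnsafe(PDO $db, string $userName): array
{
    $sql = "SELECT * FROM users WHERE name = '" . $userName . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the statement is compiled first and the value is supplied afterwards,
// so whatever the user typed is compared as one string against the column.
function findUserSafe(PDO $db, string $userName): array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE name = ?');
    $stmt->execute([$userName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$attackerInput = "' or '1'='1";   // attacker input 1 from Page 15

printf("unsafe query, attacker input: %d row(s)\n",
    count(findUserUnsafe($db, $attackerInput)));
printf("prepared query, attacker input: %d row(s)\n",
    count(findUserSafe($db, $attackerInput)));
printf("prepared query, real name: %d row(s)\n",
    count(findUserSafe($db, 'alice')));
```

With the concatenated query the WHERE clause becomes name = '' or '1'='1', which is true for every row, so both users come back; the prepared statement looks for a user whose name is literally ' or '1'='1 and finds none, while a real name still matches. The lesson carries over to mysqli and to the WordPress $wpdb->prepare() call on the next page: keep the query text fixed and pass values through placeholders.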

Page 17: Http and security

SQL INJECTION WORDPRESS PROTECTION

Use the prepare function with parameters:

    $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s",
            13, 'gargle'
        )
    );

The prepare function formats and escapes the parameters substituted for %d and %s, so the query is safe from SQL injection.

Page 18: Http and security

SENSITIVE DATA EXPOSURE

All data that is stored should be stored hashed or encrypted.
Also try to protect the transport layer (best using SSL).

Page 19: Http and security

CROSS SITE REQUEST FORGERY (CSRF)

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.

The attacker creates a page that requests some action that only an authorized user can execute.
The attacker sends the link of the page to the victim.
The victim clicks on the link and executes the command as the authorized user.

Page 20: Http and security

PROTECTION AGAINST CSRF

Use a token when sending every action.
The token should be created for each request or at least per session.
In WordPress you may use wp_nonce_field, wp_verify_nonce and wp_create_nonce.

    <form method="post">
        <!-- some inputs here ... -->
        <?php wp_nonce_field('name_of_my_action', 'name_of_nonce_field'); ?>
    </form>
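The WordPress helpers above hide the mechanism, so here is an added example in plain PHP (not from the slides and not WordPress code) of a per-session CSRF token: generation, the hidden form field, and the server-side check. It uses the $_SESSION superglobal from Page 5; in a real request handler session_start() runs first and $_SESSION and $_POST are passed where the demonstration below passes constructed arrays. The function names csrfToken, csrfField, csrfVerify and csrfRotate are mine.

```php
<?php
// Added example (not from the slides): minimal CSRF token handling in plain PHP.
// The functions take the session and the posted form as arrays so the same
// code can be exercised with $_SESSION / $_POST or, as below, with stand-ins.

// Create the token once per session: 32 random bytes, stored as 64 hex chars.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// The hidden input to include in every form that changes state. The token is
// HTML-encoded at the point of output, as on the XSS page.
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Server-side check on submission. hash_equals() compares in constant time so
// the response time does not reveal how much of a guessed token was correct.
function csrfVerify(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;   // missing token: a page on another origin cannot supply it
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Optional: discard the token after a successful action so the next form gets
// a fresh one (the "per request" variant mentioned on the slide).
function csrfRotate(array &$session): void
{
    unset($session['csrf_token']);
}

// --- Demonstration with constructed stand-ins for $_SESSION and $_POST ---
$session = [];                                   // empty session after session_start()
echo csrfField($session), "\n";                  // what the rendered form contains

// A submission from the real form carries the session's token.
$legitimate = ['action' => 'delete', 'csrf_token' => $session['csrf_token']];
// A request triggered from an attacker's page cannot read the victim's token.
$forged = ['action' => 'delete'];

var_dump(csrfVerify($session, $legitimate));
var_dump(csrfVerify($session, $forged));

csrfRotate($session);
var_dump(csrfVerify($session, $legitimate));     // old token no longer accepted
```

The forged submission fails because the token lives in the victim's session and in a page served by the site itself, neither of which a page on another origin can read, so it can only send the form without it. The legitimate submission is accepted until csrfRotate() runs, after which the same token is rejected and the next rendered form carries a new one. wp_nonce_field() and wp_verify_nonce() implement the same contract, with the nonce tied to the user, the action name and a time window.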
