Are you a developer who works with PHP? Then this webinar was made for you. Even though PHP is a simple and practical language, it is easy to make code with the help of unorthodox solutions, also known as "kludges", that can endanger your website. In this webinar, Jean will explore some examples of PHP coding done incorrectly. Jean will also show you how badly written code is an invitation for hackers to exploit a website.

1. WEBINAR

3. •
•
•
–
–
•
•

4. WEBINAR
Jean Rafael Tardem Delefrati
• Software Engineer
• 1995 – Programming
• 2001 – Webmaster
• 2003 – PHP
• 2015 – Sucuri
delefrati

5. • Initially stood for “Personal Home Page”, currently ”PHP: Hypertext
Preprocessor”
• Free and Open Source
• Active community
• Performance (PHP 7)
• Easy to learn (similar to C/C++ and Perl)
• Multi-platform (portability)
• Manipulation of Data and Files
• “Malleable” - dynamic typing / almost everything is an object or array
PHP

6. 0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Nov-2016 Dec-2016 Jan-2017 Feb-2017 Mar-2017 Apr-2017 May-2017 Jun-2017 Jul-2017 Aug-2017 Sep-2017 Oct-2017 Nov-2017
Historical Trends in the Usage of Server-Side
Programming Languages for Websites
PHP ASP.NET Java static files ColdFusion Ruby JavaScript Perl Python Erlang
Source:: https://w3techs.com/technologies/history_overview/programming_language

8. • MacGyverism
• Improvisation
• Without planning
• Alternative method
• Quick-and-dirty solution
• Alternative engineering
• A computer program that has been
revised and tinkered with so much
that it will never work
What are kludges?
[source: http://www.dictionary.com/browse/kludge]

9. • WOP - Workaround-oriented
programming
• kludge or kluge n. Slang 1. A system,
especially a computer system that is
constituted of poorly matched
elements or of elements originally
intended for other applications.[...]
[source: The American Heritage Dictionary of the English Language (2011)]
What are kludges?

10. • Code
• Configuration
• Programming Model
• Structure
• Etc.
Kinds and Causes
• Lack of experience
• Lack of logic
• Lack of methodology
• Laziness
• Hurry
• Legacy code
• Frankenstein code

11. v
Examples

12. Classic: Automatic Form

13. Classic: Automatic form

15. Else? What is that?

17. Authorization by Blacklist

18. Indentation is for the weak

19. I think that it’s safe...

21. Kind of an exception

22. Auto load even what it shouldn’t

23. • Use your head!
• Refactor/rewrite!
• KISS principle – keep it simple, stupid!
• Use standards: PSR-1, PSR-2, PSR-3, PSR-4
• Use a CDN (with cache) to avoid direct access to your code.
• Be aware that attacks are unavoidable. Have backups and monitoring.
• Use a WAF!
How to avoid kludges?

24. vWAF
Web Application Firewall

25. • Act as an intermediary service between your website's application and the
visitor reaching for it.
• Intercept and remove malicious requests before they can cause damage.
• Prevent known payloads and malicious inputs sent by users.
• Help keep your work, your server, your environment, and your customers
safe.
*Most attacks happen because hackers are actively searching huge amounts
of websites for common vulnerabilities.
How a WAF can help you:

26. • ... do not have full control over the code (use plug-ins or codes
from other sources)
• ... use frameworks or common CMS
• ... prefer to do everything ”in-house”
• ... cannot or don’t want to upgrade your server or language
version
• ... use legacy code or don’t know very well the entire code
• ... have sensitive data from yourself or from your users
Especially effective if you...

27. • Won’t replace the existing controls, but will complement
them.
• Won’t help you to write simpler code.
• Won’t help you to write less kludges.
How a WAF CANNOT help you:

28. • Website Application Firewall (WAF) and Intrusion Prevention System
(IPS) specifically developed to address the challenges of site security.
• Employs Virtual Patching and Hardening technologies that mitigate
attacks on our network without requiring the site owner to take any
further actions.
WAF – Sucuri

29. v
APPLICATION FIREWALL

30. • Not configuring (not pointing the website to the WAF)
• Leaving “loose ends” (partial configuration)
• Whitelisting everything
• Blacklisting everything
• Whitelisting unsafe code
Bonus: How not to configure a WAF