My PHP Security talk from the COMMON conference 2011

1. PHP and Web-Based Security Kevin Schroeder Zend Technologies

2. About Kevin Past: Programming/Sys Admin Current: Technology Evangelist/Author/Composer @kpschrade

3. Obligatory Plug Mike will be talking about OOP tomorrow at 8:00 Room 101A

4. The key themes for this year’s ZendCon are: Cloud Computing Mobile and User Experience Enterprise and Professional PHP

5. Disclaimer Do not use anything you learn here for nefarious purposes But if you do, I want to hear about it 

7. You may provide access to your own private data

8. You may provide access to others private data

9. You may allow someone to impersonate another (identity theft)

10. You may take the blame for another person’s attack (remote code injection)

12. Lots of bad code out there

13. There are lots of bad people out there

14. Many servers set up by inexperienced sys admins

15. Or someone simply forgot to filter a variable

16. Many people think they are immune/not a target

17. Security not taken seriously

18. Insufficient time or resources to take security into consideration

20. Validating a login is not enough

21. The principle of least privileges

22. Initialize all variables

23. Cast variables when appropriate

24. Don’t store sensitive data in the web tree

25. Filter all data

27. What are the rules? Validate Input Filter Output

29. Cross Site Scripting (XSS)

30. Cross Site Request Forgery (XSRF)

31. File Inclusion

32. Information Dissemination

33. Command Injection

34. Remote Code Injection

35. Session Hijacking

36. Session Fixation

38. SQL Injection Injects arbitrary code into SQL statements

40. Use prepared statements if possible

41. If prepared statements are not available escape everything using database-specific escaping functions

42. Validate data (ctype_*, preg_*, Zend_Filter_*)

44. Cross Site Scripting (XSS) – Non Persistent Exploits user’s trust in the site Bad guy identifies a vulnerable website and sends you a link with the vulnerability in the URL You click on that link Your browser executes bad guy’s code

45. Cross Site Scripting (XSS) - Persistent Exploits user’s trust in the site Bad guy posts code on a website You request the page on the website Your browser executes bad guy’s code

47. Use Zend_Form for handling forms

48. Employ a whitelist for places where HTML input is required (!)

49. Use ctype_digit and ctype_alnum for simple fields like names or phone numbers

52. Exploit the website’s trust in that user

53. Trick the user’s browser into sending HTTP requests

55. Use Zend_Form and Zend_Form_Element_Hash

58. Don’t use dynamically included files

63. If you need to use those functions use hard coded values. Do not trust a variable or anything defined in another file

66. Set allow_url_include to false

67. If you must make remote requests always filter any user provided data

69. Attacker retrieves a user’s session ID and uses it as their own

71. Use session_regenerate_id(true)

72. Validate a session against an IP address

75. Use session_regenerate_id(true)

76. before logging in

77. periodically in a user’s session

78. if the domain in the HTTP_REFERER doesn’t match the current domain

79. None of these are foolproof, but they limit the ability of an attacker to fixate a session

80. Disable the use of the session ID in the URL

83. Use the session handler

85. Do not use register_globals

86. Keep as much code and data out of the public code tree (htdocs/wwwroot) as possible

87. Use a whitelist approach when dealing with HTML

88. Don’t have predictable resource locations

90. When they do they are usually in extension interfaces or the extensions themselves, not PHP

92. Get more information and examples at eschrade.com…