PHP Security Crash Course - 1 - Introduction

This document is the presentation slides for a talk on PHP security given by Stefan Esser. The slides introduce Esser and his background in PHP and security. The agenda then outlines how the talk will cover security problems like XSS, CSRF, SQL injection, session management, and PHP code inclusion. It defines key terms like input, filtering, validation, output, and escaping. It emphasizes the mantra of filtering all input and escaping all output to avoid security issues that can arise from untrusted user input.

Copyright: © Attribution Non-Commercial (BY-NC)
http://www.sektioneins.de

PHP Security Crash Course


Stefan Esser <[email protected]>

June 2009 - Amsterdam


Who am I?

Stefan Esser
• from Cologne / Germany
• Information security since 1998
• PHP Core Developer since 2001
• Month of PHP Bugs and Suhosin
• Head of Research and Development at SektionEins GmbH

Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 •  June 2009 •  2
Agenda

• Introduction
• Security Problems and Solutions
• XSS
• CSRF
• SQL Injection
• Session Management
• PHP Code Inclusion / Evaluation

Part I
Introduction

Introduction

• Input to web applications can be arbitrarily manipulated
• Many security problems arise from misplaced trust in user input - but not all
• malfunction in case of
  • unexpected variables
  • unexpected data types
  • unexpected lengths
  • unexpected characters / ranges

Mantra

Filter Input and Escape Output

What is Input? (I)

• $_GET - URL variables
• $_POST - form data
• $_COOKIE - cookies
• $_REQUEST - mixture of GPC (unknown source)
• $_FILES - uploaded files
• $_SERVER - HTTP headers / URL / query string
• $_ENV - environment

What is Input? (II)

➡ don't forget other inputs like
  • results of database queries
  • results of shell commands
  • results of web services
  • results of other external data sources

What is Filtering?

• removing all unknown / unexpected variables
• removing illegal input
• casting to expected data types
• removing illegal characters
• cutting overlong input
• attention: repairing illegal input can be dangerous
• the mantra makes no distinction between filtering and validation

What is Validation?

• validation of user input against expected
  • data types
  • lengths
  • characters / ranges
• blocking / ignoring illegal input

What is Output?

• every output of the web application
  • HTML, JSON, ...
  • HTTP headers
• but also all communication with subsystems
  • Database
  • UNIX Shell (commands)
  • Filesystem (filenames)

What is Escaping?

• "escaping" is used loosely in the mantra
• "escaping" normally means disarming subsystem-specific meta characters
• in the mantra it means every kind of preparation for output

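The filtering and escaping slides above, worked through as an added example in plain PHP (not code from the slides or from Stefan Esser); the request array and the `users` table it queries are constructed for the demo:

```php
<?php
// Added example, not from the slides: the mantra "Filter Input, Escape
// Output" in plain PHP. All request data below is constructed for the demo.
declare(strict_types=1);

// Filtering: keep only expected variables, cast to the expected type, enforce
// length and character ranges. Illegal input is rejected, not "repaired":
// stripping the bad characters and keeping the rest is the dangerous path
// the slides warn about.
function filterInput(array $raw): array
{
    $expected = ['page' => '/^\d{1,6}$/', 'user' => '/^[a-z0-9_]{1,32}$/'];
    $clean = [];
    foreach ($expected as $name => $pattern) {
        if (!isset($raw[$name]) || !is_string($raw[$name])) {
            throw new InvalidArgumentException("missing or non-scalar: $name");
        }
        if (!preg_match($pattern, $raw[$name])) {
            throw new InvalidArgumentException("illegal value for: $name");
        }
        $clean[$name] = $raw[$name];
    }
    $clean['page'] = (int) $clean['page']; // cast to the expected data type
    return $clean; // unknown variables (e.g. "debug") are dropped
}

// Escaping: the same value needs subsystem-specific preparation depending on
// where it is output.
function toHtml(string $user): string
{
    return '<b>' . htmlspecialchars($user, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</b>';
}

function toShell(string $user): string
{
    return 'id ' . escapeshellarg($user);
}

function toQuery(PDO $db, string $user): PDOStatement
{
    // the database driver, not string concatenation, handles the quoting
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->bindValue(':name', $user, PDO::PARAM_STR);
    return $stmt;
}

$input = filterInput(['page' => '3', 'user' => 'alice', 'debug' => '1']);
echo toHtml($input['user']), "\n";
echo toShell($input['user']), "\n";
```

Note that `filterInput` is both filtering and validation in the slides' terms: it drops unexpected variables and blocks illegal values rather than trying to fix them.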
Questions?
