1 / 11

Securing PHP

Securing PHP. Survey of the solutions Stanislav Malyshev stas@zend.com. Most code is extremely buggy…. Can we help?. Input filtering. Unauthorized code (remote include) Unauthorized DB access (SQL Injection) Client subversion (XSS, XSRF). Let’s protect all data. Magic quotes:

knoton
Télécharger la présentation

Securing PHP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing PHP Survey of the solutions Stanislav Malyshev stas@zend.com

  2. Most code is extremely buggy… Can we help?

  3. Input filtering • Unauthorized code (remote include) • Unauthorized DB access (SQL Injection) • Client subversion (XSS, XSRF)

  4. Let’s protect all data Magic quotes:  a.php?data=1’2 -> $data == “1\’2” can be inside quotes • Optional • No support for context

  5. Let’s restrict the user Safe mode:  Allow access only to own files  Allow only “safe” actions  No OS support  Too many modules not controlled  Too hard to find out all “unsafe” ones and not kill apps

  6. Let’s filter • $var = filter_input(INPUT_GET, 'var'); • Standard filters for standard use-cases • No time machine • Voluntary

  7. Let’s watch the data Data tainting • No unfiltered data in sensitive contexts • How do I know the filtering was right? • Complex implementation – contexts • Performance

  8. Static  Can be as slow as it needs to False positive OK External engine $$foo = $$bar $foo->$bar($baz) eval($foo.$bar) Dynamic Real code, real data Can prevent attack Need for speed Engine modification Breaks applications Static vs. Dynamic

  9. Let’s watch the data - II CSSE • Track each character of data • Ensure the data is safely • Safety is context-dependant • Modification for all operations • Performance?

  10. Let’s watch the input & learn Runtime detection  No need to study application • No need to study context • Complex heuristics • Needs data collection

  11. ?

More Related