Website Security


Published on March 10, 2014

Author: sicarii_13



PHP provides a rich toolset with immense power—some have argued that it is perhaps too much power—and this power, when used with careful attention to detail, allows for the creation of complex and robust applications. Without this attention to detail, though, malicious users can use PHP’s power to their advantage, attacking applications in a variety of ways.


This presentation examines some attack vectors and highlights means to mitigate and even eliminate most attacks.

CPTR304: INTERNET AUTHORING

ALL INPUT IS TAINTED

- As a general rule of thumb, the data in all of PHP's superglobal arrays should be considered tainted.
- The $_SERVER array is not fully safe, because it contains some data provided by the client.
- Before processing tainted data, it is important to filter it.
- There are two approaches to filtering data: the whitelist approach and the blacklist approach.

WHITELIST VS BLACKLIST FILTERING

- The blacklist approach is the less restrictive form of filtering; it assumes the programmer knows everything that should not be allowed to pass through.
- Whitelist filtering is much more restrictive, yet it affords the programmer the ability to accept only the input he expects to receive.

FILTER INPUT

```html
<form method="POST">
  Username: <input type="text" name="username" /><br/>
  Password: <input type="text" name="password" /><br/>
  Favorite color:
  <select name="color">
    <option>Red</option>
    <option>Blue</option>
    <option>Yellow</option>
    <option>Green</option>
  </select><br/>
  <input type="submit" />
</form>
```

FILTER INPUT CONT'D

```php
<?php
$clean = array();

// Username: letters only.
if (isset($_POST['username']) && ctype_alpha($_POST['username'])) {
    $clean['username'] = $_POST['username'];
}

// Password: letters and digits only.
if (isset($_POST['password']) && ctype_alnum($_POST['password'])) {
    $clean['password'] = $_POST['password'];
}

// Color: must be exactly one of the options the form offers
// (strict comparison, so no loose type juggling).
$colors = array('Red', 'Blue', 'Yellow', 'Green');
if (isset($_POST['color']) && in_array($_POST['color'], $colors, true)) {
    $clean['color'] = $_POST['color'];
}
```

FILTER INPUT CONT'D

Filtering with a whitelist approach places the control firmly in your hands and ensures that your application will not receive bad data.
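As an added example (not the slide's own code), the same whitelist rule driven by a reusable rule table, so every field is checked the same way; it also rejects missing, non-string and over-long fields and compares option values strictly. The function and rule names are assumptions.

```php
<?php
// Added example: whitelist filtering through a rule table. Nothing reaches
// $clean unless a rule explicitly accepted it.
function filter_form(array $post, array $rules): array
{
    $clean = [];
    foreach ($rules as $field => $rule) {
        // Missing or non-string input (e.g. username[]=x) is rejected,
        // not silently treated as an empty string.
        if (!isset($post[$field]) || !is_string($post[$field])) {
            continue;
        }
        $value = $post[$field];
        if ($value === '' || strlen($value) > $rule['max']) {
            continue;
        }
        if (isset($rule['allowed'])) {
            // Strict comparison: only the exact option strings pass.
            if (in_array($value, $rule['allowed'], true)) {
                $clean[$field] = $value;
            }
        } elseif (($rule['check'])($value)) {
            $clean[$field] = $value;
        }
    }
    return $clean;
}

// Rules for the form on the previous slide (max lengths are assumptions).
$rules = [
    'username' => ['check' => 'ctype_alpha', 'max' => 32],
    'password' => ['check' => 'ctype_alnum', 'max' => 64],
    'color'    => ['allowed' => ['Red', 'Blue', 'Yellow', 'Green'], 'max' => 6],
];

// Constructed sample submission standing in for $_POST: 'Purple' is not
// on the whitelist, so $clean will carry only username and password.
$post = ['username' => 'alice', 'password' => 'hunter2', 'color' => 'Purple'];
print_r(filter_form($post, $rules));
```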

ESCAPE OUTPUT

Output is anything that leaves your application, bound for a client. The client, in this case, is anything from a Web browser to a database server, and just as you should filter all incoming data, you should escape all outbound data. Whereas filtering input protects your application from bad or harmful data, escaping output protects the client and user from potentially damaging commands.

ESCAPE OUTPUT CONT'D

To escape output intended for a Web browser, PHP provides htmlspecialchars() and htmlentities(); the latter is the more exhaustive of the two and is therefore the recommended function for escaping.

```php
<?php
$html = array();
// Escape both single and double quotes and declare the charset explicitly.
$html['message'] = htmlentities($user_message, ENT_QUOTES, 'UTF-8');
echo $html['message'];
```


SPOOFED FORMS

- A common method used by attackers is a spoofed form submission.
- There are various ways to spoof forms, the easiest of which is to simply copy a target form and execute it from a different location.
- Spoofing a form makes it possible for an attacker to remove all client-side restrictions imposed upon the form in order to submit any and all manner of data to your application.

CROSS-SITE SCRIPTING (XSS)

- One of the most common and best known kinds of attacks.
- An XSS attack exploits the user's trust in the application and is usually an effort to steal user information, such as cookies and other personally identifiable data.
- All applications that display input are at risk.
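The escape-output slides above and this XSS slide share one mitigation, so here is a single added example (not the slide's own code) of escaping by output context: the htmlentities() call from the slides for HTML text and attribute values, and percent-encoding first for a value that lands in a URL. The helper names are assumptions.

```php
<?php
// Added example: one escaping helper per output context.

// HTML text and double-quoted attribute values.
function h(string $s): string
{
    // ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Values placed into a URL query string: percent-encode first, then
// HTML-escape because the href itself sits inside HTML.
function url_param(string $s): string
{
    return h(rawurlencode($s));
}

// Constructed untrusted input, e.g. a stored message from another user.
$user_message = 'Tom & Jerry\'s "<b>very</b>" <i>bold</i> reply';

$html = [];
$html['message'] = h($user_message);
$html['search']  = url_param($user_message);

// The browser now renders the tags as literal text instead of markup.
echo '<p>' . $html['message'] . '</p>' . "\n";
echo '<input type="text" value="' . $html['message'] . '">' . "\n";
echo '<a href="/search?q=' . $html['search'] . '">Search again</a>' . "\n";
```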

CROSS-SITE REQUEST FORGERIES (CSRF)

- An attack that tricks the victim into loading a page that contains a malicious request.
- It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf.
- CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data.
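An added example (not the slide's own code) of the standard CSRF defence, which also addresses the spoofed-form slide: a spoofed or cross-site form cannot carry a token it never received. It assumes PHP 7+ and an active session; the function and field names are assumptions.

```php
<?php
// Added example: per-session anti-CSRF token.
session_start();

function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes from the CSPRNG, hex-encoded for embedding in HTML.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlentities(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_valid(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    // Constant-time comparison avoids leaking the token byte by byte.
    return hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing form token.');
    }
    // ... filter input and perform the state change here ...
} else {
    // Every form that changes state carries the hidden token field.
    echo '<form method="POST">' . csrf_field()
        . ' Favorite color: <input type="text" name="color"> '
        . '<input type="submit"></form>';
}
```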


SQL INJECTION

A technique in which an attacker creates new SQL commands or alters existing ones to expose hidden data, overwrite valuable data, or even execute dangerous system-level commands on the database host.
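The database is one of the "clients" the escape-output slide mentions, and the way to escape data bound for it is to keep the data out of the SQL text altogether. This added example (not the slide's own code) uses PDO prepared statements against an in-memory SQLite database so it runs stand-alone; it assumes the pdo_sqlite extension, and the table and rows are constructed.

```php
<?php
// Added example: parameterised query instead of string concatenation.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, color TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'Red'), ('o''brien', 'Green')");

// Vulnerable form, shown only as the "before": the username becomes part of
// the SQL grammar, so a quote in it changes the query's meaning.
// $sql = "SELECT color FROM users WHERE username = '" . $_POST['username'] . "'";

// Hardened form: the query text is fixed; the value travels separately and
// can never be parsed as SQL.
function color_for_user(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT color FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $color = $stmt->fetchColumn();
    return $color === false ? null : $color;
}

// Constructed inputs: a plain name, one containing an apostrophe (which
// would break the concatenated query above), and an unknown user.
foreach (['alice', "o'brien", 'mallory'] as $input) {
    printf("%-10s -> %s\n", $input, color_for_user($db, $input) ?? '(no such user)');
}
```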


SESSION FIXATION

- Manually setting the session identifier through the query string, forcing the use of a particular session.
- This is most commonly achieved by creating a link to your application and appending the session identifier that the attacker wishes to give any user clicking the link.

<a href="">Click here</a>

SESSION HIJACKING

Any means by which an attacker gains a user's valid session identifier (rather than providing one of his own).
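An added example (not the slide's own code) covering both session slides: settings that refuse an identifier the server did not issue (fixation) and that keep the cookie away from scripts and plain HTTP (hijacking), plus a fresh identifier at login. It assumes PHP 7.3+ for the array form of session_set_cookie_params() and a site served over HTTPS; the function names and the 900-second idle timeout are assumptions.

```php
<?php
// Added example: session hardening against fixation and hijacking.

// Fixation: reject ids the server never issued, and never read one from
// the query string (the attacker's link appends it there).
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Hijacking: limit where the cookie can be read or sent.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,      // only sent over HTTPS
    'httponly' => true,      // not readable by JavaScript (limits XSS theft)
    'samesite' => 'Strict',  // not sent on cross-site requests
]);

session_start();

function login_user(string $username): void
{
    // A new id at privilege change discards any pre-set one, so a victim
    // who followed a fixation link ends up with an id the attacker lacks.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['last_seen'] = time();
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

// An idle timeout shortens the window in which a stolen id is useful.
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > 900) {
    logout_user();
} elseif (isset($_SESSION['last_seen'])) {
    $_SESSION['last_seen'] = time();
}
```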


REMOTE CODE INJECTION

A remote code injection attack occurs when an attacker is able to cause your application to execute PHP code of their choosing.

COMMAND INJECTION

- The injection and execution of arbitrary system commands.
- Relevant functions: exec(), system() and passthru().
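An added example (not the slide's own code) for the last two slides: user input is never allowed to name the file that gets included, and never reaches the shell except as a single whitelisted, quoted argument. Template paths, the directory whitelist and the function names are constructed.

```php
<?php
// Added example: keeping tainted input out of the code and command grammar.

// Remote code injection: a fixed map turns a tainted page name into one of
// our own templates; the input itself is never used as a path.
function render_page(string $page): void
{
    $templates = [
        'home'    => __DIR__ . '/templates/home.php',
        'contact' => __DIR__ . '/templates/contact.php',
    ];
    if (!isset($templates[$page])) {
        http_response_code(404);
        return;
    }
    include $templates[$page];
}

// Command injection: the command is fixed, the value is whitelisted, and
// escapeshellarg() passes it as exactly one shell word.
function disk_usage(string $dir): ?string
{
    $allowed = ['/var/www/uploads', '/var/www/cache'];
    if (!in_array($dir, $allowed, true)) {
        return null;
    }
    $output = [];
    exec('du -sh ' . escapeshellarg($dir), $output, $status);
    return $status === 0 ? ($output[0] ?? null) : null;
}

// Tainted values standing in for $_GET['page'] and $_GET['dir'].
render_page($_GET['page'] ?? 'home');
var_dump(disk_usage($_GET['dir'] ?? ''));
```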

Despite the many ways your applications can be attacked, four simple words can sum up most solutions to Web application security problems (though not all): filter input, escape output.

