Evil Code and how to defend Evil Code and how to defend against itagainst it

CSCI 4300CSCI 4300http://shiflett.org/php-security.pdfhttp://shiflett.org/php-security.pdf

http://phpsec.org/projects/guide/2.htmlhttp://phpsec.org/projects/guide/2.html

Defense against form input attacks: Defense against form input attacks: data filteringdata filtering

Dispatch methodDispatch method

Dispatch script exampleDispatch script example

Spoofed form inputSpoofed form input

Whitelist Input VerificationWhitelist Input Verification

Whitelist Email address verificationWhitelist Email address verification

Simple message boardSimple message board

Message Board AttackMessage Board Attack

Message Board defenseMessage Board defense

• Security tip: use pre-existing PHP functions; they are more efficient and less likely to contain security holes.

Cross-Site Request forgeriesCross-Site Request forgeries

• Victim has authenticated to target site T

• Evil site E forges a privileged request to T

• Forged request succeeds by virtue of victim’s authentication tokens.

Cross-Site Request Forgery Cross-Site Request Forgery exampleexample

• Target site, stox.com:<input type=text name=stock>

<input type=text name=n_shares>

<input type=submit>

• Evil site, evil-hackers.org

<img src=http://stox.com?name=IBM&n_shares=1000000>

CSRF defense: form tokensCSRF defense: form tokens

Database CredentialsDatabase Credentials

• Place db.inc outside of document root, so it cannot be accessed via a URL!

SQL injection attackSQL injection attack

• <?php//get $uname and $passwd

...mysql_query (“select * from user where

uname=‘$uname’ and password=‘$passwd’”)

Evil input:Uname = my_unamePasswd= mypassd’; delete from user where

‘a’=‘a’