Zend: PHP Security Webinar

Posted by: Jordan in XSS, Security, Programming, PHP, JavaScript

I attended the Zend: PHP Security Webinar today, a free one-hour course by Zend, delivered over WebEx and presented by Kevin Schroeder.  I'll use this blog for my notes and to discuss some of the information presented.  The actual webinar presented a lot more information than this, and I expect the Zend course covers even more.  This brief introduction was enough to entice me to sign up for the full class. 

Topics Covered:
  • Why Program Securely - which listed several reasons to write secure programs (prevent identity theft, theft of private data, etc).
  • Why's the web so dangerous? - Reasons that there are so many security vulnerabilities such as bad code, bad people, etc.
  • What are the rules? - Use multiple methods of security, deny by default, initialize all variables, cast variables, filter all data, don't rely on hidden form variables.
    • An easy way to prevent XSS is to cast your variable to an integer.
    • Using just username/password isn't verifying identity but knowledge.
  • Types of Attacks
    • SQL Injection
    • XSS
    • XSRF (Cross Site Request Forgery)
    • Command Injection
    • Remote Code Injection
    • Session Hijacking
    • Session Fixation
    • Cookie Forging

Preventing SQL Injection
Convert to int, i.e.:

    $id = (int) $_GET["id"];


Use prepared statements.  This will actually separate the user input from the query.  ALWAYS validate data, e.g.:


 
    // ctype_digit() only accepts a string of decimal digits; "?? ''" avoids a warning when id is absent.
    if (!ctype_digit($_GET['id'] ?? '')) {
        die();
    }


Most of this has been covered on the forum in various topics.
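The validate-then-prepare pattern from this section, written out as a complete script. This is an added example, not code from the webinar or from the original post; it assumes the pdo_sqlite extension is available and uses a constructed in-memory `users` table so it runs offline.

```php
<?php
// Added example (not from the webinar or the original post): validate the id, cast it,
// and bind it to a prepared statement so user input never becomes part of the SQL text.
// Assumes pdo_sqlite; the users table below is constructed sample data.

function fetchUserById(PDO $pdo, string $rawId): ?array
{
    // 1. Validate: only a string of decimal digits is acceptable for an id.
    //    Anything else is rejected outright rather than "cleaned up".
    if (!ctype_digit($rawId)) {
        return null;
    }

    // 2. Cast: the query only ever sees an integer.
    $id = (int) $rawId;

    // 3. Prepared statement: the placeholder keeps data separate from the query.
    //    Contrast with building the SQL as 'WHERE id = ' . $_GET['id'], where the
    //    input is parsed as SQL.
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data so the example runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// A well-formed id is looked up; a malformed one fails validation and never
// reaches the database at all.
var_dump(fetchUserById($pdo, '2'));
var_dump(fetchUserById($pdo, '2 OR 1=1'));
```

The point of doing all three steps is defence in depth: the cast and the validation stop bad input early, and the prepared statement means that even if validation were bypassed the value could still only be treated as data.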


XSS
Talked about what it was and the method for prevention. Similar to my previous blog: Cross Site Scripting (XSS)


XSRF
Cross-site request forgery merely transmits unauthorized commands from a user the website trusts.

Solutions?
Use a token in session.


 
    // Deny by default when either token is missing; hash_equals() compares in constant time.
    if (!isset($_SESSION['token'], $_POST['token'])
        || !hash_equals($_SESSION['token'], $_POST['token'])) {
        // Possible XSRF attack.
    }


Force session timeouts and use tokens that expire.
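A complete version of the session-token approach described above, including the expiring tokens the webinar recommended. This is an added example, not code from the webinar or the original post; the function names and the `token` form field are my own, and the 30-minute lifetime is an assumption.

```php
<?php
// Added example (not from the webinar or the original post): a per-session XSRF token that
// is generated with a CSPRNG, embedded in every form, checked on every POST, and expires.
// Function names, the "token" field name and the 1800-second lifetime are assumptions.

function csrfToken(): string
{
    // Generate the token once per session from 32 cryptographically random bytes.
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
        $_SESSION['token_issued'] = time();
    }
    return $_SESSION['token'];
}

function csrfFieldHtml(): string
{
    // The token is hex, but escape it anyway: nothing goes into HTML unescaped.
    $value = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $value . '">';
}

function csrfIsValid(array $post, int $maxAgeSeconds = 1800): bool
{
    // Deny by default: no token on either side means no valid request.
    if (empty($_SESSION['token']) || !isset($post['token']) || !is_string($post['token'])) {
        return false;
    }
    // Expire old tokens instead of keeping one for the life of the session.
    if (time() - ($_SESSION['token_issued'] ?? 0) > $maxAgeSeconds) {
        unset($_SESSION['token'], $_SESSION['token_issued']);
        return false;
    }
    // Constant-time comparison so the check does not leak the token through timing.
    return hash_equals($_SESSION['token'], $post['token']);
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfIsValid($_POST)) {
        http_response_code(403);
        exit('Possible XSRF attack: request rejected.');
    }
    // ... handle the form submission here; it came from our own form ...

    // One-time use: drop the token so the next form gets a fresh one.
    unset($_SESSION['token'], $_SESSION['token_issued']);
}

echo '<form method="post">' . csrfFieldHtml() . '<button type="submit">Submit</button></form>';
```

Because the token lives in the session and is only ever written into our own form, a request forged from another site has no way to supply it; expiring and rotating the token limits how long a leaked one is useful.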


Command Injection

Passing Linux/system commands through to the OS.  This is only possible IF you use the system functions such as exec, the backtick operator, popen, shell_exec, etc.
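To make the point concrete, here is a hypothetical "ping a host" feature written the risky way and two constrained ways. This is an added example, not code from the webinar or the original post; the feature, function names and host-name pattern are assumptions.

```php
<?php
// Added example (not from the webinar or the original post): the same shell-out feature
// written unsafely and then constrained. The feature and names are hypothetical.

// RISKY: $host is pasted into a command line, so any shell metacharacter in it is
// interpreted by the shell instead of being treated as part of the host name.
function pingRisky(string $host): string
{
    return (string) shell_exec('ping -c 1 ' . $host);
}

// Deny by default: only a plausible host name (letters, digits, dots, hyphens) passes.
function assertHostName(string $host): void
{
    if (!preg_match('/^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$/', $host)) {
        throw new InvalidArgumentException('invalid host name');
    }
}

// CONSTRAINED: validate first, then quote, so the shell receives exactly one argument.
function pingConstrained(string $host): string
{
    assertHostName($host);
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// BEST: keep the shell out of it. With an array command (PHP 7.4+), proc_open() runs the
// program directly with the given argv, so there is no command line to inject into.
function pingNoShell(string $host): string
{
    assertHostName($host);
    $spec  = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $pipes = [];
    $proc  = proc_open(['ping', '-c', '1', $host], $spec, $pipes);
    if (!is_resource($proc)) {
        return '';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return (string) $out;
}
```

Validation plus escapeshellarg() is the minimum when a shell is unavoidable; the argv form removes the shell from the picture entirely, which is the simplest way to make this whole class of bug impossible.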


Remote Code Injection
Pointing a PHP include at another URL which contains PHP code.  This was the method used in the Joomla! hacking script posted here: http://forum.codecall.net/security-tutorials/4867-joomla-hacking-script.html

The easiest way to prevent this is to use the Joomla! .htaccess, which prevents unusual information being passed via GET.
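In application code, the equivalent defence is to never let request data become an include path at all. The following is an added example, not code from the webinar, the original post or Joomla!; the page names, the `pages/` directory and the function names are assumptions.

```php
<?php
// Added example (not from the webinar, the original post, or Joomla!): choose the file to
// include from a fixed allow-list keyed by the request value, so the request can never
// name a URL or a path. Page names and the pages/ directory are hypothetical.

const PAGE_FILES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of an allowed page, or null if the request is not on the list.
function resolvePage(string $requested): ?string
{
    // Deny by default: unknown names are not mapped to anything.
    if (!array_key_exists($requested, PAGE_FILES)) {
        return null;
    }
    $pagesDir = realpath(__DIR__ . '/pages');
    $real     = realpath(__DIR__ . '/pages/' . PAGE_FILES[$requested]);
    // The file must exist locally and really sit under pages/.
    if ($pagesDir === false || $real === false
        || strpos($real, $pagesDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Deploy-time check: with allow_url_include off, include/require of an http:// or ftp://
// URL is refused by PHP itself, so a remote file can never be executed this way.
function remoteIncludeIsDisabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

$page = resolvePage((string) ($_GET['page'] ?? 'home'));
if ($page === null) {
    http_response_code(404);
    exit('Page not found.');
}
require $page;
```

remoteIncludeIsDisabled() is worth calling from a health check or deployment test: the allow-list stops the application from including a URL, and the ini setting stops PHP from doing so even if some other piece of code gets it wrong.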


Session Hijacking
I've mentioned this in my XSS blog as well.  This is fetching the user's current session ID and assuming that ID in your browser.  You can read more about this in my blog.

To prevent it, don't allow submissions from other domains.  Don't allow JavaScript code to be submitted.  Don't display user input as HTML. 

Use the session_regenerate_id(true) function which will cause the old session to expire.


Session Fixation
Stealing a session and using PHPSESSID= in the URL.  The server then assumes you are the same as the real person.

Use session_regenerate_id(true) as well.
Make sure the referrer is the current domain (your site/domain).
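The session-handling advice from the Session Hijacking and Session Fixation sections above, gathered into one place: cookie-only, strict-mode sessions, session_regenerate_id(true) at login, an idle timeout, and the referrer check. This is an added example, not code from the webinar or the original post; the function names and the 15-minute idle limit are assumptions.

```php
<?php
// Added example (not from the webinar or the original post) for the session hijacking and
// session fixation sections: harden how sessions are started, rotate the ID at login,
// time idle sessions out, and check that the referrer is our own domain.
// Function names and the 900-second idle limit are assumptions.

function startHardenedSession(): void
{
    // Accept session IDs only from cookies, never from PHPSESSID in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse IDs the server did not issue, which defeats an attacker-chosen (fixated) ID.
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie away from JavaScript and off plain HTTP.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginUser(int $userId): void
{
    // Issue a fresh ID and delete the old session (true), so whatever ID the visitor
    // carried before authenticating is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// Forces a timeout: returns false and destroys the session once it has been idle too long.
function sessionIsFresh(int $maxIdleSeconds = 900): bool
{
    $last = $_SESSION['last_seen'] ?? null;
    if ($last !== null && time() - $last > $maxIdleSeconds) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// "Make sure the referrer is the current domain": compare only the host part, case-insensitively.
function refererIsSameOrigin(string $referer, string $ourHost): bool
{
    $refHost = parse_url($referer, PHP_URL_HOST);
    return is_string($refHost) && strcasecmp($refHost, $ourHost) === 0;
}

startHardenedSession();
if (!sessionIsFresh()) {
    http_response_code(401);
    exit('Session expired; please log in again.');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && !refererIsSameOrigin($_SERVER['HTTP_REFERER'] ?? '', $_SERVER['HTTP_HOST'] ?? '')) {
    http_response_code(403);
    exit('Cross-domain submission rejected.');
}
```

Two caveats a practitioner would want: the Referer header is sent by the browser and can be absent (privacy settings, some proxies), so treat its check as one layer alongside the session token rather than the only one; and session_regenerate_id(true) should be called at every privilege change (login, role change), not just once.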


Cookie Forging
Using a telnet prompt, a hacker can bypass your cookie settings.  The solution is to not use cookies.


Ending
Above is just what I took from the training.  There was more information than this; these are just quick notes.  The webinar is free and Zend often gives webinars.  I recommend you take one if you are interested. 






Comments (6)

John said:

Sounded interesting, wish I could have made it :/
 
July 02, 2008

Jordan said:

It was, too bad it was only an hour long. Will you be able to make the next one?
 
July 03, 2008

ZeroRadius said:

I didn't know Zend did free seminars. I want to get Zend PHP certified badly. Do you by chance have a link to the list of dates and locations?
 
July 04, 2008

Jordan said:

You can find information about their upcoming webinars here: http://www.zend.com/en/resources/webinars/
 
July 04, 2008

ZeroRadius said:

cool thanks
 
July 04, 2008

Jordan said:

No problem. I've also taken one of their classes (about 2-3 years ago) and I am taking another one this month. I'll blog about it if you are interested.
 
July 04, 2008
