Http and security
1 like1,543 views
The document discusses HTTP and security topics related to web applications. It provides an overview of HTTP basics including methods like GET and POST. It then covers security threats like cross-site scripting (XSS), SQL injection, sensitive data exposure, and cross-site request forgery (CSRF). The document recommends approaches to protect against these threats, such as input filtering, prepared statements, encryption, using tokens, and more. It also discusses how these security concepts apply to PHP and WordPress applications.
![PHP METHODS FOR POST AND GET
GET - $_GET variable
POST - $_POST variable
$_REQUEST for both + $_COOKIE
if (isset($_GET['user']) && isset($_GET['gen']))
{
$user = $_GET['user'];
$gen = $_GET['gen'];
echo 'User: '. $user. ' - gender: '. $gen;
}
](https://image.slidesharecdn.com/httpandsecurity-131121032627-phpapp02/85/Http-and-security-9-320.jpg)
![XSS PROTECTION
Stripping tags
Transform characters like <,>,/,’,” etc to html
entities
Php functions:
string strip_tags ( string $str [, string
$allowable_tags ] )
string htmlentities ( string $string)
string htmlspecialchars( string $string)](https://image.slidesharecdn.com/httpandsecurity-131121032627-phpapp02/85/Http-and-security-13-320.jpg)
![SQL INJECTION PROTECTION
Filter user input
Way 1:
$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE
name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc())
{ // do something with $row }
Way2:
$unsafe_variable = $_POST["user-input"] ;
$safe_variable = mysql_real_escape_string($unsafe_variable);
mysql_query("INSERT INTO table (column) VALUES ('" .
$safe_variable . "')");
](https://image.slidesharecdn.com/httpandsecurity-131121032627-phpapp02/85/Http-and-security-16-320.jpg)
Http and security
- 2. AGENDA HTTP basics HTTP methods PHP and HTTP Security threats and attacks Security in PHP
- 3. HTTP The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems HTTP is the foundation of data communication for the World Wide Web.
- 4. HTTP HTTP functions as a request-response protocol in the client-server computing model The response contains completion status information about the request and may also contain requested content in its message body HTTP is an application layer protocol (mostly TCP, but can use UDP)
- 5. HTTP SESSIONS An HTTP session is a sequence of network request-response transactions Every session has an ID and reflects conversation between one client and server In PHP $_SESSION variable can hold session parameters
- 6. HTTP METHODS GET - Requests a representation of the specified resource HEAD - likeGET request, but without the response body POST - Requests that the server accept the entity enclosed in the request as a new subordinate of the web resource identified by the URI PUT - Requests that the enclosed entity be stored under the supplied URI DELETE - Deletes the specified resource. TRACE - Echoes back the received request so that a client can see what changes or additions have been made by intermediate servers. OPTIONS - Returns the HTTP methods that the server supports for the specified URL CONNECT - Converts the request connection to a transparent TCP/IP tunnel PATCH - Is used to apply partial modifications to a resource
- 7. HTTP GET /test/demo_form.php?name1=value1&name2=val ue2 GET requests can be cached GET requests remain in the browser history GET requests can be bookmarked GET requests should never be used when dealing with sensitive data GET requests have length restrictions (2048) GET requests should be used only to retrieve data
- 8. HTTP POST POST /test/demo_form.asp HTTP/1.1 Host: w3schools.com name1=value1&name2=value2 POST requests are never cached POST requests do not remain in the browser history POST requests cannot be bookmarked POST requests have no restrictions on data length
- 9. PHP METHODS FOR POST AND GET GET - $_GET variable POST - $_POST variable $_REQUEST for both + $_COOKIE if (isset($_GET['user']) && isset($_GET['gen'])) { $user = $_GET['user']; $gen = $_GET['gen']; echo 'User: '. $user. ' - gender: '. $gen; }
- 10. AND WORDPRESS Wordpress core does not use sessions Wordpress core uses only cookies However plugins can use sessions
- 11. SECURITY INTRODUCTION Weakest part of site is entry point Write your code secure! Don’t be victim of laziness and get hacked (or put users in risk) It’s easier to protect then to heal
- 12. CROSS SITE SCRIPTING (XSS) Adding additional HTML or javascript to source of page Injectiong trough url parameters, requests or form fields Stored XSS, Reflected, DOM based
- 13. XSS PROTECTION Stripping tags Transform characters like <,>,/,’,” etc to html entities Php functions: string strip_tags ( string $str [, string $allowable_tags ] ) string htmlentities ( string $string) string htmlspecialchars( string $string)
- 14. SQL INJECTION SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution Types: Classic SQLI Blind or Inference SQL injection
- 15. SQL INJECTION EXAMPLE statement = "SELECT * FROM users WHERE name ='" + userName + "';“ Attacker input 1: ' or '1'='1 Attacker input 2: ' or '1'='1' -- ' Executed query: 1: SELECT * FROM users WHERE name = '' OR '1'='1'; 2: SELECT * FROM users WHERE name = '' OR '1'='1' -- '; Consider input: a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't
- 16. SQL INJECTION PROTECTION Filter user input Way 1: $stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?'); $stmt->bind_param('s', $name); $stmt->execute(); $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { // do something with $row } Way2: $unsafe_variable = $_POST["user-input"] ; $safe_variable = mysql_real_escape_string($unsafe_variable); mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");
- 17. SQL INJECTION WORDPRESS PROTECTION Use prepare function with parameters $wpdb->query( $wpdb->prepare( " DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s ", 13, 'gargle' ) ); Prepare function filters parameters and is safe from sql injection
- 18. SENSITIVE DATA EXPOSURE All data that are stored should be stored hased or encrypted Try to protect also transport layer (best using ssl)
- 19. CROSS SITE REQUEST FORGERY (CSRF) Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Attacker creates page that request some action that only authorized user can execute Attacker sends link of the page to the victim Victim clicks on link and execute command as authorized user
- 20. PROTECTION AGAINST CSRF Use token when sending every action Token should be created for each request or at least per session In wordpres you may use wp_nonce_field and wp_verify_nonce, wp_create_nonce <form method="post"> <!-- some inputs here ... --> <?php wp_nonce_field('name_of_my_action','name_of_nonce_field'); ?> </form>
- 21. INSECURE DIRECT OBJECT REFERENCES