Security Bootcamp 2013 - Lap trinh web an toan
1 like1,323 views
This document summarizes various web coding security vulnerabilities including SQL injection, cross-site scripting (XSS), and file uploads. For SQL injection, it provides examples of vulnerable code and discusses preventing vulnerabilities using prepared statements. For XSS, it discusses persistent and non-persistent types and provides examples of vulnerable code and prevention through input validation and output encoding. For file uploads, it provides examples of vulnerable upload code and discusses prevention by storing files outside the web root and using system-generated filenames.
![– Bad code 1:
if(isset($_POST['user']) && isset($_POST['password']))
{
$u = $_POST['user'];
$p = $_POST['password'];
$u = preg_replace('/union|select|from|where|and|or/i','',$u);
$p = preg_replace('/union|select|from|where|and|or/i','',$p);
$q = mysql_query("select * from user where username='$u' and
password='$p'");
if($r=mysql_fetch_assoc($q))
{
echo "<br>Log in successfully !";
echo "<br>Hello $r[username]";
}
else
echo "<br>Invalid login !";
}](https://image.slidesharecdn.com/scb2013-laptrinhwebantoan-131028232819-phpapp01/85/Security-Bootcamp-2013-Lap-trinh-web-an-toan-8-320.jpg)
![– Bad code 2:
if(isset($_POST['user']) && isset($_POST['password']))
{
$u = $_POST['user'];
$p = $_POST['password'];
$u = preg_replace(“/’/i”,””,$u);
$p = preg_replace(“/’/i”,””,$p);
$q = mysql_query("select * from user where username='$u' and
password='$p'");
if($r=mysql_fetch_assoc($q))
{
echo "<br>Log in successfully !";
echo "<br>Hello $r[username]";
}
else
echo "<br>Invalid login !";
}](https://image.slidesharecdn.com/scb2013-laptrinhwebantoan-131028232819-phpapp01/85/Security-Bootcamp-2013-Lap-trinh-web-an-toan-9-320.jpg)
![– Bad code 3:
if(isset($_GET['id']))
{
$id = $_GET['id'];
$id = mysql_real_escape_string($id);
$q = mysql_query("select * from user where id=$id");
if($r=mysql_fetch_assoc($q))
{
echo "<br>Profile: $r[username]";
echo "<br>Age: $r[Age]";
echo "<br>Phone: $r[Phone]";
echo "<br>Mail: $r[Mail]";
echo "<br>Address: $r[Address]";
}
else
echo "<br>Invalid id !";
}](https://image.slidesharecdn.com/scb2013-laptrinhwebantoan-131028232819-phpapp01/85/Security-Bootcamp-2013-Lap-trinh-web-an-toan-10-320.jpg)
![– Bad code 4:
if(isset($_POST['user']) && isset($_POST['password']))
{
$u = mysql_real_escape_string($_POST['user']);
$p = mysql_real_escape_string($_POST['password']);
$p = hash("whirlpool", $p, true);
$q = mysql_query("select * from user where username='$u' and password='$p'");
if($r=mysql_fetch_assoc($q))
{
echo "<br>Log in successfully !";
echo "<br>Hello $r[username]";
}
else
Echo "<br>Invalid login !";
}](https://image.slidesharecdn.com/scb2013-laptrinhwebantoan-131028232819-phpapp01/85/Security-Bootcamp-2013-Lap-trinh-web-an-toan-11-320.jpg)
![if(isset($_POST['user']) && isset($_POST['password']))
{
$u = $_POST['user'];
$p = $_POST['password'];
$q = $sql->prepare("select * from user where username=? and password=?");
$q->bind_param("ss", $u, $p);
$q->execute();
$res = $q->get_result();
if($r=$res->fetch_assoc())
{
echo "<br>Log in successfully !";
echo "<br>Hello $r[username]";
}
else
echo "<br>Invalid login !";
$q->close();
}](https://image.slidesharecdn.com/scb2013-laptrinhwebantoan-131028232819-phpapp01/85/Security-Bootcamp-2013-Lap-trinh-web-an-toan-13-320.jpg)
![• Bad codes
– Bad code 1:
if (isset($_GET['color']))
{
$color = $_GET['color'];
$color = htmlspecialchars($color);
echo "<body bgcolor='". $color."'></body>";
}](https://image.slidesharecdn.com/scb2013-laptrinhwebantoan-131028232819-phpapp01/85/Security-Bootcamp-2013-Lap-trinh-web-an-toan-21-320.jpg)
![– Bad code 2:
if (isset($_GET['color']))
{
$color = $_GET['color'];
$color = htmlspecialchars($color, ENT_QUOTES);
echo "<body bgcolor=$color></body>";
}](https://image.slidesharecdn.com/scb2013-laptrinhwebantoan-131028232819-phpapp01/85/Security-Bootcamp-2013-Lap-trinh-web-an-toan-22-320.jpg)
![• Bad codes
– Bad code 1:
if (isset($_POST['submit']))
{
if($_FILES['userfile']['type'] != "image/gif")
{
echo "Sorry, we only allow uploading GIF images";
exit;
}
$uploaddir = 'uploads/';
$uploadfile= $uploaddir.basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile))
echo "File is valid, and was successfully uploaded.n";
else
echo "File uploading failed.n";
}](https://image.slidesharecdn.com/scb2013-laptrinhwebantoan-131028232819-phpapp01/85/Security-Bootcamp-2013-Lap-trinh-web-an-toan-30-320.jpg)
![– Bad code 2:
if (isset($_POST['submit']))
{
$imageinfo = getimagesize($_FILES['userfile']['tmp_name']);
if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg')
{
echo "Sorry, we only accept GIF and JPEG imagesn";
exit;
}
$uploaddir = 'uploads/';
$uploadfile= $uploaddir.basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile))
echo "File is valid, and was successfully uploaded.n";
else
echo "File uploading failed.n";
}](https://image.slidesharecdn.com/scb2013-laptrinhwebantoan-131028232819-phpapp01/85/Security-Bootcamp-2013-Lap-trinh-web-an-toan-31-320.jpg)
![– Bad code 3:
if (isset($_POST['submit']))
{
$uploaddir = ‘D:/uploads/';
$uploadfile= $uploaddir.basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile))
{
echo "File is valid, and was successfully uploaded.n";
echo "<IMG SRC='" . $uploadfile . "'>";
}
else
echo "File uploading failed.n";
}](https://image.slidesharecdn.com/scb2013-laptrinhwebantoan-131028232819-phpapp01/85/Security-Bootcamp-2013-Lap-trinh-web-an-toan-32-320.jpg)
![if (isset($_POST['submit']))
{
$uploaddir = ‘D:/uploads/';
$new_file_name = rand(1,1000);
$uploadfile = $uploaddir . $new_file_name;
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile))
{
echo "File is valid, and was successfully uploaded.n";
echo "<IMG SRC='" . $uploadfile . "'>";
}
else
echo "File uploading failed.n";
}](https://image.slidesharecdn.com/scb2013-laptrinhwebantoan-131028232819-phpapp01/85/Security-Bootcamp-2013-Lap-trinh-web-an-toan-34-320.jpg)
Security Bootcamp 2013 - Lap trinh web an toan
- 1. web coding security Huỳnh Hải Âu Công ty ISePRO
- 2. Đơn vị tổ chức: Đơn vị tài trợ:
- 3. Contents • SQL Injection • XSS • File upload
- 4. SQL Injection • Introduction • Bad codes • Preventing solutions
- 7. • Types: 3 types – Union base • Inject a union query to extract data from database – Error base • Inject SQL characters, queries to make the application query fail and raise errors • Use sql errors to extract data from database – Blind SQLi • Inject sql characters to ask the database true or false questions and determines the answer based on the applications response
- 8. – Bad code 1: if(isset($_POST['user']) && isset($_POST['password'])) { $u = $_POST['user']; $p = $_POST['password']; $u = preg_replace('/union|select|from|where|and|or/i','',$u); $p = preg_replace('/union|select|from|where|and|or/i','',$p); $q = mysql_query("select * from user where username='$u' and password='$p'"); if($r=mysql_fetch_assoc($q)) { echo "<br>Log in successfully !"; echo "<br>Hello $r[username]"; } else echo "<br>Invalid login !"; }
- 9. – Bad code 2: if(isset($_POST['user']) && isset($_POST['password'])) { $u = $_POST['user']; $p = $_POST['password']; $u = preg_replace(“/’/i”,””,$u); $p = preg_replace(“/’/i”,””,$p); $q = mysql_query("select * from user where username='$u' and password='$p'"); if($r=mysql_fetch_assoc($q)) { echo "<br>Log in successfully !"; echo "<br>Hello $r[username]"; } else echo "<br>Invalid login !"; }
- 10. – Bad code 3: if(isset($_GET['id'])) { $id = $_GET['id']; $id = mysql_real_escape_string($id); $q = mysql_query("select * from user where id=$id"); if($r=mysql_fetch_assoc($q)) { echo "<br>Profile: $r[username]"; echo "<br>Age: $r[Age]"; echo "<br>Phone: $r[Phone]"; echo "<br>Mail: $r[Mail]"; echo "<br>Address: $r[Address]"; } else echo "<br>Invalid id !"; }
- 11. – Bad code 4: if(isset($_POST['user']) && isset($_POST['password'])) { $u = mysql_real_escape_string($_POST['user']); $p = mysql_real_escape_string($_POST['password']); $p = hash("whirlpool", $p, true); $q = mysql_query("select * from user where username='$u' and password='$p'"); if($r=mysql_fetch_assoc($q)) { echo "<br>Log in successfully !"; echo "<br>Hello $r[username]"; } else Echo "<br>Invalid login !"; }
- 12. • Preventing solutions: – Prepare statement • aka parameterized statement • Template of sql query structure – INSERT INTO PRODUCT (name, price) VALUES (?, ?) • Separation of control flow & data flow
- 13. if(isset($_POST['user']) && isset($_POST['password'])) { $u = $_POST['user']; $p = $_POST['password']; $q = $sql->prepare("select * from user where username=? and password=?"); $q->bind_param("ss", $u, $p); $q->execute(); $res = $q->get_result(); if($r=$res->fetch_assoc()) { echo "<br>Log in successfully !"; echo "<br>Hello $r[username]"; } else echo "<br>Invalid login !"; $q->close(); }
- 14. Cross Site Scripting (XSS) • Introduction • Bad codes • Preventing solutions
- 19. • Non-Persistent: In this type of XSS vulnerability an attacker is able to execute his own code into a webpage but no changes can be done in that website.
- 20. • Persistent: In this case attacker stores his executable script in the vulnerable website database which is being executed every time webpage is showing the data. • Common targets are: – – – – Comments Chat messages E-mail messages Wall posts, etc.
- 21. • Bad codes – Bad code 1: if (isset($_GET['color'])) { $color = $_GET['color']; $color = htmlspecialchars($color); echo "<body bgcolor='". $color."'></body>"; }
- 22. – Bad code 2: if (isset($_GET['color'])) { $color = $_GET['color']; $color = htmlspecialchars($color, ENT_QUOTES); echo "<body bgcolor=$color></body>"; }
- 23. • Preventing solutions: – Input validation – Output encoding
- 24. • Input validation – whitelist of acceptable inputs – Consider potential input properties: length, type, range of acceptable values, syntax
- 25. function validate($input) { if(!is_string($input)) die(“input must be string !”); if(strlen($input) > 10) die(“input length must lower than 10”); if(!pregmatch(“/^city/”,$input)) die(“input must begin with city word”); $whitelist={“red”, “green”, “blue”}; if(!in_array($input, $whitelist)) die(“bad input”); }
- 26. • Output encoding – Sanitizing all values before outputing to browser – Output encoding functions: • htmlentities: convert all applicable characters to HTML entities
- 27. function encoding($output) { return htmlenties($output); } $safe_value = encoding($value); echo $safe_value;
- 28. File Upload Attack • Introduction • Bad codes • Preventing solutions
- 29. • Allow attacker to upload malicious files to server • Most of time, it’s web shell to take control over web server • Risk: – – – – – – Web-shell upload Website deface XSS Phishing Malware upload …
- 30. • Bad codes – Bad code 1: if (isset($_POST['submit'])) { if($_FILES['userfile']['type'] != "image/gif") { echo "Sorry, we only allow uploading GIF images"; exit; } $uploaddir = 'uploads/'; $uploadfile= $uploaddir.basename($_FILES['userfile']['name']); if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) echo "File is valid, and was successfully uploaded.n"; else echo "File uploading failed.n"; }
- 31. – Bad code 2: if (isset($_POST['submit'])) { $imageinfo = getimagesize($_FILES['userfile']['tmp_name']); if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg') { echo "Sorry, we only accept GIF and JPEG imagesn"; exit; } $uploaddir = 'uploads/'; $uploadfile= $uploaddir.basename($_FILES['userfile']['name']); if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) echo "File is valid, and was successfully uploaded.n"; else echo "File uploading failed.n"; }
- 32. – Bad code 3: if (isset($_POST['submit'])) { $uploaddir = ‘D:/uploads/'; $uploadfile= $uploaddir.basename($_FILES['userfile']['name']); if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { echo "File is valid, and was successfully uploaded.n"; echo "<IMG SRC='" . $uploadfile . "'>"; } else echo "File uploading failed.n"; }
- 33. • Preventing solutions – Keep uploaded files where they cannot be directly accessed by the users via a direct URL • Outside of webroot • Or configure web server to deny access to upload directory – Use system-generated file names instead of the names supplied by users when storing files
- 34. if (isset($_POST['submit'])) { $uploaddir = ‘D:/uploads/'; $new_file_name = rand(1,1000); $uploadfile = $uploaddir . $new_file_name; if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { echo "File is valid, and was successfully uploaded.n"; echo "<IMG SRC='" . $uploadfile . "'>"; } else echo "File uploading failed.n"; }
- 35. The end Thank you !