Website Security
Download as PPTX, PDF0 likes1,473 views
The document discusses various internet security threats, emphasizing the importance of filtering input and escaping output to protect web applications. It outlines different attack vectors such as XSS, CSRF, and SQL injection, along with strategies for their mitigation. Key recommendations include using whitelist filtering for input control and PHP functions like htmlspecialchars() for securely escaping output.
![FILTER INPUT CONT’D
$clean = array();
if (ctype_alpha($_POST[’username’]))
{
$clean[’username’] = $_POST[’username’];
}
if (ctype_alnum($_POST[’password’]))
{
$clean[’password’] = $_POST[’password’];
}
$colors = array(’Red’, ’Blue’, ’Yellow’, ’Green’);
if (in_array($_POST[’color’], $colors))
{
$clean[’color’] = $_POST[’color’];
}
CPTR304: INTERNET AUTHORING
6](https://image.slidesharecdn.com/website-20security-140309233633-phpapp02/85/Website-Security-6-320.jpg)
![$html = array();
$html[’message’] = htmlentities($user_message,
ENT_QUOTES, ’UTF-8’);
echo $html[’message’];
CPTR304: INTERNET AUTHORING
10](https://image.slidesharecdn.com/website-20security-140309233633-phpapp02/85/Website-Security-10-320.jpg)
Website Security
- 1. SECURITY CPTR304: INTERNET AUTHORING HENRY OSBORNE
- 2. This presentation examines some attack vectors and highlights means to mitigate and even eliminate most attacks. CPTR304: INTERNET AUTHORING 2
- 3. ALL INPUT IS TAINTED As a general rule of thumb, the data in all of PHP’s superglobals arrays should be considered tainted. $_SERVER array is not fully safe, because it contains some data provided by the client. Before processing tainted data, it is important to filter it Two approaches to filtering data: The whitelist approach The blacklist approach. CPTR304: INTERNET AUTHORING 3
- 4. WHITELIST VS BLACKLIST FILTERING The blacklist approach is the less restrictive form of filtering that assumes the programmer knows everything that should not be allowed to pass through. Whitelist filtering is much more restrictive, yet it affords the programmer the ability to accept only the input he expects to receive. CPTR304: INTERNET AUTHORING 4
- 5. FILTER INPUT <form method="POST"> Username: <input type="text" name="username" /><br/> Password: <input type="text" name="password" /><br/> Favorite color: <select name="color"> <option>Red</option> <option>Blue</option> <option>Yellow</option> <option>Green</option> </select><br/> <input type="submit" /> </form> CPTR304: INTERNET AUTHORING 5
- 6. FILTER INPUT CONT’D $clean = array(); if (ctype_alpha($_POST[’username’])) { $clean[’username’] = $_POST[’username’]; } if (ctype_alnum($_POST[’password’])) { $clean[’password’] = $_POST[’password’]; } $colors = array(’Red’, ’Blue’, ’Yellow’, ’Green’); if (in_array($_POST[’color’], $colors)) { $clean[’color’] = $_POST[’color’]; } CPTR304: INTERNET AUTHORING 6
- 7. FILTER INPUT CONT’D Filtering with a whitelist approach places the control firmly in your hands and ensures that your application will not receive bad data. CPTR304: INTERNET AUTHORING 7
- 8. ESCAPE OUTPUT Output is anything that leaves your application, bound for a client. The client, in this case, is anything from a Web browser to a database server, and just as you should filter all incoming data, you should escape all outbound data. Whereas filtering input protects your application from bad or harmful data, escaping output protects the client and user from potentially damaging commands. CPTR304: INTERNET AUTHORING 8
- 9. ESCAPE OUTPUT CONT’D To escape output intended for a Web browser, PHP provides htmlspecialchars() and htmlentities(), the latter being the most exhaustive and, therefore, recommended function for escaping. CPTR304: INTERNET AUTHORING 9
- 10. $html = array(); $html[’message’] = htmlentities($user_message, ENT_QUOTES, ’UTF-8’); echo $html[’message’]; CPTR304: INTERNET AUTHORING 10
- 11. WEBSITE SECURITY CPTR304: INTERNET AUTHORING 11
- 12. SPOOFED FORMS A common method used by attackers is a spoofed form submission. There are various ways to spoof forms, the easiest of which is to simply copy a target form and execute it from a different location. Spoofing a form makes it possible for an attacker to remove all client-side restrictions imposed upon the form in order to submit any and all manner of data to your application. CPTR304: INTERNET AUTHORING 12
- 13. CROSS-SITE SCRIPTING (XSS) One of the most common and best known kinds of attacks. An XSS attack exploits the user’s trust in the application and is usually an effort to steal user information, such as cookies and other personally identifiable data. All applications that display input are at risk. CPTR304: INTERNET AUTHORING 13
- 14. CROSS-SITE REQUEST FORGERIES (CSRF) An attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf. CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data. CPTR304: INTERNET AUTHORING 14
- 15. DATABASE SECURITY CPTR304: INTERNET AUTHORING 15
- 16. SQL INJECTION A technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable ones, or even to execute dangerous system level commands on the database host. CPTR304: INTERNET AUTHORING 16
- 17. SESSION SECURITY CPTR304: INTERNET AUTHORING 17
- 18. SESSION FIXATION Manually setting the session identifier through the query string, forcing the use of a particular session. This is most commonly achieved by creating a link to your application and appending the session identifier that the attacker wishes to give any user clicking the link. <a href="http://example.org/index.php?PHPSESSID=1234">Click here</a> CPTR304: INTERNET AUTHORING 18
- 19. SESSION HIJACKING Any means by which an attacker gains a user’s valid session identifier (rather than providing one of his own). CPTR304: INTERNET AUTHORING 19
- 20. FILE SYSTEM SECURITY CPTR304: INTERNET AUTHORING 20
- 21. REMOTE CODE INJECTION A remote code injection attack occurs when an attacker is able to cause your application to execute PHP code of their choosing. CPTR304: INTERNET AUTHORING 21
- 22. COMMAND INJECTION The injection and execution of arbitrary system commands. exec(), system() and passthru() functions CPTR304: INTERNET AUTHORING 22
- 23. Despite the many ways your applications can be attacked, four simple words can sum up most solutions to Web application security problems (though not all): filter input, escape output. CPTR304: INTERNET AUTHORING 23
Editor's Notes
- #4: $_SERVER is an array containing information such as headers, paths, and script locations. The entries in this array are created by the web server.
- #6: This form contains three input elements: username, password, and colour. For this example, username should contain only alphabetic characters, password should contain only alphanumeric characters, and colour should contain any of “Red,” “Blue,” “Yellow,” or “Green.”It is possible to implement some client-side validation code using JavaScript to enforce these rules, but it is not always possible to force users to use only your form and, thus, your client-side rules. Therefore, server-side filtering is important for security, while client-side validation is important for usability.
- #7: To filter the input received with this form, start by initializing a blank array. It is important to use a name that sets this array apart as containing only filtered data; this example uses the name $clean. Later in your code, when encountering the variable $clean[’username’], you can be certain that this value has been filtered. If, however,you see $_POST[’username’] used, you cannot be certain that the data is trustworthy. Thus, discard the variable and use the one from the $clean array instead.ctype_alnum — Check for alphanumeric character(s)ctype_alpha — Check for alphabetic character(s)in_array — Checks if a value exists in an array
- #8: If, for example, someone tries to pass a username or color that is not allowed to the processing script, the worst that can happen is that the $clean array will not contain a value for username or color. If username is required, then simply display an error message to the user and ask them to provide correct data. You should force the user to provide correct information rather than trying to clean and sanitize it on your own. If you attempt to sanitize the data, you may end up with bad data, and you’ll run into the same problems that result with the use of blacklists.
- #9: Escaping output should not be regarded as part of the filtering process, however. These two steps, while equally important, serve distinct and different purposes. Filtering ensures the validity of data coming into the application; escaping protects you and your users from potentially harmful attacks.Output must be escaped because clients—Web browsers, database servers, and so on—often take action when encountering special characters. For Web browsers, these special characters form HTML tags; for database servers, they may include quotation marks and SQL keywords. Therefore, it is necessary to know the intended destination of output and to escape accordingly.Escaping output intended for a database will not suffice when sending that same output to a Web browser—data must be escaped according to its destination.
- #11: ENT_QUOTES - Will convert both double and single quotes.
- #12: Website security refers to the security of the elements of a website through which an attacker can interface with your application. These vulnerable points of entry include forms and URLs, which are the most likely and easiest candidates for a potential attack.
- #14: An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.
- #15: Whereas an XSS attack exploits the user’s trust in an application, a forged request exploits an application’s trust in a user, since the request appears to be legitimate and it is difficult for the application to determine whether the user intended for it to take place.
- #16: Databases are cardinal components of any web based application by enabling websites to provide varying dynamic content. Since very sensitive or secret information can be stored in a database, you should strongly consider protecting your databases.To retrieve or to store any information you need to connect to the database, send a legitimate query, fetch the result, and close the connection.
- #17: Many web developers are unaware of how SQL queries can be tampered with, and assume that an SQL query is a trusted command. It means that SQL queries are able to circumvent access controls, thereby bypassing standard authentication and authorization checks, and sometimes SQL queries even may allow access to host operating system level commands.http://www.php.net/manual/en/security.database.sql-injection.php
- #19: While the user accesses your site through this session, they may provide sensitive information or even login credentials. If the user logs in while using the provided session identifier, the attacker may be able to “ride” on the same session and gain access to the user’s account. This is why session fixation is sometimes referred to as “session riding.”Since the purpose of the attack is to gain a higher level of privilege, the points at which the attack should be blocked are clear: every time a user’s access level changes, it is necessary to regenerate the session identifier. PHP makes this a simple task with session_regenerate_id().
- #21: PHP is subject to the security built into most server systems with respect to permissions on a file and directory basis. This allows you to control which files in the filesystem may be read. Care should be taken with any files which are world readable to ensure that they are safe for reading by all users who have access to that filesystem.Since PHP was designed to allow user level access to the filesystem, it's entirely possible to write a PHP script that will allow you to read system files such as /etc/passwd, modify your ethernet connections, send massive printer jobs out, etc. This has some obvious implications, in that you need to ensure that the files that you read from and write to are the appropriate ones.