securing php
play

Securing PHP Survey of the solutions Stanislav Malyshev - PowerPoint PPT Presentation

May 18, 2023 •25 likes •135 views

Securing PHP Survey of the solutions Stanislav Malyshev stas@zend.com Most code is extremely buggy Can we help? Input filtering Unauthorized code (remote include) Unauthorized DB access (SQL Injection) Client subversion (XSS,

  1. Securing PHP Survey of the solutions Stanislav Malyshev stas@zend.com

  2. Most code is extremely buggy… Can we help?

  3. Input filtering • Unauthorized code (remote include) • Unauthorized DB access (SQL Injection) • Client subversion (XSS, XSRF)

  4. Let’s protect all data Magic quotes: ☺ a.php?data=1’2 -> $data == “1\’2” can be inside quotes � Optional � No support for context

  5. Let’s restrict the user Safe mode: ☺ Allow access only to own files ☺ Allow only “safe” actions � No OS support � Too many modules not controlled � Too hard to find out all “unsafe” ones and not kill apps

  6. Let’s filter ☺ $var = filter_input(INPUT_GET, 'var'); ☺ Standard filters for standard use-cases � No time machine � Voluntary

  7. Let’s watch the data Data tainting ☺ No unfiltered data in sensitive contexts � How do I know the filtering was right? � Complex implementation – contexts � Performance

  8. Static vs. Dynamic Static Dynamic ☺ Can be as slow as it ☺ Real code, real data needs to ☺ Can prevent attack ☺ False positive OK ☺ External engine � $$foo = $$bar � Need for speed � $foo->$bar($baz) � Engine modification � eval($foo.$bar) � Breaks applications

  9. Let’s watch the data - II CSSE ☺ Track each character of data ☺ Ensure the data is safely � Safety is context-dependant � Modification for all operations � Performance?

  10. Let’s watch the input & learn Runtime detection ☺ No need to study application ☺ No need to study context � Complex heuristics � Needs data collection

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT is a system of systems, with A great deal of heterogeneity (sensing, computation, communication, energy) New types of devices appearing all

1.35k views • 65 slides
Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

www.securing.pl Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl @_r3ggi wojciech.regula@securing.pl www.securing.pl www.securing.pl WHOAMI -Senior IT Security Consultant @ SecuRing -Focused on

998 views • 67 slides
SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web based Centrally Administrated Divisionally managed Consistent content Central reporting Ability to add custom content (Policy's)

761 views • 10 slides
Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses

Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses

Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses in Arizona Arizona L. William Staudenmaier One Arizona Center 400 East Van Buren Street, Suite 1900 Phoenix, Arizona 85004 2202 602.382.6000 |

574 views • 32 slides
Securing a future for our horses. Securing a future for our sport. TABLE OF CONTENTS

Securing a future for our horses. Securing a future for our sport. TABLE OF CONTENTS

Securing a future for our horses. Securing a future for our sport. TABLE OF CONTENTS Industry-United Initiative ............................................ 2 The TAA Difference .................................................... 3 Life After

466 views • 19 slides
Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton

Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton

Jobtalk Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton University Based on work with: Based on work with: Boaz Barak, Shai Halevi, Aaron Jaggard, Vijay Ramachandran, Jennifer Rexford, Eran

1.12k views • 42 slides
Securing home Wi-Fi with WPA3 personal Raoul Dijksman and Erik Lamers Securing home Wi-Fi with

Securing home Wi-Fi with WPA3 personal Raoul Dijksman and Erik Lamers Securing home Wi-Fi with

Securing home Wi-Fi with WPA3 personal Raoul Dijksman and Erik Lamers Securing home Wi-Fi with WPA3 personal Making Wi-Fi great again With security this time, right? Securing home Wi-Fi with WPA3 personal - July 3 rd 2020 2 Why is WPA3

853 views • 28 slides
Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network The operating system The web server ( Apache for instance) The administration server ( SSH for instance) The database ( Oracle for instance)

1.37k views • 61 slides
SECURING DONATIONS SECURING DONATIONS nonprofit.212mediastudios.com | 574.269.0720 |

SECURING DONATIONS SECURING DONATIONS nonprofit.212mediastudios.com | 574.269.0720 |

NON-PROFIT PRESENTATION TIPS FOR NON-PROFIT PRESENTATION TIPS FOR SECURING DONATIONS SECURING DONATIONS nonprofit.212mediastudios.com | 574.269.0720 | info@212mediastudios.com Having an efgective communication strategy is the fjrst step for your

116 views • 9 slides
Getting Acquainted W ith Zoom Outline Securing Your Computer Your Invitation The

Getting Acquainted W ith Zoom Outline Securing Your Computer Your Invitation The

Getting Acquainted W ith Zoom Outline Securing Your Computer Your Invitation The Waiting Room Working with Audio Working with Video Using the Tool Tray Chat In the Meeting When Things Go Wrong 2 Securing Your

325 views • 14 slides
Securing Home Networks Securing Home Networks protocols protocols A SWN04 A SWN04 K.

Securing Home Networks Securing Home Networks protocols protocols A SWN04 A SWN04 K.

Securing Home Networks Securing Home Networks protocols protocols A SWN04 A SWN04 K. MASMOUDI, K. MASMOUDI, H. AFIFI H. AFIFI Boston, 08/2004 6 th PCRD Integrated Project Goal : provide secure communication

450 views • 22 slides
LOCATION PRIVACY Marc Langheinrich University of Lugano (USI), Switzerland Securing a Mobile

LOCATION PRIVACY Marc Langheinrich University of Lugano (USI), Switzerland Securing a Mobile

LOCATION PRIVACY Marc Langheinrich University of Lugano (USI), Switzerland Securing a Mobile Phone Securing a Mobile Phone Securing a Mobile Phone Securing a Mobile Phone Can We Have it Both Ways? Safe Secure Privacy-friendly

892 views • 62 slides
Securing IoT with a hardware Secure Element Marc Renaudin - Serge Maginot - TIEMPO CONFIDENTIAL

Securing IoT with a hardware Secure Element Marc Renaudin - Serge Maginot - TIEMPO CONFIDENTIAL

Securing IoT with a hardware Secure Element Marc Renaudin - Serge Maginot - TIEMPO CONFIDENTIAL TIEMPO S.A.S. December 3, 2019 1 Outline Connected Objects Securing IoT with a hardware Secure Element Introduction Securing Treats

537 views • 10 slides
Securing RFID with Ultra-wideband Modulation Pengyuan Yu, Patrick Schaumont and Dong Ha

Securing RFID with Ultra-wideband Modulation Pengyuan Yu, Patrick Schaumont and Dong Ha

Securing RFID with Ultra-wideband Modulation Pengyuan Yu, Patrick Schaumont and Dong Ha Presented By: Eric Simpson Summary Traditional Secure Communications Securing the physical layer with UWB TH-PPM RFID digital baseband

386 views • 19 slides
- Securing Santas Sleigh - INET XMAS Presentation 2018 by Timo Hckel - Securing Santas

- Securing Santas Sleigh - INET XMAS Presentation 2018 by Timo Hckel - Securing Santas

- Securing Santas Sleigh - INET XMAS Presentation 2018 by Timo Hckel - Securing Santas Sleigh - INET XMAS Presentation 2018 by Timo Hckel Overview 1. Automotive Networks 2. SecVI Research Project 3. Software-Defined Networking

344 views • 31 slides
WHAT? DAMAGE TO THE CARGO The safe stowage and securing of cargoes depend on proper planning,

WHAT? DAMAGE TO THE CARGO The safe stowage and securing of cargoes depend on proper planning,

WHAT? DAMAGE TO THE CARGO The safe stowage and securing of cargoes depend on proper planning, execution and supervision. Personnel commissioned to tasks of cargo stowage and securing should be properly qualified and experienced. Monday, January

116 views • 7 slides
CS 377 MySQL/PHP Tutorial Connect from PHP Scripts MySQL is currently the most popular open source

CS 377 MySQL/PHP Tutorial Connect from PHP Scripts MySQL is currently the most popular open source

CS 377 MySQL/PHP Tutorial Connect from PHP Scripts MySQL is currently the most popular open source database server in existence. On top of that, it is very commonly used in conjunction with PHP scripts to create powerful and dynamic server-side

92 views • 5 slides
<? <?php php $ret = $ret = foo foo($a ($a); ); // C++ // C++ Variant v_ret Variant

<? <?php php $ret = $ret = foo foo($a ($a); ); // C++ // C++ Variant v_ret Variant

<? <?php php $ret = $ret = foo foo($a ($a); ); // C++ // C++ Variant v_ret Variant v_ret; ; Variant Variant v_a v_a; ; v_ret v_ret = = f_foo f_foo(v_a (v_a); ); Facebook 2010 (confidential) <?php <?

287 views • 12 slides
Introduction R-php is an open-source project for the realization of a web-oriented statistical

Introduction R-php is an open-source project for the realization of a web-oriented statistical

Introduction Introduction R-php modules Main features of R-php Main features of R-php Software needed to install R-php Introduction R-php is an open-source project for the realization of a web-oriented statistical software. Using R via PHP:

205 views • 7 slides
CSE 154 LECTURE 15: MORE PHP Arrays $name = array(); # create $name =

CSE 154 LECTURE 15: MORE PHP Arrays $name = array(); # create $name =

CSE 154 LECTURE 15: MORE PHP Arrays $name = array(); # create $name = array(value0, value1, ..., valueN); $name[index] # get element value $name[index] = value; # set element

484 views • 25 slides
Web Security Part 2 CS642: Computer Security Professor

Web Security Part 2 CS642: Computer Security Professor

Web Security Part 2 CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu Liberal borrowing from

827 views • 39 slides
PHP Dr. Steven Bitner Your UMKC PHP account http://kc-sce-sphp01.kc.umkc.edu/~SSO SSO is

PHP Dr. Steven Bitner Your UMKC PHP account http://kc-sce-sphp01.kc.umkc.edu/~SSO SSO is

PHP Dr. Steven Bitner Your UMKC PHP account http://kc-sce-sphp01.kc.umkc.edu/~SSO SSO is your UMKC username, e.g. bitners Use an SSH program such as PuTTY to create code Alternatively, you can write code on your local machine and

630 views • 17 slides
Databases and PHP Accessing databases from PHP PHP & Databases l PHP can connect to

Databases and PHP Accessing databases from PHP PHP & Databases l PHP can connect to

Databases and PHP Accessing databases from PHP PHP & Databases l PHP can connect to virtually any database l There are specific functions built-into PHP to connect with some DB l There is also generic ODBC functions that will work with many

868 views • 28 slides
Be a Bold Coder Beth Tucker Long @e3betht Who am I?

Be a Bold Coder Beth Tucker Long @e3betht Who am I?

Be a Bold Coder Beth Tucker Long @e3betht Who am I? Beth Tucker Long (@e3betht) PHP Developer at Code Climate Stay-at-home

599 views • 56 slides

More recommend