Introduction to PHP Security

Course description

This implementation-focused course covers the core security skills needed for the PHP platform. It provides strategies and worked examples for replacing practices in PHP that were previously insecure.

Learning objectives

  • Understand how web servers handle requests and hand them over to the PHP interpreter
  • Recognize that there is no sandbox in PHP, and know how to address the implications
  • Use configuration files to control the PHP interpreter to effectively apply the most important security controls
  • Properly plan for users and the filesystem to prevent command execution
  • Recognize that the availability of dynamic code does not mean it can be used
  • Generate strong random numbers in different versions of PHP with CSPRNG and PRNG
  • Perform checks on $_FILES server-side and client-side
  • Achieve and describe the concept of plane separation with PDO and other drivers
  • Set up a project (i.e., code, not a server) capable of customized error handling without showing verbose error information to the user

Details

Delivery Format: eLearning

Duration: 1 hour

Level: Intermediate

Intended Audience:

  • Architects
  • Back-End Developers
  • Front-End Developers
  • Enterprise Developers
  • QA Engineers

Prerequisites:

Course Outline

Web Server Configuration
  • Web Server and PHP Interpreter
  • Handlers
  • Superglobals
  • Forced Browsing
  • Forced Browsing: Storing Code Outside the Root
  • Forced Browsing: Storing Everything in the Document Root
  • Apache Caveat
  • Directory Exceptions
  • Run As Unprivileged User

PHP Configuration and Sandboxing

  • Breaking Out of the PHP Sandbox
  • OS Command Injection
  • OS Command Injection: Example
  • File System Access
  • Path Traversal
  • File System Manipulation
  • disable_functions
  • Handling Errors Safely
  • Configuring Error Reporting

PHP Command Injection

  • Dynamic Code Injection
  • eval()
  • Be Careful With Callbacks
  • Remote and Local File Inclusion
  • Injecting Code as Data
  • Template Injection
  • Serialization
  • Using extract() in Views
  • Malware Loves Dynamic Code
  • The Darker Side of Magic

Using the Right Tool for the Job

  • (CS)PRNG
  • Native PRNGs in PHP
  • Session Management
  • Is Your Server-Side Check Really Server-Side?
  • Don't Trust Your $_FILES
  • Validate Your MIME Types Correctly
  • Rename Your Uploads
  • Store Your Uploads Securely
  • Not Just $_FILES
  • TimThumb Fiasco

SQL Injection

  • SQL Injections
  • Non-Malicious Input
  • Malicious Input
  • Parameterized Queries
  • Prepared Statements
  • Other Database Engines
  • Validating Inputs

Mitigating Content Injection Attacks

  • XSS
  • Stored XSS
  • Reflected XSS
  • DOM-Based XSS
  • Separation of Concerns
  • Output Encoding
  • URL Encoding
  • How to Steal Credentials Using XSS
  • XML Injection
  • XML External Entity (XXE)
  • XML Entity Expansion (XEE)
  • PHP's XML Parsers
  • Securing XML in PHP
  • The Google Toolbar Attack
  • LDAP
  • LDAP Injection
  • Escaping LDAP User Inputs

Password Storage

  • Data Breaches
  • Password Storage and Verification
  • Simple Hash
  • Simple Attacks
  • Salted Hashes as Defense
  • Adaptive One-Way Functions
  • Selecting a One-Way Function
  • Default Behavior and Calling Conventions
  • Best Practice: Specifics of Argon2

Third-Party Components

  • Problem Definition
  • That Time Our Framework Didn't Protect Us
  • Dependency Management 101
  • To Fork or Not to Fork
  • Coordinating Release
  • Provenance and Distribution Integrity
  • Cautionary Tale: left-pad
  • Composer
  • Composer Risks
  • PHP's Native Extensions
  • Risks of Native Extensions
  • Bottom Line
  • Open Source Is More Secure, Right?

Requests and Responses

  • Requests and Responses
  • What Triggers the Output?
  • Responses and Structure
  • Gotta Catch-All!
  • Error Reporting Question
  • Output Buffering
  • Bear Traps Included!
  • Redirection
  • Authenticating Requests
  • CSRF Tokens
