PHP Security Training

Description

This workshop aims to illustrate all applicable security issues that may affect a PHP developer. It provides a number of good practices, design tips and suggestions for how existing and new applications can be enhanced to reduce the likelihood of problems, using third-party, freely available software with minimal effort. By the end of the workshop you should be able to identify all major security issues, write secure code, and know how to enhance the security of your application during design.

Experience has shown that the vast majority of flaws within PHP applications are due to implementation details. Flaws found in PHP applications are often no different to those which are in other web facing languages (for example: Ruby, Python, Java) although there are a few cases where historical releases of PHP have tried to sprinkle magic on the issue, and failed (e.g. magic quotes, safe mode and register globals).

If you’ve taught yourself PHP, or come from a desktop application development background, it can be easy to miss the essential security issues that need to be taken into consideration to ensure you produce a secure, reliable application.

Duration

One day (condensed) or Two days with practicals (recommended)

Pre-Requisites

Working knowledge of PHP (Object Orientation and database use).

Content Overview

  • Introduction
    • Does security matter?
    • Who should be responsible for Security?
    • What we can’t control (as programmers)
  • Analysis of security requirements
    • Audit Trail support
    • Authentication
    • Data mining
  • Injection attacks
    • Filter In, Escape Out
    • SQL Injection
      • What is it?
      • Techniques to try and block it (the sticky plaster approach)
      • Tools to help detect vulnerable code
      • Solutions through refactoring or design
      • Examples of vulnerable code and vulnerability testing
      • Solutions through third party software (proxies and intrusion detection software)
    • Cross-site scripting (XSS)
      • What is it?
      • Techniques to block it
      • How to solve through refactoring or design
      • Use of an IDS
      • Use of appropriate filtering/sanitisation techniques
    • Command Injection
    • Session Injection
  • Session / Cookie Hijacking
  • Session fixation
  • Cross-site request forgery (CSRF)
    • What is it?
    • How to solve through refactoring or design
  • The dangers of client side Javascript/AJAX
  • Information leakage
  • Denial of Service and Brute force attacks
    • Different types of attack
    • Resource exhaustion
    • Means of detecting and coping with them
  • HTTPS (Secure Sockets Layer)
    • Protection against cookie / session theft
    • Browser/SSL certificate authorities
  • Cryptography and protecting sensitive data
    • Best practices for storing user passwords within your application
    • How to generate/assign passwords
    • Issues around storing passwords
    • Retrieval of forgotten passwords
    • Salting
  • Privilege Escalation
  • PHP Configuration
    • Error display and logging
    • Magic Quotes and Register Globals
    • Third party add ons
  • Application configuration storage
  • How the user interface can make a difference and why browsers matter
  • Sending Email with PHP
    • Header injection
    • HTML Content/escaping
  • Practical introducing automated attack tools
  • Analysis of observed attacks with screenshots and code samples
  • O/S level issues (Buffer overflows, O/S defence, Symlink attacks, Resource exhaustion)
  • Race Conditions
    • What are they?
    • Solutions through locking (file based and semaphores)
    • Deadlock
  • Libraries are your friend
    • Introduction to the PHP Filter extension
    • Using Zend_Form to sanitise/validate form data
  • Phishing
    • What is it?
    • What you can do as a developer
    • Other solutions

Practicals

When run as a two day course, there are a number of practicals undertaken – based on use of a pre-built virtual machine image (provided). The practicals cover:

  • Installation and configuration of PHP
  • Fixing a ‘legacy’ application through use of PHP libraries
  • Introduction to third party tools for scanning/probing
  • Introduction to database firewalling as a means of applying a sticky plaster to vulnerable legacy applications or just providing security in depth
  • Web server firewalling (Apache authentication checks, mod_security, iptables, fail2ban)

Code Reviews

Delegates are encouraged to bring along their own code for review during the course.

The course includes examples and solutions of vulnerabilities and examples of secure (and insecure) code.

Contact Us

Please contact us for more information.