PHP Security at OSCON
by Chris Shiflett
I will be giving three talks at OSCON this year: two sessions and a tutorial.
They're all focused on PHP security in one way or another, and I'm very happy
that O'Reilly is giving this topic so much attention. I'm including the descriptions
below, although the exact outline of the tutorial (PHP Security) is
subject to change.
Securing PHP Sessions
PHP's native session mechanism provides Web developers with all the tools
they need to create stateful PHP applications. In this talk, I will
explain how to take this one step further and secure your sessions to help
complicate impersonation as well as defend against various types of attacks.
By taking a detailed look at the HTTP transactions that take place as
users interact with a Web application, you will gain important insight into
the challenge of maintaining state. You will learn how to identify patterns
in a Web browser's requests to create a virtual fingerprint as well as how
to leverage multiple identifiers.
Beginning with the most basic example of implementing sessions with PHP,
you are shown exactly what is required to impersonate a user. This basic
example is strengthened as the talk continues by introducing a few different
techniques. As each technique is introduced and explained, the resulting
user experience is contrasted with a sample attack required to
impersonate the user. By the end, you should have a much clearer
understanding of sessions and walk away with some useful techniques that you can
implement in your own applications.
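As an added illustration of the two ideas named in that abstract (a request fingerprint and a second identifier alongside the session ID), here is a small PHP helper. It is example code written for this page, not material from the talk or from the author's book, and the function names, the constant SESSION_FINGERPRINT_SECRET and the cookie name auth_token are assumptions chosen for the illustration.

```php
<?php
// Added example, not from the talk or the author's book. Hardens a PHP session
// with (1) an HMAC fingerprint of stable request headers and (2) a second
// identifier carried in its own cookie. All names here are assumptions.

// Server-side secret so that knowing the victim's User-Agent is not enough to
// reproduce the fingerprint. Constructed placeholder; load from config in practice.
const SESSION_FINGERPRINT_SECRET = 'replace-with-a-random-secret';

// Fingerprint built from headers that stay constant across a browser's requests.
// The client IP is deliberately left out: proxies and mobile networks rotate it,
// which would log legitimate users out.
function session_fingerprint(array $server): string
{
    $ua     = $server['HTTP_USER_AGENT'] ?? '';
    $accept = $server['HTTP_ACCEPT_LANGUAGE'] ?? '';
    return hash_hmac('sha256', $ua . "\n" . $accept, SESSION_FINGERPRINT_SECRET);
}

// Call instead of session_start() at the top of every page.
function session_guard_start(): void
{
    // Session cookie unreadable from JavaScript and only sent over HTTPS.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
    session_start();

    $fingerprint = session_fingerprint($_SERVER);

    if (isset($_SESSION['fingerprint'], $_SESSION['auth_token'])) {
        $cookieToken   = $_COOKIE['auth_token'] ?? '';
        $fingerprintOk = hash_equals($_SESSION['fingerprint'], $fingerprint);
        $tokenOk       = is_string($cookieToken)
                      && hash_equals($_SESSION['auth_token'], $cookieToken);
        if ($fingerprintOk && $tokenOk) {
            return; // both identifiers agree; the session continues
        }
        // Mismatch: a session ID presented without its companion identifiers.
        // Log which check failed (useful for detection), then discard the state.
        error_log('session guard: ' . ($fingerprintOk ? 'token' : 'fingerprint') . ' mismatch');
        $_SESSION = [];
        session_regenerate_id(true);
    }

    // New or reset session: record the fingerprint and issue the second
    // identifier. A stolen session ID alone is then not enough to impersonate.
    $token = bin2hex(random_bytes(32));
    $_SESSION['fingerprint'] = $fingerprint;
    $_SESSION['auth_token']  = $token;
    setcookie('auth_token', $token, [
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
}

// Call right after a successful login so a session ID fixed before
// authentication is never promoted to an authenticated one.
function session_guard_on_login(): void
{
    session_regenerate_id(true);
}
```

The fingerprint only complicates impersonation; an attacker who captures the whole request (both cookies and headers) can still replay it, which is why the cookie flags and TLS matter as much as the check itself. The array form of session_set_cookie_params and setcookie requires PHP 7.3 or later.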
Foiling Cross-Site Attacks
PHP is quickly becoming the world's most popular programming language for
creating Web applications. As more and more applications are being built
for the Web, security is becoming a crucial topic. One of the best methods
you can use to educate yourself about PHP security is to study the various
types of attacks that you must defend against.
This talk introduces two of the most common types of attacks that current
Web developers face, Cross-Site Scripting (XSS) and Cross-Site Request
Forgeries (CSRF). Because XSS involves exploiting the trust granted to a
particular Web site and CSRF involves exploiting the trust granted to a
particular user, these two example attacks will help demonstrate a wide
variety of application-based attacks.
By using examples that illustrate exactly how these types of attacks are
accomplished, you are shown simple and effective techniques that you can
use to help prevent such vulnerabilities in your own PHP applications.
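Here is an added PHP example of the two defences most often paired with those attacks: escaping on output for XSS and a per-session token for CSRF. This is illustration code written for this page, not code from the talk or the author's book; the function names and the hidden field name csrf_token are assumptions.

```php
<?php
// Added example, not from the talk or the author's book. A minimal form handler
// showing output escaping (against XSS) and a per-session token (against CSRF).
// Function names and the field name "csrf_token" are assumptions.

// --- CSRF: a secret token that a cross-site attacker cannot read or guess ---
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // Constant-time comparison; an empty expected token never validates, and a
    // non-string value (e.g. csrf_token[]=x) is rejected rather than coerced.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// --- XSS: escape every untrusted string at the point it enters HTML ---
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_form(string $message = ''): string
{
    return '<form method="post" action="">'
        . '<input type="hidden" name="csrf_token" value="' . h(csrf_token()) . '">'
        . '<textarea name="message">' . h($message) . '</textarea>'
        . '<button type="submit">Post</button>'
        . '</form>';
}

function handle_request(string $method, array $post): string
{
    if ($method !== 'POST') {
        return render_form();
    }
    if (!csrf_check($post)) {
        // A request forged from another site arrives without the token.
        error_log('csrf check failed for POST to ' . ($_SERVER['REQUEST_URI'] ?? '?'));
        return '<p>Request rejected.</p>' . render_form();
    }
    $message = is_string($post['message'] ?? null) ? $post['message'] : '';
    // Escaped on output, so a submitted "<script>" is displayed as text.
    return '<p>You posted: ' . h($message) . '</p>' . render_form($message);
}

session_start();
echo handle_request($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST);
```

The token must be checked on every state-changing request, not only on this one form, and it is tied to the session so that it is useless to anyone who cannot also present the session cookie. Escaping happens in the rendering functions rather than on input, because the same stored string may later be placed in a different context (an attribute, a URL, JSON) that needs a different encoding.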
This is just a preliminary outline. I am basically choosing a focused
selection of topics from my upcoming book, PHP Security.
What Is Security?
Spoofed Form Submissions
Spoofed HTTP Requests
Databases and SQL
Exposed Access Credentials
Exposed Session Data
Browsing the Filesystem