PHP Security at OSCON

by Chris Shiflett

O'Reilly Open Source Convention.


I will be giving three talks at OSCON this year: two sessions and a tutorial.
They're all focused on PHP security in one way or another, and I'm very happy
that O'Reilly is giving this topic so much attention. I'm including the descriptions
below, although the exact outline of the tutorial (PHP Security) is
subject to change.


Securing PHP Sessions


PHP's native session mechanism provides Web developers with all the tools
they need to create stateful PHP applications. In this talk, I will
explain how to take this one step further and secure your sessions to help
complicate impersonation as well as defend against various types of attacks.


By taking a detailed look at the HTTP transactions that take place as
users interact with a Web application, you will gain important insight into
the challenge of maintaining state. You will learn how to identify patterns
in a Web browser's requests to create a virtual fingerprint as well as how
to leverage multiple identifiers.


Beginning with the most basic example of implementing sessions with PHP,
you are shown exactly what is required to impersonate a user. This basic
example is strengthened as the talk continues by introducing a few different
techniques. As each technique is introduced and explained, the resulting
user experience is contrasted with a sample attack required to
impersonate the user. By the end, you should have a much clearer
understanding of sessions and walk away with some useful techniques that you can
implement in your own applications.
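As an added illustration of the ideas this description mentions (a request fingerprint stored alongside the session, plus regenerating the ID at login to blunt fixation), here is a small session wrapper; it is example code written for this page, not Chris Shiflett's own, and it assumes a server-side secret constant and a User-Agent-based fingerprint, which is only one of several identifiers one could combine:

```php
<?php
// Added example, not from the original post. Assumed design: the fingerprint is
// an HMAC over the User-Agent header keyed with a server secret, stored in the
// session and compared on every request; the session ID is regenerated on login.

const FINGERPRINT_SECRET = 'REPLACE-WITH-A-LONG-RANDOM-SERVER-SECRET'; // placeholder

function request_fingerprint(): string
{
    // The User-Agent alone is weak (a client can send any value), so this only
    // raises the bar; the HMAC keeps the stored value unforgeable from the UA.
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, FINGERPRINT_SECRET);
}

function secure_session_start(): void
{
    // Cookie-only IDs (no IDs in URLs), strict mode (reject client-supplied
    // IDs the server never issued), HttpOnly cookie (not readable by scripts).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();

    if (!isset($_SESSION['fingerprint'])) {
        $_SESSION['fingerprint'] = request_fingerprint();
    } elseif (!hash_equals($_SESSION['fingerprint'], request_fingerprint())) {
        // Mismatch: treat as a possible hijack and discard the session.
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('Session fingerprint mismatch.');
    }
}

function login_user(int $userId): void
{
    // Regenerate the ID once the user authenticates, so an ID planted before
    // login never becomes an authenticated session (session fixation defence).
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['fingerprint'] = request_fingerprint();
}

secure_session_start();
```

Call `login_user()` only after the credentials have been verified; the fingerprint check runs on every subsequent request via `secure_session_start()`.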


Foiling Cross-Site Attacks


PHP is quickly becoming the world's most popular programming language for
creating Web applications. As more and more applications are being built
for the Web, security is becoming a crucial topic. One of the best methods
you can use to educate yourself about PHP security is to study the various
types of attacks that you must defend against.


This talk introduces two of the most common types of attacks that current
Web developers face, Cross-Site Scripting (XSS) and Cross-Site Request
Forgeries (CSRF). Because XSS involves exploiting the trust granted to a
particular Web site and CSRF involves exploiting the trust granted to a
particular user, these two example attacks will help demonstrate a wide
variety of application-based attacks.


By using examples that illustrate exactly how these types of attacks are
accomplished, you are shown simple and effective techniques that you can
use to help prevent such vulnerabilities in your own PHP applications.


PHP Security


This is just a preliminary outline. I am basically choosing a focused
selection of topics from my upcoming book, PHP Security.




  1. Overview

    What Is Security?

    Register Globals

    Data Filtering

    Error Reporting


  2. Form Processing

    Spoofed Form Submissions

    Spoofed HTTP Requests

    Cross-Site Attacks


  3. Databases and SQL

    Exposed Access Credentials

    SQL Injection


  4. Sessions

    Session Fixation

    Session Hijacking


  5. Shared Hosts

    Exposed Session Data

    Browsing the Filesystem