Securing PHP Web Applications 229
Michael J. Ross writes "The owners and the developers of typical Web sites face a quandary, one often unrecognized and unstated: They generally want their sites' contents and functionality to be accessible to everyone on the Internet, yet the more they open those sites, the more vulnerable they can become to attackers of all sorts. In their latest book, Securing PHP Web Applications, Tricia and William Ballad argue that PHP is an inherently insecure language, and they attempt to arm PHP programmers with the knowledge and techniques for making the sites they develop as secure as possible, short of disconnecting them from the Internet." Keep reading for the rest of Michael's review.
The book was published by Addison-Wesley on 26 December 2008, under the ISBN 978-0321534347. The publisher maintains a Web page for the book, where visitors will find a detailed description, the table of contents, and a sample chapter ("Cross-Site Scripting," Chapter 10) only three pages in length — undoubtedly a record. That is essentially all one will find on that Web page. Most technical publishers offer far more information on the Web pages for each one of their books — such as the preface and index online, updates to the book's content (including reported errata, confirmed and otherwise), descriptions of the chapters, information about and pictures of the author(s), feedback from readers and the media, and, perhaps most valuable of all, the sample code used in the given book. (However, that is less of a factor with this particular book, since it does not contain much sample code.) Many such publisher pages even have links to book- or technology-specific forums, where readers can post questions to the authors, and read other people's questions and the replies. Addison-Wesley, like all of the Pearson Education imprints, has through the years proven quite sparing with the supplementary online content, thereby no doubt reducing the number of prospective readers and other traffic to their sites.
| Securing PHP Web Applications | |
| author | Tricia Ballad, William Ballad |
| pages | 336 |
| publisher | Addison-Wesley Professional |
| rating | 7/10 |
| reviewer | Michael J. Ross |
| ISBN | 978-0321534347 |
| summary | A wide-ranging guide to PHP security. |
Despite its fairly modest length (336 pages) in comparison to the average programming book being published these days, Securing PHP Web Applications tries to cover a sizable number of topics, in five parts, which encompass 17 chapters: general security issues; error handling; system calls; buffer overflows and sanitizing variables; input validation; file access; user authentication; encryption and passwords; sessions and attacks against them; cross-site scripting; securing Apache and MySQL; securing IIS and SQL Server; securing PHP; automated testing; exploit testing; designing a secure application; and hardening an existing application. The book concludes with an epilogue on professional habits to improve the security of one's applications, an appendix describing additional resources, a glossary, and an index. Throughout the book, the authors illustrate key ideas with the use of a sample application — in this case, a Web-based guest book.
The first chapter, which is the only one in the first part of the book, is rather brief, but does prime the reader for all the material that follows, because it explains the inherent security problems of Web applications, and explains the dangers of some of the inadequate measures that naive programmers can take, such as security through obscurity, and the common belief that hackers only go after major Web sites.
Chapter 2 focuses on error handling, but begins with an example of SQL injection, and how effective it can be against the first iteration of the guest book application code. The most potentially confusing part of the discussion is when the authors show an SQL injection attack that perverts an INSERT statement by injecting it with an SQL command to drop a table, and the two commands are separated by a semicolon. But then instead of discussing how multiple SQL statements can be separated by semicolons (well, depending upon one's server settings), they instead discuss separating PHP commands was semicolons, but not SQL commands. Nonetheless, readers will find some good advice on handling unexpected input and using a centralized error-handling mechanism, even if quite simple. Also, the question of whether or not to accept HTML in user input, is briefly addressed. However, the material would be more useful if the authors were to explain specifically when htmlspecialchars() should be used instead of htmlentities(). Also, the option of using standard bulletin board codes (such as [b]bold[/b]) should have been mentioned, if only briefly with references to outside resources. At the bottom of page 22, the bare regex following a !"~" is not valid PHP (or even Perl, which it much more resembles). Lastly, one should not follow the recommendation of providing absolutely no feedback to the user as to what characters were invalid in the text they entered. Hackers gain nothing from being told the obvious, that HTML tags are not allowed; but legitimate users will be incensed when told only that the system didn't understand their input, with no indication as to how to make it acceptable.
In the third chapter, the authors explain the obvious danger of using unsanitized user input within a call to the operating system, such as exec() or system(). The discussion here assumes that you are on a *nux server, not Windows. Two PHP commands are suggested for sanitizing user input, as well as the option and advantages of building a custom API that is limited to only the system calls that should ever be executed within your Web application. On page 33, their test code appears to assume that register_globals has been enabled (so the GET variables in the malicious URL are automatically instantiated and set to the values in the URL), which is disappointing for a book on PHP security, since the dangers inherent in register_globals are so severe that it is now disabled by default, is deprecated in PHP version 5.3.0, and will be completely removed in version 6.
In Chapter 4, readers get an overview of program and data storage on a computer, including buffers, stacks, and heaps, as groundwork for learning what buffer overflows are and how hackers can try to exploit them to execute database and operating system statements, including using your server as a staging point for remote exploits and denial-of-service attacks. The fifth chapter dovetails nicely with the previous one, because it discusses input validation, which is a key component of avoiding boundary condition attacks. The authors explain the importance of validating tainted data, using character length and regular expressions. One simple countermeasure to such attacks that the authors fail to mention, is simply setting a maximum input length ("maxlength") on HTML "input" tag fields. After all, most entry fields on forms are input tags — not textarea tags, for which the maxlength attribute only specifies wrapping. Using maxlength does not prevent manipulation of POST values, but does prevent the less knowledgeable attacker from overflowing input tag fields.
Chapter 6 explains the risks in working with local and remote files, and why it is critical to not allow mischievous users do such tricks as inserting a pathname in a filename, when your code is expecting only a simple filename. Unfortunately, some of the code and claims in this chapter are suspect: On page 70, the value of $path_to_uploaded_files is missing a needed trailing forward slash. The suggested method of processing malicious file paths could be made much more simple and secure with the use of basename(). The file_get_contents() attack shown on page 71 again seems to assume that register_globals is enabled; even if it were enabled, the exploit wouldn't work because $file is always set to a value in the script code. The authors seemingly believe that GET variables can override anything in a script. Nonetheless, their advice about handling user-uploaded files is spot on.
Part 4 of the book focuses on user security. The first of its chapters covers user authentication and authorization — combining the two for their sample application — and starting with usernames and passwords. Access denial due to invalid username or password is supposedly illustrated by Figure 7.2, but all that it illustrates is that a concept that needs no visual depiction is not made more clear by trying to represent it with a confusing image. The authors provide a thorough discussion of authentication purposes and methods, as well as password encryption and strength. Yet they provide no rationale for setting the default values for usernames, passwords, and e-mail addresses to " " simply because the columns are non-nullable. After all, a record would only be added to the table if those values were known. Also, in their validateUsernamePassword() function, they've mistakenly commented out the first "return FALSE;" and they create unused variables $username and $password.
Chapter 8 provides an overview of various types of encryption, particularly for passwords, and some recommendations for PHP-supported algorithms. One blemish in this discussion is the claim that the longer the key for decryption, the longer it will take for your application to load the data (presumably the encrypted text) — which doesn't make sense. Also, their password() and login() functions reference class member names of an object not yet defined or explained. Code out of context like this can be confusing to the reader.
Sessions are a key component of maintaining and securing the identity of an authenticated user as she goes from one page to another in your PHP application. In Chapter 9, the authors describe the three major categories of session attacks: fixation, hijacking, and injection. The next chapter addresses cross-site scripting (XSS), but runs only three pages, and provides no examples of an XSS attack, which would have been helpful for the reader to understand how such an attack could try to compromise his PHP code, and what sort of malicious code to look for in his site. However, references to four open source XSS filtering projects are provided, in case the reader would like to learn more about them.
The fifth part of the book is devoted to securing whichever server environment on which you choose to host your application — Apache and MySQL, or IIS and Microsoft SQL Server, as well as PHP. In the chapter on PHP, the authors present the Zend Core release of PHP, which can save developers time in installing components of the LAMP stack, and also save them from reinventing the wheel, by using the Zend Framework. Other techniques for hardening PHP are discussed. Chapters 14 and 15 explain how to use automated testing and exploit testing, to increase your application's security, using powerful exploit testing tools — free and proprietary.
The sixth and final part of the book contains two chapters, which purportedly discuss the advantages of designing security into a new application right from the start, and how to improve security in an application that has already been built. In the former chapter, the authors stress the importance of balancing no design ("Skip reading Slashdot for one day...") and too much design (i.e., stalling). But the material mostly consists of the basics of designing a Web application, with no new information on security, and concludes with a brief reiteration of security principles detailed in earlier chapters. The latter chapter offers some good advice on having separate development and test environments, in addition to the production environment. The principles expounded in each of the two chapters, do not overlap at all, and yet together they apply equally to new applications under development just as much as they do to finished applications; splitting the principles up does not make sense.
Sadly, the book does not live up to its potential. In general, much of the sample code is sloppy, as exemplified by the instances noted above. The authors and the technical reviewers should have tested the attacks, and thereby found which ones don't work. Even the HTML should not be used by any new Web developer as an example of quality code that adheres to leading standards. In the HTML that they have their sample PHP code generate, the tag attribute values are in single quotes, and not double, which means all of that code would need to be changed to make it compliant with XHTML 1.0. Moreover, by choosing to use single quotes for both the attribute values and the PHP strings, the authors end up having to escape every single attribute value quote mark, which wastes space and looks ridiculous. They repeat this at the end of Chapter 6, but this time with all double quotes. Also, some of the technical decisions are rather odd, such as their setting those default values to spaces in the user table, noted earlier. A few terms are used strangely, as well, such as their statement that IIS's footprint is the number of entry points to it; actually, a Web server software's footprint generally refers to how much memory it consumes. Every chapter ends with a summary, titled "Wrapping It Up," none of which add any value to the book. There are at least three technical errata in the book that should have been caught: spaces in "u + rwx, go + rx" (page 76), and the invalid addresses "www.blog/modsecurity.org" (page 215) and "www.ballad-nonfiction/SecuringPHP/" (page 288; adding ."com" does not fix it).
On the other hand, the book's marketing copy claims that "Tricia and William Ballad demystify PHP security by presenting realistic scenarios and code examples, practical checklists, detailed visuals..." and that is certainly a fair claim. Most of the explanations are straightforward and informative. As a side note, kudos to Addison-Wesley for printing this book on recycled paper; one can only hope that all publishers adopt that policy.
The primary value of Securing PHP Web Applications is that it touches upon security topics that are often glossed over or completely neglected in other PHP security books and articles. This is important, because online miscreants will be searching out every possible chink in your Web site's armor. You should do the same, before they strike — and this book shows how.
Michael J. Ross is a freelance Web developer and writer.
You can purchase Securing PHP Web Applications from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Just don't (Score:1, Insightful)
If you want to produce secure web apps, you need to hire a security specialist to audit the application, and (ideally) assist with the design phase as well. Application security is an incredibly subtle thing in many ways. A developer who read a book on security will get security wrong. It's a topic that simply requires a specialist.
Re:Just don't (Score:5, Insightful)
Making a secure PHP web app is not that hard.
-Make sure to keep globals off (or initialize all variables before using them.
-Sanitize all inputs before getting to the database.
-Always sanitize user-inputted data before displaying it on screen (strip_tags)
-Check permissions on every page. (Make sure I can't change id=17 to id=18 and see things I shouldn't.)
And so on...
Honestly, it's not some mysterious voodoo, it's very basic procedures (like these) that all programmers should get in the habit of doing, no matter what language you use.
Re:Just don't (Score:1, Insightful)
Application security is an incredibly subtle thing in many ways. A developer who read a book on security will get security wrong. It's a topic that simply requires a specialist.
Feeling insecure and trying to build yourself some job security by belittling developers? How cute. Yeah, let's leave developers in the dark so overpaid "specialists" can be required to do twice the work.
Re:Just don't (Score:2, Insightful)
I'm not really sure why people think it is so hard!
The fact that you think it is easy means you are unable to do it properly and don't know that you don't know.
Re:Just don't (Score:5, Insightful)
Re:Just don't (Score:5, Insightful)
The fact that you think it is easy means you are unable to do it properly and don't know that you don't know.
Or it's possible that, you know, he's an experienced developer who's got enough experience with PHP that to him it really is easy.
/Mikael
Re:Just don't (Score:3, Insightful)
.....Geez, if I had $1 for every time someone wrote an app that didn't properly validate.
....then you'd be almost as rich as me, if I had $1 for every time someone wrote a web page that didn't properly validate.
And I'd be almost as rich as random_grammar_nazi, if they had $1 for every time someone wrote a sentence that didn't properly validate.
There's a running theme here, in case you hadn't noticed. People, as a general rule, suck at following rules that don't have obvious, immediate consequences for breaking them.
Re:Just don't (Score:2, Insightful)
"Sanitize all inputs before getting to the database."
NO! How many times to people have to get hammered because their own or someone else's sanatizer didn't really sanitize (ex: php's mysql_escape_string vs mysql_REAL_escape_string, and other idiotic things)
before folks will listen to DBAs and start using well parametrized stored procedures/prepared statements.
If you use a well parametrized stored procedures/prepared statements you don't have to worry about any idiots trying to do sql injection, nor how you or someone else may have botched your sanitizer.
Re:How to write a secure PHP app (Score:3, Insightful)
Are you for real?
No. Otherwise they wouldn't have posted AC. .....just like you.
Re:what no AJAX (Score:5, Insightful)
Well yes, but usually you're doing cookie-based authentication, which flows with out of band requests as well. So it's no different than a normal POST operation. Ajax is not particularly less or more secure, unless you have an insecure app to begin with.
Re:what no AJAX (Score:5, Insightful)
I don't understand your point. From the server's perspective an AJAX request is identical to any other. So how does securing your server change if the request is AJAX?
Re:what no AJAX (Score:3, Insightful)
The number of people who don't know how to lock down a database astounds me. Whitelist IPs, use low privilege users, never re-use users between applications.
If you screw up your injection scrubbing, and someone sends in a "Drop tables" injection on a user who doesn't have those permissions, there's no issue. Likewise, lock the user down so it only has access to specific data...Never give a user the ability to touch a system table if they're used for a public app.
I don't allow deletions most times, I just add a delete flag to the record, and use an account running locally to do the deletes later...Someone tries to delete a whole table, row by row, and I can catch it before it happens.
Securing your code is necessary, but it shouldn't be your primary line of defense. Start at the server and work your way back.
Re:Just don't (Score:3, Insightful)
A developer who read a book on security will get security wrong. It's a topic that simply requires a specialist.
And specialists come from where? Are these individuals born with an innate knowledge of PHP security, or are these skills passed from father to son, mentor to apprentice? No, they get their knowledge from books, lectures, and websites; they read and learn (hopefully). I'd say the the best are likely senior developers who've developed a specialty.
Acting like security isn't in the realm of the developer is a particularly dangerous statement, and I really do hope that it's just a joke. As it's one of the basic parts of web application (no matter what the language). Sure one could hire a security specialist to review the process, but you're better off just using an intrusion detecting application (or service), and a proper code review.
Re:Just don't (Score:4, Insightful)
Let me guess... Zero_Kelvin makes his living as a software security expert. And, if ordinary programmers were to think that they could (*gasp*) write secure code all by themselves, he'd be out of a job.
Website software security is important, and not blatantly easy... but I don't know that it's soooo specialized that it needs its own entire profession.
Rather than comparing software security experts to heart surgeons, maybe we could compare them to professional babyproofers. They would have you believe that, until they get done, your home is a deathtrap to your munchkin, and there's just no way you could POSSIBLY have accounted for all the hidden dangers. Unless, of course, you spent a little time on the web, finding out about common causes of injury and death in home accidents for children in your offspring's age group, and maybe oh, I dunno, paid attention to your child to see what they are likely to hurt themselves doing.
It's not that they're useless, but they're doing something for you that, with some time and effort, you can do yourself. It just depends on whether you have more money to hire another body, or more resources on staff that can be developed to do things right in the first place.
Re:inherently insecure? (Score:3, Insightful)
Culture. For a long time the mysqli library did not allow the use of parameterized queries leading to the unhealthy culture of concatenating or interpolating sql queries and even "require" arguments.
And now it does. And there were other libraries that supported parameterized queries prior to mysqli supporting it. I agree that there are beginners who give the rest of us a bad name by not coding for security to begin with, but to say that that makes the language itself insecure is an unfounded assertion.
Easy entry with little architectural guidance which leads beginners down the dangerous paths.
The fact that the language is easy makes it insecure? So I guess we should all be programming in assembly to be completely secure? Oh, wait, that's stupid, since it's just as easy to have a buffer overflow in assembly as anywhere else.
the ability to "require" scripts from foreign servers.
Nobody does this; not once have I seen it in my eight or so years of coding PHP.
stupid type coercion such as 1 == "1more" is actually true.
That's what === is for, it does type checking.
super-weak type system, meaning that you can never trust what you expect to be an integer to be just that.
Again, an ease of use thing. If you want an integer, cast to int as you would in C, or use one of the checking mechanisms.
stupid attempts to accomodate developers and save LOCs by introducing "magic quotes", superglobals and the ability to "automagically" map query parameters to global variables.
Magic quotes is stupid. Thankfully, this has been discussed to death and they're disappearing as of PHP 6. Superglobals are fairly limited and used mostly for input. And register_globals is almost always off nowadays and, like magic quotes, will be removed as of PHP 6.
The fact that PHP is merely a glue layer, relying on binary extensions written in C with the usual buffer overflows, memory corruptions etc.
You could say the same about ASP.NET, yet it's used by huge enterprises. Haven't you ever heard of abstraction? Besides which, the "usual buffer overflows" in the underlying extensions of PHP are quite rare, and the fact that they're often used in more than just PHP means more eyes are examining them for security issues.
Inherently insecure my ass. If you're a crappy coder, you'll make crappy code. If you know what you're doing, you'll make code that's secure. Protecting an app against attackers is the developer's job, not the language's.
Re:Just don't (Score:3, Insightful)
After reading the last 3-4 posts you put up in this thread, the only thing I've come away with is:
Man... it sure must be hard to walk around with that large of a chip on your shoulder.