Forgot your password?
typodupeerror
Image

Securing PHP Web Applications 229

Posted by samzenpus
from the protect-ya-neck dept.
Michael J. Ross writes "The owners and the developers of typical Web sites face a quandary, one often unrecognized and unstated: They generally want their sites' contents and functionality to be accessible to everyone on the Internet, yet the more they open those sites, the more vulnerable they can become to attackers of all sorts. In their latest book, Securing PHP Web Applications, Tricia and William Ballad argue that PHP is an inherently insecure language, and they attempt to arm PHP programmers with the knowledge and techniques for making the sites they develop as secure as possible, short of disconnecting them from the Internet." Keep reading for the rest of Michael's review.
Securing PHP Web Applications
author Tricia Ballad, William Ballad
pages 336
publisher Addison-Wesley Professional
rating 7/10
reviewer Michael J. Ross
ISBN 978-0321534347
summary A wide-ranging guide to PHP security.
The book was published by Addison-Wesley on 26 December 2008, under the ISBN 978-0321534347. The publisher maintains a Web page for the book, where visitors will find a detailed description, the table of contents, and a sample chapter ("Cross-Site Scripting," Chapter 10) only three pages in length — undoubtedly a record. That is essentially all one will find on that Web page. Most technical publishers offer far more information on the Web pages for each one of their books — such as the preface and index online, updates to the book's content (including reported errata, confirmed and otherwise), descriptions of the chapters, information about and pictures of the author(s), feedback from readers and the media, and, perhaps most valuable of all, the sample code used in the given book. (However, that is less of a factor with this particular book, since it does not contain much sample code.) Many such publisher pages even have links to book- or technology-specific forums, where readers can post questions to the authors, and read other people's questions and the replies. Addison-Wesley, like all of the Pearson Education imprints, has through the years proven quite sparing with the supplementary online content, thereby no doubt reducing the number of prospective readers and other traffic to their sites.

Despite its fairly modest length (336 pages) in comparison to the average programming book being published these days, Securing PHP Web Applications tries to cover a sizable number of topics, in five parts, which encompass 17 chapters: general security issues; error handling; system calls; buffer overflows and sanitizing variables; input validation; file access; user authentication; encryption and passwords; sessions and attacks against them; cross-site scripting; securing Apache and MySQL; securing IIS and SQL Server; securing PHP; automated testing; exploit testing; designing a secure application; and hardening an existing application. The book concludes with an epilogue on professional habits to improve the security of one's applications, an appendix describing additional resources, a glossary, and an index. Throughout the book, the authors illustrate key ideas with the use of a sample application — in this case, a Web-based guest book.

The first chapter, which is the only one in the first part of the book, is rather brief, but does prime the reader for all the material that follows, because it explains the inherent security problems of Web applications, and explains the dangers of some of the inadequate measures that naive programmers can take, such as security through obscurity, and the common belief that hackers only go after major Web sites.

Chapter 2 focuses on error handling, but begins with an example of SQL injection, and how effective it can be against the first iteration of the guest book application code. The most potentially confusing part of the discussion is when the authors show an SQL injection attack that perverts an INSERT statement by injecting it with an SQL command to drop a table, and the two commands are separated by a semicolon. But then instead of discussing how multiple SQL statements can be separated by semicolons (well, depending upon one's server settings), they instead discuss separating PHP commands was semicolons, but not SQL commands. Nonetheless, readers will find some good advice on handling unexpected input and using a centralized error-handling mechanism, even if quite simple. Also, the question of whether or not to accept HTML in user input, is briefly addressed. However, the material would be more useful if the authors were to explain specifically when htmlspecialchars() should be used instead of htmlentities(). Also, the option of using standard bulletin board codes (such as [b]bold[/b]) should have been mentioned, if only briefly with references to outside resources. At the bottom of page 22, the bare regex following a !"~" is not valid PHP (or even Perl, which it much more resembles). Lastly, one should not follow the recommendation of providing absolutely no feedback to the user as to what characters were invalid in the text they entered. Hackers gain nothing from being told the obvious, that HTML tags are not allowed; but legitimate users will be incensed when told only that the system didn't understand their input, with no indication as to how to make it acceptable.

In the third chapter, the authors explain the obvious danger of using unsanitized user input within a call to the operating system, such as exec() or system(). The discussion here assumes that you are on a *nux server, not Windows. Two PHP commands are suggested for sanitizing user input, as well as the option and advantages of building a custom API that is limited to only the system calls that should ever be executed within your Web application. On page 33, their test code appears to assume that register_globals has been enabled (so the GET variables in the malicious URL are automatically instantiated and set to the values in the URL), which is disappointing for a book on PHP security, since the dangers inherent in register_globals are so severe that it is now disabled by default, is deprecated in PHP version 5.3.0, and will be completely removed in version 6.

In Chapter 4, readers get an overview of program and data storage on a computer, including buffers, stacks, and heaps, as groundwork for learning what buffer overflows are and how hackers can try to exploit them to execute database and operating system statements, including using your server as a staging point for remote exploits and denial-of-service attacks. The fifth chapter dovetails nicely with the previous one, because it discusses input validation, which is a key component of avoiding boundary condition attacks. The authors explain the importance of validating tainted data, using character length and regular expressions. One simple countermeasure to such attacks that the authors fail to mention, is simply setting a maximum input length ("maxlength") on HTML "input" tag fields. After all, most entry fields on forms are input tags — not textarea tags, for which the maxlength attribute only specifies wrapping. Using maxlength does not prevent manipulation of POST values, but does prevent the less knowledgeable attacker from overflowing input tag fields.

Chapter 6 explains the risks in working with local and remote files, and why it is critical to not allow mischievous users do such tricks as inserting a pathname in a filename, when your code is expecting only a simple filename. Unfortunately, some of the code and claims in this chapter are suspect: On page 70, the value of $path_to_uploaded_files is missing a needed trailing forward slash. The suggested method of processing malicious file paths could be made much more simple and secure with the use of basename(). The file_get_contents() attack shown on page 71 again seems to assume that register_globals is enabled; even if it were enabled, the exploit wouldn't work because $file is always set to a value in the script code. The authors seemingly believe that GET variables can override anything in a script. Nonetheless, their advice about handling user-uploaded files is spot on.

Part 4 of the book focuses on user security. The first of its chapters covers user authentication and authorization — combining the two for their sample application — and starting with usernames and passwords. Access denial due to invalid username or password is supposedly illustrated by Figure 7.2, but all that it illustrates is that a concept that needs no visual depiction is not made more clear by trying to represent it with a confusing image. The authors provide a thorough discussion of authentication purposes and methods, as well as password encryption and strength. Yet they provide no rationale for setting the default values for usernames, passwords, and e-mail addresses to " " simply because the columns are non-nullable. After all, a record would only be added to the table if those values were known. Also, in their validateUsernamePassword() function, they've mistakenly commented out the first "return FALSE;" and they create unused variables $username and $password.

Chapter 8 provides an overview of various types of encryption, particularly for passwords, and some recommendations for PHP-supported algorithms. One blemish in this discussion is the claim that the longer the key for decryption, the longer it will take for your application to load the data (presumably the encrypted text) — which doesn't make sense. Also, their password() and login() functions reference class member names of an object not yet defined or explained. Code out of context like this can be confusing to the reader.

Sessions are a key component of maintaining and securing the identity of an authenticated user as she goes from one page to another in your PHP application. In Chapter 9, the authors describe the three major categories of session attacks: fixation, hijacking, and injection. The next chapter addresses cross-site scripting (XSS), but runs only three pages, and provides no examples of an XSS attack, which would have been helpful for the reader to understand how such an attack could try to compromise his PHP code, and what sort of malicious code to look for in his site. However, references to four open source XSS filtering projects are provided, in case the reader would like to learn more about them.

The fifth part of the book is devoted to securing whichever server environment on which you choose to host your application — Apache and MySQL, or IIS and Microsoft SQL Server, as well as PHP. In the chapter on PHP, the authors present the Zend Core release of PHP, which can save developers time in installing components of the LAMP stack, and also save them from reinventing the wheel, by using the Zend Framework. Other techniques for hardening PHP are discussed. Chapters 14 and 15 explain how to use automated testing and exploit testing, to increase your application's security, using powerful exploit testing tools — free and proprietary.

The sixth and final part of the book contains two chapters, which purportedly discuss the advantages of designing security into a new application right from the start, and how to improve security in an application that has already been built. In the former chapter, the authors stress the importance of balancing no design ("Skip reading Slashdot for one day...") and too much design (i.e., stalling). But the material mostly consists of the basics of designing a Web application, with no new information on security, and concludes with a brief reiteration of security principles detailed in earlier chapters. The latter chapter offers some good advice on having separate development and test environments, in addition to the production environment. The principles expounded in each of the two chapters, do not overlap at all, and yet together they apply equally to new applications under development just as much as they do to finished applications; splitting the principles up does not make sense.

Sadly, the book does not live up to its potential. In general, much of the sample code is sloppy, as exemplified by the instances noted above. The authors and the technical reviewers should have tested the attacks, and thereby found which ones don't work. Even the HTML should not be used by any new Web developer as an example of quality code that adheres to leading standards. In the HTML that they have their sample PHP code generate, the tag attribute values are in single quotes, and not double, which means all of that code would need to be changed to make it compliant with XHTML 1.0. Moreover, by choosing to use single quotes for both the attribute values and the PHP strings, the authors end up having to escape every single attribute value quote mark, which wastes space and looks ridiculous. They repeat this at the end of Chapter 6, but this time with all double quotes. Also, some of the technical decisions are rather odd, such as their setting those default values to spaces in the user table, noted earlier. A few terms are used strangely, as well, such as their statement that IIS's footprint is the number of entry points to it; actually, a Web server software's footprint generally refers to how much memory it consumes. Every chapter ends with a summary, titled "Wrapping It Up," none of which add any value to the book. There are at least three technical errata in the book that should have been caught: spaces in "u + rwx, go + rx" (page 76), and the invalid addresses "www.blog/modsecurity.org" (page 215) and "www.ballad-nonfiction/SecuringPHP/" (page 288; adding ."com" does not fix it).

On the other hand, the book's marketing copy claims that "Tricia and William Ballad demystify PHP security by presenting realistic scenarios and code examples, practical checklists, detailed visuals..." and that is certainly a fair claim. Most of the explanations are straightforward and informative. As a side note, kudos to Addison-Wesley for printing this book on recycled paper; one can only hope that all publishers adopt that policy.

The primary value of Securing PHP Web Applications is that it touches upon security topics that are often glossed over or completely neglected in other PHP security books and articles. This is important, because online miscreants will be searching out every possible chink in your Web site's armor. You should do the same, before they strike — and this book shows how.

Michael J. Ross is a freelance Web developer and writer.

You can purchase Securing PHP Web Applications from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

*

This discussion has been archived. No new comments can be posted.

Securing PHP Web Applications

Comments Filter:
  • by Anonymous Coward on Monday March 02, 2009 @03:00PM (#27043001)

    PHP has been bloated since 1.5, and the new .NET libraries offer improvements over all of PHP's core services. Why bother trudging through the maze of PHP gotchas, when .NET security is just a wizard away?

    • Um, because some of us want to write portable apps that aren't dependent on a single vendor, and don't want to be double-screwed by the forever-not-quite-up-to-date Mono libs. There is a world beyond Microsoft, and besides that, people in glass houses shouldn't throw rocks. I wouldn't exactly go to Microsoft for security.

      But I agree that PHP sucks, it's the BASIC of this decade. It's a godawful mess of a language that simply permits idiots too much capacity for getting ill-running programs up with little

      • by Gondola (189182)

        Anyone can pick up PHP in a few short online lessons and make something productive in an afternoon.

        Yes, inexperienced web developers can throw up insecure, poorly-designed sites. Yes, PHP could have more built-in security measures.

        However, it's not rocket surgery to create your own standards and libraries to help with security once you have a little knowledge and experience.

    • by NotBornYesterday (1093817) * on Monday March 02, 2009 @03:23PM (#27043259) Journal
      Security from a MS wizard? Maybe they could teach Clippy to implement security in development!

      Hi there! It looks like you are passing user input to an SQL statement. Would you like to:
      A) Sanitize your input before going any further.
      B) Sanitize, schmanitize, just code that sucker together. We'll iron out the kinks later.
      C) Huh? Why would that be a problem?
  • A lot of bogus traffic comes from countries that don't offer much in commercial value. I'm wondering if you could just configure Apache to just refuse connections to certain countries, or take them to an alternative page. Like, "404, We're sorry Russia, but you have too damned many crooks."

    Even still, one wonders if ISPs offer that service as well.

    • by myVarNamesAreTooLon (1474005) on Monday March 02, 2009 @03:26PM (#27043311)
      That would work well, people from other countries would NEVER think of spoofing their address.
    • This is a bad idea.

      The only thing it might stop is automated scans, and your application shouldn't have those holes to begin with. It'll have basically no effect on targeted attacks (attackers know about proxies), and it will annoy the hell out of the - unknown number of - visitors you would have from these countries.

    • by InsertWittyNameHere (1438813) on Monday March 02, 2009 @03:33PM (#27043393)

      Ok, but that might backfire. Take this hypothetical situation as an example:

      Let's say a Nigerian prince recently became the beneficiary of a large sum of money. Now in order to access that money he needs someone to lend him some seed money in order to fund the process to facilitate the release of said money. In return for the help, he promises to reward the lender generously.

      If he can't reach you with his urgent message YOU will be the one losing out!

    • by neoform (551705)

      Get an IP2Location database, there's a bunch of free ones on the net. Then do a lookup based on $_SERVER['REMOTE_ADDR'] at the beginning of all your scripts.. there might be an apache mod for this, but I've never used such a thing.

    • A lot of bogus traffic comes from countries that don't offer much in commercial value.

      Depends on what you're selling. If your products have global appeal, you might well be losing some customers from Russia. I have setup and maintained credit card processing system for a number of sites and in my experience about 95% of customers are from USA and Europe, the remaining 5% split between Australia, Japan, S. Korea, Russia, Israel, and very occasionally a South American or one of the wealthier Arab countries.
    • A lot of bogus traffic comes from countries that don't offer much in commercial value. I'm wondering if you could just configure Apache to just refuse connections to certain countries, or take them to an alternative page. Like, "404, We're sorry Russia, but you have too damned many crooks."

      For one thing, if you have security vulnerabilities, does it really make much difference to you whether they'll be exploited by a guy in Russia, or a guy in USA? Because they will be exploited if they're there.

      There's one more thing. Personally, if I ever stumbled onto a web site that blocked me because of my originating country, I would be very annoyed. In fact, I might actually be sufficiently annoyed to waste my precious time finding a proxy, and then thoroughly checking that site for vulnerabilities, si

  • what no AJAX (Score:4, Informative)

    by ianare (1132971) on Monday March 02, 2009 @03:27PM (#27043327)

    AJAX is probably the biggest security hole, even in a well designed application. Be especially careful when the AJAX does a DB update/insert - sometimes all the attacker needs is the JS code (obviously not secure) to see what url to hit and what parameters to send.

    I find it very disappointing that this book doesn't cover that. Even if not an in-depth analysis, which could well require its own volume, at least a chapter on basic concepts.

    Because otherwise PHP security is actually pretty simple. There's only 3 major rules :
    Never trust anything from outside : filter/validate all user input.
    Don't display error messages on production servers.
    Wrap system binaries in scripts rather than executing them directly.

    • Re:what no AJAX (Score:5, Insightful)

      by dedazo (737510) on Monday March 02, 2009 @03:30PM (#27043371) Journal

      Be especially careful when the AJAX does a DB update/insert - sometimes all the attacker needs is the JS code (obviously not secure) to see what url to hit and what parameters to send.

      Well yes, but usually you're doing cookie-based authentication, which flows with out of band requests as well. So it's no different than a normal POST operation. Ajax is not particularly less or more secure, unless you have an insecure app to begin with.

      • by fractalus (322043)

        Cookies + no XSRF protection = exploit.

      • by Jaime2 (824950)
        A lot of people have been doing security in the presentation layer for years and some of them don't realize that AJAX gives clients an easy way to bypass the presentation layer. It doesn't matter how well designed the authentication system is if the attacker is a valid user.
    • Re:what no AJAX (Score:5, Insightful)

      by truthsearch (249536) on Monday March 02, 2009 @04:01PM (#27043735) Homepage Journal

      I don't understand your point. From the server's perspective an AJAX request is identical to any other. So how does securing your server change if the request is AJAX?

      • Re: (Score:3, Insightful)

        by SatanicPuppy (611928) *

        The number of people who don't know how to lock down a database astounds me. Whitelist IPs, use low privilege users, never re-use users between applications.

        If you screw up your injection scrubbing, and someone sends in a "Drop tables" injection on a user who doesn't have those permissions, there's no issue. Likewise, lock the user down so it only has access to specific data...Never give a user the ability to touch a system table if they're used for a public app.

        I don't allow deletions most times, I just ad

        • This is a pretty damned good component, and goes to show you that security should be thought about like layers of onion. Due diligence at every layer means that even if worst comes to worst (say, there's a serious flaw in the interpreter itself), that there's something below that that can catch, or at least minimize the extent of the breach. Having your app access a user with privileges like "drop table" is nuts, no matter whether you think you have ironclad security on the app itself.

      • by ianare (1132971)

        Securing the server doesn't change, and if you follow proper security guidelines you will be generally OK. It's just that AJAX does add complexity, and any time complexity increases, so do potential exploits.

        For example some devs will forget that the return needs to be tested not to contain potentially dangerous information ... things like DB structures or users, info only visible to certain users, etc. Quite often this may be debug info that needs to be turned off on production, but because it's hidden und

    • by Tom (822)

      sometimes all the attacker needs is the JS code (obviously not secure) to see what url to hit and what parameters to send.

      And if the obscurity of your URL and parameters is what you call "security", then you probably shouldn't be writing any apps, and PHP, Ajax or whatever is not where your problem is.

  • Why securing a PHP application would be any different than securing an application written in any other language. I mean is PHP really the only language where you need to sanitize database inputs? Or is this just another principles of security where they inserted code snippets from [insert your language here].

    • by seebs (15766)

      Probably more a question of "since you're probably writing in PHP, here's some security stuff". PHP's not my favorite language for security-related things; it doesn't necessarily do much to encourage or help with sanity checks.

    • by nxtw (866177)

      I mean is PHP really the only language where you need to sanitize database inputs?

      PHP and classic ASP are the only languages I've used that did not provide a convenient method for parameterized queries. (I no longer use either - classic ASP is dead and I avoid PHP.)

      In Java or .NET, it's much easier to use paramaterized queries & has been for quite some time - it is common practice.

  • by MattW (97290) <matt@ender.com> on Monday March 02, 2009 @04:04PM (#27043761) Homepage

    What qualifies these authors to even write on these topics? Do they engage the community of PHP developers at all? Do they have the exposure to enough environments and circumstances and code to be effective authors on the topic?

    Chris Shiflett is the CTO of OmniTI, arguably one of the biggest PHP development braintrusts around. Several of the Schlossnagle family work there (and it used to include George, who wrote the awesome Advanced PHP Programming. Chris wrote Essential PHP Security, and also maintains a blog that has a lot of good stuff.

    If I was buying one, I'd buy Chris's book.

    • by Dirtside (91468) on Monday March 02, 2009 @05:54PM (#27045063) Journal

      Since you're already at +5, I'll just concur with your post. I've met Shiflett, and he knows what the hell he's talking about.

      Also, his book is about 1/3 the length of this one, and from what I can tell, contains more or less all the same info ;)

    • by wrballad (1490617) on Monday March 02, 2009 @07:25PM (#27046021)
      I am one of the authors of this book. We had several gigs hardening PHP applications for developers who where self taught, this is what qualified us to write the book (and yes we were engaged in that PHP community). I agree with your main point, if you are a slashdot reader, buy Shifletts book, its probably the best on this topic. My book was not meant for you. If you know someone who is not a hard-core techie writing a PHP website, please point them at mine...if they can comprehend what we wrote and are hungry for more, then point them at Mr Shiflett. Honestly most security books would go over our intended audience's head, we tried to write this in a straight forward manner that a non-techie could easily grasp. This did lead the book to simplify some ares. We felt that it was better to at least try to have some security then none at all. If you look at the book you may notice that we explicitly list Chris' book as a invaluable resource for further study.
      • by trawg (308495)

        My mod points just vanished today, but if anyone else has some this is prolly worth modding up to clarify the differences between the books.

  • PHP is not inherently more or less secure. That's just marketing language to get you to buy the book.

    All public access to systems via any language creates potential security holes, ESPECIALLY when terms are accepted from users and used in conjunction with database queries.

    One of the biggest risks, and we are ALL GUILTY, is the use of things like printf to construct a query line. Technically, you should prepare a statement and then execute the statement using the parameters as terms. Not only is this faster,

    • by Qzukk (229616)

      is the use of things like printf to construct a query line.

      That's just dumb. If you're going to go through the trouble of getting everything in just the right order for printf to fill in those %s placeholders, what the heck are you doing using printf?

      I can understand
      $sql="SELECT * FROM foo WHERE day<='$maxdate'";
      because then at least you have the excuse of adding on a
      if ($mindate) { $sql.=" AND day>='$mindate'"; }
      which back in the bad old days of using "?" as placeholders in a prepared query would ha

  • Database Side (Score:2, Informative)

    by Tablizer (95088)

    One technique for security is to limit the visible data to only what the web-app's DB login can access. For example, limit the app's login user-name to pre-defined read-only views, and stored procedures for the write stuff. Thus, if the hacker is able to inject her way into the SQL interpreter, she can only read and change what has been pre-allowed at the maximum, which is often only what the app allowed anyhow. It's a bit tedious, but that's the cost of security.

  • I'm *really* getting sick of people saying that programming language X is inherently insecure. It's total bullshit. EVERY language has its pros and cons and unless the INTERPRETER has an issue, then it's NOT the languages fault. And since EVERY INTERPRETER has had flaws in it, that can_not_ be the criteria for whether a *language* is secure or not.

    In other words, STOP BLAMING THE LANGUAGE FOR THE FOLLY OF THE PROGRAMMER. Just because PHP has been used by some idiots does _not_ make it an "inherently ins

    • by TheSunborn (68004)

      The problem with php is that they made the insecure feature first, and told people to use it. Then they found out it was insecure and fixed it by making an other safer way to do the same thing.

      Examples include the entire way mysql is accessed. First they made mysql_query which is very very difficult to make secure, because it require the developer to manually escape all
      input that need to be escaped. (Not to talk about the fuckup with both having a mysql_escape_string() and then finding out it's not good eno

  • I would add as a security measure to be able to reinstall a web application from a recent backup immediately. Any place, any time, on a very short notice. Just have the recent backup ready to upload. Or even several of them, if one for some reason is corrupted.

    I experienced an SQL attack which destroyed one of MySQL tables. I reinstalled it from backup and corrected the breach a month later. I mean a hacker most probably will not be watching your website day and night and attack it as soon as it is back

The world will end in 5 minutes. Please log out.

Working...