BOOKS FOR PROFESSIONALS BY PROFESSIONALS ® Pro PHP Security If you've been a web developer for even a short time, you know that security is at once one of the most misunderstood and most important parts of your job. You need only experience the anguish of having a web site or application “hacked” by someone several continents away to understand that. By provid- ing the most current information available, this title will help you understand and avoid web security challenges while providing solutions for common real- world problems. This book begins by taking you through what can be done to secure your code by providing a rock solid grounding in the fundamentals of PHP security. Next, the book expands on that topic by what you can do to help protect your users and environment by covering such topics as encryption, SSL and SSH, UNIX security, CAPTCHAs, and more. Finally, the book delves into often forgot- ten (but incredibly important) topics such as keeping software up-to-date and maintaining separate production and development environments. Security is a big deal, and this book has been updated so today’s PHP devel- oper can successfully meet all of the security challenges of the future. Chris Snyder, Author of Pro PHP Security, First edition Thomas Myer, Author of No Nonsense XML Web Development with PHP Mac Basics in Simple Steps Shelve in: Web Development / PHP Programming User level: Intermediate–Advanced THE APRESS ROADMAP Zend Enterprise PHP Patterns Beginning PHP and Oracle Pro PHP Security, 2nd Edition Pro PHP Refactoring Beginning PHP & MySQL, 4th Edition PHP Objects Patterns & Practice, 3rd Edition www.apress.com SOURCE CODE ONLINE Companion eBook Michael Southwell, Coauthor of Pro PHP Security, First edition Snyder Myer Southwell SECOND EDITION PHP Security Companion eBook Available Pro THE EXPERT’S VOICE ® IN OPEN SOURCE Pro PHP Security From Application Security Principles to the Implementation of XSS Defenses SECOND EDITION Chris Snyder, Thomas Myer, and Michael Southwell Use PHP 5.3 to solve classic and modern day security concerns, from SQL injection to mobile security www.it-ebooks.info www.it-ebooks.info i Pro PHP Security From Application Security Principles to the Implementation of XSS Defenses Second Edition ■ ■ ■ Chris Snyder Thomas Myer Michael Southwell www.it-ebooks.info ii Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition Copyright © 2010 by Chris Snyder, Thomas Myer, and Michael Southwell All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher. ISBN-13 (pbk): 978-1-4302-3318-3 ISBN-13 (electronic): 978-1-4302-3319-0 Printed and bound in the United States of America 9 8 7 6 5 4 3 2 1 Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights. President and Publisher: Paul Manning Lead Editor: Frank Polhmann Technical Reviewer: Chris Snyder Editorial Board: Steve Anglin, Mark Beckner, Ewan Buckingham, Gary Cornell, Jonathan Gennick, Jonathan Hassell, Michelle Lowman, Matthew Moodie, Duncan Parkes, Jeffrey Pepper, Frank Pohlmann, Douglas Pundick, Ben Renow-Clarke, Dominic Shakeshaft, Matt Wade, Tom Welsh Coordinating Editor: Adam Heath Copy Editor: Jim Compton Compositor: MacPS, LLC Indexer: BIM Indexing & Proofreading Services Artist: April Milne Cover Designer: Anna Ishchenko Distributed to the book trade worldwide by Springer Science+Business Media, LLC., 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail orders-ny@springer-sbm.com, or visit www.springeronline.com. For information on translations, please e-mail rights@apress.com, or visit www.apress.com. Apress and friends of ED books may be purchased in bulk for academic, corporate, or promotional use. eBook versions and licenses are also available for most titles. For more information, reference our Special Bulk Sales–eBook Licensing web page at www.apress.com/info/bulksales. The information in this book is distributed on an “as is” basis, without warranty. Although every precaution has been taken in the preparation of this work, neither the author(s) nor Apress shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in this work. www.it-ebooks.info iii This, like all the others, is dedicated to my wife Hope Doty. Thanks for loving me anyway. —T.M. www.it-ebooks.info iv Contents at a Glance ■Contents v ■About the Authors xvi ■Acknowledgments xvii ■Preface xviii Part 1: The Importance of Security 1 ■Chapter 1: Why Is Secure Programming a Concern? 3 Part 2: Practicing Secure PHP Programming 13 ■Chapter 2: Validating and Sanitizing User Input 15 ■Chapter 3: Preventing SQL Injection 33 ■Chapter 4: Preventing Cross-Site Scripting 45 ■Chapter 5: Preventing Remote Execution 59 ■Chapter 6: Enforcing Security for Temporary Files 81 ■Chapter 7: Preventing Session Hijacking 93 ■Chapter 8: Securing REST Services 105 Part 3: Practicing Secure Operations 115 ■Chapter 9: Using CAPTCHAs 117 ■Chapter 10: User Authentication, Authorization, and Logging 133 ■Chapter 11: Preventing Data Loss 159 ■Chapter 12: Safe Execution of System and Remote Procedure Calls 177 Part 4: Creating a Safe Environment 207 ■Chapter 13: Securing Unix 209 ■Chapter 14: Securing Your Database 221 ■Chapter 15: Using Encryption 229 ■Chapter 16: Securing Network Connections: SSL and SSH 267 ■Chapter 17: Final Recommendations 295 ■Index 327 www.it-ebooks.info v Contents ■Contents at a Glance iv ■About the Authors xvi ■Acknowledgments xvii ■Preface xviii Part 1: The Importance of Security 1 ■Chapter 1: Why Is Secure Programming a Concern? 3 What Is Computer Security? 3 Why Absolute Computer Security Is Impossible 4 What Kinds of Attacks Are Web Applications Vulnerable To? 4 When Users Provide Information 4 When Information Is Provided to Users 8 In Other Cases 8 Five Good Habits of a Security-Conscious Developer 9 Nothing Is 100% Secure 10 Never Trust User Input 10 Defense in Depth Is the Only Defense 11 Simpler Is Easier to Secure 11 Peer Review Is Critical to Security 12 Summary 12  www.it-ebooks.info ■ CONTENTS vi Part 2: Practicing Secure PHP Programming 13 ■Chapter 2: Validating and Sanitizing User Input 15 What to Look For 15 Input Containing Metacharacters 16 Input of the Wrong Type 16 Too Much Input 17 Abuse of Hidden Interfaces 17 Input Bearing Unexpected Commands 18 Strategies for Validating User Input in PHP 18 Secure PHP’s Inputs by Turning Off Global Variables 18 Declare Variables 20 Allow Only Expected Input 21 Check Input Type, Length, and Format 22 Sanitize Values Passed to Other Systems 25 Testing Input Validation 31 Summary 31 ■Chapter 3: Preventing SQL Injection 33 What SQL Injection Is 33 How SQL Injection Works 33 PHP and MySQL Injection 35 Kinds of User Input 35 Kinds of Injection Attacks 36 Multiple-Query Injection 36 Preventing SQL Injection 37 Demarcate Every Value in Your Queries 37 Check the Types of Users’ Submitted Values 38 Escape Every Questionable Character in Your Queries 39 Abstract to Improve Security 39 Full Abstraction 42 www.it-ebooks.info ■ CONTENTS vii Test Your Protection Against Injection 42 Summary 43 ■Chapter 4: Preventing Cross-Site Scripting 45 How XSS Works 45 Scripting 45 Categorizing XSS Attacks 46 A Sampler of XSS Techniques 47 HTML and CSS Markup Attacks 48 JavaScript Attacks 49 Forged Action URIs 49 Forged Image Source URIs 50 Extra Form Baggage 50 Other Attacks 51 Preventing XSS 51 SSL Does Not Prevent XSS 51 Strategies 51 Test for Protection Against XSS Abuse 57 Summary 57 ■Chapter 5: Preventing Remote Execution 59 How Remote Execution Works 59 The Dangers of Remote Execution 60 Injection of PHP Code 60 Embedding of PHP Code in Uploaded Files 61 Injection of Shell Commands or Scripts 63 Strategies for Preventing Remote Execution 65 Limit Allowable Filename Extensions for Uploads 65 Store Uploads Outside the Web Document Root 66 Allow Only Trusted, Human Users to Import Code 66 Sanitize Untrusted Input to eval() 66 www.it-ebooks.info ■ CONTENTS viii Do Not Include PHP Scripts from Remote Servers 71  Properly Escape All Shell Commands 71 Beware of preg_replace() Patterns with the e Modifier 75 Testing for Remote Execution Vulnerabilities 78 Summary 78 ■Chapter 6: Enforcing Security for Temporary Files 81 The Functions of Temporary Files 81 Characteristics of Temporary Files 82 Locations 82 Permanence 82 Risks 82 Preventing Temporary File Abuse 84 Make Locations Difficult 84 Make Permissions Restrictive 87 Write to Known Files Only 88 Read from Known Files Only 88 Checking Uploaded Files 89 Test Your Protection Against Hijacking 90 Summary 91 ■Chapter 7: Preventing Session Hijacking 93 How Persistent Sessions Work 93 PHP Sessions 93 Abuse of Sessions 96 Session Hijacking 97 Fixation 99 Preventing Session Abuse 100 Use Secure Sockets Layer 100 Use Cookies Instead of $_GET Variables 100 Use Session Timeouts 101 www.it-ebooks.info [...]... These people never get their names on the cover but they probably do at least 50% of the work in getting the thing out This project was no different Many thanks to Chris Snyder for having lots of patience with me and my proposed changes to his first edition Also, many thanks to Adam Heath for keeping me on track (even though most of the time he probably wanted to reach through the phone and strangle... copyeditors, art directors, and production people who turned my gibberish into something with a professional layout Tom Myer xvii www.it-ebooks.info 3 ■ CONTENTS Preface Thanks for purchasing the second edition of this book It’s been almost five years since the first edition was published, and that meant that a lot has changed in the world of web security Our goal for this edition of the book was simple:... organization by providing bogus demographic data on a large scale, or by flooding the sales team with bogus requests for contact 7 www.it-ebooks.info CHAPTER 1 ■ WHY IS SECURE PROGRAMMING A CONCERN? When Information Is Provided to Users It might seem that the creators of any web application whose business is to provide information to users would be happy when such information is actually provided But... way outward to systems and environments 12 www.it-ebooks.info k PART 2 ■■■ Practicing Secure PHP Programming In Part 1, you saw a brief overview of the importance of security In Part 2, we discuss making your PHP code as secure as humanly possible Providing that security can take some care and ingenuity, because PHP is a powerful and flexible language that deliberately stays out of the way Instead of... Administrator’s Point of View 302 xiv www.it-ebooks.info ■ CONTENTS Maintaining Separate Development and Production Environments 303 Why Separate Development and Production Servers? .305 Effective Production Server Security 306 Keeping Software Up to Date 314 Installing Programs 315 Updating Software .320 Summary 326 ■Index ... a new dimension Suddenly, the compromise of what would appear to be merely local resources or secrets can affect other computers around the world In a networked world, every programmer and sysadmin has a responsibility to every other programmer and sysadmin to ensure that their code and systems are free from either accidental or malicious exploitation that could compromise other systems on the net... Fortunately, PHP is an extremely powerful language, well suited for providing security In the later chapters of this book, you will find a multitude of suggestions for keeping your applications as secure as can realistically be expected, along with specific plans for various aspects of protection, and the required code for carrying them out What Kinds of Attacks Are Web Applications Vulnerable To? It is probably... logs, saturate bandwidth, and attract other malicious users by advertising that the site has been compromised They are particularly dangerous because of their efficiency • Worms and viruses: Probably the most prominent form of automated attack, and certainly the most notorious, is the worm, or virus, a small program that installs itself onto your computer without your knowledge, possibly by attachment to... inaccurate picture of the public’s true opinions • An organization might create a website to promote interest in a new and expensive product, an automobile, a piece of electronic equipment, or almost anything It might decide to create interest in the new product by setting up a sweepstakes, where one of the new products will be given away to a person chosen by random from among all those who register... of PHP- based software solutions for their customers, customized many other systems, and integrated PHP applications to work with e-commerce systems, cloud applications, social media APIs, and mobile devices You can follow Thomas on Twitter, his handle is @myerman ■ Michael Southwell is a retired English professor who has been developing websites for more than 10 years in the small business, nonprofit, . / PHP Programming User level: Intermediate–Advanced THE APRESS ROADMAP Zend Enterprise PHP Patterns Beginning PHP and Oracle Pro PHP Security, 2nd Edition Pro PHP. Southwell, Coauthor of Pro PHP Security, First edition Snyder Myer Southwell SECOND EDITION PHP Security Companion eBook Available Pro THE EXPERT’S VOICE ®