Document information
BOOKS FOR PROFESSIONALS BY PROFESSIONALS
®
Pro PHP Security
If you've been a web developer for even a short time, you know that security is at once one of the most misunderstood and most important parts of your job. You need only experience the anguish of having a web site or application “hacked” by someone several continents away to understand that. By providing the most current information available, this title will help you understand and avoid web security challenges while providing solutions for common real-world problems.

This book begins by taking you through what can be done to secure your code, providing a rock-solid grounding in the fundamentals of PHP security. Next, the book expands on that topic by showing what you can do to help protect your users and environment, covering such topics as encryption, SSL and SSH, UNIX security, CAPTCHAs, and more. Finally, the book delves into often forgotten (but incredibly important) topics such as keeping software up to date and maintaining separate production and development environments.

Security is a big deal, and this book has been updated so today’s PHP developer can successfully meet all of the security challenges of the future.
Chris Snyder, Author of
Pro PHP Security, First edition
Thomas Myer, Author of
No Nonsense XML Web
Development with PHP
Mac Basics in Simple Steps
Shelve in:
Web Development / PHP
Programming
User level:
Intermediate–Advanced
THE APRESS ROADMAP
Zend Enterprise PHP Patterns
Beginning PHP and Oracle
Pro PHP Security, 2nd Edition
Pro PHP Refactoring
Beginning PHP & MySQL, 4th Edition
PHP Objects Patterns & Practice, 3rd Edition
www.apress.com
SOURCE CODE ONLINE
Companion eBook
Michael Southwell,
Coauthor of
Pro PHP Security, First edition
Snyder, Myer, Southwell
THE EXPERT’S VOICE ® IN OPEN SOURCE
Pro PHP Security
From Application Security Principles to the Implementation of XSS Defenses
SECOND EDITION
Chris Snyder, Thomas Myer, and Michael Southwell
Use PHP 5.3 to solve classic and modern day security concerns, from SQL injection to mobile security
Companion eBook Available
www.it-ebooks.info
Pro PHP Security
From Application Security Principles to the
Implementation of XSS Defenses
Second Edition
■ ■ ■
Chris Snyder
Thomas Myer
Michael Southwell
Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses,
Second Edition
Copyright © 2010 by Chris Snyder, Thomas Myer, and Michael Southwell
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any
means, electronic or mechanical, including photocopying, recording, or by any information
storage or retrieval system, without the prior written permission of the copyright owner and the
publisher.
ISBN-13 (pbk): 978-1-4302-3318-3
ISBN-13 (electronic): 978-1-4302-3319-0
Printed and bound in the United States of America 9 8 7 6 5 4 3 2 1
Trademarked names, logos, and images may appear in this book. Rather than use a trademark
symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and
images only in an editorial fashion and to the benefit of the trademark owner, with no intention of
infringement of the trademark.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if
they are not identified as such, is not to be taken as an expression of opinion as to whether or not
they are subject to proprietary rights.
President and Publisher: Paul Manning
Lead Editor: Frank Pohlmann
Technical Reviewer: Chris Snyder
Editorial Board: Steve Anglin, Mark Beckner, Ewan Buckingham, Gary Cornell, Jonathan
Gennick, Jonathan Hassell, Michelle Lowman, Matthew Moodie, Duncan Parkes, Jeffrey
Pepper, Frank Pohlmann, Douglas Pundick, Ben Renow-Clarke, Dominic Shakeshaft, Matt
Wade, Tom Welsh
Coordinating Editor: Adam Heath
Copy Editor: Jim Compton
Compositor: MacPS, LLC
Indexer: BIM Indexing & Proofreading Services
Artist: April Milne
Cover Designer: Anna Ishchenko
Distributed to the book trade worldwide by Springer Science+Business Media, LLC., 233
Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505,
e-mail orders-ny@springer-sbm.com, or visit www.springeronline.com.
For information on translations, please e-mail rights@apress.com, or visit www.apress.com.
Apress and friends of ED books may be purchased in bulk for academic, corporate, or promotional
use. eBook versions and licenses are also available for most titles. For more information, reference
our Special Bulk Sales–eBook Licensing web page at www.apress.com/info/bulksales.
The information in this book is distributed on an “as is” basis, without warranty. Although every
precaution has been taken in the preparation of this work, neither the author(s) nor Apress shall
have any liability to any person or entity with respect to any loss or damage caused or alleged to be
caused directly or indirectly by the information contained in this work.
This, like all the others, is dedicated to my wife Hope Doty.
Thanks for loving me anyway.
—T.M.
Contents at a Glance
■Contents v
■About the Authors xvi
■Acknowledgments xvii
■Preface xviii
Part 1: The Importance of Security 1
■Chapter 1: Why Is Secure Programming a Concern? 3
Part 2: Practicing Secure PHP Programming 13
■Chapter 2: Validating and Sanitizing User Input 15
■Chapter 3: Preventing SQL Injection 33
■Chapter 4: Preventing Cross-Site Scripting 45
■Chapter 5: Preventing Remote Execution 59
■Chapter 6: Enforcing Security for Temporary Files 81
■Chapter 7: Preventing Session Hijacking 93
■Chapter 8: Securing REST Services 105
Part 3: Practicing Secure Operations 115
■Chapter 9: Using CAPTCHAs 117
■Chapter 10: User Authentication, Authorization, and Logging 133
■Chapter 11: Preventing Data Loss 159
■Chapter 12: Safe Execution of System and Remote Procedure Calls 177
Part 4: Creating a Safe Environment 207
■Chapter 13: Securing Unix 209
■Chapter 14: Securing Your Database 221
■Chapter 15: Using Encryption 229
■Chapter 16: Securing Network Connections: SSL and SSH 267
■Chapter 17: Final Recommendations 295
■Index 327
Contents
■Contents at a Glance iv
■About the Authors xvi
■Acknowledgments xvii
■Preface xviii
Part 1: The Importance of Security 1
■Chapter 1: Why Is Secure Programming a Concern? 3
What Is Computer Security? 3
Why Absolute Computer Security Is Impossible 4
What Kinds of Attacks Are Web Applications Vulnerable To? 4
When Users Provide Information 4
When Information Is Provided to Users 8
In Other Cases 8
Five Good Habits of a Security-Conscious Developer 9
Nothing Is 100% Secure 10
Never Trust User Input 10
Defense in Depth Is the Only Defense 11
Simpler Is Easier to Secure 11
Peer Review Is Critical to Security 12
Summary 12
Part 2: Practicing Secure PHP Programming 13
■Chapter 2: Validating and Sanitizing User Input 15
What to Look For 15
Input Containing Metacharacters 16
Input of the Wrong Type 16
Too Much Input 17
Abuse of Hidden Interfaces 17
Input Bearing Unexpected Commands 18
Strategies for Validating User Input in PHP 18
Secure PHP’s Inputs by Turning Off Global Variables 18
Declare Variables 20
Allow Only Expected Input 21
Check Input Type, Length, and Format 22
Sanitize Values Passed to Other Systems 25
Testing Input Validation 31
Summary 31
■Chapter 3: Preventing SQL Injection 33
What SQL Injection Is 33
How SQL Injection Works 33
PHP and MySQL Injection 35
Kinds of User Input 35
Kinds of Injection Attacks 36
Multiple-Query Injection 36
Preventing SQL Injection 37
Demarcate Every Value in Your Queries 37
Check the Types of Users’ Submitted Values 38
Escape Every Questionable Character in Your Queries 39
Abstract to Improve Security 39
Full Abstraction 42
Test Your Protection Against Injection 42
Summary 43
■Chapter 4: Preventing Cross-Site Scripting 45
How XSS Works 45
Scripting 45
Categorizing XSS Attacks 46
A Sampler of XSS Techniques 47
HTML and CSS Markup Attacks 48
JavaScript Attacks 49
Forged Action URIs 49
Forged Image Source URIs 50
Extra Form Baggage 50
Other Attacks 51
Preventing XSS 51
SSL Does Not Prevent XSS 51
Strategies 51
Test for Protection Against XSS Abuse 57
Summary 57
■Chapter 5: Preventing Remote Execution 59
How Remote Execution Works 59
The Dangers of Remote Execution 60
Injection of PHP Code 60
Embedding of PHP Code in Uploaded Files 61
Injection of Shell Commands or Scripts 63
Strategies for Preventing Remote Execution 65
Limit Allowable Filename Extensions for Uploads 65
Store Uploads Outside the Web Document Root 66
Allow Only Trusted, Human Users to Import Code 66
Sanitize Untrusted Input to eval() 66
Do Not Include PHP Scripts from Remote Servers 71
Properly Escape All Shell Commands 71
Beware of preg_replace() Patterns with the e Modifier 75
Testing for Remote Execution Vulnerabilities 78
Summary 78
■Chapter 6: Enforcing Security for Temporary Files 81
The Functions of Temporary Files 81
Characteristics of Temporary Files 82
Locations 82
Permanence 82
Risks 82
Preventing Temporary File Abuse 84
Make Locations Difficult 84
Make Permissions Restrictive 87
Write to Known Files Only 88
Read from Known Files Only 88
Checking Uploaded Files 89
Test Your Protection Against Hijacking 90
Summary 91
■Chapter 7: Preventing Session Hijacking 93
How Persistent Sessions Work 93
PHP Sessions 93
Abuse of Sessions 96
Session Hijacking 97
Fixation 99
Preventing Session Abuse 100
Use Secure Sockets Layer 100
Use Cookies Instead of $_GET Variables 100
Use Session Timeouts 101
[...] These people never get their names on the cover, but they probably do at least 50% of the work in getting the thing out. This project was no different. Many thanks to Chris Snyder for having lots of patience with me and my proposed changes to his first edition. Also, many thanks to Adam Heath for keeping me on track (even though most of the time he probably wanted to reach through the phone and strangle ... copyeditors, art directors, and production people who turned my gibberish into something with a professional layout.
Tom Myer

Preface
Thanks for purchasing the second edition of this book. It’s been almost five years since the first edition was published, and that meant that a lot has changed in the world of web security. Our goal for this edition of the book was simple: ...

... organization by providing bogus demographic data on a large scale, or by flooding the sales team with bogus requests for contact.

When Information Is Provided to Users
It might seem that the creators of any web application whose business is to provide information to users would be happy when such information is actually provided. But ...

... way outward to systems and environments.

PART 2: Practicing Secure PHP Programming
In Part 1, you saw a brief overview of the importance of security. In Part 2, we discuss making your PHP code as secure as humanly possible. Providing that security can take some care and ingenuity, because PHP is a powerful and flexible language that deliberately stays out of the way. Instead of ...

... Administrator’s Point of View 302
Maintaining Separate Development and Production Environments 303
Why Separate Development and Production Servers? 305
Effective Production Server Security 306
Keeping Software Up to Date 314
Installing Programs 315
Updating Software 320
Summary 326
■Index ...

... a new dimension. Suddenly, the compromise of what would appear to be merely local resources or secrets can affect other computers around the world. In a networked world, every programmer and sysadmin has a responsibility to every other programmer and sysadmin to ensure that their code and systems are free from either accidental or malicious exploitation that could compromise other systems on the net ... Fortunately, PHP is an extremely powerful language, well suited for providing security. In the later chapters of this book, you will find a multitude of suggestions for keeping your applications as secure as can realistically be expected, along with specific plans for various aspects of protection, and the required code for carrying them out.

What Kinds of Attacks Are Web Applications Vulnerable To?
It is probably ... logs, saturate bandwidth, and attract other malicious users by advertising that the site has been compromised. They are particularly dangerous because of their efficiency.
• Worms and viruses: Probably the most prominent form of automated attack, and certainly the most notorious, is the worm, or virus, a small program that installs itself onto your computer without your knowledge, possibly by attachment to ...
... inaccurate picture of the public’s true opinions.
• An organization might create a website to promote interest in a new and expensive product, an automobile, a piece of electronic equipment, or almost anything. It might decide to create interest in the new product by setting up a sweepstakes, where one of the new products will be given away to a person chosen by random from among all those who register ...

... of PHP-based software solutions for their customers, customized many other systems, and integrated PHP applications to work with e-commerce systems, cloud applications, social media APIs, and mobile devices. You can follow Thomas on Twitter; his handle is @myerman.
■ Michael Southwell is a retired English professor who has been developing websites for more than 10 years in the small business, nonprofit, ...
Posted: 17/03/2014, 11:20
See also: Pro PHP Security, 2nd Edition ppt