Evil Code Examples CSCI 4300


Evil Code and how to defend against it
CSCI 4300
http://shiflett.org/php-security.pdf
http://phpsec.org/projects/guide/2.html
Defense against form input attacks: data filtering
Dispatch method
Dispatch script example
Spoofed form input
Whitelist Input Verification
Whitelist Email address verification
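The following is an added example (not code from the slides or from the linked guides) of whitelist input filtering and a whitelist-based dispatch script. The field names stock and n_shares are taken from the trade form later in the deck; the task table, the accepted patterns and the sample inputs are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Whitelist validation: each field is accepted only if it matches an explicit
// pattern or an explicit list of allowed values. Anything else is rejected
// outright rather than "cleaned up" (a blacklist misses what it did not foresee).

function validStockSymbol(string $raw): ?string
{
    // Ticker symbols: 1 to 5 upper-case letters, nothing else.
    return preg_match('/^[A-Z]{1,5}$/', $raw) === 1 ? $raw : null;
}

function validShareCount(string $raw): ?int
{
    // Positive integer: no sign, no leading zeros, no decimal point, at most 6 digits.
    return preg_match('/^[1-9][0-9]{0,5}$/', $raw) === 1 ? (int) $raw : null;
}

function validEmail(string $raw): ?string
{
    // Use the built-in validator instead of a hand-written address regex.
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Dispatch script: a single entry point maps the user-supplied task name onto a
// script through a fixed table (assumed here), so the request never names a file.
const TASKS = [
    'view' => 'view.inc',
    'post' => 'post.inc',
];

function dispatchTarget(string $task): ?string
{
    return TASKS[$task] ?? null;   // null for any task not in the table
}

// Constructed sample inputs; no real form is involved.
$cases = [
    ['stock',    'IBM',             validStockSymbol('IBM')],
    ['stock',    'ibm!',            validStockSymbol('ibm!')],
    ['n_shares', '100',             validShareCount('100')],
    ['n_shares', '1000000',         validShareCount('1000000')],   // 7 digits, over the cap
    ['email',    'bob@example.com', validEmail('bob@example.com')],
    ['email',    'bob@exa mple',    validEmail('bob@exa mple')],
    ['task',     'view',            dispatchTarget('view')],
    ['task',     'admin',           dispatchTarget('admin')],
];
foreach ($cases as [$field, $raw, $clean]) {
    printf("%-8s %-16s -> %s\n", $field, $raw,
        $clean === null ? 'REJECTED' : var_export($clean, true));
}
```

Each validator returns null on failure so the caller cannot accidentally use an unchecked value; the dispatcher does the same with the task name, which is the point of the single-entry-point design.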
Simple message board
Message Board Attack
Message Board defense
• Security tip: use pre-existing PHP functions; they are more efficient and less likely to contain security holes.
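An added example (not from the slides) of the message board defense, applying the tip above: input is whitelisted and bounded on the way in, and output is escaped with the built-in htmlspecialchars() rather than a hand-written replacement routine. It assumes that the attack on the board is a post containing HTML markup or script; the board structure and the sample posts are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

function acceptMessage(array &$board, string $author, string $body): bool
{
    // Whitelist the author name and bound the body length; reject anything else.
    if (preg_match('/^[A-Za-z0-9_]{1,20}$/', $author) !== 1) {
        return false;
    }
    if ($body === '' || strlen($body) > 1000) {
        return false;
    }
    // Store the raw text; escaping is done at render time, so the stored data
    // stays usable for other outputs (plain text, JSON) with their own escaping.
    $board[] = ['author' => $author, 'body' => $body];
    return true;
}

function renderMessage(array $m): string
{
    // ENT_QUOTES escapes both quote characters as well as < > &, so the text
    // can never close a tag or an attribute in the surrounding HTML.
    $a = htmlspecialchars($m['author'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $b = htmlspecialchars($m['body'],   ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class=\"msg\"><b>$a</b>: $b</div>";
}

// Constructed sample posts: a normal one, one containing markup, one with a bad name.
$board = [];
acceptMessage($board, 'alice',     'Hello, board!');
acceptMessage($board, 'mallory',   '<b>bold</b> & "quoted" <script>alert(1)</script>');
acceptMessage($board, 'bad name!', 'rejected before storage');

foreach ($board as $m) {
    echo renderMessage($m), "\n";
}
```

The second post is stored but rendered as inert text: the browser displays the angle brackets instead of interpreting the tags, because every < > & " ' has been converted to an entity.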
Cross-Site Request forgeries
• Victim has authenticated to target site T
• Evil site E forges a privileged request to T
• Forged request succeeds by virtue of the victim's authentication tokens.
Cross-Site Request Forgery example
• Target site, stox.com (trade form):
<input type="text" name="stock">
<input type="text" name="n_shares">
<input type="submit">
• Evil site, evil-hackers.org:
<img src="http://stox.com/?stock=IBM&n_shares=1000000">
CSRF defense: form tokens
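An added example (not code from the slides) of the form-token defense for the stox.com scenario above. The session array is passed in explicitly so the functions can be run from the command line; in a real application you would call session_start() and pass $_SESSION. The function names and the simulated requests are assumptions for the demonstration.

```php
<?php
declare(strict_types=1);

// Issue one unguessable token per session and embed it in every state-changing form.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit CSPRNG token
    }
    return $session['csrf_token'];
}

// Hidden field for the trade form (or any other form that changes state).
function csrfHiddenField(array &$session): string
{
    $t = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $t . '">';
}

// Allow a state-changing request only if it is a POST carrying the session's token.
// An <img src=...> on the evil site can only issue a GET and cannot read the
// victim's session to learn the token, so either check alone defeats the forgery.
function csrfRequestAllowed(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;
    }
    if (empty($session['csrf_token'])
        || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']); // constant-time compare
}

// Constructed demonstration: a simulated session and three simulated requests.
$session = [];
echo csrfHiddenField($session), "\n";   // what the legitimate trade form would include

$legit  = ['stock' => 'IBM', 'n_shares' => '10', 'csrf_token' => $session['csrf_token']];
$forged = ['stock' => 'IBM', 'n_shares' => '1000000'];   // what the <img> request carries

var_dump(csrfRequestAllowed($session, 'POST', $legit));   // legitimate form submission
var_dump(csrfRequestAllowed($session, 'GET',  $forged));  // forged via <img>: wrong method
var_dump(csrfRequestAllowed($session, 'POST', $forged));  // forged POST: no token
```

The token is compared with hash_equals() rather than == so that the comparison time does not depend on how many leading characters match; the hidden field is escaped on output for the same reason as any other value placed into HTML.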
Database Credentials
• Place db.inc outside of document root, so it cannot be accessed via a URL!
SQL injection attack
• <?php
// get $uname and $passwd from the submitted form
...
mysql_query("select * from user where uname='$uname' and password='$passwd'");
Evil input:
$uname = my_uname
$passwd = mypasswd'; delete from user where 'a'='a
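An added example (not code from the slides) of the defense: a parameterised query through PDO in place of the string-built SQL above, with the password stored and checked as a hash rather than compared in clear text. To run stand-alone it uses an in-memory SQLite database (the pdo_sqlite extension is assumed); with MySQL only the DSN and credentials change, and those credentials would be loaded from db.inc outside the document root as the earlier slide recommends. The table layout and the sample user are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// In-memory SQLite keeps the example self-contained. For MySQL the DSN would
// come from db.inc outside the document root, e.g.
//   require dirname(__DIR__) . '/private/db.inc';   (hypothetical path)
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and one constructed user. The password column holds a
// password_hash() value, never the clear-text password used in the slide's query.
$db->exec('CREATE TABLE user (uname TEXT PRIMARY KEY, password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO user (uname, password) VALUES (:u, :p)');
$ins->execute([':u' => 'my_uname', ':p' => password_hash('mypasswd', PASSWORD_DEFAULT)]);

function login(PDO $db, string $uname, string $passwd): bool
{
    // The placeholder is bound as data: quotes and semicolons in $uname are
    // carried as characters of the value, never parsed as SQL, so nothing
    // needs to be escaped by hand.
    $stmt = $db->prepare('SELECT password FROM user WHERE uname = :u');
    $stmt->execute([':u' => $uname]);
    $hash = $stmt->fetchColumn();          // false when no such user
    // The password never reaches the database at all; it is verified in PHP.
    return $hash !== false && password_verify($passwd, (string) $hash);
}

// Legitimate login versus the slide's evil input.
$evil = "mypasswd'; delete from user where 'a'='a";
var_dump(login($db, 'my_uname', 'mypasswd'));   // correct password
var_dump(login($db, 'my_uname', $evil));        // evil input is just a wrong password

// The user table is untouched: the injected text was never executed as SQL.
var_dump((int) $db->query('SELECT COUNT(*) FROM user')->fetchColumn());
```

Two things changed relative to the slide: the value is bound instead of interpolated, which removes the injection regardless of what the user types, and the password comparison moved out of SQL into password_verify(), so a read of the table yields hashes rather than passwords.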