PHP Security at OSCON

05 Mar 2004

O'Reilly Open Source Convention.

I will be giving three talks at OSCON this year: two sessions and a tutorial. They're all focused on PHP security in one way or another, and I'm very happy that O'Reilly is giving this topic so much attention. I'm including the descriptions below, although the exact outline of the tutorial (PHP Security) is subject to change.

Securing PHP Sessions

PHP's native session mechanism provides Web developers with all the tools they need to create stateful PHP applications. In this talk, I will explain how to take this one step further and secure your sessions: making impersonation harder for an attacker and defending against attacks such as session fixation and session hijacking.

By taking a detailed look at the HTTP transactions that take place as users interact with a Web application, you will gain important insight into the challenge of maintaining state. You will learn how to identify patterns in a Web browser's requests to create a virtual fingerprint as well as how to leverage multiple identifiers.

Beginning with the most basic example of implementing sessions with PHP, you are shown exactly what is required to impersonate a user. This basic example is strengthened as the talk continues by introducing a few different techniques. As each technique is introduced and explained, the resulting user experience is contrasted with a sample attack required to impersonate the user. By the end, you should have a much clearer understanding of sessions and walk away with some useful techniques that you can implement in your own applications.
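The following is an added example, not code from the talk or from the author: a PHP script that applies the techniques the abstract names (a fingerprint derived from the browser's requests, a fresh session ID on login, hardened cookies and an idle timeout), with a comment at each check describing the impersonation attempt it defeats. It assumes a server-side secret in the hypothetical `SESSION_SECRET` constant and a login form that posts `username` and `password` to this script; the user table is constructed inline. It uses functions from current PHP releases (`hash_equals`, `random_bytes`, `password_verify`, the array form of `session_set_cookie_params`), which did not exist in 2004.

```php
<?php
// Added example: hardening a PHP session against fixation and hijacking.
declare(strict_types=1);

const SESSION_SECRET = 'replace-with-a-long-random-value'; // assumption: loaded from config in practice

// Cookie hardening: not readable by page scripts, only sent over HTTPS,
// and not attached to requests initiated by other sites.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued (anti-fixation)
session_start();

// A request fingerprint: stable across one browser's requests and bound to a
// server secret, so an attacker who only stole the cookie must also match the
// victim's browser. User-Agent is the classic choice; Accept-* headers can be
// mixed in at the cost of more false positives.
function fingerprint(): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, SESSION_SECRET);
}

// Stand-in credential check (constructed for the example).
function credentialsValid(string $user, string $pass): bool
{
    $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function login(string $username): void
{
    // Attack defeated: fixation. An ID planted in the victim's browser before
    // login is discarded here, so the attacker's copy of it is worthless.
    session_regenerate_id(true);
    $_SESSION['username']    = $username;
    $_SESSION['fingerprint'] = fingerprint();
    $_SESSION['last_active'] = time();
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

function isAuthenticated(): bool
{
    if (!isset($_SESSION['username'], $_SESSION['fingerprint'], $_SESSION['last_active'])) {
        return false;
    }
    // Attack defeated: replaying a stolen cookie from a different client.
    if (!hash_equals($_SESSION['fingerprint'], fingerprint())) {
        return false;
    }
    // Attack defeated: using an old cookie long after the victim walked away.
    if (time() - $_SESSION['last_active'] > 900) {
        return false;
    }
    $_SESSION['last_active'] = time();
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (credentialsValid((string) $_POST['username'], (string) $_POST['password'])) {
        login((string) $_POST['username']);
    }
}

if (isAuthenticated()) {
    echo 'Hello, ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
} else {
    logout(); // any session that failed a check is thrown away, not kept around
    echo 'Please log in.';
}
```

The fingerprint check is deliberately a second factor rather than the only one: an attacker who can sniff the cookie can usually read the User-Agent too, so the real gains come from the HTTPS-only cookie, the regenerated ID and the timeout, with the fingerprint raising the bar for the common case of a leaked cookie value alone.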

Foiling Cross-Site Attacks

PHP is quickly becoming the world's most popular programming language for creating Web applications. As more and more applications are being built for the Web, security is becoming a crucial topic. One of the best methods you can use to educate yourself about PHP security is to study the various types of attacks that you must defend against.

This talk introduces two of the most common types of attacks that current Web developers face, Cross-Site Scripting (XSS) and Cross-Site Request Forgeries (CSRF). Because XSS involves exploiting the trust granted to a particular Web site and CSRF involves exploiting the trust granted to a particular user, these two example attacks will help demonstrate a wide variety of application-based attacks.

By using examples that illustrate exactly how these types of attacks are accomplished, you are shown simple and effective techniques that you can use to help prevent such vulnerabilities in your own PHP applications.
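As an added example (not code from the talk or the author), here is a small comment page showing the two defenses that follow from how the attacks work: escaping on output so an injected `<script>` tag is rendered as text rather than executed, and a per-session secret token that a form on an attacker's site cannot supply. The comment store in `$_SESSION['comments']` is a constructed stand-in for a database, and `hash_equals` and `random_bytes` are current-PHP functions.

```php
<?php
// Added example: a comment form defended against XSS and CSRF.
declare(strict_types=1);
session_start();

// CSRF: a random secret tied to this session. A cross-site form can trigger
// a POST with the victim's cookie, but it cannot read this value to include it.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfValid(?string $sent): bool
{
    return is_string($sent)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// XSS: encode for an HTML text or attribute context. The vulnerable form of
// this page would be `echo $_POST['comment'];` with no encoding at all.
// Other contexts (JavaScript, URLs, CSS) need their own encoders.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$comments = $_SESSION['comments'] ?? []; // constructed stand-in for a database
$error = null;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid(isset($_POST['token']) ? (string) $_POST['token'] : null)) {
        $error = 'Request rejected: missing or invalid token.';
    } else {
        // Filter input on the way in (length, non-empty); keep the raw text and
        // escape on the way out, so the stored data stays usable in any context.
        $text = trim((string) ($_POST['comment'] ?? ''));
        if ($text === '' || mb_strlen($text) > 500) {
            $error = 'Comment must be between 1 and 500 characters.';
        } else {
            $comments[] = $text;
            $_SESSION['comments'] = $comments;
        }
    }
}
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($error !== null): ?>
  <p><?= h($error) ?></p>
<?php endif; ?>
<ul>
<?php foreach ($comments as $c): ?>
  <li><?= h($c) ?></li> <!-- a submitted <script>alert(1)</script> shows as literal text -->
<?php endforeach; ?>
</ul>
<form method="post" action="">
  <input type="hidden" name="token" value="<?= h(csrfToken()) ?>">
  <textarea name="comment"></textarea>
  <button type="submit">Post</button>
</form>
</body>
</html>
```

The two defenses are independent: the token does nothing against XSS (a script already running on the page can read it), and output encoding does nothing against CSRF, which needs no injected content at all. Both are needed because each attack abuses a different trust relationship.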

PHP Security

This is just a preliminary outline. I am choosing a focused selection of topics from my upcoming book, PHP Security.

  1. Overview
    What Is Security?
    Register Globals
    Data Filtering
    Error Reporting
  2. Form Processing
    Spoofed Form Submissions
    Spoofed HTTP Requests
    Cross-Site Attacks
  3. Databases and SQL
    Exposed Access Credentials
    SQL Injection
  4. Sessions
    Session Fixation
    Session Hijacking
  5. Shared Hosts
    Exposed Session Data
    Browsing the Filesystem