About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


PHP Security by Example

Almost an entire month has passed since my last blog entry, and a lot has happened. I'll try to catch up over the next week or two.

About a week ago, the Flash version of PHP Security by Example was Dugg.

I'm always disappointed to see trolls (Digg seems to have a bigger problem with this than Slashdot), but a few of the comments raise some valid questions. I'll try to summarize and answer those here.

It's true that slides are never a substitute for a talk, and this is especially true for this one, because it's a hands-on workshop. It's something Marco calls a BYOL (bring your own laptop), and it involves a lot of one-on-one attention and hand-holding.

The reason it's in Flash is because the person submitting the story linked to the Flash version. :-) To be fair, the only other format available for this talk is PDF. I've been wanting to create a nice web application for viewing Keynote slides. I think the best approach might be to export the slides as images, and create a simple slide navigator. I can always continue to also offer PDF, Quicktime, and Flash formats.

One comment really stands out:

If these tips helped you in a commercial website, then you should refund your customers' money because you have no business writing software. The last thing the world needs is another PHP programmer that doesn't understand security.

I disagree with this type of comment (the underlying sentiment is shared by others) for a couple of reasons:

  • The attacks covered in this talk have been known to affect many major web applications, including Google, Amazon, and Yahoo. CSRF in particular is still a dangerous attack that seems to be hovering below the radar of many developers. Ignorance is not exactly the same thing as incompetence.
  • Elitism does nothing to promote the education of up-and-coming developers. This industry needs a nurturing environment, not one where those who don't know something are afraid to ask questions. This is especially true for niche topics such as web application security. Don't assume everyone who doesn't know about XSS is an idiot.

These comments have motivated me to improve the slides for this talk, and I might try to prepare a video that demonstrates some of these attacks, so that it's more useful to an Internet audience.

This is a perfect opportunity to promote Dan Kuykendall's new Hackme Test Site. It's a hands-on environment where you can try some XSS and SQL injection attacks of your own. Check it out.

About This Post

PHP Security by Example was posted on Thu, 06 Jul 2006 at 18:20:03 GMT.

9 Comments

1. Nick said:

Glad you're back with us Chris :)

I agree completely with your comments - there is too much elitism in this industry - I think people assume PHP itself is insecure or inefficient, but it's just a case of inexperienced developers who haven't taken the time to learn how to build secure applications.

If more people like you could reach out to these inexperienced developers, then I'm sure PHP's reputation would be improved.

Regards,

Nick.

Thu, 06 Jul 2006 at 19:14:38 GMT


2. Matthieu said:

I totally agree with you and I think nobody has the ability to know everything about everything. Security of web applications is a subject that has been ignored for many years because developers were focusing on other aspects such as performance. That's probably why many people don't know about it, and unless you spend your time reading security digests, there is no way to know about a problem until it hits you or it gets enough focus from the community to be noticed. You may not have ever had to experience it. And the same thing goes with other aspects considered basic, like using indexes in your tables and such. Of course, if you know about it and choose to ignore it, that's another problem. I think programming end-user applications is a question of compromises, and sometimes you have to give in on a certain aspect because of time constraints or budget.

To comment about the inappropriate comment, I'd say that nobody can pretend to deliver a flawless product, that would be very pretentious.

Thu, 06 Jul 2006 at 20:14:29 GMT


3. Aaron said:

Soooooooo that's where all the trolls went. Slashdot was getting pretty quiet. Now with the new Web2.0 look I hope we can get some of our troll-share back ;)

Fri, 07 Jul 2006 at 15:58:55 GMT


4. Marcelo Santos Araujo said:

A really good explanation about security issues and SQL injection techniques :)

Congrats for delivering such nice articles!

Thanks,

Marcelo Araujo

Sat, 08 Jul 2006 at 15:01:42 GMT


5. Chris Shiflett said:

Thanks, Marcelo. :-)

Hopefully I can make it better.

Sat, 08 Jul 2006 at 15:04:56 GMT


6. R.Rajesh Jeba Anbiah said:

FWIW, you may try Eric Meyer's tool for presentation http://meyerweb.com/eric/tools/s5/

Mon, 10 Jul 2006 at 05:46:17 GMT


7. Peter Brodersen said:

I really like that you point out that _SERVER variables are tainted as well.

I think people often overlook this. PHP_SELF "seems" like it is fixed, but as you have pointed out, it is not.

I believe that another interesting stab would be at other variables, such as the HTTP_HOST. This seems fixed (or at least non-vulnerable for "special characters"), but this could be tainted as well, though some prerequisites would have to exist:

A couple of sites have DNS entries like *.example.com. Furthermore, Apache would be configured to have *.example.com as a ServerAlias for a specific virtual host.

One could create a custom HTTP request with the following Host header:

Host: www.%22%3EXSS.example.com

Custom requests don't exploit that much, as we would only fiddle with the output for our own request. But some HTTP clients - e.g. Internet Explorer 6 - would happily request www.%22%3EXSS.example.com (currently it seems like Firefox and Opera consider the URL invalid) and since the DNS and web server answer for *.example.com our request would work.

Besides "Don't trust user data" I suppose the lesson is "Be sure to know where user data could actually appear".

Mon, 10 Jul 2006 at 23:28:02 GMT
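A defender's version of the point Peter makes above, as an added example that is not code from the original post or its comments: PHP_SELF and HTTP_HOST are request data, so they get escaped on output and the Host value is checked against an allow-list before it is used to build links (the allow-listed hostnames are constructed, and PHP 7 or later is assumed).

```php
<?php
// Added example, not from the original post or comments. PHP_SELF and
// HTTP_HOST come from the client's request, so they are user input and need
// the same output escaping and validation as $_GET and $_POST.
// The hostnames below are constructed for the example; PHP 7+ is assumed.

// The hosts this application is actually meant to serve. With a wildcard
// ServerAlias (*.example.com) the web server answers for any subdomain, so
// the application has to decide for itself which Host values are legitimate.
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

// Escape a string for use inside an HTML attribute or text node.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Return a hostname that is safe to embed in links, redirects or e-mails.
// The client's Host header is used only if it matches the allow-list
// exactly; otherwise the configured default replaces whatever was sent.
function canonical_host(array $server): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host); // drop an optional :port
    return in_array($host, ALLOWED_HOSTS, true) ? $host : ALLOWED_HOSTS[0];
}

// Vulnerable pattern (kept as a comment): PHP_SELF includes any extra path
// the client appends after the script name, so echoing it raw puts
// client-controlled text straight into the action attribute.
//   echo '<form action="' . $_SERVER['PHP_SELF'] . '">';

// Hardened: escape on output. SCRIPT_NAME is also preferable to PHP_SELF
// here because it does not carry the trailing path info at all.
echo '<form action="' . html($_SERVER['SCRIPT_NAME']) . '" method="post">';

// Hardened: the Host header never decides which host ends up in a link.
echo '<a href="https://' . html(canonical_host($_SERVER)) . '/login">Log in</a>';
```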


8. streaky said:

What's that skippy? Troll 2.0?

Having looked at the slides, I see no issue, looks like a basic, straightforward introduction to basic problems new developers fall into.

I love this comment -

"His first example was retarded. Running javascript in your own browser is not XSS, there's no benefit."

- five minutes looking through the changelog of any open source application and you'll find fixes for hundreds of these, including ones I've worked on. I can't emphasize enough how dangerous these kinds of attacks are - they allow a person to get things like login cookies and user session IDs, they should be avoided at all costs.

Right from the start it's pretty blatant that this slide show was created to be part of a presentation, and is in no way aimed at a casual web user. If anybody thinks otherwise, who is truly the retarded person there?

And the last comment - "lame really lame n00b examles" - well, isn't that the point? Seems to me to be a basic introduction. So it's not like you're going to put complicated examples into it.

My favorite resource for XSS related stuff is the XSS Cheat Sheet at http://ha.ckers.org/xss.html - it's got lots of examples of very complex attacks that even the most dedicated fail to find.

Regards, Keep up the good work!

Fri, 21 Jul 2006 at 08:34:54 GMT


9. Bob Mehoff said:

I can't believe that they don't support URLs like the following:

http://ha.ckers.org/

http://sla.ckers.org/

http://pa.ckers.org/

There's got to be at least some AdSense revenue there.

And all you get is no domain, or a picture of Johnny Cash flipping you off. You'd think at least they'd have one of a GBP QB giving you the finger :)

Oh well,

You can't have everything (at least at the same time)

Tue, 25 Jul 2006 at 09:33:36 GMT

