The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection

Introduction to PHP Security

Course description

This implementation-focused course dives into the core security skills needed for the PHP platform. It provides strategies and examples for previously insecure practices in PHP.

Learning objectives

  • Understand how web servers handle requests and hand them over to PHP interpreter
  • Recognize that there is no sandbox with PHP, and know how to tackle those implications
  • Use configuration files to control the PHP interpreter to effectively apply the most important security controls
  • Properly plan for users and the filesystem to prevent command execution
  • Recognize that the availability of dynamic code does not mean it can be used
  • Generate strong random numbers in different versions of PHP with CSPRNG and PRNG
  • Perform checks on $_FILES server-side and client-side
  • Achieve and describe the concept of plane separation with PDO and other drivers
  • Set up a project (i.e., code, not a server) capable of customized error handling without showing verbose error information to the user

Details

Delivery Format: eLearning

Duration: 1 hour

Level: Intermediate

Intended Audience:

  • Architects
  • Back-End Developers
  • Front-End Developers
  • Enterprise Developers
  • QA Engineers

Prerequisites:

Course Outline

Web Server Configuration
  • Web Server and PHP Interpreter
  • Handlers
  • Superglobals
  • Forced Browsing
  • Forced Browsing: Storing Code Outside the Root
  • Forced Browsing: Storing Everything in the Document Root
  • Apache Caveat
  • Directory Exceptions
  • Run As Unprivileged User

PHP Configuration and Sandboxing

  • Breaking Out of the PHP Sandbox
  • OS Command Injection
  • OS Command Injection: Example
  • File System Access
  • Path Traversal
  • File System Manipulation
  • disable_functions
  • Handling Errors Safely
  • Configuring Error Reporting

PHP Command Injection

  • Dynamic Code Injection
  • eval()
  • Be Careful With Callbacks
  • Remote and Local File Inclusion
  • Injecting Code as Data
  • Template Injection
  • Serialization
  • Using extract() in Views
  • Malware Loves Dynamic Code
  • The Darker Side of Magic

Using the Right Tool for the Job

  • (CS)PRNG
  • Native PRNGs in PHP
  • Session Management
  • Is Your Server-Side Check Really Server-Side?
  • Don't Trust Your $_FILES
  • Validate Your MIME Types Correctly
  • Rename Your Uploads
  • Store Your Uploads Securely
  • Not Just $_FILES
  • TimThumb Fiasco

SQL Injection

  • SQL Injections
  • Non-Malicious Input
  • Malicious Input
  • Parameterized Queries
  • Prepared Statements
  • Other Database Engines
  • Validating Inputs

Mitigating Content Injection Attacks

  • XSS
  • Stored XSS
  • Reflected XSS
  • DOM-Based XSS
  • Separation of Concerns
  • Output Encoding
  • URL Encoding
  • How to Steal Credentials Using XSS
  • XML Injection
  • XML External Entity (XXE)
  • XML Entity Expansion (XEE)
  • PHP's XML Parsers
  • Securing XML in PHP
  • The Google Toolbar Attack
  • LDAP
  • LDAP Injection
  • Escaping LDAP User Inputs

Password Storage

  • Data Breaches
  • Password Storage and Verification
  • Simple Hash
  • Simple Attacks
  • Salted Hashes as Defense
  • Adaptive One-Way Functions
  • Selecting a One-Way Function
  • Default Behavior and Calling Conventions
  • Best Practice: Specifics of Argon2

Third-Party Components

  • Problem Definition
  • That Time Our Framework Didn't Protect Us
  • Dependency Management 101
  • To Fork or Not to Fork
  • Coordinating Release
  • Provenance and Distribution Integrity
  • Cautionary Tale: left-pad
  • Composer
  • Composer Risks
  • PHP's Native Extensions
  • Risks of Native Extensions
  • Bottom Line
  • Open Source Is More Secure, Right?

Requests and Responses

  • Requests and Responses
  • What Triggers the Output?
  • Responses and Structure
  • Gotta Catch-All!
  • Error Reporting Question
  • Output Buffering
  • Bear Traps Included!
  • Redirection
  • Authenticating Requests
  • CSRF Tokens

Training

Developer Security Training

Equip development teams with the skills and education to write secure code and fix issues faster