Web Programming Step by Step, 2nd Edition

Chapter 15: Web Security

Except where otherwise noted, the contents of this document are Copyright 2012 Marty Stepp, Jessica Miller, and Victoria Kirst. All rights reserved. Any redistribution, reproduction, transmission, or storage of part or all of the contents in any form is prohibited without the author's expressed written permission.

Valid XHTML 1.1 Valid CSS!

15.1: Security Principles

Our current view of security

group hug

The real world

orcs (dorks?)

Attackers' goals

burglar

Why would an attacker target my site?

Tools that attackers use

firebug

Assume that the attacker knows about web dev and has the same tools you have:

Some kinds of attacks

burglar

Information leakage

information leakage

when the attacker can look at data, files, etc. that he/she should not be allowed to see

15.2: Cross-Site Scripting (XSS)

HTML injection

a flaw where a user is able to inject arbitrary HTML content into your page

8-ball

Injecting HTML content

8ball.php?question=<em>lololol</em>

Cross-site scripting (XSS)

a flaw where a user is able to inject and execute arbitrary JavaScript code in your page

8ball.php?question=<script type='text/javascript'>alert('pwned');</script>

Another XSS example

Buy-a-Grade

Securing against HTML injection / XSS

htmlspecialchars returns an HTML-escaped version of a string
$text = "<p>hi 2 u & me</p>";
$text = htmlspecialchars($text);   # "&lt;p&gt;hi 2 u &amp; me&lt;/p&gt;"

15.3: Validating Input Data

What is form validation?

A real form that uses validation

wamu

Client vs. server-side validation

Validation can be performed:

An example form to be validated

<form action="http://foo.com/foo.php" method="get">
	<div>
		City:  <input name="city" /> <br />
		State: <input name="state" size="2" maxlength="2" /> <br />
		ZIP:   <input name="zip" size="5" maxlength="5" /> <br />
		<input type="submit" />
	</div>
</form>

Basic server-side validation code

$city  = $_REQUEST["city"];
$state = $_REQUEST["state"];
$zip   = $_REQUEST["zip"];
if (!$city || strlen($state) != 2 || strlen($zip) != 5) {
	print "Error, invalid city/state/zip submitted.";
}

Regular expressions

/^[a-zA-Z_\-]+@(([a-zA-Z_\-])+\.)+[a-zA-Z]{2,4}$/

Regular expressions in PHP (PDF)

function description
preg_match(regex, string) returns TRUE if string matches regex
preg_replace(regex, replacement, string) returns a new string with all substrings that match regex replaced by replacement
preg_split(regex, string) returns an array of strings from given string broken apart using given regex as delimiter (like explode but more powerful)

PHP form validation w/ regexes

$state = $_REQUEST["state"];
if (!preg_match("/^[A-Z]{2}$/", $state)) {
	print "Error, invalid state submitted.";
}

Basic regular expressions

/abc/

Wildcards: .

Special characters: |, (), \

Quantifiers: *, +, ?

More quantifiers: {min,max}

Anchors: ^ and $

Character sets: []

Character ranges: [start-end]

Escape sequences

Regular expression PHP example

# replace vowels with stars
$str = "the quick    brown        fox";

$str = preg_replace("/[aeiou]/", "*", $str);
                         # "th* q**ck    br*wn        f*x"

# break apart into words
$words = preg_split("/[ ]+/", $str);
                         # ("th*", "q**ck", "br*wn", "f*x")

# capitalize words that had 2+ consecutive vowels
for ($i = 0; $i < count($words); $i++) {
	if (preg_match("/\\*{2,}/", $words[$i])) {
		$words[$i] = strtoupper($words[$i]);
	}
}                        # ("th*", "Q**CK", "br*wn", "f*x")

Regular expressions in JavaScript

Replacing text with regular expressions

15.4: SQL Injection

SQL injection

grades

a flaw where the user is able to inject arbitrary SQL into your query

A SQL injection attack

Too true...

bobby tables xkcd comic

Securing against SQL injection

quote returns a SQL-escaped version of a string
$username = $db->quote($_POST["username"]);
$password = $db->quote($_POST["password"]);
$query = "SELECT name, ssn, dob FROM users
WHERE username = $username AND password = $password";

15.5: Session-Based Attacks

Man-in-the-middle attack

man in the middle

when the attacker listens on your network and reads and/or modifies your data

Secure HTTP (HTTPS)

https

Session hijacking

firesheep

when the attacker gets a hold of your session ID and masquerades as you