February 29 - March 2, 2012
Montreal, Canada

PHP Web Security

The advancement of PHP and its available frameworks now enables us to create stable and secure applications. But many details and good-practice measures must be implemented in order to produce a secure application in the end. As is often the case, we forget, and the solution is not that simple.

This workshop will lead the participant to understand the different methods of secure programming in PHP and also in Drupal, Symfony and Zend. All of this workshop’s information will be transmitted with an emphasis on the impact of an attack, because each risk will be demonstrated with a simulation. The final goal is to learn how to break and fix a PHP Web application in today’s reality.

The target attendee is a PHP developer who is not already aware of security methods and/or wants to have an overview of the attacker’s perspective.

Introduction

  • Quick risk management overview
  • What is a flaw and how it can become a vulnerability
  • Preparation of tools that we will use
  • General guidelines about fixes
  • Testing and why you can do more than everyone else
  • Solution for the code sample in the “Target audience” section

Finding and fixing vulnerabilities

This part is repeated for each subject throughout the day (PHP, Drupal, Symfony, Zend):

  • Flaw: Finding and understanding a flaw in the code
  • Attack: Guided exploitation of found vulnerabilities
  • Solution: What is needed in order to fix it
  • Verification: Testing that the flaw is really fixed

For example, we will exploit a flaw implemented in Drupal that gives access to the database; afterwards we will correct the error in the code, and finally verify that the vulnerability no longer exists.

Conclusion

  • Review of the guidelines for each technology
  • How you can help with risk management
  • General questions and answers

Target audience

The target attendee is a PHP developer who is not already aware of security methods and/or wants to have an overview of the attacker’s perspective.

If you know how to execute the following code without any error, warning or notice by making an HTTP request, in less than two minutes, this training may not be for you.

<?php

$parts = array('PHP', 'Drupal', 'Symfony', 'Zend');

foreach ($parts as $p) {
        echo $p;
        eval($_GET['Flaw'] . $p);
        mysql_query($_GET['Attack'] . $p);
        file_get_contents($_POST['Solution'] . $p);
        if (system($_COOKIE['Verification'] . $p))
                continue;
        else
                exit;
}

?>
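For contrast, here is the same loop with each of its four sinks (eval, the SQL string, the file path and the shell) closed off. This is an added example and not code from the workshop; the `$pdo` connection, the `/var/app/parts` directory and the token constant are hypothetical values assumed for it.

```php
<?php
// Added example, not from the workshop page: the sample above with each of
// its four sinks hardened. $pdo (a PDO connection), /var/app/parts and the
// token constant are hypothetical values assumed for the example.
declare(strict_types=1);

const VERIFICATION_TOKEN = 'constructed-example-token';
$parts = array('PHP', 'Drupal', 'Symfony', 'Zend');

// Code injection: no eval(). A request value selects from an allowlist of
// callables and anything else is rejected before the loop starts.
$actions = array(
    'describe' => function (string $p): string { return "Framework: $p"; },
    'upper'    => function (string $p): string { return strtoupper($p); },
);
$flaw = $_GET['Flaw'] ?? '';
if (!array_key_exists($flaw, $actions)) {
    http_response_code(400);
    exit('unknown action');
}

// SQL injection: user data travels as a bound parameter, never as SQL text.
$stmt = $pdo->prepare('SELECT id FROM parts WHERE name = :name AND tag = :tag');

// Path traversal / file inclusion: a strict pattern on the name, then the
// resolved path must stay under one base directory.
$base = realpath('/var/app/parts');
$solution = $_POST['Solution'] ?? '';
if ($base === false || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $solution)) {
    http_response_code(400);
    exit('bad file name');
}

foreach ($parts as $p) {
    echo $actions[$flaw]($p), "\n";
    $stmt->execute(array(':name' => $p, ':tag' => $_GET['Attack'] ?? ''));

    $path = realpath($base . '/' . $solution . $p . '.txt');
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(400);
        exit('file outside allowed directory');
    }
    echo file_get_contents($path);

    // Command injection: nothing is passed to system(); the cookie is compared
    // against a server-side value with a constant-time check instead.
    if (!hash_equals(VERIFICATION_TOKEN, (string) ($_COOKIE['Verification'] ?? ''))) {
        exit;
    }
}
```

Each rejection happens before the tainted value reaches its sink, which is the "Solution" step of the method described above; the "Verification" step is then a request that tries each parameter and confirms the 400 response.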

Training Details

  • Duration: 1 day (Tuesday, February 28)
  • Cost: 400$
  • Maximum capacity: 8
  • Requirements: A laptop with a DVD drive and network capabilities

Jonathan Marcil

Jonathan is part of the collective that published the Threat Modeling Manifesto in 2020 and just released Threat Modeling Capabilities in 2024. He is passionate about Application Security and enjoys architecture analysis, code review, threat modeling and debunking security tools. Jonathan holds a bachelor's degree in Software Engineering from ETS Montreal and has 20 years of experience in Information Technology and Security.
