Shulou (Shulou.com), SLTechnology News & Howtos, Development, 06/03 report, updated 2025-04-02
This article is a sample analysis of PHP code review, shared for reference; it walks through the auditing mindset and two common vulnerability classes.
Overview
Code review is the systematic inspection of an application's source code. Its purpose is to find and fix vulnerabilities and program logic errors during development, so that exploitation of those flaws does not expose the enterprise to avoidable risk.
Code review is more than reading code: the point is to confirm that the code actually protects information and resources, so being familiar with the application's entire business process is essential to judging where the real risks lie.
Auditors can use questions like the following when interviewing developers to collect information about the application:
What type of sensitive information is contained in the application and how does the application protect it?
Does the application provide services internally or externally? Who will use it, and are they all trusted users?
Where is the application deployed?
How important is the application to the enterprise?
The best approach is a checklist for developers to fill in. A checklist gives a direct picture of the application and of the security measures developers have taken, and it should cover the modules where serious vulnerabilities tend to appear: data validation, authentication, session management, authorization, cryptography, error handling, logging, security configuration and network architecture.
Input validation and output display
Most vulnerabilities come from input data that is not securely validated or output data that is not securely handled. The strictest validation is exact matching of the data against what the application expects:
Accept whitelisted data
Reject blacklisted data
Encode data that matches the blacklist
The variables through which user input enters a PHP program are:
$_SERVER
$_GET
$_POST
$_COOKIE
$_REQUEST
$_FILES
$_ENV
and the deprecated long-array equivalents (removed in PHP 5.4), which older code may still read:
$HTTP_COOKIE_VARS
$HTTP_ENV_VARS
$HTTP_GET_VARS
$HTTP_POST_FILES
$HTTP_POST_VARS
$HTTP_SERVER_VARS
Every use of these input variables should be checked.
Command injection
Security threat
Command injection occurs when user-supplied input reaches a function that executes system commands without adequate validation (for example a form field with no effective restrictions), so that the attacker's own commands run on the server and, from there, against the surrounding network. PHP executes system commands through the following functions: system, exec, passthru, the backtick operator (``), shell_exec, popen, proc_open, pcntl_exec. During review, search all program files for these calls, determine whether their parameters can be influenced by externally submitted data, and check whether those parameters have been securely handled.
Code example
Example 1:
    // ex1.php
    $dir = $_GET["dir"];
    if (isset($dir)) {
        echo "<pre>";
        system("ls -al " . $dir);
        echo "</pre>";
    }
We submit
    http://localhost/ex1.php?dir=| cat /etc/passwd
After submission, the command becomes
    system("ls -al | cat /etc/passwd")
Prevention method
1. Try not to execute external commands
2. Replace the function of external commands with custom functions or function libraries
3. Use the escapeshellarg function to handle command parameters
4. Use safe_mode_exec_dir to specify the path to the executable file
escapeshellarg() wraps its argument in single quotes and escapes any single quotes it contains, so characters that would otherwise end the argument or the command (quotes, semicolons, pipes and the like) are passed to the program literally; escapeshellcmd() is the related function that escapes metacharacters in a whole command string. safe_mode_exec_dir restricts execution to executables under the given path, so the commands the application needs can be placed there in advance. Note that safe mode was deprecated in PHP 5.3 and removed in PHP 5.4, so on current PHP versions this control is unavailable and validation and escaping in the application itself must do the job.
In php.ini:
    safe_mode = On
    safe_mode_exec_dir = /usr/local/php/bin/
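The ex1.php pattern beside a hardened version, combining the whitelist rule from the input validation section with prevention methods 2 and 3 above. This is an added example, not code from the article; BASE_DIR and the function names are assumed for illustration.

```php
<?php
// Added example, not code from the article: the ex1.php directory-listing
// pattern beside a hardened version. BASE_DIR and the function names are
// constructed for illustration.

const BASE_DIR = '/var/www/data';

// Vulnerable: the query parameter is concatenated straight into the command,
// so "?dir=| cat /etc/passwd" turns the listing into a shell pipeline.
function listDirUnsafe(string $dir): string
{
    return (string) shell_exec("ls -al " . $dir);
}

// Whitelist validation: accept a plain directory name only (no slashes, no
// leading dot, so "." and ".." fail), then confirm the resolved path is inside BASE_DIR.
function resolveDir(string $dir): string
{
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}\z/', $dir)) {
        throw new InvalidArgumentException('directory name rejected by whitelist');
    }
    $real = realpath(BASE_DIR . '/' . $dir);
    if ($real === false || strncmp($real, BASE_DIR . '/', strlen(BASE_DIR) + 1) !== 0) {
        throw new InvalidArgumentException('directory outside allowed base');
    }
    return $real;
}

// Prevention method 3: quote the argument even after validation. escapeshellarg()
// wraps the value in single quotes and escapes embedded single quotes, so
// |, ;, $ and quotes reach ls as literal characters.
function listDirSafe(string $dir): string
{
    return (string) shell_exec('ls -al ' . escapeshellarg(resolveDir($dir)));
}

// Prevention method 2: avoid the external command altogether.
function listDirNative(string $dir): array
{
    return array_values(array_diff(scandir(resolveDir($dir)), ['.', '..']));
}

// Page handler: the listing is HTML-escaped on output as well, so fixing the
// command injection does not leave an XSS sink behind.
try {
    echo '<pre>' . htmlspecialchars(listDirSafe($_GET['dir'] ?? ''), ENT_QUOTES, 'UTF-8') . '</pre>';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request';
}
```

During review, a call like listDirUnsafe() is the pattern to flag: grep for the command functions listed above and trace each argument back to see whether it passes through something like resolveDir() and escapeshellarg() first.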
Cross-site scripting threat (Cross Site Scripting)
Security threat
Cross-site scripting (XSS): the attacker abuses the application's dynamic data display to embed malicious code in an HTML page. When a user browses the page, the embedded code executes and the user's browser comes under the attacker's control, achieving whatever the attacker intends. The output functions commonly involved are echo, print, printf and vprintf.
There are three forms of cross-site scripting attack:
(1) Reflected cross-site scripting
Through social engineering, the attacker sends the user a URL link to open; when the user opens the page, the browser executes the malicious script embedded in it.
(2) Stored cross-site scripting
The attacker uses the data entry or modification functions of the web application to store the payload on the server or in a user cookie. When another user views the page that displays that data, the browser executes the embedded malicious script, so every visitor is attacked.
(3) DOM-based cross-site scripting
The page's own JavaScript builds and displays a piece of HTML from user input, so an attacker can supply a malicious script that executes when it is finally rendered. Unlike the two forms above, DOM-based XSS is purely client-side page scripting, so it can only be defended against by correct use of JavaScript on the client.
A malicious attacker can use cross-site scripting to:
(1) steal the user's cookie and forge the user's identity to log in;
(2) force the viewer to perform page operations, sending requests to the server as that user;
(3) combined with browser vulnerabilities, download and execute malware on the viewer's computer;
(4) derive URL redirection (open redirect) vulnerabilities;
(5) place phishing pages on the official website;
(6) launch worm attacks.
Code example
Displaying "user-controllable data" directly in the HTML page leads directly to a cross-site scripting threat.
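The unescaped-output pattern just described beside output encoding chosen per context, as an added example rather than code from the article. The two query parameters and their hostile default values are constructed samples; the helper names h, js and safeUrl are assumed.

```php
<?php
// Added example, not code from the article: echoing user-controllable data
// directly, beside output encoding chosen per context. The two query
// parameters and their hostile defaults are constructed samples.

$name = $_GET['name'] ?? '<script>alert(1)</script>';   // constructed sample
$next = $_GET['next'] ?? 'javascript:alert(1)';         // constructed sample

// Vulnerable: the value is written into the page unchanged, so the browser
// parses the script tag and runs it (reflected XSS).
function greetUnsafe(string $name): string
{
    return "<p>Welcome, " . $name . "</p>";
}

// One encoder per output context; the right one depends on where in the
// page the value lands, not on what the value looks like.
function h(string $s): string            // HTML text and quoted attribute values
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function js(string $s): string           // a string literal inside <script>
{
    $j = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $j === false ? 'null' : $j;   // invalid UTF-8 never reaches the page
}
function safeUrl(string $url): string    // href/src: allow only http(s) or site-relative
{
    return preg_match('#\A(https?://|/(?!/))#i', $url) ? h($url) : '#';
}

// Hardened: the same data rendered into three contexts with the matching encoder.
function greetSafe(string $name, string $next): string
{
    return '<p>Welcome, ' . h($name) . '</p>'
         . '<a href="' . safeUrl($next) . '">continue</a>'
         . '<script>var user = ' . js($name) . ';</script>';
}

echo greetSafe($name, $next);
```

When auditing, every echo/print of a value that traces back to $_GET, $_POST, $_COOKIE or stored user data without passing through an encoder like these is a finding, and the encoder must match the context (HTML, attribute, script, URL) the value is written into.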