I recently read two books on PHP security; what follows are my reading notes.
Design and code
User input
1. Empty? Special characters? Length?
2. Disallow HTML tags?
   strip_tags(): removes HTML tags from the string
   htmlspecialchars(): converts only the 5 characters & " ' < > into entities (the single quote only with ENT_QUOTES); everything else is allowed through unchanged
   htmlentities(): converts every character that has an HTML entity equivalent
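As an added example (not code from either book or from this post), the following shows items 1 and 2 side by side: a whitelist check for empty input, length and character set, and the different results the three functions give on the same constructed input. validate_field() and the sample string are my own.

```php
<?php
// Added example: input validation (item 1) and the three HTML-handling
// functions (item 2). validate_field() is a hypothetical helper.

// Item 1: reject empty input, enforce a length limit, restrict the character set.
function validate_field(?string $value, int $max_len, string $allowed_re): ?string
{
    if ($value === null || $value === '') {
        return null;                       // empty
    }
    if (strlen($value) > $max_len) {
        return null;                       // too long
    }
    if (preg_match($allowed_re, $value) !== 1) {
        return null;                       // contains characters outside the whitelist
    }
    return $value;
}

// Item 2: constructed input containing tags, the five special characters and
// a non-ASCII letter.
$raw = '<b>Tom & "Jerry"</b> <script>alert(\'x\')</script> café';

// strip_tags() removes the tags but leaves & " ' untouched (and keeps the text
// that was inside <script>), so the result still needs encoding before output.
$stripped = strip_tags($raw);
// => Tom & "Jerry" alert('x') café

// htmlspecialchars() converts only & " ' < >; ENT_QUOTES is needed for the
// single quote. Other characters such as é pass through unchanged.
$special = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
// => &lt;b&gt;Tom &amp; &quot;Jerry&quot;&lt;/b&gt; &lt;script&gt;alert(&#039;x&#039;)&lt;/script&gt; café

// htmlentities() additionally converts every character with a named entity,
// so é becomes &eacute;.
$entities = htmlentities($raw, ENT_QUOTES, 'UTF-8');
// => ... caf&eacute;

var_dump(validate_field('', 30, '/^[a-zA-Z\-\']{2,30}$/'));          // NULL (empty)
var_dump(validate_field("O'Brien", 30, '/^[a-zA-Z\-\']{2,30}$/'));   // "O'Brien"
echo $stripped, "\n", $special, "\n", $entities, "\n";
```

Note that strip_tags() alone is not an output encoder: the stripped string still contains the raw quotes and ampersand, which is why the two encoding functions exist.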
3. Spam
Check with a regular expression for the two characters , and ; (this cannot completely prevent it)
$tainted_to = $_POST['to'] ?? '';
if (!preg_match('/[;,]/', $tainted_to)) {   // reject if a comma or semicolon is present
    $to = $tainted_to;
}
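An added example, not the book's code, of the same check written as a function. It rejects the , and ; characters the note mentions and, going slightly beyond the note, also rejects CR/LF and requires a syntactically valid address, which is what closes the gap the note says the character check leaves open. safe_recipient() and the sample addresses are constructed for the example.

```php
<?php
// Added example: recipient check for mail(). safe_recipient() is hypothetical.
function safe_recipient(string $tainted): ?string
{
    // The separators the book checks for, plus the newlines that would end the
    // header line and let extra headers be appended.
    if (preg_match('/[;,\r\n]/', $tainted)) {
        return null;
    }
    // Belt and braces: require exactly one syntactically valid address.
    if (filter_var($tainted, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $tainted;
}

// Constructed test cases.
$cases = [
    'alice@example.com',                          // accepted
    'alice@example.com,bob@example.com',          // rejected: comma
    "alice@example.com\r\nBcc: spam@example.com", // rejected: newline
    'alice@',                                     // rejected: not an address
];
foreach ($cases as $c) {
    echo json_encode($c), ' => ', var_export(safe_recipient($c), true), "\n";
}
```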
4. Report error messages to the user and write them to a log
5. Shell commands
escapeshellarg() is better than escapeshellcmd()
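Why the note prefers escapeshellarg(), as an added example that is not from the book. The "file name" is constructed input; the commands are only built as strings and echoed, not executed.

```php
<?php
// Added example: escapeshellcmd() versus escapeshellarg() on the same value.
$userfile = "report.txt; id";   // constructed input

// escapeshellcmd() escapes shell metacharacters in a whole command string. It
// neutralises the ";" but does not quote the value, so the space still splits
// it into two arguments, and quotes are only escaped when unpaired.
$cmd1 = 'wc -l ' . escapeshellcmd($userfile);
// => wc -l report.txt\; id         (two arguments: "report.txt;" and "id")

// escapeshellarg() wraps the value in single quotes and escapes any embedded
// single quotes, so the whole value is passed as exactly one argument.
$cmd2 = 'wc -l ' . escapeshellarg($userfile);
// => wc -l 'report.txt; id'        (one argument)

echo $cmd1, "\n", $cmd2, "\n";
```

Use escapeshellarg() on each user-supplied argument individually; escapeshellcmd() is meant for a complete command line and does not preserve argument boundaries.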
6. Wrap access behind an API
7. Prevent buffer overflows
Update the PHP version; validate data length
8. Regular expressions
Use PCRE, not POSIX: the preg_match() function rather than ereg()
First or last name ^[a-zA-Z\-\']{2,30}$
E-mail address ^[\w\.-]{1,}\@([\da-zA-Z-]{1,}\.){1,}[\da-zA-Z-]+$
Phone number ^((\(\d{3}\)\s?)|(\d{3}\-))\d{3}\-\d{4}$
URL http://([\w-]+\.)+[\w-]* (/[\w- ./?%=]*)?
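The book's patterns applied with preg_match(), as an added example that is not the book's own code. Two adjustments are labelled in the comments: the patterns get PCRE delimiters and anchors, and the URL pattern's character class is reordered so the hyphen is last, because PCRE2 (PHP 7.3 and later) rejects a hyphen placed directly after \w as an invalid range; the space printed between [\w-]* and the path group is dropped. validate() and the test values are constructed.

```php
<?php
// Added example: the book's patterns as PCRE with delimiters. validate() is hypothetical.
$patterns = [
    'name'  => '/^[a-zA-Z\-\']{2,30}$/',
    'email' => '/^[\w\.-]{1,}\@([\da-zA-Z-]{1,}\.){1,}[\da-zA-Z-]+$/',
    'phone' => '/^((\(\d{3}\)\s?)|(\d{3}\-))\d{3}\-\d{4}$/',
    // "~" delimiter because the pattern contains "/". Hyphen moved to the end of
    // the path character class (PCRE2 rejects "\w-" followed by more characters),
    // anchors added, and the stray space before the path group removed.
    'url'   => '~^http://([\w-]+\.)+[\w-]*(/[\w ./?%=-]*)?$~',
];

function validate(array $patterns, string $kind, string $value): bool
{
    // preg_match() returns 1 on match, 0 on no match and false on a bad
    // pattern; treat anything but 1 as a rejection.
    return preg_match($patterns[$kind], $value) === 1;
}

// Constructed test table: [kind, value, expected result].
$tests = [
    ['name',  "O'Neil",                  true],
    ['name',  'A',                       false], // shorter than 2
    ['email', 'user.name@example.com',   true],
    ['email', 'user@localhost',          false], // no dot-separated domain
    ['phone', '(555) 123-4567',          true],
    ['phone', '555-123-4567',            true],
    ['phone', '5551234567',              false], // no separators
    ['url',   'http://example.com/path?x=1', true],
    ['url',   'ftp://example.com/',      false], // scheme is not http
];
foreach ($tests as [$kind, $value, $expected]) {
    $ok = validate($patterns, $kind, $value) === $expected;
    printf("%-5s %-28s %s\n", $kind, $value, $ok ? 'ok' : 'MISMATCH');
}
```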
—————————————————————————————————————
9. Filesystem:
Best not to use remote file operations at all; disable allow_url_fopen
File upload forms use enctype="multipart/form-data"
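The server side of that upload form, as an added example that is not from the book. The size limit, the accepted types and the storage directory are assumptions for the example; store_upload() is a hypothetical name.

```php
<?php
// Added example: handling $_FILES for the multipart form. Limits and paths are assumptions.
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;
const UPLOAD_DIR = '/var/www/uploads';   // placeholder; keep it outside the web root
$allowed_mime = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

function store_upload(array $file, array $allowed_mime): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;                                  // PHP reported an upload error
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        return null;                                  // length check (item 7)
    }
    // Only handle files PHP itself received via HTTP POST, never a path from the form.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Decide the type from the bytes, not from the client-supplied name or type field.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed_mime[$mime])) {
        return null;
    }
    // Generate the stored name ourselves so no user input reaches the filesystem path.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $allowed_mime[$mime];
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

if (isset($_FILES['upload'])) {
    $stored = store_upload($_FILES['upload'], $allowed_mime);
    echo $stored === null ? "Upload rejected\n" : "Stored as $stored\n";
}
```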
System and configuration
Server
Linux: update the kernel. Check the Linux version: uname -a
Apache: update to the stable release. Check the Apache version: httpd -v
(1) Create a dedicated user and group to run Apache (p. 149)
(2) Hide sensitive information in headers
Set ServerSignature to Off.
Set ServerTokens to Prod.
(3) Restrict the paths that can be accessed
(4) Remove unused options from httpd.conf
(5) Packet filtering: http://www.modsecurity.org/
MySQL: check the version: mysql
(1) Back up before upgrading; resolve database compatibility issues
(2) Decide per deployment whether remote connections are allowed
(3) Change the default administrator username and password
Random password generation: https://www.grc.com/passwords.htm
(4) Create a separate account for each application
(5) Delete the sample databases
PHP
(1) Shared hosting: SUHOSIN http://www.hardened-php.net/suhosin/index.html
(2)ModSecurity http://www.modsecurity.org/
php.ini
• safe_mode = On
As we discussed earlier in this chapter, safe_mode is a good thing to turn on
unless you have a compelling reason not to use it.
• safe_mode_gid = Off
Combined with safe_mode = On, turning off safe_mode_gid requires that a file be
owned by the same user and group ID in order to be accessed by a PHP application.
• open_basedir =
This allows you to set the top-level directory that PHP applications can access.
For example, if you set open_basedir = /home/my_application/, an attacker
would not be able to traverse the filesystem to /home/some_other_user/.
• safe_mode_exec_dir =
Combined with safe_mode = On, functions that execute system programs such
as exec() and system() would not have access to them unless they are placed in
the specified directory. This means that only system functions you specifically
place in the specified directory would be available to your application, preventing
a hacker from executing anything else.
• expose_php = Off
This prevents PHP from including information about itself (such as the version
of PHP running on the server) in HTTP headers. This information is very helpful
to hackers because it narrows down which vulnerabilities they may be able to
exploit. If hackers discover that you are running PHP 4, they will know that there
is a good likelihood that they will be able to exploit typical PHP 4 vulnerabilities.
• register_globals = Off
Unless register_globals is turned off, any parameter sent to a PHP script is
automatically converted to a global variable. This allows a hacker to create new
variables within your application. register_globals is turned off by default in
every version of PHP starting with 4.2.0, but it doesn’t hurt to check the setting
just to be sure it hasn’t been turned on at some point.
• session.cookie_lifetime
session.cookie_lifetime specifies how long a session cookie remains viable
before it times out. The default value is 0 or no time-out. It’s a good idea to set
this value to something that makes sense for your application. For instance, if
you’re writing an online banking application, you may want to set it for only a
few minutes. For our guestbook, a couple of hours is probably sufficient. This
allows the user to walk away and come back, but will prevent some session hijacking
attempts.
• display_errors = Off
display_errors is a very useful debugging tool, because it displays detailed
error messages anytime a PHP application encounters a problem. Like most
debugging tools, it should be turned off in a production environment—unless, of
course, you want to share path names, SQL statements, and other sensitive information with the world.
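A runtime self-check of the directives in the list above, as an added example (not from the book). It reads each setting with ini_get() and reports the ones that differ from the recommended value. safe_mode, safe_mode_gid, safe_mode_exec_dir and register_globals were removed in PHP 5.4, so on a current PHP ini_get() returns false for them and they are skipped rather than reported. audit_php_ini() and ini_bool() are hypothetical names.

```php
<?php
// Added example: audit php.ini against the recommendations above.
function ini_bool(string $name): ?bool
{
    $v = ini_get($name);
    if ($v === false) {
        return null;                                   // directive does not exist in this PHP
    }
    $v = strtolower((string) $v);
    return !in_array($v, ['', '0', 'off', 'false', 'no'], true);
}

function audit_php_ini(): array
{
    $findings = [];

    // Directives that should be Off.
    foreach (['expose_php', 'display_errors', 'register_globals', 'allow_url_fopen'] as $name) {
        $on = ini_bool($name);
        if ($on === null) {
            continue;                                  // removed in this PHP version
        }
        if ($on) {
            $findings[] = "$name is On; recommended Off";
        }
    }

    // Directives that should be On (PHP < 5.4 only; skipped when absent).
    if (ini_bool('safe_mode') === false) {
        $findings[] = 'safe_mode is Off; recommended On';
    }

    // Directives that should carry a value.
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is empty; PHP may read the whole filesystem';
    }
    if ((int) ini_get('session.cookie_lifetime') === 0) {
        $findings[] = 'session.cookie_lifetime is 0 (no time-out)';
    }

    return $findings;
}

foreach (audit_php_ini() as $f) {
    echo "[!] $f\n";
}
```

Running this from the CLI reports on the CLI's php.ini, which may differ from the web server's; run it through the web SAPI (or point the CLI at the same ini file with -c) to audit the configuration that actually serves requests.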
Testing
1. Run a test framework (a set of test functions) from a cronjob, using an existing one or writing your own.
2. Unit tests and system tests; take care to choose sufficient test data
3. Fuzz testing is suited to detecting the following vulnerabilities
• Buffer overflows
• Denial of service
• SQL injections
• Cross-site scripting
POWERFUZZER http://sourceforge.net/projects/powerfuzzer (python)
CAL9000 http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
acunetix http://www.acunetix.com/
http://ha.ckers.org/
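A minimal fuzz loop in the spirit of item 3, as an added example that is not from the book or from any of the tools listed. It mutates a seed string with characters that matter for cross-site scripting, pushes each variant through a small output encoder built from the functions in the user-input notes, and checks an invariant on the result. encode_for_html(), mutate() and fuzz() are hypothetical names.

```php
<?php
// Added example: property-style fuzzing of an HTML output encoder.
function encode_for_html(string $s): string
{
    // "Sanitize then encode" pipeline; ENT_SUBSTITUTE replaces invalid UTF-8
    // bytes instead of making htmlspecialchars() return an empty string.
    return htmlspecialchars(strip_tags($s), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function mutate(string $seed, int $rounds): string
{
    // Tokens chosen because they are significant to an HTML parser.
    $alphabet = ['<', '>', '"', "'", '&', '/', "\0", "\xff", 'script', 'on', '=', ' '];
    for ($i = 0; $i < $rounds; $i++) {
        $pos  = random_int(0, strlen($seed));
        $seed = substr($seed, 0, $pos) . $alphabet[array_rand($alphabet)] . substr($seed, $pos);
    }
    return $seed;
}

function fuzz(int $iterations): array
{
    $failures = [];
    for ($i = 0; $i < $iterations; $i++) {
        $input  = mutate('hello world', random_int(1, 12));
        $output = encode_for_html($input);
        // Invariant: no raw <, > or " survives, and the output is valid UTF-8.
        if (preg_match('/[<>"]/', $output) || !mb_check_encoding($output, 'UTF-8')) {
            $failures[] = $input;
        }
    }
    return $failures;
}

$iterations = 5000;
$failures   = fuzz($iterations);
printf("%d iterations, %d invariant violations\n", $iterations, count($failures));
foreach (array_slice($failures, 0, 5) as $f) {
    echo json_encode($f), "\n";   // any violating inputs, for reproduction
}
```

The same loop can be pointed at any other sanitizer by swapping encode_for_html() and the invariant; the value of the exercise is in choosing an invariant that states what "safe" means for that output context.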