Newsgroups: php.internals
From: craig@craigfrancis.co.uk (Craig Francis)
To: PHP internals
Date: Thu, 20 May 2021 18:12:02 +0100
Subject: Injection vulnerabilities

Hi Internals,

Just something for you to think about, to start the conversation (as the 8.1 deadline is fast approaching).

Injection Vulnerabilities remain on the OWASP Top 10 List, same with XSS.

https://owasp.org/www-project-top-ten/2017/

These mistakes happen when user supplied values are included in command strings - be that SQL, HTML, OS Commands (e.g. shell_exec), and dare I say it eval().

It's easy to make these mistakes, especially when using a library (API) that hides the implementation details.

I've got loads of examples (one of the joys of auditing), but have a think about these 3 for now...

---

*1*, Let's consider an ORM (I'm using CakePHP this time). Parts of the where() array must be defined by the programmer. Both of these examples work, but the first one has a simple mistake that has introduced an SQL Injection vulnerability:

    $articles->find()->where(['id != ' . $_GET['id']]);

    $articles->find()->where(['id != ' => $_GET['id']]);

https://book.cakephp.org/3/en/orm/query-builder.html

---

*2*, Maybe the programmer is writing the SQL themselves, and passes it on to a basic database abstraction; but they don't realise the SQL string should be entirely written by the programmer, using parameterised queries*:

    $sql = 'SELECT * FROM table WHERE id IN (' . implode(',', $_POST['select']) . ')';

* Yes, I know, things like table names cannot use parameters, but they have to be handled carefully as well, and will be covered.

---

*3*, How about a small HTML snippet, which should also be written entirely by the programmer:

    $html = "";

Because escaping is hard (and sometimes completely forgotten), user values should be added to HTML via a context-aware Templating Engine/Library (so every one of the programmers using that well tested library doesn't have to worry about making these mistakes all the time).

In this case, the src attribute value isn't quoted, and that kinda works, but it can be exploited with $url = '/ onerror=alert(1)';

---

Just have a think about these issues, and note how they are all affected by the same problem.

Craig
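The SQL and HTML snippets from points 2 and 3, rewritten so that the programmer authors the entire command string and the user values travel separately, as an added example that is not part of Craig's mail. It assumes PHP with PDO and the sqlite driver; the table, rows and "user input" are constructed here.

```php
<?php
declare(strict_types=1);

// Point 2: the IN (...) list is built from placeholders, one per value.
// The values themselves never touch the SQL string; PDO sends them separately.
function findByIds(PDO $pdo, array $ids): array
{
    $ids = array_values($ids);
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, title FROM articles WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Point 3: the attribute is quoted AND the value is escaped for the
// attribute context, so neither a space nor a quote can end the attribute.
function imgTag(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $safe . '" alt="">';
}

// Constructed in-memory database standing in for the real "table".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO articles VALUES (1, 'one'), (2, 'two'), (3, 'three')");

// Constructed $_POST['select']: the second entry is an injection attempt.
// With implode() it would rewrite the WHERE clause; as a bound parameter it
// is just a string that matches no id, so only row 1 comes back.
$select = ['1', '2) OR 1=1 --'];
var_dump(findByIds($pdo, $select));

// Constructed $url values: the first is the payload from the mail, which is
// harmless once the attribute is quoted; the second tries to close the quote
// and is neutralised by htmlspecialchars().
foreach (['/ onerror=alert(1)', '/" onerror="alert(1)'] as $url) {
    echo imgTag($url), "\n";
}
```

Validating that each id is actually an integer before the query is a separate, worthwhile step; the point here is that parameterisation alone already removes the injection.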