Book Review : Pro PHP Security

I just finished reading Pro PHP Security by Chris Snyder and Michael Southwell. I’m always looking for ways to improve my programming skills and security is an area I try to focus on. Secure web applications are becoming more important every day as more and more of our lives are placed online. With that in mind, I purchased this book to increase my PHP skills.

Overall the book was quite good. The book is broken into four parts. Part one is a general overview of security and its importance. Nothing really new here, but a good introduction nonetheless.

Part two delves into server-side security outside the realm of PHP. This includes shared hosts, firewalls, software installation, and more. None of this is really PHP specific per se, but these are still important topics. There is a decent introduction to encryption and its importance in security. A few PHP examples throughout these chapters show how to handle SSH, SSL, hashing, and general encryption using the mcrypt extension. Part two concludes with an overview of authentication, permissions, and restrictions. There is a decent example of a single sign-on system, as well as an overview of PHP safe mode.

Part three covers more in-depth PHP programming practices designed to prevent many of the more common security problems. This section starts with a chapter on input validation, a very important topic indeed. The authors explain what input validation is and how to accomplish it. There are several examples that show how to validate the data you need and ensure that it’s safe to use throughout your program. Subsequent chapters cover SQL Injection, Cross-Site Scripting, Remote Execution, and Session Hijacking. Throughout each chapter are dozens of examples showing how to handle each situation.

Finally, part four covers user interaction with your programs. Since the majority of the web applications you will write are intended to interact with users, this is pretty important. The authors cover ways to ensure that your users are, in fact, human users and not scripts. Identity verification is covered with methods ranging from a simple email response to SMS messages. And once you’ve determined that your users are real, you’ll need to provide them with a list of actions they can perform. The authors show how role-based authorization can help with this and allow for a scalable system that can be extended in the future. In the next few chapters, the authors cover data loss, safely executing system commands, and handling RPC calls. And finally, the authors explain the value of Open Source software and the advantages of peer review.


Overall this is an excellent book and I highly recommend it.  While this book is geared towards PHP programming, it does cover a wide variety of topics that are not strictly PHP specific.  While I was aware of many of the topics covered within this book, I did learn a variety of new tricks for dealing with security threats.  If you’re interested in learning more about security and how to secure your programs, I definitely recommend reading this book.

phpTodo 0.7 Released!

After 7 months a new version of phpTodo has arrived. I’ve spent the last month or so working on this and polishing it up. I think I have a pretty decent release put together.

New additions include a “Next Action” field, validated RSS feeds, UI enhancements, and tons of bug fixes. You can read all about the enhancements and bug fixes in the release itself, so head over and download it!

Future plans include adding Atom 1.0 support, sub-task support (todos for your todos!), group support (so you can assign a single task to multiple people), and more. I’d like to eventually migrate into an entire management system that can be used for project management.


I’d love to hear any feedback regarding this project. This is my first sourceforge project and really the first open source code I’ve released into the wild. So please feel free to leave me comments!

Gamefest 2006 Content & XNA

I noticed over at Let’s Kill Dave that the content for Gamefest 2006 was released and is available for download. Head over to Dave’s blog to check it out!


Also, XNA Game Studio Express is out. Go get it. You’ll need Visual C# Express as well, but the complete package looks pretty slick. Time to learn yet another programming language!

Microsoft takes a step towards user content

Gamasutra has some news about Microsoft’s XNA Game Studio Express, a game development toolkit geared towards the amateur/hobbyist developer. From the article :


The details of the new tech are as follows: XNA Game Studio Express will be available for free to anyone with a Windows XP-based PC, and will provide them with what’s described as “Microsoft’s next-generation platform for game development.” In addition, by joining a “creators club” for an annual subscription fee of $99, users will be able to build, test and share their games on Xbox 360, as well as access a wealth of materials to help speed the game development progress.


So it looks like Microsoft is taking the first steps towards making the need for modchips obsolete! Maybe. According to the article, the content created won’t be available to “regular” 360 owners, just to those who are part of the creator’s club. However, they go on to state that the content may be available via Xbox Live Arcade (XBLA) at some point in the future. It’s not explicitly stated, but it looks like PC owners will have access to the content regardless of membership.

Other companies have already pledged support. GarageGames has already ported their Torque Engine over to the studio, and Autodesk has confirmed support for their FBX file exchange format. Apparently some universities and game development schools have decided to add the studio to their curriculum and will use the Xbox 360 exclusively. While I’m not sure I like the lock-in to the 360 console, it is nice to see awareness and knowledge growing.

So, what does this mean for the indie developer? Well, in short, it gives access to a pretty powerful console. And since it’s officially sanctioned by Microsoft you can expect mailing lists and forums dedicated to development. Ownership of a 360 isn’t necessary either, as the studio runs on a Windows XP PC. It may also mean a revenue stream. If Microsoft opts to allow content to be available on XBLA, they may also allow the developer to charge for downloads. I’m sure Microsoft will get their cut, but this could mean some serious cash for the young developer.

Overall, this is definitely a step in the right direction. Despite what you and I may think of Microsoft, I think they’re doing something right here. Only time will tell how it turns out. I’ll definitely be downloading this when it becomes available on August 30th.


UPDATE : Maxconsole dug up the official FAQ direct from Microsoft. This is different than the FAQ on the XNA site. Looks like you’ll have to sign up to get the beta :


A beta of XNA Game Studio Express will be released on August 30. To receive a notification on when the Beta is available, please go to http://connect.microsoft.com and select “Available Connections.” Then choose the XNA connection and follow the link to sign up for the XNA Game Studio Express Beta. (Note: A valid Windows Live ID is required, if you do not have one, you will be given the option of creating one.)


It looks like the beta will be limited to PC content only. It uses .NET technology on both the 360 and PC to create the games and according to the FAQ, it looks like it will be limited to C# code only.

AJAX Security

I read an interesting article today over at Darknet. It brings to light some of the “new” techniques that can be used to exploit newer Web 2.0 applications.


The article was an interesting read and got me thinking about application security again. I find myself spending more and more time on security in an application, and less time on features and actual logic. Generally I’m splitting coding time between idiot proofing the application so the end user is forced to put in the right data, and hack proofing the code against would-be hackers. Even with custom frameworks to handle the boring bits, it still takes a lot of time and effort to make sure you’ve covered your bases. Oh well, such is the world we live in nowadays.

The new ways to exploit applications are interesting as well. Actually, most of them aren’t new, but rather the same old hacks used to exploit the new way of doing things. For instance, in an AJAX application you pass information between the browser and the server, behind the scenes. Ok, all well and good, but how do you make sure you’re still talking to the original browser that opened the request? You could use a cookie, or perhaps some sort of a session ID. Maybe a combination of the two. And on top of it, you might check the User Agent string and the referrer URL. Mind you, this can all be spoofed. In fact, spoofing the UA and referrer is extremely easy and can be done with tools like curl and wget. So what is the best way to secure these apps?

I haven’t really started working with AJAX very seriously, so I haven’t done much research into the matter. But, thinking about it, maybe there is a way to secure things a little better? Perhaps a variable in the browser’s memory rather than a cookie? Combined with a session ID? Right now I like to secure my apps by using a combination of a session ID, the IP address of the user, and a cookie with seemingly random data in it. This has worked pretty well thus far, but I’m not sure how hard anyone has tried to hack it. I’m definitely interested in more security, though, provided it doesn’t slow things to a grinding halt.
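One way to bind an AJAX call to the browser that started the session, as an added example (my code for this page, not the author’s framework, and in Python rather than the PHP used elsewhere here). The session ID lives in a cookie; a second random token is written into the page itself and sent back by the page’s script in a request header (the header name X-Request-Token and the SESSIONS dictionary are choices made for this example). A curl or wget script can forge User-Agent and Referer freely, and a cross-site page can make the browser attach the cookie, but neither can read a token that only the page’s own JavaScript holds. The cookie and header dictionaries stand in for a real request.

```python
import hmac
import secrets

# Constructed server-side store: session id -> session data. A real app
# would keep this in the PHP session store, a database, or memcached.
SESSIONS = {}
HEADER = "X-Request-Token"   # assumption: header name chosen for this example


def create_session(user):
    """Start a session. Returns (cookie_value, page_token).

    The cookie value identifies the session; mark it HttpOnly in the real
    Set-Cookie. The page token is embedded in the HTML/JS of the page and
    never put in a cookie, so only the script on that page can send it.
    """
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "token": token}
    return sid, token


def validate_request(cookies, headers):
    """Return the session's user if this XHR came from our own page, else None.

    Nothing here looks at User-Agent or Referer: both are trivially spoofed,
    so they neither help a legitimate client nor hinder an attacker.
    """
    sess = SESSIONS.get(cookies.get("sid", ""))
    if sess is None:
        return None               # unknown or expired session
    sent = headers.get(HEADER, "")
    # Constant-time comparison so response timing does not leak token bytes.
    if not hmac.compare_digest(sent.encode(), sess["token"].encode()):
        return None               # cookie present, secret missing or wrong
    return sess["user"]


def end_session(cookies):
    """Logout: forget the server-side record so both secrets become useless."""
    SESSIONS.pop(cookies.get("sid", ""), None)


def demo():
    """Walk through a legitimate call, a forged script, and a CSRF attempt."""
    sid, token = create_session("alice")
    ok = validate_request({"sid": sid}, {HEADER: token})
    # curl with a spoofed UA and Referer but no token: the headers it can
    # fake are exactly the ones we ignore.
    forged = validate_request({"sid": sid},
                              {"User-Agent": "Mozilla/5.0",
                               "Referer": "https://example.com/app"})
    # Cross-site page: the browser attaches the cookie automatically, but
    # the attacker's page cannot read our token, so it can only guess.
    csrf = validate_request({"sid": sid}, {HEADER: secrets.token_urlsafe(32)})
    end_session({"sid": sid})
    after_logout = validate_request({"sid": sid}, {HEADER: token})
    return ok, forged, csrf, after_logout
```

If an attacker can run script inside the page (cross-site scripting), they can read the token just as the page’s own code does, which is why the input-validation and XSS material in the book reviewed above matters as much as this check.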

Of course, there’s always the one true way to secure something. Unplug it. Turn it off. If it’s not running, it can’t be broken into. Well, not yet anyway. There’s always the quantum level.

Qmail SPP 0.42

Pawel Foremski is preparing to release the latest version (0.42) of his qmail-spp patch for qmail. This incredibly useful patch allows you to modify the behaviour of qmail, on the fly, through use of external scripts. These external scripts can be written in any programming language that allows STDIN and STDOUT. I have found this to be incredibly useful and it has helped tremendously when targeted by spammers and viruses.


There was some initial concern about the overhead involved with calling an external program for processing, but my fears have been calmed since then. I’ve seen this patch in production on machines processing over 250,000 emails per day. That’s a LOT of email.


The patch allows you to inject special processing during specific portions of the smtpd process. These areas include HELO/EHLO, MAIL, RCPT, DATA and (if supported) AUTH. There is also another hook available when the client connects, before any data is transferred between the client and server. These 6 areas allow for a massive amount of power. For instance, you can interrupt the process right after the HELO/EHLO and run an SPF plugin. Or, you can check the recipient address during the RCPT portion and determine if the client is relaying, and if it is allowed to. Basically, a chkusr function. Tarpitting is fairly simple at the RCPT level as well. The initial connection point is a great time to check for blacklists. In fact, you can set different SPP config files for use depending on where the connection originates. Thus, you can add additional RBL lists depending on the source. So, you can skip RBLs altogether for known local connections, and use a wider range of blocklists for external connections. All in all, the flexibility is incredible.
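A RCPT-stage plugin of the kind described above, as an added example written in Python for this page (not Pawel’s code and not part of qmail-spp itself). It assumes the plugin interface as I read it from the qmail-spp README: qmail-smtpd exports the current command’s data in the environment (SMTPRCPTTO and SMTPRCPTCOUNT here; TCPREMOTEIP and RELAYCLIENT come from tcpserver, and SMTPAUTHUSER from the AUTH patch), and a plugin talks back by printing one command per line, where an E-prefixed line is sent to the client as the SMTP reply refusing the command and an L-prefixed line goes to the log. The local-domain list, the tarpit threshold and the reply texts are constructed for the example; check the command letters against the README of the version you run.

```python
#!/usr/bin/env python3
"""Added example: a qmail-spp RCPT-stage plugin that refuses relaying and
tarpits clients that pile up recipients. Decisions live in decide() so they
can be exercised without a live qmail-smtpd."""
import os
import sys
import time

# Constructed for the example: domains this server accepts mail for.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
TARPIT_AFTER = 10        # recipients per session before we start delaying
TARPIT_DELAY = 5.0       # seconds to sleep per extra RCPT


def decide(env, local_domains=LOCAL_DOMAINS, tarpit_after=TARPIT_AFTER):
    """Return (lines_for_qmail_spp, delay_seconds) for one RCPT command.

    env is the environment qmail-spp hands the plugin (assumption:
    SMTPRCPTTO holds the RCPT argument, SMTPRCPTCOUNT the number of
    recipients already accepted, RELAYCLIENT is set by tcpserver for hosts
    allowed to relay and SMTPAUTHUSER when SMTP AUTH succeeded).
    """
    rcpt = env.get("SMTPRCPTTO", "").strip().strip("<>")
    domain = rcpt.rpartition("@")[2].lower()
    may_relay = "RELAYCLIENT" in env or bool(env.get("SMTPAUTHUSER"))
    try:
        count = int(env.get("SMTPRCPTCOUNT", "0"))
    except ValueError:
        count = 0
    client = env.get("TCPREMOTEIP", "unknown")

    lines = []
    delay = 0.0
    if domain not in local_domains and not may_relay:
        # Relay attempt from a client that is neither local nor authenticated
        # (an address with no domain at all lands here too).
        lines.append("E553 relaying denied for <%s>" % rcpt)
        lines.append("Lrelay attempt to <%s> from %s" % (rcpt, client))
    elif count >= tarpit_after:
        # Accept, but slow the session down: bulk senders hate waiting.
        delay = TARPIT_DELAY
        lines.append("Ltarpitting %s after %d recipients" % (client, count))
    return lines, delay


def main():
    lines, delay = decide(os.environ)
    if delay:
        time.sleep(delay)          # the tarpit: qmail-smtpd waits on us
    for line in lines:
        sys.stdout.write(line + "\n")
    sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Install it as an executable and point the rcpt section of the SPP config at it; because the plugin sleeps inside the RCPT stage, the delay is felt by the client before its next command is read.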


I highly recommend the use of this patch for any qmail installation intended for normal mail use. Obviously if you’re never going to allow mail delivery, there’s no real point, but if you need a strong, secure mail server, this is definitely a step in the right direction. In fact, I worked with Pawel to create a patch that will work with the SMTP AUTH/TLS patch that Bill Shupp put together. Bill has a nice page with a complete qmail toaster on it. His toaster was the basis for my own foray into the qmail scene, and I owe a lot to the work he’s done. I’ve built my own toaster based loosely on his, but using the qmail-spp patch, and some of my own experience. You can find my toaster by either clicking here, or on the link to the right.

K I S S

I’ve been perusing the boards over at PHP Freaks lately and I’ve noticed a few annoying practices that I want to highlight. In my experience, keeping things as simple as possible helps to keep the code clean and usable. It’s easier to debug, easier to change, and lasts longer. When dealing with something like PHP, you inevitably run into the problem of keeping the languages apart. PHP, HTML, CSS, Javascript, UGH! Far too many people combine everything in one file and try to make sense of it. It’s rough enough for some people to keep one language straight, let alone 4. So, let’s use some common sense. It’s possible to separate them, so why don’t we?


Let’s start with the simple ones. CSS and Javascript are easily put in separate files. Creating a .js and .css file is a good practice and should be a standard step in all web creation. Granted, this should be done with some additional common sense. Creating either file for one or two small additions is not necessary unless those functions/definitions are used frequently through several pages.


So, we’ve removed 2 of the 4 languages and separated them out to their own files. How about the PHP and HTML? Well, there’s a fairly easy solution there too. I, personally, use the Smarty Template Engine. I believe there are other template systems out there, but Smarty works for me and I like it. Basically, you put all your php code in one file, make calls to $smarty->assign() and variables from php appear as Smarty variables in the template. From there you can easily “print” them in the template by using something like {$var} … Extremely flexible. Smarty also allows you to do some primitive programming. Enough to make it useful, but not so much that you get confused once more by 2 languages in one file.


So now we’ve separated everything into its own file. It’s easier to read, easier to understand, and easier to make changes. Imagine being able to simply change the HTML only and not worry about impacting the logic in the PHP program! Ahh.. flexibility!


Next on my pet peeve list is programmers who just won’t use functions like sprintf(). Let’s try an example. Which looks simpler:


$query = 'SELECT id, name, age, salary FROM users WHERE name LIKE "%' . $name . '%" AND age > ' . $age . ' AND salary > ' . $salary . ' ORDER BY name';


or this :


$query = sprintf('SELECT id, name, age, salary FROM users WHERE name LIKE "%%%s%%" AND age > %d AND salary > %f ORDER BY name', $name, $age, $salary);


Now, at first glance, the second one looks a little suspect. That’s because I chose what might be considered an ugly example. But an experienced programmer can tell at a glance what the intended type of each of the three variables is: string, integer, and float. Besides reading a little better, you also gain some security. If someone sneaks a string in for $age, %d coerces it to an integer, so the injected text has no effect. Note that %s gives no such protection: $name goes into the query verbatim, so it still has to be escaped for the database, and prepared statements are the better tool for the whole query. Even if you skip sanitizing your numeric variables, you still have a little bit of security. (Don’t skip sanitization…)
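The coercion point and its limit, as an added example in Python with SQLite (my code, not the author’s; the page’s own snippets are PHP against MySQL). php_int() and php_float() imitate how PHP’s sprintf() turns a string into a number for %d and %f (they take the leading number and otherwise yield 0; that is my approximation, not a PHP call). search_formatted() builds the query the way the sprintf() line above does, using single quotes for the LIKE pattern because SQLite reads double quotes as identifiers; search_param() hands every value to the driver as a bound parameter and refuses non-numeric input instead of coercing it. The users table and its rows are constructed for the example.

```python
import re
import sqlite3

_LEADING_INT = re.compile(r"\s*[-+]?\d+")
_LEADING_FLOAT = re.compile(r"\s*[-+]?\d+(?:\.\d+)?")


def php_int(value):
    """Approximate PHP sprintf('%d', value): leading integer digits, else 0."""
    m = _LEADING_INT.match(str(value))
    return int(m.group()) if m else 0


def php_float(value):
    """Approximate PHP sprintf('%f', value): leading decimal number, else 0.0."""
    m = _LEADING_FLOAT.match(str(value))
    return float(m.group()) if m else 0.0


def setup():
    """Constructed in-memory users table for the example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
                "age INTEGER, salary REAL)")
    con.executemany("INSERT INTO users (name, age, salary) VALUES (?, ?, ?)",
                    [("alice", 34, 90000.0), ("bob", 27, 40000.0),
                     ("carol", 45, 120000.0)])
    return con


def search_formatted(con, name, age, salary):
    """The sprintf() approach: numbers are coerced, but %s is pasted verbatim,
    so a name like  %' OR 1=1 --  rewrites the WHERE clause."""
    query = ("SELECT name FROM users WHERE name LIKE '%%%s%%' AND age > %d "
             "AND salary > %f ORDER BY name"
             % (name, php_int(age), php_float(salary)))
    return [row[0] for row in con.execute(query)]


def search_param(con, name, age, salary):
    """Bound parameters: the driver keeps data out of the SQL entirely, and
    int()/float() raise ValueError on junk such as '30 OR 1=1'."""
    query = ("SELECT name FROM users WHERE name LIKE ? AND age > ? "
             "AND salary > ? ORDER BY name")
    params = ("%" + name + "%", int(age), float(salary))
    return [row[0] for row in con.execute(query, params)]
```

Run both searches with the same payloads: the numeric coercion really does neutralise text smuggled into $age, while the same payload in $name hands the attacker every row under the formatted version and matches nothing under the parameterised one.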


Simple additions to your coding toolkit, tons and tons of enhancements to your skillset. Please, code responsibly.

AJAX : It’s not just for cleaning anymore…

There’s a new or, rather, old programming language.. wait.. language? Hrm.. mixture of concepts is more like it. Anyways, there’s this new way of doing things on the web. It’s called AJAX which is an acronym for Asynchronous Javascript and XML. Based on the XMLHttpRequest object, it allows a web programmer to transfer information between the server and the web browser without requiring a complete reload of the web page. Pretty nifty stuff.


Dubbed Web 2.0, this “new” technology is revolutionizing the way users interact with the web. More than a mere buzzword, AJAX is sweeping the web and offering up some very powerful web applications. Gmail has been using AJAX for a while now. AJAX, combined with DHTML, allows you to “build” your Google homepage, and allows that same page to be updated on the fly without reloading the entire page. More recently, sites such as Netvibes, Pageflakes, and Eskobo offer “Web Desktops”. Other sites such as Yahoo Maps and Google Local offer web based mapping software without the arrow clicking and page reloading.

I’ve purchased a book on AJAX to enhance my own knowledge of this powerful web development tool. It’s definitely an intriguing concept and it seems simple enough up front, but extremely powerful when you get deep into it. Stay tuned for more!!!

Phew! There’s a backup!

Network management is a field I’ve been in for the past few years. In addition to making sure that packets get from point A to point B in the most efficient manner, I’ve also had to deal with network failures and disaster recovery. Essential to the disaster recovery scenario is the concept of backups. We’ve all heard of backing up the files on your computer, and backing up the servers, and storing them off-site, etc. But sometimes people overlook other backups that need to be handled. Namely, network device configuration backups. It really sucks when you realize that the smoking router in the corner has the only copy of the configuration you need to get the network back up…


I’ve written a bunch of code in the past to handle backing up a bunch of different types of equipment, and I’ve decided to make it open source. This new project will be hosted at SourceForge, and there is a link to the project page in the links section of this blog.


The initial code release will take a little bit to put together, but I’m hoping to have an alpha release within a month or so. It’s all written in object-oriented perl, a language I find fun to code in. I hope someone out there finds this useful. I know I spent quite a bit of time looking for a solution like this, and was sadly disappointed that I did not find one…