Elusive Thoughts

Intro  This post is going to talk about source code reviewing PHP and demonstrate how a relatively small chunk of code can cause you lots of problems. The Code In this article we are going to analyze the code displayed below. The code displayed below might seem innocent for some , but obviously is not. We are going to assume that is used by some web site to delete posts from the logged in users securely. <?php require_once 'common.php'; validatemySession(); mydatabaseConnect(); $username = $_SESSION['username'];// Insecure source $username = stripslashes($username);// Improper filtering $username = mysql_real_escape_string($username);//Flawed function // Delete the post that matches the postId ensuring that it was created by this user $queryDelete = "DELETE FROM posts WHERE PostId = " . (int) $_GET['postId']. " AND Username = '$username'"; if (mysql_query($queryDelete))// Bad validation co...

Intro  This post is going to talk about source code reviewing PHP and demonstrate how a relatively small chunk of code can cause you lots of problems. The Code In this article we are going to analyze the code displayed below. The code displayed below might seem innocent for some , but obviously is not. We are going to assume that is used by some web site to post the user comments securely. <?php require_once 'common.php'; validateMySession(); ?> <html> <head> <title>User Posts</title> </head> <body> <h1>Showing current posts</h1> <form action='awsomePosts.php'> <p>MySearch: <input type='text'  value='<?php if (isset($_GET['search'])) echo htmlentities($_GET['search'])?>'></p> <p><input type='submit' value='MySearch'></p> </form> <?php showAwsomePosts();?> ...

Intro  This post is going to talk about source code reviewing PHP and demonstrate how a relatively small chunk of code can cause you lots of problems. The Code In this article we are going to analyze the code displayed below. The code displayed below might seem innocent for some , but obviously is not. We are going to assume that is used by some web site to de-validate the user credentials and allow the users to logout securely. 1: <?php 2: require_once 'common.php'; 3: if (isset($_SESSION['username']))//Insecure source 4: { 5: session_unset();// In properly destroyed session. 6: } 7: header('Location: index.php'); ?> I you look carefully the code you will se that the code is vulnerable to the following issues: NULL De-­Authentication Bypass     No Proper Session Termination     Think this is not accurate , think better. NULL De-­Authentication Bypass  Exploitation: An adversary may on pur...

Intro  This post is going to talk about source code reviewing PHP and demonstrate how a relatively small chunk of code can cause you lots of problems. The Code In this article we are going to analyze the code displayed below. The code displayed below might seem innocent for some , but obviously is not. We are going to assume that is used by some web site to validate the credentials and allow the users to login. <?php require_once 'commonFunctionality.php'; if (validateCredentials($someUsername, $somePassword)) { header('Location: myIndex.php'); } else { header('Location: wrong_login.php'); } ?> If you look carefully the code you will se that the code is vulnerable to the following issues: Reflected/Stored XSS Session Fixation/Session Hijacking   Lock Out Mechanism Not In Place Think this is not accurate , think better. Session Fixation/Session Hijacking An adversary may on purpo...