PHP Filtering with OWASP
  1. #1

    PHP Filtering with OWASP
    By Soda_Popinsky

    Background: http://alex.netwindows.org/owasp/fil...rs_handout.pdf
    Download: http://www.owasp.org/software/labs/phpfilters.html
    OWASP: http://www.owasp.org
    OWASP Top Ten: http://www.owasp.org/documentation/topten.html

    Overview

    This tutorial is aimed to introduce the reader to PHP filters from OWASP. OWASP (Open Web Application Security Project) released a top ten list for web application security vulnerabilities in 2003 and 2004; you can find the 2004 list here:
    http://www.owasp.org/documentation/topten.html

    Most of the top ten vulnerabilities including (A1) Unvalidated Input, (A2) Broken Access Control, (A4) Cross Site Scripting (XSS) Flaws, and (A6) Injection Flaws, can be avoided using these filters.

    Installation
    Download the file from the provided link, and extract the contents. We will be using the file sanitize.inc.php.txt. Rename this to sanitize.inc.php and we will use it from here on. Place it into a folder in the www root of your webserver with PHP installed.

    Create a .php file with this code and save it into the same folder as sanitize.inc.php:
    PHP Code:
    <?php

    include('sanitize.inc.php');

    $Test = "This is a test string";
    $Flags = PARANOID;

    echo $Test;

    //PARANOID, SQL, SYSTEM, HTML, INT, FLOAT, LDAP, UTF8
    //echo sanitize($Test, $Flags);

    ?>
    Visit that file you created in your browser. The output should be "This is a test string". If that is the output, then we are ready to begin using the filters.

    The first filter is the PARANOID filter. Comment ("//") the "echo $Test;" line and uncomment the other two. View the page, and you will notice that the output string is now different. This is because we used our sanitize function. The syntax for the function is "sanitize($String, $Flags)". PARANOID was our flag. You can replace this with SQL, SYSTEM, HTML, INT, FLOAT, LDAP, or UTF8, all of which have different sanitization capabilities.

    Filters

    PARANOID

    This will return a string containing only alphanumeric values. This is very strict and will remove anything that isn't a number or letter.

    SQL

    Returns a string with slashed out quotes. This is to be used for strings being entered in SQL queries, because single quotes can lead to a MySQL injection. (OWASP A1, A6)

    SYSTEM

    Returns a string without special characters and wrapped in quotes. This is for strings being used for system commands. If you wrote a PHP web frontend for a command line tool such as nmap and used a string from a form for command line arguments, an attacker could use it to specify arguments to compromise your system. (OWASP A1, A5, A6, A9)

    HTML

    Returns a string with HTML replacements for special characters. This allows HTML to be shown on screen instead of interpreted, and prevents XSS attacks. (OWASP A4)

    INT and FLOAT

    Returns only an integer/float without any extraneous characters. This prevents bad characters from being used where integers or floats are expected. (OWASP A1)

    LDAP

    Returns a string sanitized for LDAP queries and prevents injection. (OWASP A1, A6)

    UTF8

    Decodes utf-8 encoding which is used to bypass filters. (OWASP A1)

    Boolean Check Function
    If all we want to do is test a string instead of changing it and return a boolean, we use the check() function. check() has the same syntax as sanitize.

    PHP Code:
    <?php

    include('sanitize.inc.php');

    $Test = "' OR ''"; //SQL injection attempt
    $Flags = SQL; //SQL sanitization flag

    if (check($Test, $Flags)) { //Is $Test sanitized?
        echo 'yes'; //Yeah it is
    } else {
        echo 'no'; //No it isn't
    }
    ?>
    The if statement receives a boolean value from the check() function indicating whether $Test is sanitized or not. $Test is not sanitized, so the script will echo "no".

    Combining Filters

    In the source of the included OWASP file, you will see this set of lines:
    PHP Code:
    define("PARANOID", 1);
    define("SQL", 2);
    define("SYSTEM", 4);
    define("HTML", 8);
    define("INT", 16);
    define("FLOAT", 32);
    define("LDAP", 64);
    define("UTF8", 128);
    If you were to replace PARANOID with 1 in the sanitize function, you would get the same results. To combine filters, we can add them together.

    PHP Code:
    <?php

    include('sanitize.inc.php');

    $Test = "<script>' or ''</script>"; //XSS and injection attack
    $Flags = HTML + SQL; //Add 2 filters to sanitization

    //PARANOID, SQL, SYSTEM, HTML, INT, FLOAT, LDAP, UTF8

    echo sanitize($Test, $Flags);

    ?>
    This will return "&ltscript&gt&#39 or &#39&#39&lt/script&gt", which will not be interpreted but will render as "<script>' or ''</script> ". It is now "safe" to query a database with that variable, and also display it to the screen.

    These filters take a large chunk of the sanitization work out for you, but there is still the issue of string length; in PHP the substr function will take care of that. These filters are hardly an end-all solution, but they provide a good drop-in solution that will be strengthened by other developers.

    --------------------------------------------------------------------------

    Same as always, criticism/suggestions/food is encouraged and welcomed.

    Oh... I almost forgot.
    Written in Word.
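    The Filters section above describes PARANOID, INT and FLOAT as filters that strip whatever does not fit, and the closing paragraph notes that string length still has to be handled separately. The following is an added example, not code from the OWASP phpfilters package or from the post: it uses PHP's own filter_var, ctype_alnum and substr to show the difference between sanitizing a field (rewrite it, as sanitize() does) and validating it (accept or reject, as check() does). The demo_* function names, the 16-character limit and the sample inputs are this example's own.

```php
<?php
// Added example; not the OWASP phpfilters code. Function names (demo_*),
// the length limit and the sample inputs below are constructed for illustration.

// Sanitizing approach, in the spirit of the thread's sanitize(): strip what
// does not belong and keep the rest. Fine for display, weak for decisions,
// because "12abc" silently becomes "12".
function demo_sanitize_int(string $s): string {
    return filter_var($s, FILTER_SANITIZE_NUMBER_INT); // keeps digits, '+' and '-'
}

function demo_sanitize_alnum(string $s, int $maxLen): string {
    $clean = preg_replace('/[^A-Za-z0-9]/', '', $s); // PARANOID: letters and digits only
    return substr($clean, 0, $maxLen);               // bound the length, as the post suggests
}

// Validating approach, in the spirit of the thread's check(): accept or reject,
// never rewrite. A rejected value is an error the caller must handle.
function demo_valid_int(string $s): bool {
    return filter_var($s, FILTER_VALIDATE_INT) !== false; // '0' is valid, so compare to false
}

function demo_valid_float(string $s): bool {
    return filter_var($s, FILTER_VALIDATE_FLOAT) !== false;
}

function demo_valid_alnum(string $s, int $maxLen): bool {
    return $s !== '' && strlen($s) <= $maxLen && ctype_alnum($s);
}

// Constructed inputs of the kind a form field might carry.
$samples = ["42", "12abc", "3.14", "-7", "' OR ''", "user_01", str_repeat("A", 40)];

foreach ($samples as $in) {
    printf("%-22s valid int:%-5s valid float:%-5s valid alnum:%-5s | sanitized int:%-6s alnum:%s\n",
        var_export($in, true),
        var_export(demo_valid_int($in), true),
        var_export(demo_valid_float($in), true),
        var_export(demo_valid_alnum($in, 16), true),
        demo_sanitize_int($in),
        demo_sanitize_alnum($in, 16));
}
```

    Run it from the command line with php and compare the two columns: the validators reject "12abc", "' OR ''" and the underscore in "user_01", while the sanitizers quietly turn them into something that looks acceptable. For values that drive a decision (an id, a quantity, a filename), rejecting is the safer of the two.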

  2. #2
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,429
    Written in Word... NOW we're talking...

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    What, no Email address flag?

    Nice tutorial, if a bit brief and specific.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  4. #4
    Added "Check Function" and "Combining Filters" sections...

    One problem though...
    PHP Code:
    <?php

    include('sanitize.inc.php');

    $Test = "<script>' or ''</script>"; //XSS and injection attack
    $Flags = HTML + SQL; //Add 2 filters to sanitization

    //PARANOID, SQL, SYSTEM, HTML, INT, FLOAT, LDAP, UTF8

    echo sanitize($Test, $Flags);

    ?>
    I just noticed that this output does not render correctly in FireFox, or am I missing something?

    Thanks!

  5. #5
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    I think that's either a bug or they're not meant to be used like that. HTML takes the < and > and replaces them with & lt ; and & gt ; (minus spaces), then SQL takes the ; and replaces them with nothing, so it's surprising that it even partly works. It seems to work if you use SQL first then HTML, but that's just for that one string. I'm sure you'd run into problems for others. Weird though.
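    The ordering problem described in #5, and the Combining Filters section of the tutorial, can be reproduced with a small stand-in for the two filters. This is an added example and not the OWASP library's code: demo_html uses htmlspecialchars, and demo_sql models the behaviour the thread describes (escape quotes, remove semicolons). The DEMO_* flag values copy the define() lines quoted in the tutorial; the function names and the exact filter rules are assumptions made for this illustration.

```php
<?php
// Added example; not the OWASP phpfilters code. demo_sql is an assumed model of
// the SQL filter as the thread describes it, not the library's actual rule.

define('DEMO_SQL',  2); // values taken from the define() lines quoted in the tutorial
define('DEMO_HTML', 8);

// HTML context: turn markup-significant characters into entities.
function demo_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// SQL context as the thread describes it: drop semicolons, backslash-escape quotes.
function demo_sql(string $s): string {
    $s = str_replace(';', '', $s);
    return addslashes($s);
}

// Apply the selected filters in a fixed order, HTML first and then SQL.
// '|' and the tutorial's '+' give the same result for distinct power-of-two flags.
function demo_sanitize(string $s, int $flags): string {
    if ($flags & DEMO_HTML) { $s = demo_html($s); }
    if ($flags & DEMO_SQL)  { $s = demo_sql($s); }
    return $s;
}

// check()-style boolean: a value is clean for these flags if sanitizing it changes nothing.
function demo_check(string $s, int $flags): bool {
    return demo_sanitize($s, $flags) === $s;
}

$input = "<script>' or ''</script>"; // the constructed input from the tutorial

// HTML first, then SQL: the SQL step deletes the ';' that terminates every
// entity that demo_html just produced, so the entities no longer parse as entities.
$htmlThenSql = demo_sanitize($input, DEMO_HTML | DEMO_SQL);

// SQL first, then HTML: the backslashes added by addslashes are harmless to
// htmlspecialchars, and every entity keeps its terminating ';'.
$sqlThenHtml = demo_html(demo_sql($input));

echo "HTML then SQL: $htmlThenSql\n";
echo "SQL then HTML: $sqlThenHtml\n";

var_dump(demo_check("plain text", DEMO_HTML | DEMO_SQL));
var_dump(demo_check($input, DEMO_HTML | DEMO_SQL));
```

    Running it shows the entity terminators missing from the first line and present in the second, which is the effect #5 describes. The general lesson is that escaping is context-specific and not composable: a value should be escaped once, for the single context it is about to enter (an HTML page, or an SQL statement via a prepared statement), at the point where it is used, rather than passed through a stack of filters up front.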
