Dynamic Web Technology

Nov 5, 2013

1

Dynamic Web Technology

Dr M Davison

0141 848 3605

Room E266

mark.davison@uws.ac.uk

CakePHP Lecture 6: Sanitization and Debugging

2

Objectives

Develop knowledge & understanding of:

- Data Sanitization techniques
- Debugging techniques
- removing unwanted data from user-submissions
- removing malicious data from user-submissions

3

Data Sanitization - what is it?

4

Data Sanitization of output - why use it?

- annoying content - alert seen by all site visitors
- external content - seen by all site visitors; image may not be harmless
- XSS (Cross-site scripting) - eg insert fake login or drive-by browser malware
- Incomplete tags (note missing create/modified & un-styled Actions)

5

Data Sanitization - when to use it?

The manual states…

"CakePHP already protects you against SQL Injection if you use CakePHP's ORM methods (such as find() and save()) and proper array notation (ie. array('field' => $value)) instead of raw SQL. For sanitization against XSS it is generally better to save raw HTML in database without modification and sanitize at the time of output/display."

- A common CakePHP approach is to store dirty data and serve clean data by sanitizing at the output stage
- Sanitizing before you store the data may remove some useful information
- Sanitizing before you store the data may remove evidence of malicious submissions
- You may disagree and prefer to store clean (and serve clean) by sanitizing before storing the data

6

Data Sanitization - where to use it?

- core to CakePHP
- use anywhere in CakePHP
- usually in models or controllers
- preferably not in views (.ctp) as there are so many files to edit!
- CakePHP Sanitization class can be imported and used in non-CakePHP sites

7

Import Sanitize for all controllers

App::uses('Sanitize', 'Utility');

class AppController extends Controller {
    ...
    ...
    ...
}

- You can import into each controller but I prefer something more generalised
- Edit app/app_controller.php to centralise import for all controllers
- Sanitize.php is in /lib/Cake/Utility/Sanitize.php


8

Sanitize Methods - paranoid

From the manual…

paranoid(string $string, array $allowedChars);

This function strips anything out of the target $string that is not a plain-jane alphanumeric character. The function can be made to overlook certain characters by passing them in the $allowedChars array.

$badString = ";:<script><html>< // >@@#";

echo Sanitize::paranoid($badString);
// output: scripthtml

echo Sanitize::paranoid($badString, array(' ', '@'));
// output: scripthtml @@

This function works with a string and I prefer something that allows me to be lazier where possible!


9

Sanitize Methods - html

From the manual…

html(string $string, array $options = array())

This method prepares user-submitted data for display inside HTML. This is especially useful if you don't want users to be able to break your layouts or insert images or scripts inside of your HTML pages. If the $remove option is set to true, HTML content detected is removed rather than rendered as HTML entities.

$badString = '<font size="99" color="#FF0000">HEY</font><script>...</script>';

echo Sanitize::html($badString);
// output: &lt;font size=&quot;99&quot; color=&quot;#FF0000&quot;&gt;HEY&lt;/font&gt;&lt;script&gt;...&lt;/script&gt;

echo Sanitize::html($badString, array('remove' => true));
// output: HEY...

This function works with a string and I prefer something that allows me to be lazier where possible!
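To see what paranoid and html actually do to a string without a CakePHP install, here are standalone equivalents of both single-string cleaners. This is an added example, not the lecture's code and not CakePHP's own implementation: paranoidFilter and htmlFilter are this example's names, and they follow the manual's descriptions (whitelist of letters, digits and $allowedChars; entity-encode or strip-then-encode) rather than copying the library.

```php
<?php
// Added example (not from the lecture or CakePHP): standalone equivalents of the
// two single-string cleaners described on the paranoid and html slides.

// Whitelist filter in the spirit of Sanitize::paranoid(): keep ASCII letters and
// digits plus anything listed in $allowedChars; drop every other byte. Working
// from a whitelist means unexpected input is dropped by default rather than
// having to be anticipated in a blacklist.
function paranoidFilter($string, array $allowedChars = array()) {
    $allow = '';
    foreach ($allowedChars as $char) {
        // Escape regex metacharacters so that allowing '-' or ']' cannot
        // change the meaning of the character class.
        $allow .= preg_quote($char, '/');
    }
    return preg_replace('/[^' . $allow . 'a-zA-Z0-9]/', '', $string);
}

// Output encoder in the spirit of Sanitize::html(): render markup as inert
// entities by default, or strip the tags first when 'remove' is true.
// ENT_QUOTES encodes both quote styles, so the result is also safe inside a
// double- or single-quoted attribute value.
function htmlFilter($string, array $options = array()) {
    $options += array('remove' => false, 'charset' => 'UTF-8');
    if ($options['remove']) {
        $string = strip_tags($string);
    }
    return htmlentities($string, ENT_QUOTES, $options['charset']);
}

// The manual's own sample inputs from the two slides.
$badString = ";:<script><html>< // >@@#";
echo paranoidFilter($badString), "\n";
echo paranoidFilter($badString, array(' ', '@')), "\n";

$markup = '<font size="99" color="#FF0000">HEY</font><script>...</script>';
echo htmlFilter($markup), "\n";
echo htmlFilter($markup, array('remove' => true)), "\n";
```

Note the difference in intent: paranoidFilter is for fields that should only ever hold alphanumerics (a username, a reference code), while htmlFilter is for free text that is about to be placed inside an HTML page.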


10

Sanitize Methods - escape

From the manual…

escape(string $string, string $connection)


Used to escape SQL statements by adding slashes, depending on the system's
current magic_quotes_gpc setting. $connection is the name of the database to quote
the string for, as named in your app/config/database.php file.


If you use CakePHP's ORM methods (such as find() and save()) and proper array
notation (ie. array('field' => $value)) instead of raw SQL this shouldn't be necessary.

11

Sanitize Methods - see API

- stripAll($str) - Strips extra whitespace, images, scripts and stylesheets from output
- stripImages($str) - Strips image tags from output
- stripScripts($str) - Strips scripts and stylesheets from output
- stripTags() - Strips the specified tags from output. First parameter is string from where to remove tags. All subsequent parameters are tags.
- stripWhitespace($str) - Strips extra whitespace from output

Sometimes the API lists methods (see above) not mentioned in the Cookbook manual!

So look at the API at http://api.cakephp.org/2.3/class-Sanitize.html

12

Sanitize Methods - clean

From the manual…

Sanitize::clean(mixed $data, mixed $options)

This function is an industrial-strength, multi-purpose cleaner, meant to be used on entire arrays (like $this->data, for example). The function takes an array (or string) and returns the clean version. The following cleaning operations are performed on each element in the array (recursively):

$this->data = Sanitize::clean($this->data, array('encode' => false));

This function works with an array, which can be a large, all-encompassing data structure, which allows me to be very lazy (or very efficient)!


13

Sanitize Methods - clean options array

- odd_spaces - odd spaces (including 0xCA) are replaced with regular spaces
- encode - Encode any html entities. Encode must be true for remove_html to work.
- dollar - Escape $ with \$
- carriage - Remove \r
- unicode
- escape - Should the string be SQL escaped.
- backslash - Swapping of user-inputted backslashes with trusted backslashes.
- remove_html - Strip HTML with strip_tags. encode must be true for this option to work.

All of these options except connection are boolean values which are set to true by default; to customize your results you can pass an array that sets the unwanted options to false.

When you need more details like this look at the API (URL below) as well as the Manual.

http://api.cakephp.org/2.3/class-Sanitize.html#_clean

14

Sanitize::clean usage in controller - example

$this->set('comment',
    Sanitize::clean($this->Comment->read(null, $id),
        array(
            'odd_spaces' => false,
            'encode' => true,
            'dollar' => false,
            'carriage' => false,
            'unicode' => true,
            'escape' => false,
            'backslash' => true,
            'remove_html' => false
        )
    ));

This cleans up an entire data structure (all fields within a record) but it could be all fields in many records for an index view of many records.



15

Sanitize::clean - before & after

16

Sanitize::clean options defined for all controllers

App::uses('Sanitize', 'Utility'); // import Sanitize for all controllers
// Sanitize.php within lib/Cake/Utility/

class AppController extends Controller {

    public $components = array('Auth', 'Session');

    public $cleanOptions = array(
        'odd_spaces' => false,
        'encode' => true,
        'dollar' => false,
        'carriage' => false,
        'unicode' => true,
        'escape' => false,
        'backslash' => true,
        'remove_html' => false
    );

    ...
    ...
}

Then within an individual controller…

$this->set('comments', Sanitize::clean($this->paginate(), $this->cleanOptions));

Possibly define your own cleanSet method or possibly override set method to incorporate clean for wider use.
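One way to follow that suggestion, as an added example rather than code from the lecture: a cleanSet() method on AppController that wraps Controller::set() so that every controller hands cleaned data to its view with the shared options and nothing to repeat. The method name cleanSet and the CommentsController below are this example's choices; it relies on CakePHP 2.x's Controller::set() and Sanitize::clean() and runs inside a CakePHP 2 application, not stand-alone.

```php
<?php
// Added example (not from the lecture): cleanSet() on AppController so that
// individual controllers do not repeat the clean options on every set() call.
App::uses('Sanitize', 'Utility');

class AppController extends Controller {

    public $components = array('Auth', 'Session');

    // Shared clean options, identical to the ones on the slide above.
    public $cleanOptions = array(
        'odd_spaces'  => false,
        'encode'      => true,
        'dollar'      => false,
        'carriage'    => false,
        'unicode'     => true,
        'escape'      => false,
        'backslash'   => true,
        'remove_html' => false
    );

    // Same calling styles as set(): a single name/value pair, or an array of
    // name => value pairs. Only the values are cleaned; keys are kept.
    // Values must be arrays or scalars: Sanitize::clean() is not meant for
    // objects, so hand those to set() directly.
    public function cleanSet($one, $two = null) {
        if (is_array($one)) {
            $this->set(Sanitize::clean($one, $this->cleanOptions));
        } else {
            $this->set($one, Sanitize::clean($two, $this->cleanOptions));
        }
    }
}

// Constructed controller showing the call site: the paginated result set is
// cleaned recursively on its way to the index view, with no options in sight.
class CommentsController extends AppController {

    public function index() {
        $this->cleanSet('comments', $this->paginate());
    }

    public function view($id = null) {
        $this->cleanSet(array(
            'comment' => $this->Comment->read(null, $id),
            'title'   => 'Comment ' . $id,
        ));
    }
}
```

Keeping set() itself untouched and adding cleanSet() alongside it leaves an explicit escape hatch for the few cases where a view genuinely needs the raw value, which an override of set() would take away.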

17

Basic Debugging

The debug() function is a globally available function that works similarly to the PHP function print_r().

// development environment debug option 1 or 2
// option 1 for debugging messages, option 2 also gives SQL diagnostics
Configure::write('debug', 1); // within app/Config/core.php

For HTML-friendly display use $showHTML = true

Show the line and file the debug() occurred on: $showFrom = true

debug($foo, $showHTML = true, $showFrom = true);

Outputs only if core debug variable set to a value greater than 0 (a development environment)

In production environment core debug variable set to 0



18

Debugger techniques

For example, within a view…

debug($this->data, $showHTML = true, $showFrom = true);

$showFrom = true shows which model, view or controller produced the output
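The two behaviours described on these slides, the debug-level gate and the $showFrom caller lookup, in a small stand-in for debug() that runs without CakePHP. This is an added example, not the lecture's code and not CakePHP's implementation: DEBUG_LEVEL, devDebug and its parameters are this example's names, and the $data array is constructed to stand in for $this->data.

```php
<?php
// Added example (not from the lecture or CakePHP): a minimal stand-in for
// debug() showing how output is gated on the debug level and how the calling
// file and line are recovered when $showFrom is true.
define('DEBUG_LEVEL', 1);   // change to 0 to simulate the production setting

function devDebug($var, $showHtml = false, $showFrom = true) {
    if (DEBUG_LEVEL <= 0) {
        return;   // production: emit nothing, however the call site is written
    }
    $dump = print_r($var, true);
    $output = '';
    if ($showFrom) {
        // Frame 0 of the backtrace records where devDebug() itself was called.
        $trace = debug_backtrace();
        $output .= $trace[0]['file'] . ' (line ' . $trace[0]['line'] . ")\n";
    }
    if ($showHtml) {
        // Encode the dump so that values containing markup are displayed as
        // text inside the <pre> block rather than interpreted by the browser.
        $output .= '<pre>' . htmlspecialchars($dump, ENT_QUOTES, 'UTF-8') . "</pre>\n";
    } else {
        $output .= $dump . "\n";
    }
    echo $output;
}

// Constructed stand-in for $this->data, including a value that would be
// rendered as markup if echoed into a page unencoded.
$data = array('Comment' => array('body' => '<b>bold</b>', 'rating' => 5));

devDebug($data);                 // plain text, prefixed with file and line
devDebug($data, true, false);    // HTML-safe <pre> block, no location
```

The gate is the part that matters for production: a debug() call left behind in a view is harmless only because the level is 0 there, which is why the slide ties the two together.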


19

Debugger Class

Dump prints out the contents of a variable. It will print out all properties and methods (if any) of the supplied variable.

Debugger::dump($foo);

// eg examine data object supplied to a view
Debugger::dump($this->data);

echo "<pre>";
// eg examine actual values supplied to view
print_r($this->data);
echo "</pre>";

20

Debugger Class - other methods

Debugger::log($var, $level = 7)

Similar to Debugger::dump() but writes to app/tmp/debug.log (must be writable)

Debugger::trace()

Stack trace, each line shows calling method, file name & line number where method call originated

Other Debugger methods mainly used internally by Debugger.

http://book.cakephp.org/2.0/en/development/debugging.html
http://api.cakephp.org/2.3/class-Debugger.html

Debug Kit

DebugKit plugin may be a better option in CakePHP2.3 for development environment

https://github.com/cakephp/debug_kit


21

Further reading

- http://book.cakephp.org/ - CakePHP Cookbook (manual)
- http://api.cakephp.org/2.3/ - CakePHP API (more detail than the Book)
- http://api.cakephp.org/2.3/class-Sanitize.html - Data Sanitization
- http://api.cakephp.org/2.3/class-Sanitize.html#_clean - CakePHP : Api : Sanitize Class
- http://book.cakephp.org/2.0/en/development/debugging.html - Various Debugging techniques including some not discussed in lecture
- http://api.cakephp.org/2.3/class-Debugger.html - CakePHP : Api : Debugger Class Info
- https://github.com/cakephp/debug_kit - Debug Kit supersedes Debugger class for development environment?
- http://tv.cakephp.org/ - CakePHP TV - this is worth a look
- http://bakery.cakephp.org/ - The Bakery, Everything CakePHP - this is worth a look