[OWASP_PHPSEC] Secure Application Configuration and State

Abbas Naderi abiusx at owasp.org
Sun Jul 14 09:10:30 UTC 2013


It's always better to paste in the mail body rather than a text file, answers inline:
> Lets say I am creating a test file. In test files, I create a DB connection as:
> DatabaseManager::connect (new DatabaseConfig('pdo_mysql', 'OWASP', 'root', 'myPassword'));
> 
> So, instead of the above I will write this:
> $password = ConfidentialString("myPassword");
> 
Actually you should not do that in your test code. You should have a base test class that does database testing, and it should handle the connection.
> So, now I make the connection to DB like this:
> DatabaseManager::connect (new DatabaseConfig('pdo_mysql', 'OWASP', 'root', $password)); //Note the use of variable $password instead of real password.
> 
> Internally when the program runs, it checks if this class has been called the first time. If yes, then it encrypts the string and returns the encrypted value. For rest of the time, it takes the encrypted string, and decrypts it, and returns the decrypted value.
> 
> 
> Here is my doubt:
> ------------------------
> 
> How is it helping us? I mean we still are putting plain-text password in one place in the code. That plain-text password is changed the second time the function is run.
> 
> I am also not clear on the idea of how we can replace a text. I mean simply take the code in (Line 5), how can that code, on the second run, change to
> $password = ConfidentialString(:encryptedValue);
> 
> 
You can use debug_backtrace, which gives you a backtrace of all the functions that are called. Actually it needs to be $password = new ConfidentialString("password_here").
You have the line, file and position this is called, just use a little PHP parsing to figure out the exact location and try to change the file content.
> 
> Here is the possible algorithm for ConfidentialString function:
> 
> 		function ConfidentialString($string)
> 		{
> 			if ( isFirstTime() )	//checks if the function is run for the first time.
No need for this, check if the string is a plaintext, or an encrypted password.
> 			{
> 				$encryptedString = AES($string, $key);
> 				return $encryptedString;
> 			}
> 			else
> 			{
> 				$decryptedString = AES($string, $key);
> 				return $decryptedString;
> 			}
> 		}
> 
> 
> I was thinking something like this:
> 
> Let the user store the (key, value) pair of sensitive data in the DB themselves. We make a function ( ConfidentialString($key) ) that goes to the DB, brings the (key, value) pair, decrypts it, and replaces the original value in the code. e.g. if they have to store a DBPassword, they will store that data in the encrypted form in the DB themselves. So, they will encrypt the value themselves (say abcde is the encrypted value), and then store this info in the DB as KEY=>DBPassword and VALUE=>abcde. Our job will only be to bring that encrypted value and decrypt it and use it.
Nope, the database is the weakest link. The first SQL injection makes all database data available, so it's better to store sensitive data in the code, which is harder to read.
-Abbas
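A minimal version of the scheme discussed in this thread, added here as an example and not code from the thread or the OWASP PHPSEC project: it follows the two points made above, deciding by the value's format whether it is plaintext or ciphertext instead of calling isFirstTime(), and using debug_backtrace to find and rewrite the calling line. The CONFIDENTIAL_KEY environment variable, the "enc:" prefix and AES-256-GCM via ext/openssl are assumptions.

```php
<?php
// Added example, not from the thread or the OWASP PHPSEC project. Assumes a hypothetical
// CONFIDENTIAL_KEY env var (64 hex chars), AES-256-GCM via ext/openssl, and an "enc:" prefix.
final class ConfidentialString
{
    private string $plain;
    public function __construct(string $value)
    {
        $key = self::key();
        if (str_starts_with($value, 'enc:')) {                 // ciphertext: decrypt and stop
            $this->plain = self::decrypt(substr($value, 4), $key);
            return;
        }
        $this->plain = $value;                                 // plaintext, so this is the first use
        $caller = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 1)[0];
        self::rewriteSource($caller['file'], $caller['line'], $value, 'enc:' . self::encrypt($value, $key));
    }
    public function __toString(): string { return $this->plain; }
    private static function key(): string
    {
        $hex = getenv('CONFIDENTIAL_KEY');                     // lives outside both code and database
        if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) { throw new RuntimeException('CONFIDENTIAL_KEY must be 32 bytes, hex encoded'); }
        return hex2bin($hex);
    }
    private static function encrypt(string $plain, string $key): string
    {
        $iv = random_bytes(12);                                // fresh nonce per value
        $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
        return base64_encode($iv . $tag . $ct);                // GCM tag detects tampering
    }
    private static function decrypt(string $b64, string $key): string
    {
        $raw = (string) base64_decode($b64, true);            // iv(12) | tag(16) | ciphertext
        $plain = strlen($raw) < 28 ? false : openssl_decrypt(substr($raw, 28), 'aes-256-gcm',
            $key, OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
        if ($plain === false) { throw new RuntimeException('malformed, wrong key or tampered value'); }
        return $plain;
    }
    // Swap the quoted literal on the caller's line; assumes a literal without escape sequences
    // and writes only when exactly one occurrence is found on that line.
    private static function rewriteSource(string $file, int $line, string $plain, string $enc): void
    {
        $lines = file($file);
        $new = str_replace(["'$plain'", "\"$plain\""], var_export($enc, true), $lines[$line - 1] ?? '', $n);
        if ($n !== 1) { return; }
        $lines[$line - 1] = $new;
        file_put_contents($file, implode('', $lines), LOCK_EX);
    }
}

$password = new ConfidentialString('myPassword');              // literal replaced after first run
```

The source file only needs to be writable by the PHP process during that first run; afterwards it should be read-only, and the key must never sit beside the ciphertext, or reading the code gives away both.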

On Tir 23, 1392, at 12:11 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> I have attached a text file. My doubt is listed there. Please clarify. I have understood most of the parts. It's just that please help me putting all the pieces in place.
> 
> -- 
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634
