
In day-to-day development, security is always one of the things we pay the most attention to. The most important point in security is our input data: attacks and privilege-escalation (unauthorized access) incidents all start from a request parameter that was carelessly left unchecked. Of course, many frameworks now solve most security problems for us, but no matter how careful we are, there will always be some unexpected place where we forgot to add filtering or left out a validation step. The extension we are going to learn today was created to solve exactly this kind of problem.

What is Taint

We came across it in the previous article, and this time we will again introduce an extension tool by Niaoge (Laruence). The Taint extension is one of the works of the great Niaoge. However, this extension is not recommended for installation in a production environment; its main battlefield is our test environment. Its core function is to report a warning whenever we use unprocessed variables such as $_GET, $_POST and $_COOKIE. Note that it is only a warning, not an error or exception. In the online environment we usually turn off the reporting of warning messages out of habit, so the extension is of limited use online.

Installing the extension is very simple: just download the corresponding extension and perform an ordinary extension installation; no additional components are needed on any operating system. For details about the extension, see Niaoge's article in the second link at the end of this post.

How to use it?

Enable the extension in php.ini and set taint.enable = 1; the extension is then officially switched on. Then we test it with code.

<?php
// Test script: every value below is derived from the unfiltered request parameter $a
$a = $_GET['a'];
$file_name = '/tmp' . $a;                  // concatenation
$output    = "Welcome, {$a} !!!";          // string interpolation
$var       = "output";                     // used below as a variable variable ($$var)
$sql       = "Select *  from " . $a;       // concatenation into an SQL string

echo $a, "<br/>"; // Warning: main() [echo]: Attempt to echo a string that might be tainted in /data/www/blog/taint/1.php on line 10

echo $output, "<br/>"; // Warning: main() [echo]: Attempt to echo a string that might be tainted in /data/www/blog/taint/1.php on line 12

print $$var; echo "<br/>"; // Warning: main() [print]: Attempt to print a string that might be tainted in /data/www/blog/taint/1.php on line 14

include($file_name);echo "<br/>"; // Warning: main() [include]: File path contains data that might be tainted in /data/www/blog/taint/1.php on line 16

mysqli_query(null, $sql);echo "<br/>"; // Warning: main() [mysqli_query]: SQL statement contains data that might be tainted in /data/www/blog/taint/1.php on line 18

We use php -S (the built-in web server) to debug this test file. After accessing it with the a parameter in the query string, you can see that the following operations report warning messages. As long as the unfiltered $a reaches echo, print, include, or mysqli_query(), whether it was concatenated into a string, interpolated, or accessed through a variable variable, a warning appears immediately, reminding you that this data string needs to be filtered before use. The word taint means contamination; "might be tainted" means the content may be contaminated by unfiltered input.

Most output functions and database-operation functions will report these warnings. The exact list of functions is given in the official documentation.
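The warnings above only fire at a sink, so it is worth knowing which string operations keep the taint mark on their result and which drop it on the way there. The probe below is an added example, not code from the original post or from the Taint extension itself: it passes the request parameter through a set of common transformations and reports whether each result is still marked, using is_tainted() from the page. Which rows come out "tainted" depends on the extension version, so the script reports instead of assuming; the parameter name a, the default value and the sample transformations are assumptions of this example.

```php
<?php
// Added example, not from the original post: a probe that records how the taint mark
// propagates through common string operations, so you can see which transformations
// still need a sanitizer before their result reaches a sink such as echo or mysqli_query().
// Requires the Taint extension (test environment only); without it every row reads "n/a".
// Run with: php -S localhost:8080 probe.php   and open /probe.php?a=test
declare(strict_types=1);

function taintStatus($value): string
{
    if (!function_exists('is_tainted')) {
        return 'n/a (Taint extension not loaded)';
    }
    return (is_string($value) && is_tainted($value)) ? 'tainted' : 'clean';
}

// Tainted only when it actually came from the request; arrays (?a[]=x) are rejected
$a = (isset($_GET['a']) && is_string($_GET['a'])) ? $_GET['a'] : 'default';

// The transformations the page's test script relies on, plus a few more that a
// real code base typically applies to request data before it reaches a sink.
$cases = [
    'raw input'          => $a,
    'concatenation'      => '/tmp/' . $a,
    'interpolation'      => "Welcome, {$a} !!!",
    'sprintf'            => sprintf('id=%s', $a),
    'trim'               => trim($a),
    'str_replace'        => str_replace('a', 'b', $a),
    'substr'             => substr($a, 0, 2),
    'strtoupper'         => strtoupper($a),
    'explode + implode'  => implode(',', explode(' ', $a)),
    'cast via int'       => (string) (int) $a,               // the integer carries no mark
    'htmlspecialchars'   => htmlspecialchars($a, ENT_QUOTES, 'UTF-8'),
    'allow-list lookup'  => ['x' => 'literal'][$a] ?? 'fallback',  // a literal, not $a
];

foreach ($cases as $label => $value) {
    // Only literal labels and literal status strings are printed, so this loop
    // itself never feeds tainted data to the output sink.
    printf("%-20s %s\n", $label, taintStatus($value));
}
```

Reading the table once per extension upgrade tells you which helper functions your code can rely on as "cleaning" steps and which merely move the tainted bytes around; the last two rows show the two patterns that are clean by construction, since an escaping function produces a new string and an array lookup returns a literal the request never touched.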

We can also use a check function to verify whether a variable contains such unprocessed data.

var_dump(is_tainted($var)); // bool(false) 
echo "<br/>";
var_dump(is_tainted($output)); // bool(true) 
echo "<br/>";

How to avoid the warnings?

How do we stop it from raising warnings? By processing the data, of course.

$output    = "Welcome, ".htmlentities($a)." !!!";
echo $output, "<br/>";

$sql       = "Select *  from " . mysqli_escape_string(null, $a);
mysqli_query(null, $sql);echo "<br/>";

When outputting, perform HTML encoding, which corresponds to preventing XSS attacks. When operating on the database, escape the value, which corresponds to defending against SQL injection. After the data has been passed through these processing functions, no warning message is reported.
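Escaping is one way to clear the mark; the example below, added here and not taken from the original post or from the extension, hardens all four sinks the test script triggered (echo, include, mysqli_query and the is_tainted() check) in the way a reviewer would usually prefer: an escaping call for output, an allow-list lookup for the include path and the table name, and a prepared statement for the value. The /tmp paths, table names, parameter names and the findByName() helper are assumptions of this example.

```php
<?php
// Added example, not from the original post: hardening each of the four sinks that the
// page's test script triggers. Assumes the Taint extension is loaded in a test environment;
// the check is guarded so the script also runs without it. Paths, table names, request
// parameters and the DB helper are hypothetical.
declare(strict_types=1);

function isTainted(string $s): bool
{
    return function_exists('is_tainted') && is_tainted($s);
}

// Identifiers (table names) cannot be bound as parameters, so they go through an allow-list.
// Note that validating with in_array() would NOT clear the mark: the string would still be
// the request string. Returning a literal from the array is what makes the result clean.
function resolveTable(string $requested): string
{
    $tables = ['users' => 'users', 'accounts' => 'accounts'];
    if (!isset($tables[$requested])) {
        throw new InvalidArgumentException('table not allowed');
    }
    return $tables[$requested];
}

/** Hypothetical helper: runs the query with a bound value; needs a live mysqli link. */
function findByName(mysqli $db, string $table, string $name): ?array
{
    $sql  = "SELECT * FROM {$table} WHERE name = ?";   // built from literals only
    $stmt = $db->prepare($sql);
    $stmt->bind_param('s', $name);                     // the tainted value travels as data
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

$a = (isset($_GET['a']) && is_string($_GET['a'])) ? $_GET['a'] : 'home';

// 1. Output sink: HTML-encode before echo. Like the htmlentities() call on the page,
//    htmlspecialchars() is an escaping function whose result no longer carries the mark.
$safeName = htmlspecialchars($a, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo "Welcome, {$safeName} !!!", "<br/>";

// 2. include sink: never build a path from the request. What reaches include() is a
//    literal from the array, so it carries no mark and cannot point outside the list.
$pages    = ['home' => '/tmp/home.php', 'about' => '/tmp/about.php'];   // placeholder paths
$fileName = $pages[$a] ?? $pages['home'];
// include $fileName;   // left commented so the example runs without those files
echo 'include target is ', (isTainted($fileName) ? 'tainted' : 'clean'), "<br/>";

// 3. SQL sink: allow-listed identifier plus a bound value, so the SQL text is never
//    assembled from request bytes and mysqli sees the value only as a parameter.
try {
    $table = resolveTable((isset($_GET['t']) && is_string($_GET['t'])) ? $_GET['t'] : 'users');
    $sql   = "SELECT * FROM {$table} WHERE name = ?";
    echo 'SQL text is ', (isTainted($sql) ? 'tainted' : 'clean'), "<br/>";
    // $row = findByName($mysqli, $table, $a);   // uncomment with a real connection
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'bad request', "<br/>";
}
```

The point of the include and table-name parts is that validation alone does not satisfy the extension, and rightly so: a string that passed in_array() is still the attacker's bytes. Selecting a literal from an allow-list keyed by the request value gives you a value the request never touched, which is both what the extension wants to see and what a code reviewer wants to see.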

It can be seen that this extension is indeed a good helper in our daily development and debugging, especially in the test environment. As mentioned earlier, there will always be omissions and forgotten places; with this extension the program can discover them automatically, which greatly improves the security of what we develop.

Detection and conversion functions

Finally, the Taint extension also provides two functions, one to force a warning and one to clear it. These too are intended for our convenience when debugging in the test environment.

$newOutput = "Welcome !!!";
echo $newOutput, "<br/>";
var_dump(taint($newOutput)); // bool(true) 
echo $newOutput, "<br/>"; // Warning: main() [echo]: Attempt to echo a string that might be tainted in /data/www/blog/taint/1.php on line 39

$newOutput = "Welcome {$a} !!!";
echo $newOutput, "<br/>"; // Warning: main() [echo]: Attempt to echo a string that might be tainted in /data/www/blog/taint/1.php on line 42
var_dump(untaint($newOutput)); // bool(true) 
echo $newOutput, "<br/>";

The taint() function makes a statement that would otherwise be silent report a warning, and untaint() suppresses the warning for data that would otherwise trigger one.
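The practical use of these two functions in a test suite is to extend the extension's coverage: it marks the request superglobals the page lists, but not data that arrives through a queue, a file or a database row, which a test can mark by hand with taint(), while untaint() is reserved for a value that has just passed a strict allow-list check. The script below is an added example, not code from the original post or from the extension; the queue message is constructed inline and the helper names are hypothetical.

```php
<?php
// Added example, not from the original post: using taint() to mark data from a source the
// extension does not track by itself (the page names $_GET, $_POST and $_COOKIE), so the
// same sink warnings fire for it in a test run, and using untaint() only after a strict
// check. The queue message is constructed inline; helper names are hypothetical.
declare(strict_types=1);

/** Mark every string field of a decoded message as tainted (no-op without the extension). */
function markUntrusted(array $message): array
{
    foreach ($message as $key => $value) {
        if (is_string($value) && function_exists('taint')) {
            taint($message[$key]);   // taint() takes the string by reference and returns true
        }
    }
    return $message;
}

/** Accept a page key only from a fixed set, then clear the mark on the verified value. */
function verifiedPage(string $requested): string
{
    $allowed = ['home', 'about'];
    if (!in_array($requested, $allowed, true)) {
        return 'home';
    }
    // An exact match against literals is the kind of check that justifies clearing the mark.
    // Keep untaint() out of production code paths; it exists for debugging in test.
    if (function_exists('untaint')) {
        untaint($requested);
    }
    return $requested;
}

// Constructed sample: a job pulled from a queue rather than from the request superglobals,
// so without markUntrusted() the extension would treat it as clean.
$job = markUntrusted(json_decode('{"user":"<b>bob</b>","page":"about"}', true));

// With the mark in place, an unescaped echo of $job['user'] would raise the same
// "might be tainted" warning the page shows for $_GET data; the escaped form does not.
echo 'Hello ', htmlspecialchars($job['user'], ENT_QUOTES, 'UTF-8'), "<br/>";

$page = verifiedPage($job['page']);
echo 'page=', $page, "<br/>";   // the mark was cleared after the allow-list check
```

Marking at the boundary where untrusted data enters the process, rather than at the sink, is what makes the warnings useful in integration tests: any path from the queue message to an output, include or query call that lacks an escaping or allow-list step then shows up as a warning in the test log.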

Summary

This is another very small extension, but once you learn it, it is genuinely useful, and it is particularly suited to providing an alarm system for comprehensive security and quality checks in our test environment. As this series has always emphasized, in the development of medium and large projects omissions are inevitable; even with a complete code review process there will always be vulnerabilities everyone has missed. Letting a program test for them is naturally best, so do give it a try.

Test code:

https://github.com/zhangyue0503/dev-blog/blob/master/php/2021/02/source/1. Learn a PHP extension for detecting dangerous functions Taint.php

Reference documents:

https://www.php.net/manual/zh/book.taint.php

https://www.laruence.com/2012/02/14/2544.html

Author: 硬核项目经理