php security tips
PHP Security
September 20, 2011 NWO-PUG 1
E-mail: [email protected]
@dragonmantank
Identi.ca: dragonmantank
Who are you and why are you in my house?
Chris Tankersley
Doing PHP for 8 years
Lots of projects no one uses, and a few that some do
TL;DR: https://github.com/dragonmantank
The Parts of Security
It’s more than just a username/password
What is Secure Programming?
1. Minimizing Attack Surface
2. Establishing Secure Defaults
3. Principle of Least Privilege
4. Defense in Depth
5. Fail Securely
6. Don’t Trust Services or Users
7. Separation of Duties
8. Avoid Security through Obscurity
9. Keep Security Simple
10. Fix Security Issues Correctly
https://www.owasp.org/index.php/Secure_Coding_Principles
Most Common Attacks
And how to avoid them
OWASP Top 10
1. Injection
2. Cross-Site Scripting
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure To Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Injection
What is Injection?
When a user or service corrupts a command due to improper validation of input
Many Shapes and Sizes
SQL Injection
Command Injection
HTML Injection
Protecting against Injections Attacks
Filter user input
Escape anything not hard-coded
Ignore $_REQUEST
SQL Injection
A Bit More Real Life
Protecting against SQL Injection
Use PDO and prepared statements
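The same lookup written with string concatenation and then with a PDO prepared statement, as an added example that is not part of the original slides. It assumes the pdo_sqlite driver and uses an in-memory database with two constructed rows in place of a real users table.

```php
<?php
// Added example (not from the slides). An in-memory SQLite database with two
// constructed rows stands in for the real users table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// VULNERABLE: the value is pasted into the SQL text, so quote characters in
// it change the structure of the query itself.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the statement is compiled first and the value is bound afterwards,
// so whatever the user typed can only ever be compared as data.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// With the MySQL driver also set PDO::ATTR_EMULATE_PREPARES to false so the
// binding is done by the server rather than by client-side string escaping.

$input = "x' OR '1'='1";   // constructed hostile input
printf("unsafe: %d rows\n", count(findUserUnsafe($pdo, $input)));
printf("safe:   %d rows\n", count(findUserSafe($pdo, $input)));
```

Run against the constructed input, the unsafe query matches every row because the quote turns the WHERE clause into an always-true expression, while the prepared statement matches none because no user has that literal name.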
Command Injection
When your script calls an external program, users can run code
Protecting against Command Injection
If allowing the user to specify commands, use escapeshellcmd()
If allowing the user to specify arguments, use escapeshellarg()
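The two shell functions side by side, as an added example that is not from the slides. It assumes a POSIX shell with ls and wc on the PATH; the filename is constructed input, and the allow-list of tools (runTool) is a hypothetical addition that goes one step beyond escapeshellcmd().

```php
<?php
// Added example (not from the slides). Assumes a POSIX shell with `ls` and
// `wc` available; the filename is constructed input.

// VULNERABLE: the argument goes into the command line verbatim, so shell
// metacharacters (; | ` $( ) and so on) start a second command.
function listFileUnsafe(string $filename): string
{
    return (string) shell_exec("ls -l $filename");
}

// SAFE for arguments: escapeshellarg() single-quotes the value and escapes
// any single quotes inside it, so the shell sees exactly one argument.
function listFileSafe(string $filename): string
{
    return (string) shell_exec('ls -l ' . escapeshellarg($filename));
}

// Safer still: never let the user name the program. Map a short list of
// allowed actions to fixed commands and escape only the argument.
// escapeshellcmd() only neutralises metacharacters; it does not stop a user
// from appending extra arguments, so it is no substitute for this allow-list.
function runTool(string $tool, string $filename): string
{
    $allowed = ['list' => 'ls -l', 'count' => 'wc -l'];   // hypothetical map
    if (!isset($allowed[$tool])) {
        throw new InvalidArgumentException("unknown tool: $tool");
    }
    return (string) shell_exec($allowed[$tool] . ' ' . escapeshellarg($filename));
}

$hostile = 'notes.txt; echo INJECTED';   // constructed input
echo listFileUnsafe($hostile);          // the echo runs as a second command
echo listFileSafe($hostile);            // ls looks for one oddly named file
echo runTool('count', 'notes.txt');
```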
HTML/Script Injection
HTML Injection: When user input is used to create new markup that the application did not expect
Script Injection: When user input is used to add new scripting to a page
HTML/Script Injection
Protecting against HTML/Script Injection
Decide if you really need to take HTML input
If you do: Use an HTML cleaner like Tidy or
htmLawed Create a whitelist of allowed tags
If you don’t: Use htmlentities()/htmlspecialchars()
Cross Site Scripting
Or XSS
What is it?
When a user injects a script into a page or extra JS into a command to send information to another site
How to avoid XSS?
Since this is an injection attack, use the same steps as a HTML/Script injection
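Output escaping for both the HTML/Script Injection slides and the XSS slide above, as an added example that is not from the slides. The e() helper is a hypothetical name; $comment and $author are constructed stand-ins for user-submitted values.

```php
<?php
// Added example (not from the slides). $comment and $author are constructed
// stand-ins for user-submitted values; e() is a hypothetical helper name.
function e(string $value): string
{
    // ENT_QUOTES escapes ' as well as " (the pre-PHP-8.1 default left ' alone);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''; the
    // charset must match the encoding the page is served with.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$comment = '<script>alert("xss")</script> thanks!';
$author  = "o' onmouseover='alert(1)";

// In element content every < > & " ' becomes an entity, so the browser
// shows the script tag as text instead of running it.
echo '<p>' . e($comment) . "</p>\n";

// In a single-quoted attribute the stray ' in $author would otherwise end
// the value early and let the handler that follows it through.
echo "<input type='text' name='author' value='" . e($author) . "'>\n";

// If you really must accept markup, strip_tags() with an allow-list is not
// enough: attributes on the allowed tags survive, so this still emits an
// event handler. Use a real cleaner (Tidy, htmLawed) with a tag whitelist.
echo strip_tags('<b onclick="alert(1)">bold</b>', '<b>') . "\n";
```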
Broken Authentication and Session Management
What is it?
Insecure storing of credentials
Session IDs exposed via URL
Session fixation attacks
Storing Credentials
Hash with a salt using the hash() function
Do not use md5 or sha1; use at least sha256. md5 and sha1 are broken and not recommended for secure hashing
If you have to use the raw data, encrypt it using mcrypt
Use AES256 (RIJNDAEL 256)
Session IDs in URL
Commonly used when cookies can’t be enabled
Make sure the following is set in your php.ini:
session.use_trans_sid = 0
session.use_only_cookies = 1
Session Fixation
What happens if your users don’t log out?
Use sessions to detect login status
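The Storing Credentials and Session Fixation slides combined into one login flow, as an added example that is not from the slides: a per-user random salt with sha256 via hash(), a constant-time comparison, a fresh session ID at login, and a check that reads login state from the session. It assumes PHP 7 for random_bytes() and uses a constructed array in place of a users table.

```php
<?php
// Added example (not from the slides). Users live in a constructed array in
// place of a database table; requires PHP 7 for random_bytes().
function registerUser(array &$users, string $username, string $password): void
{
    $salt = bin2hex(random_bytes(16));                 // per-user random salt
    $users[$username] = [
        'salt' => $salt,
        'hash' => hash('sha256', $salt . $password),   // sha256, never md5/sha1
    ];
}

function checkPassword(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $actual = hash('sha256', $users[$username]['salt'] . $password);
    return hash_equals($users[$username]['hash'], $actual);  // constant-time
}

function login(array $users, string $username, string $password): bool
{
    if (!checkPassword($users, $username, $password)) {
        return false;
    }
    // Session fixation: the ID the browser arrived with may have been planted
    // before login, so issue a fresh one the moment privilege changes.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $username;
    $_SESSION['login_time'] = time();
    return true;
}

// Every protected page asks the session, not the URL, whether a login exists.
function requireLogin(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
}

session_start();
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
var_dump(login($users, 'alice', 'not the password'));
var_dump(login($users, 'alice', 'correct horse battery staple'));
```

On PHP 5.5 and later, password_hash() and password_verify() replace the hand-rolled salt and sha256 with a deliberately slow algorithm and should be preferred for passwords.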
Insecure Direct Object References
What is it?
Making sure the user actually has access to whatever they are requesting
Handle it by checking authorization at access time, or by mapping
This is not an injection attack, but a logic attack
An Example
How to Avoid
Always check to make sure the user has authorization to access the resource
Map variables/whitelist to make it harder
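Both defences from this slide, as an added example that is not from the slides: an ownership check on every access, and a per-user index map so the real record IDs never reach the client. The same always-check-authorization rule answers the later Failure to Restrict URL Access slide. Data is constructed; requires PHP 7.1 for nullable return types.

```php
<?php
// Added example (not from the slides). Constructed records stand in for a
// documents table; requires PHP 7.1 for the ?array return type.
$documents = [
    101 => ['owner' => 'alice', 'title' => 'Alice budget'],
    102 => ['owner' => 'bob',   'title' => 'Bob resume'],
    103 => ['owner' => 'alice', 'title' => 'Alice notes'],
];

// 1. Check authorization on every access, however the id arrived.
function fetchDocument(array $documents, string $currentUser, int $id): ?array
{
    if (!isset($documents[$id]) || $documents[$id]['owner'] !== $currentUser) {
        return null;   // same answer for "missing" and "not yours"
    }
    return $documents[$id];
}

// 2. Mapping: the page links to per-session indexes (0, 1, 2 ...) instead of
// real ids, so the real key is never exposed to be edited.
function buildDocumentMap(array $documents, string $currentUser): array
{
    $map = [];
    foreach ($documents as $id => $doc) {
        if ($doc['owner'] === $currentUser) {
            $map[] = $id;
        }
    }
    return $map;   // keep this in $_SESSION between requests
}

function fetchByIndex(array $documents, array $map, string $currentUser, int $index): ?array
{
    if (!isset($map[$index])) {
        return null;
    }
    // Mapping makes guessing harder; the ownership check still runs.
    return fetchDocument($documents, $currentUser, $map[$index]);
}

$requested = 102;   // constructed: bob's document id, requested while logged in as alice
var_dump(fetchDocument($documents, 'alice', $requested));
$map = buildDocumentMap($documents, 'alice');
var_dump(fetchByIndex($documents, $map, 'alice', 1));
```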
Cross Site Request Forgery
Or CSRF Attacks
What is it?
When unauthorized commands are sent to and from a trusted website
In days gone by, this would be done with Referer checking, but don’t trust referrer information
An example – Bank Transfer
A bank transfer is done via $_GET variables
User is authenticated but not logged out
How to avoid this
Include a hidden element in the form with a one-time value
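The one-time hidden value applied to the bank transfer form from the previous slide, as an added example that is not from the slides. The token lives in the session, is compared in constant time and is discarded after a single use; requires PHP 7 for random_bytes(). The form field and handler names are hypothetical.

```php
<?php
// Added example (not from the slides). Requires PHP 7 for random_bytes().
session_start();

// Issue a fresh token: stored server-side in the session, echoed into the form.
function csrfToken(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf_token'] = $token;
    return $token;
}

// Validate and consume: a token is good for exactly one submission.
function csrfCheck(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    unset($_SESSION['csrf_token']);              // one-time, even on failure
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);   // constant-time comparison
}

// Rendering the transfer form (GET): the token rides along as a hidden field.
function renderTransferForm(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="to"><input name="amount"><button>Transfer</button></form>';
}

// Handling the submission (POST). The transfer changes state, so it must be
// a POST with a valid token, never a plain $_GET request as on the last slide.
function handleTransfer(array $post): string
{
    if (!csrfCheck($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return 'Invalid or missing CSRF token';
    }
    // perform the transfer for $_SESSION['user_id'] here
    return 'Transfer accepted';
}

echo renderTransferForm(), "\n";
var_dump(handleTransfer(['to' => 'bob', 'amount' => '10']));                      // no token: rejected
var_dump(handleTransfer(['csrf_token' => csrfToken(), 'to' => 'bob', 'amount' => '10']));
```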
Security Misconfiguration
Beyond the scope of programming
Check for server hardening guidelines for your OS
Password rotation practices
Understanding your settings
Keep your stack up to date!
Insecure Cryptographic Storage
More of a logic problem
Encrypting data in the database, but leaving it unencrypted during output
Using unsalted hashes
How to avoid this
Like when storing credentials, use a salt whenever hashing information
Only decrypt data when it is needed
Failure to Restrict URL Access
What is it?
When users can gain access to parts of the application just through URL manipulation
When the app doesn’t check authorization properly
Security through Obscurity
Don’t trust that just because a user doesn’t know a URL, they can’t get to it
Fuzzers can find all kinds of things, especially if the app is common
How to avoid this
ALWAYS check authorization. The extra CPU cycles are worth it.
Insufficient Transport Layer Protection
Not using SSL when you should
If your data is sensitive, use SSL
Are your logins behind SSL?
There isn’t really an excuse. You can get an SSL cert for $9/year.
Unvalidated Redirects and Forwards
What is it?
When an app doesn’t properly validate that the redirect destination is valid
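Two ways to validate a redirect destination, as an added example that is not from the slides: accept only a local path (rejecting absolute and protocol-relative URLs), or map a short name to a fixed URL so the client never supplies a destination at all. Function names and the named-destination list are hypothetical.

```php
<?php
// Added example (not from the slides). Function names are hypothetical.

// Accept only a local path. Absolute URLs, "//host" and "/\host" forms (which
// browsers treat as a new host) and control characters all fall back.
function safeRedirectTarget(?string $target, string $fallback = '/'): string
{
    if ($target === null || $target === '') {
        return $fallback;
    }
    if ($target[0] !== '/') {
        return $fallback;                 // not a local path
    }
    if (isset($target[1]) && ($target[1] === '/' || $target[1] === '\\')) {
        return $fallback;                 // protocol-relative: new host
    }
    $parts = parse_url($target);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return $fallback;                 // no newlines or other control bytes
    }
    return $target;
}

// Stricter: the client sends a name, the server owns the URL table.
function redirectByName(string $name): string
{
    $destinations = ['home' => '/', 'account' => '/account', 'help' => '/help'];
    return $destinations[$name] ?? '/';
}

// Constructed inputs standing in for $_GET['next'].
foreach (['/account?tab=1', '//evil.example/', 'http://evil.example/', '/\\evil.example', null] as $t) {
    printf("%-22s -> %s\n", var_export($t, true), safeRedirectTarget($t));
}
header('Location: ' . redirectByName($_GET['next'] ?? 'home'));
```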
Putting it Together
Attacking from Multiple Fronts
Attackers will employ many different vectors in an attack
HTML injection can take advantage of a Broken Auth system and use XSS or URL restrictions to force users to do unintended actions
Script injection can lead to Session hijacking
Remember…
1. Minimizing Attack Surface
2. Establishing Secure Defaults
3. Principle of Least Privilege
4. Defense in Depth
5. Fail Securely
6. Don’t Trust Services or Users
7. Separation of Duties
8. Avoid Security through Obscurity
9. Keep Security Simple
10. Fix Security Issues Correctly
https://www.owasp.org/index.php/Secure_Coding_Principles
Questions?