A (PHP) Security State of Mind

Transcript

1. A (PHP) Security State of Mind Chris Cornutt True North

   PHP - Toronto, Nov. 2012 Saturday, November 3, 2012

2. The mantra of any good security engineer is: 'Security is

   a not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together. Bruce Schneier Cryptographer, Security Specialist and author of “Applied Cryptography” and “Secrets & Lies” Saturday, November 3, 2012

3. You can’t afford not to Saturday, November 3, 2012

4. first, the easy stuff Saturday, November 3, 2012

5. Repeat after me... Filter Input Escape Output and no, it’s

   not that easy Saturday, November 3, 2012

6. Fil tering Input Saturday, November 3, 2012

7. When filtering... One of the most difficult parts of an

   app PHP’s nature doesn’t help Type hinting can be useful Code defensively Fail fast, fail hard Saturday, November 3, 2012

8. Think about... There’s no “universal filtering” Be wary of Do-It-Alls

   Good design is by contract, be deliberate Whitelist, not blacklist Watch for multiple contexts (ex. in output & SQL) Saturday, November 3, 2012

9. Protect Yourself Know the “holes” in what you use Don’t

   trust it if you don’t know it Filter with impunity, don’t alter === don’t == All user data is tainted, especially superglobals Saturday, November 3, 2012

10. For example... $_SERVER PHP_SELF HTTP_HOST HTTP_USER_AGENT HTTP_ACCEPT HTTP_REFERER Current script

    filename Sent in the “Host” header Any value from the client “Accept” header “Referer” header Saturday, November 3, 2012

11. Validation + Filter ==  Data type Whitelisted characters Formatting

    (phone #, email, etc) Range (character or number) Required data Complex logic checking on... Saturday, November 3, 2012

12. <?php var_dump(filter_var('http://google.com',FILTER_VALIDATE_URL)); // true var_dump(filter_var('php://input',FILTER_VALIDATE_URL)); // true var_dump(filter_var('php://filter/read=convert.base64-encode/ resource=/etc/passwd',FILTER_VALIDATE_URL)); //

    true if (preg_match('/[0-9]{3}\-[a-zA-Z]{1,5}/',$data,$matches) !== false) { ! // match found! } var_dump(is_int('1234')); // false var_dump(ctype_digit('1234')); //true ?> Saturday, November 3, 2012

13. ESCAPING OUTPUT Saturday, November 3, 2012

14. When escaping... “Encoding” vs “Escaping” Internal functions htmlspecialchars (encoding!) htmlentities

    (encoding!) filter_var Most popular prevention for XSS Beware the Passive XSS Saturday, November 3, 2012

15. Framework Specific Zend\Escaper Symfony sfOutputEscaper Frameworks with default escaping in

    views Twig’s autoescaping Saturday, November 3, 2012

16. What to escape Anything from the user (duh) Anything from

    an external data source files logs database Session information Saturday, November 3, 2012

17. Contexts General output (usually text) HTML attributes Javascript code URL

    parameters SQL statements Inside XML or JSON Headers Saturday, November 3, 2012

18. FRONTEND THINKING Saturday, November 3, 2012

19. Javascript Don’t trust it. Period. Same-Origin vs Access-Control-Allow-Origin XSS can

    allow for JS injection Global nature, overrides are easy Saturday, November 3, 2012

20. Javascript Sandboxing in recent browsers Content Security Policy Saturday, November

    3, 2012

21. X-Content-Security-Policy: default-src 'none'; script-src 'self' js.mysite.com; style-src 'self' css.mysite.com; img-src

    'self' images.mysite.com "X-Content-Security-Policy-Report-Only: script-src 'self'; report- uri /evaluationviolation.php" http://websec.io/2012/10/02/Intro-to-Content-Security-Policy.html Saturday, November 3, 2012

22. Javascript Sandboxing in recent browsers Content Security Policy Beware of

    remote scripts Cross-Domain Resource Sharing vs Same-Origin Specific attacks like: JSON hijacking Clickjacking DOM injection WebSockets Saturday, November 3, 2012

23. HTML5 WebSQL injections OWASP HTML5 Security Cheat Sheet Prevention with

    headers: X-Frame-Options (non-IE) X-XSS-Protection (relfected) Strict-Transport-Security Content-Security-Policy Origin Recent abuse of Fullscreen API Saturday, November 3, 2012

24. HTML5 Frame busting Input validation (like URLs for Ajax) Check

    origin Iframe sandboxing html5sec.org Saturday, November 3, 2012

25. OTHER CONCERNS Saturday, November 3, 2012

26. Firewall Router WAF Application aka The Promised Land Server Saturday,

    November 3, 2012

27. Server Security Strong system passwords Lock it down Favor SSL

    (“HTTPS Everywhere”) Update, update and - oh yeah - update Shared resources/sessions https://github.com/enygma/shieldframework/blob/master/Shield/Session.php Saturday, November 3, 2012

28. Network Security Block ports Lock it down Firewall/Route to restrict

    access Consider internal vs. external access Saturday, November 3, 2012

29. DEVELOP SECUREL Y Saturday, November 3, 2012

30. Consider... Never trust the user Implement security checks during development,

    not after Create a security policy all devs should follow Remember your attack surface Think like an attacker Saturday, November 3, 2012

31. Tools WebScarab - Capturing Proxy Burp Suite - Security Testing

    App Skipfish - Google’s Scanner WebGoat/DVWA To learn and test Saturday, November 3, 2012

32. You can’t afford not to Saturday, November 3, 2012

33. Chris Cornutt @enygma @phpdeveloper @websecquickfix http://websec.io https://joind.in/7420 Thanks! Saturday, November

    3, 2012