
A (PHP) Security State of Mind

Chris Cornutt
November 03, 2012

Given at True North PHP 2012


  1. A (PHP) Security State of Mind
     Chris Cornutt
     True North PHP - Toronto, Nov. 2012
     Saturday, November 3, 2012
  2. “The mantra of any good security engineer is: 'Security is not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together.”
     Bruce Schneier, Cryptographer, Security Specialist and author of “Applied Cryptography” and “Secrets & Lies”
  3. Repeat after me...
     - Filter Input
     - Escape Output
     ...and no, it’s not that easy
  4. When filtering...
     - One of the most difficult parts of an app
     - PHP’s nature doesn’t help
     - Type hinting can be useful
     - Code defensively
     - Fail fast, fail hard
  5. Think about...
     - There’s no “universal filtering”
     - Be wary of Do-It-Alls
     - Good design is by contract, be deliberate
     - Whitelist, not blacklist
     - Watch for multiple contexts (ex. in output & SQL)
  6. Protect Yourself
     - Know the “holes” in what you use
     - Don’t trust it if you don’t know it
     - Filter with impunity, don’t alter
     - Use ===, not ==
     - All user data is tainted, especially superglobals
  7. (slide title not recovered from the extraction)
     - filename
     - Sent in the “Host” header
     - Any value from the client
     - “Accept” header
     - “Referer” header
  8. Validation + Filter ==
     - Data type
     - Whitelisted characters
     - Formatting (phone #, email, etc)
     - Range (character or number)
     - Required data
     - Complex logic checking on...
  9. <?php
     // FILTER_VALIDATE_URL checks the shape of a URL, not its scheme, so PHP
     // stream wrappers such as php:// pass the filter as well.
     var_dump(filter_var('http://google.com', FILTER_VALIDATE_URL)); // valid (returns the URL string, not bool true)
     var_dump(filter_var('php://input', FILTER_VALIDATE_URL)); // valid
     var_dump(filter_var('php://filter/read=convert.base64-encode/resource=/etc/passwd', FILTER_VALIDATE_URL)); // valid

     // preg_match() returns 1 for a match, 0 for no match and false only on
     // error, so testing the result with "!== false" is true even when nothing
     // matched; compare with === 1 instead.
     $data = '123-abc'; // constructed sample input
     if (preg_match('/[0-9]{3}\-[a-zA-Z]{1,5}/', $data, $matches) === 1) {
         // match found!
     }

     // is_int() tests the variable's type; request data is always a string.
     var_dump(is_int('1234')); // false
     var_dump(ctype_digit('1234')); // true
     ?>
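The pitfalls on this slide and the whitelist approach of slides 5 and 8 can be wrapped in small validators. The following is an added example, not code from the deck: `validate_http_url`, `validate_int_in_range` and `validate_code` are hypothetical helpers, the allowed scheme list and the sample inputs are constructed, and it assumes PHP with the filter extension enabled.

```php
<?php
// Added example (not from the slides): whitelist validators that avoid the
// gotchas shown on slide 9. Helper names, the scheme whitelist and the
// sample inputs are constructed for illustration.

// FILTER_VALIDATE_URL accepts any scheme PHP can parse, including php://,
// so a URL check must also whitelist the schemes the application expects.
function validate_http_url($value, array $allowedSchemes = array('http', 'https'))
{
    $url = filter_var($value, FILTER_VALIDATE_URL);
    if ($url === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, $allowedSchemes, true)) {
        return false;
    }
    return $url;
}

// is_int() checks the PHP type, not the content; request data is always a
// string, so validate it with FILTER_VALIDATE_INT and an explicit range.
function validate_int_in_range($value, $min, $max)
{
    $int = filter_var($value, FILTER_VALIDATE_INT, array(
        'options' => array('min_range' => $min, 'max_range' => $max),
    ));
    return ($int === false) ? false : $int;
}

// preg_match() returns 1 on match, 0 on no match and false on error, so the
// result is compared with === 1; the ^ and $ anchors make the whitelist apply
// to the whole value rather than to a substring of it.
function validate_code($value)
{
    return preg_match('/^[0-9]{3}-[a-zA-Z]{1,5}$/', (string) $value) === 1;
}

// Constructed sample inputs.
var_dump(validate_http_url('http://google.com'));
var_dump(validate_http_url('php://input'));
var_dump(validate_http_url('php://filter/read=convert.base64-encode/resource=/etc/passwd'));
var_dump(validate_int_in_range('1234', 1, 9999));
var_dump(validate_int_in_range('12ab', 1, 9999));
var_dump(validate_code('123-abc'));
var_dump(validate_code('x123-abc'));
```

Each validator returns the cleaned value (or `true`) only when the input is entirely inside the whitelist, and `false` otherwise; the caller compares the result with `===` rather than relying on PHP's loose truthiness, which is the "=== not ==" point from slide 6.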
  10. When escaping...
      - “Encoding” vs “Escaping”
      - Internal functions: htmlspecialchars (encoding!), htmlentities (encoding!), filter_var
      - Most popular prevention for XSS
      - Beware the Passive XSS
  11. What to escape
      - Anything from the user (duh)
      - Anything from an external data source: files, logs, database
      - Session information
  12. Contexts
      - General output (usually text)
      - HTML attributes
      - Javascript code
      - URL parameters
      - SQL statements
      - Inside XML or JSON
      - Headers
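Slides 10 to 12 say that escaping depends on the output context; the point is easiest to see with one escaper per context fed the same tainted value. The following is an added example, not code from the deck: the `e_*` helper names and `find_user` are hypothetical, the `$tainted` string is constructed, and it assumes UTF-8 output and an existing PDO connection in `$pdo` for the SQL part.

```php
<?php
// Added example (not from the slides): one escaping function per output
// context from slide 12. Helper names and the tainted sample are constructed;
// assumes UTF-8 pages and a PDO connection in $pdo for the SQL case.

// HTML body text.
function e_html($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// HTML attribute: same encoder, but the value is always wrapped in quotes,
// otherwise a space in the value ends the attribute.
function e_attr($s)
{
    return '"' . htmlspecialchars($s, ENT_QUOTES, 'UTF-8') . '"';
}

// JavaScript: json_encode() yields a quoted JS string literal; the HEX flags
// encode <, >, &, ' and " so the value cannot close the <script> block.
function e_js($s)
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// URL query parameter: RFC 3986 percent-encoding.
function e_url($s)
{
    return rawurlencode($s);
}

// SQL: no escaping at all, the value is bound in a prepared statement.
function find_user(PDO $pdo, $username)
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $username));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed tainted input that breaks out of every context when unescaped.
$tainted = '"><script>alert(1)</script>';

echo '<p>' . e_html($tainted) . "</p>\n";
echo '<input value=' . e_attr($tainted) . ">\n";
echo '<script>var name = ' . e_js($tainted) . ";</script>\n";
echo '<a href="/search?q=' . e_url($tainted) . "\">search</a>\n";
```

Note that a value placed in two contexts at once (slide 5's "multiple contexts"), such as a URL inside an HTML attribute, needs both escapers applied in order: `e_attr(e_url($value))`, URL-encoding first and HTML-encoding last.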
  13. Javascript
      - Don’t trust it. Period.
      - Same-Origin vs Access-Control-Allow-Origin
      - XSS can allow for JS injection
      - Global nature, overrides are easy
  14. X-Content-Security-Policy: default-src 'none'; script-src 'self' js.mysite.com; style-src 'self' css.mysite.com; img-src 'self' images.mysite.com

      X-Content-Security-Policy-Report-Only: script-src 'self'; report-uri /evaluationviolation.php

      http://websec.io/2012/10/02/Intro-to-Content-Security-Policy.html
  15. Javascript
      - Sandboxing in recent browsers
      - Content Security Policy
      - Beware of remote scripts
      - Cross-Domain Resource Sharing vs Same-Origin
      - Specific attacks like: JSON hijacking, Clickjacking, DOM injection, WebSockets
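Slide 14 shows the policy as raw header text and slide 15 lists Content Security Policy as the defence; what a PHP application actually does is send those headers and receive the reports the report-only policy produces. The following is an added example, not code from the deck: `send_csp_headers` and `record_csp_report` are hypothetical helpers, the hostnames and the report path come from slide 14, the log file path is a constructed placeholder, and it assumes the script runs before any output is sent. The unprefixed `Content-Security-Policy` name is the standardised header; the `X-` prefixed form from the slide is sent alongside it for browsers of that era.

```php
<?php
// Added example (not from the slides): emitting the policy from slide 14 and
// receiving its violation reports. Helper names and the log path are
// constructed; hostnames and /evaluationviolation.php are from the slide.

function send_csp_headers()
{
    $policy = "default-src 'none'; "
            . "script-src 'self' js.mysite.com; "
            . "style-src 'self' css.mysite.com; "
            . "img-src 'self' images.mysite.com";
    header('Content-Security-Policy: ' . $policy);
    header('X-Content-Security-Policy: ' . $policy);   // prefixed form for 2012-era browsers

    // Report-only variant: violations are reported, not blocked, which is
    // how a stricter policy is trialled before it is enforced.
    $trial = "script-src 'self'; report-uri /evaluationviolation.php";
    header('Content-Security-Policy-Report-Only: ' . $trial);
}

// Receiver for /evaluationviolation.php. The browser POSTs a JSON body with a
// top-level "csp-report" object; it is client-supplied and treated as tainted.
function record_csp_report($rawBody, $logFile)
{
    $report = json_decode($rawBody, true);
    if (!is_array($report) || !isset($report['csp-report']) || !is_array($report['csp-report'])) {
        return false;
    }
    $r = $report['csp-report'];
    $fields = array('document-uri', 'violated-directive', 'blocked-uri');
    $entry = array('time' => date('c'));
    foreach ($fields as $f) {
        // Keep only the expected fields and cap their length before logging.
        $entry[$f] = isset($r[$f]) ? substr((string) $r[$f], 0, 512) : '';
    }
    return file_put_contents($logFile, json_encode($entry) . "\n", FILE_APPEND | LOCK_EX) !== false;
}

if (PHP_SAPI !== 'cli') {
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // Report endpoint: store the report and answer with no body.
        record_csp_report(file_get_contents('php://input'), '/var/log/csp-reports.log');
        http_response_code(204);
    } else {
        send_csp_headers();
    }
}
```

The report receiver writes one JSON line per violation, which makes the log easy to grep for a `violated-directive` while the report-only policy is being evaluated; because anyone can POST to the endpoint, the fields are whitelisted and length-capped rather than logged verbatim.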
  16. HTML5
      - WebSQL injections
      - OWASP HTML5 Security Cheat Sheet
      - Prevention with headers: X-Frame-Options (non-IE), X-XSS-Protection (reflected), Strict-Transport-Security, Content-Security-Policy, Origin
      - Recent abuse of Fullscreen API
  17. HTML5
      - Frame busting
      - Input validation (like URLs for Ajax)
      - Check origin
      - Iframe sandboxing
      - html5sec.org
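Slide 16 lists the prevention headers and slide 17 says to check the origin of Ajax requests; the two fit naturally in one request handler. The following is an added example, not code from the deck: `send_security_headers` and `allowed_origin` are hypothetical helpers, the `mysite.com` origins in the whitelist are constructed placeholders, and it assumes the script is an Ajax-only JSON endpoint that runs before any output.

```php
<?php
// Added example (not from the slides): the prevention headers from slide 16
// and the "check origin" step from slide 17 on an Ajax endpoint. Helper
// names and the whitelisted origins are constructed.

function send_security_headers()
{
    // Clickjacking: refuse to be framed (SAMEORIGIN if the app frames itself).
    header('X-Frame-Options: DENY');
    // Reflected-XSS filter in browsers of the time: block the page rather
    // than let the browser "repair" it.
    header('X-XSS-Protection: 1; mode=block');
    // Only meaningful on an HTTPS response: pins the browser to TLS.
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    }
}

// Browsers add an Origin header to cross-origin requests. It is compared
// with === against a whitelist (never a substring or prefix match), and the
// matched value is what gets echoed in Access-Control-Allow-Origin.
// Returns the origin, false when it is not whitelisted, null when absent.
function allowed_origin(array $server, array $whitelist)
{
    if (!isset($server['HTTP_ORIGIN'])) {
        return null;   // no Origin header: not a cross-origin browser request
    }
    return in_array($server['HTTP_ORIGIN'], $whitelist, true) ? $server['HTTP_ORIGIN'] : false;
}

$whitelist = array('https://mysite.com', 'https://app.mysite.com');   // constructed

if (PHP_SAPI !== 'cli') {
    send_security_headers();
    $origin = allowed_origin($_SERVER, $whitelist);
    if ($origin === false) {
        http_response_code(403);   // cross-origin request from an unknown site
        exit;
    }
    if ($origin !== null) {
        // Echo exactly the matched origin; never "*" on a credentialed endpoint.
        header('Access-Control-Allow-Origin: ' . $origin);
        header('Vary: Origin');
    }
    header('Content-Type: application/json');
    echo json_encode(array('ok' => true));
}
```

The `Vary: Origin` header matters once the allowed origin is echoed back: without it a shared cache could serve one origin's `Access-Control-Allow-Origin` value to a request from another.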
  18. Server Security
      - Strong system passwords
      - Lock it down
      - Favor SSL (“HTTPS Everywhere”)
      - Update, update and - oh yeah - update
      - Shared resources/sessions: https://github.com/enygma/shieldframework/blob/master/Shield/Session.php
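The slide points at the Shield framework's session handler for the shared-resources problem; the settings that matter can also be applied to PHP's built-in session handler. The following is an added example, not code from the deck and not the Shield framework's own `Session.php`: `start_secure_session`, `promote_session` and `end_session` are hypothetical helpers, the 900-second idle timeout is a constructed value, and it assumes the site is served over HTTPS (the `Secure` cookie flag would otherwise prevent the cookie from being sent at all).

```php
<?php
// Added example (not from the slides or the linked Shield framework):
// hardening PHP's built-in session handling. Helper names and the idle
// timeout are constructed; assumes an HTTPS-only site.

function start_secure_session($idleSeconds = 900)
{
    // Cookie-only sessions: no session ids in URLs, cookie unreadable from
    // JavaScript and sent only over TLS.
    ini_set('session.use_only_cookies', 1);
    ini_set('session.use_trans_sid', 0);
    ini_set('session.cookie_httponly', 1);
    ini_set('session.cookie_secure', 1);
    // Reject ids the client invented (fixation via a chosen id); this
    // setting exists from PHP 5.5.2 and is ignored by older versions.
    ini_set('session.use_strict_mode', 1);
    session_name('SID');   // constructed name instead of the default PHPSESSID
    session_start();

    // Idle timeout enforced server-side; cookie lifetime alone is under the
    // client's control.
    if (isset($_SESSION['last_active']) && time() - $_SESSION['last_active'] > $idleSeconds) {
        $_SESSION = array();
        session_regenerate_id(true);   // new id, old data file deleted
    }
    $_SESSION['last_active'] = time();
}

// Called after a successful login: a fresh id makes any id the client held
// before authenticating worthless.
function promote_session($userId)
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_active'] = time();
}

// Logout: clear the data, expire the cookie and destroy the server-side record.
function end_session()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if (PHP_SAPI !== 'cli') {
    start_secure_session();
    // ... on successful authentication: promote_session($userId);
    // ... on logout: end_session();
}
```

On a shared host the session save path is the remaining shared resource: sessions written under the default `session.save_path` are readable by every other site on the box running as the same user, so `session.save_path` should point at a directory owned by the application alone.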
  19. Network Security
      - Block ports
      - Lock it down
      - Firewall/Route to restrict access
      - Consider internal vs. external access
  20. Consider...
      - Never trust the user
      - Implement security checks during development, not after
      - Create a security policy all devs should follow
      - Remember your attack surface
      - Think like an attacker
  21. Tools
      - WebScarab - Capturing Proxy
      - Burp Suite - Security Testing App
      - Skipfish - Google’s Scanner
      - WebGoat/DVWA - To learn and test