A (PHP) Security State of Mind

Chris Cornutt
November 03, 2012

Given at True North PHP 2012

Transcript

  1. A (PHP) Security State of Mind. Chris Cornutt, True North PHP - Toronto, Nov. 2012. Saturday, November 3, 2012
  2. “The mantra of any good security engineer is: ‘Security is not a product, but a process.’ It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together.” Bruce Schneier, Cryptographer, Security Specialist and author of “Applied Cryptography” and “Secrets & Lies”
  3. You can’t afford not to
  4. First, the easy stuff
  5. Repeat after me... Filter Input, Escape Output. And no, it’s not that easy.
  6. Filtering Input
  7. When filtering...
     - One of the most difficult parts of an app
     - PHP’s nature doesn’t help
     - Type hinting can be useful
     - Code defensively
     - Fail fast, fail hard
  8. Think about...
     - There’s no “universal filtering”
     - Be wary of Do-It-Alls
     - Good design is by contract, be deliberate
     - Whitelist, not blacklist
     - Watch for multiple contexts (ex. in output & SQL)
  9. Protect Yourself
     - Know the “holes” in what you use
     - Don’t trust it if you don’t know it
     - Filter with impunity, don’t alter
     - === don’t ==
     - All user data is tainted, especially superglobals
  10. For example... $_SERVER
     - PHP_SELF: current script filename
     - HTTP_HOST: sent in the “Host” header
     - HTTP_USER_AGENT: any value from the client
     - HTTP_ACCEPT: “Accept” header
     - HTTP_REFERER: “Referer” header
  11. Validation + Filter ==
     - Data type
     - Whitelisted characters
     - Formatting (phone #, email, etc)
     - Range (character or number)
     - Required data
     - Complex logic checking on...
  12. Code shown on the slide:

     <?php
     var_dump(filter_var('http://google.com', FILTER_VALIDATE_URL)); // true (the URL validates)
     var_dump(filter_var('php://input', FILTER_VALIDATE_URL));       // true as well: any scheme validates
     var_dump(filter_var('php://filter/read=convert.base64-encode/resource=/etc/passwd', FILTER_VALIDATE_URL)); // true as well

     $data = isset($_GET['code']) ? $_GET['code'] : ''; // constructed input so the snippet runs
     if (preg_match('/[0-9]{3}\-[a-zA-Z]{1,5}/', $data, $matches) !== false) {
         // match found!
         // Note: preg_match() returns 0 (not false) when nothing matches, so this branch
         // is also taken on no match; only false signals an error.
     }

     var_dump(is_int('1234'));      // false: request data is a string
     var_dump(ctype_digit('1234')); // true
     ?>
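The gotchas on slides 7 to 12 (URL wrappers passing FILTER_VALIDATE_URL, string-typed request data, the preg_match return value) as a whitelist-based, fail-fast validator. This is an added example, not code from the talk; it assumes PHP 5.3+ and the function names are hypothetical.

```php
<?php
// Added example, not from the slides: whitelist validation that fails fast.
// Assumes PHP 5.3+; the function names are hypothetical.

// FILTER_VALIDATE_URL only checks syntax (php://, file://, data: all pass),
// so also check scheme and host against a whitelist.
function validateHttpUrl($value, array $allowedHosts)
{
    $url = filter_var($value, FILTER_VALIDATE_URL);
    if ($url === false) {
        throw new InvalidArgumentException('Malformed URL');
    }
    $parts  = parse_url($url);
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    $host   = isset($parts['host']) ? strtolower($parts['host']) : '';
    if (!in_array($scheme, array('http', 'https'), true)) {
        throw new InvalidArgumentException('Only http/https URLs are accepted');
    }
    if (!in_array($host, $allowedHosts, true)) {
        throw new InvalidArgumentException('Host is not whitelisted');
    }
    return $url;   // returned unchanged: filter, don't alter
}
// Request data is always a string, so is_int() is useless on it;
// FILTER_VALIDATE_INT returns an int or false and can enforce a range.
function validateQuantity($value)
{
    $opts = array('options' => array('min_range' => 1, 'max_range' => 100));
    $qty  = filter_var($value, FILTER_VALIDATE_INT, $opts);
    if ($qty === false) {
        throw new InvalidArgumentException('Quantity must be 1..100');
    }
    return $qty;
}
// preg_match() returns 1, 0 or false: test for === 1 and anchor the pattern
// ("!== false" is true even when nothing matched).
function validateProductCode($value)
{
    if (preg_match('/^[0-9]{3}-[a-zA-Z]{1,5}$/', $value) !== 1) {
        throw new InvalidArgumentException('Bad product code');
    }
    return $value;
}
// Constructed sample input standing in for $_GET.
try {
    validateHttpUrl('php://input', array('www.example.com'));
} catch (InvalidArgumentException $e) {
    echo 'url: ' . $e->getMessage() . "\n";   // rejected: scheme is php
}
echo validateQuantity('42'), ' ', validateProductCode('123-abc'), "\n";
```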
  13. Escaping Output
  14. When escaping...
     - “Encoding” vs “Escaping”
     - Internal functions: htmlspecialchars (encoding!), htmlentities (encoding!), filter_var
     - Most popular prevention for XSS
     - Beware the passive XSS
  15. Framework specific
     - Zend\Escaper
     - Symfony sfOutputEscaper
     - Frameworks with default escaping in views: Twig’s autoescaping
  16. What to escape
     - Anything from the user (duh)
     - Anything from an external data source: files, logs, database
     - Session information
  17. Contexts
     - General output (usually text)
     - HTML attributes
     - Javascript code
     - URL parameters
     - SQL statements
     - Inside XML or JSON
     - Headers
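One escaper per output context from slides 14 to 17 (HTML text, attribute, JavaScript, URL parameter, header, and SQL via binding instead of escaping), run over one tainted value. This is an added example, not the talk's code; it assumes UTF-8 pages and the PDO SQLite driver, and the helper names are hypothetical.

```php
<?php
// Added example, not from the slides: one escaper per output context.
// Assumes UTF-8 pages and PDO with SQLite; helper names are hypothetical.

function escHtml($s)        // text between tags
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
function escAttr($s)        // attribute value; the template must quote the attribute
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
function escJs($s)          // inside <script>: a JSON string literal with < > & ' " hex-escaped
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}
function escUrlParam($s)    // one query-string value
{
    return rawurlencode($s);
}
function escHeader($s)      // drop CR/LF so a value cannot add extra headers
{
    return str_replace(array("\r", "\n"), '', $s);
}

// Constructed tainted input: markup, both quote styles, an ampersand, a newline.
$name = "<b>O'Brien & \"Sons\"</b>\n";

header('X-Greeting: ' . escHeader($name));   // headers go out before any output
echo '<p>Hello ' . escHtml($name) . "</p>\n";
echo '<input value="' . escAttr($name) . "\">\n";
echo '<script>var who = ' . escJs($name) . ";</script>\n";
echo '<a href="/search?q=' . escUrlParam($name) . "\">search</a>\n";

// SQL context: don't escape, bind. The driver keeps data and statement apart.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (name TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute(array(':name' => $name));
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute(array(':name' => $name));
var_dump($stmt->fetchColumn() === $name);   // true: stored byte-for-byte, never parsed as SQL
```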
  18. Frontend Thinking
  19. Javascript
     - Don’t trust it. Period.
     - Same-Origin vs Access-Control-Allow-Origin
     - XSS can allow for JS injection
     - Global nature, overrides are easy
  20. Javascript
     - Sandboxing in recent browsers
     - Content Security Policy
  21. X-Content-Security-Policy: default-src 'none'; script-src 'self' js.mysite.com; style-src 'self' css.mysite.com; img-src 'self' images.mysite.com
     X-Content-Security-Policy-Report-Only: script-src 'self'; report-uri /evaluationviolation.php
     http://websec.io/2012/10/02/Intro-to-Content-Security-Policy.html
  22. Javascript
     - Sandboxing in recent browsers
     - Content Security Policy
     - Beware of remote scripts
     - Cross-Domain Resource Sharing vs Same-Origin
     - Specific attacks like: JSON hijacking, Clickjacking, DOM injection, WebSockets
  23. HTML5
     - WebSQL injections
     - OWASP HTML5 Security Cheat Sheet
     - Prevention with headers: X-Frame-Options (non-IE), X-XSS-Protection (reflected), Strict-Transport-Security, Content-Security-Policy, Origin
     - Recent abuse of Fullscreen API
  24. HTML5
     - Frame busting
     - Input validation (like URLs for Ajax)
     - Check origin
     - Iframe sandboxing
     - html5sec.org
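The CSP policy from slide 21 and the protective headers from slide 23 sent from PHP, plus a receiver for the report-uri endpoint the slide names, which treats every field of the posted report as tainted. Added example, not the talk's code; the host names are the slide's, the helper names are hypothetical.

```php
<?php
// Added example, not from the slides: emit the headers above from PHP and
// receive CSP violation reports at the slide's report-uri. Host names are the
// slide's (js.mysite.com etc.); the helper names are hypothetical.
function sendSecurityHeaders()
{
    $policy = "default-src 'none'; script-src 'self' js.mysite.com; "
            . "style-src 'self' css.mysite.com; img-src 'self' images.mysite.com";
    // Standard header plus the vendor-prefixed names browsers used in 2012.
    header('Content-Security-Policy: ' . $policy);
    header('X-Content-Security-Policy: ' . $policy);
    header('X-WebKit-CSP: ' . $policy);
    // Trial a stricter policy in report-only mode: it reports, never blocks.
    header("Content-Security-Policy-Report-Only: script-src 'self'; report-uri /evaluationviolation.php");
    header('X-Frame-Options: DENY');               // no framing at all (clickjacking)
    header('X-XSS-Protection: 1; mode=block');     // browser reflected-XSS filter
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    }
}
// /evaluationviolation.php: the browser POSTs JSON with a top-level "csp-report".
// Every field is attacker-influenced: keep it short and free of line breaks
// before it reaches a log file or a screen.
function readCspReport($rawBody)
{
    $report = json_decode($rawBody, true);
    if (!is_array($report) || !isset($report['csp-report']) || !is_array($report['csp-report'])) {
        return null;
    }
    $clean = array();
    foreach (array('document-uri', 'violated-directive', 'blocked-uri') as $f) {
        $v = isset($report['csp-report'][$f]) && is_string($report['csp-report'][$f])
           ? $report['csp-report'][$f] : '';
        $clean[$f] = substr(str_replace(array("\r", "\n"), ' ', $v), 0, 512);
    }
    return $clean;
}
if (php_sapi_name() === 'cli') {
    // Constructed sample report for offline testing.
    $sample = '{"csp-report":{"document-uri":"https://www.mysite.com/",'
            . '"violated-directive":"script-src \'self\'","blocked-uri":"http://cdn.example.net/x.js"}}';
    print_r(readCspReport($sample));
} else {
    $entry = readCspReport(file_get_contents('php://input'));
    if ($entry !== null) {
        error_log('CSP violation: ' . json_encode($entry));
    }
}
```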
  25. Other Concerns
  26. Firewall, Router, WAF, Application (aka The Promised Land), Server
  27. Server Security
     - Strong system passwords
     - Lock it down
     - Favor SSL (“HTTPS Everywhere”)
     - Update, update and - oh yeah - update
     - Shared resources/sessions: https://github.com/enygma/shieldframework/blob/master/Shield/Session.php
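The shared-resources/sessions point from slide 27 as session hardening for a shared host: a private save path, cookie-only strict-mode sessions, and ID regeneration on login and idle timeout. Added example, not code from the talk or from the Shield framework's Session.php; it assumes PHP 5.5.2+ (for session.use_strict_mode) and /var/www/mysite/sessions is a placeholder path.

```php
<?php
// Added example, not from the slides or the Shield framework: session
// hardening for a shared host. Assumes PHP 5.5.2+; the save path is a placeholder.
function startHardenedSession()
{
    // Shared hosts default to a world-readable /tmp: use a directory only this
    // site's user can read, so other tenants cannot read or plant session files.
    ini_set('session.save_path', '/var/www/mysite/sessions');
    ini_set('session.use_only_cookies', 1);   // never accept a session id in the URL
    ini_set('session.use_strict_mode', 1);    // reject ids the server did not issue
    $secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
    // lifetime 0 (browser session), path /, any domain, Secure when on HTTPS, HttpOnly
    session_set_cookie_params(0, '/', '', $secure, true);
    session_start();
    // Expire idle sessions server-side rather than trusting garbage collection alone.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > 1800) {
        $_SESSION = array();
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = time();
}
// Call after a successful password check: a fresh id defeats session fixation.
function elevateSession($userId)
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
startHardenedSession();
```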
  28. Network Security
     - Block ports
     - Lock it down
     - Firewall/Route to restrict access
     - Consider internal vs. external access
  29. Develop Securely
  30. Consider...
     - Never trust the user
     - Implement security checks during development, not after
     - Create a security policy all devs should follow
     - Remember your attack surface
     - Think like an attacker
  31. Tools
     - WebScarab - Capturing Proxy
     - Burp Suite - Security Testing App
     - Skipfish - Google’s Scanner
     - WebGoat/DVWA - To learn and test
  32. You can’t afford not to
  33. Chris Cornutt @enygma @phpdeveloper @websecquickfix http://websec.io https://joind.in/7420 Thanks!