A (PHP) Security State of Mind

A (PHP) Security
State of Mind
Chris Cornutt
True North PHP - Toronto, Nov. 2012
Saturday, November 3, 2012

View Slide

The mantra of any good
security engineer is: 'Security
is a not a product, but a
process.'
It's more than designing
strong cryptography into a
system; it's designing the
entire system such that all
security measures, including
cryptography, work together.
Bruce Schneier
Cryptographer, Security Specialist and author of “Applied
Cryptography” and “Secrets & Lies”

View Slide

You can’t afford not to

View Slide

first, the easy stuff

View Slide

Repeat after me...
Filter Input
Escape Output
and no, it’s not that easy

View Slide

Fil
tering Input

View Slide

When ﬁltering...
One of the most difﬁcult parts of an app
PHP’s nature doesn’t help
Type hinting can be useful
Code defensively
Fail fast, fail hard

View Slide

Think about...
There’s no “universal ﬁltering”
Be wary of Do-It-Alls
Good design is by contract, be deliberate
Whitelist, not blacklist
Watch for multiple contexts (ex. in output & SQL)

View Slide

Protect Yourself
Know the “holes” in what you use
Don’t trust it if you don’t know it
Filter with impunity, don’t alter
=== don’t ==
All user data is tainted, especially superglobals

View Slide

For example... $_SERVER
PHP_SELF
HTTP_HOST
HTTP_USER_AGENT
HTTP_ACCEPT
HTTP_REFERER
Current script ﬁlename
Sent in the “Host” header
Any value from the client
“Accept” header
“Referer” header

View Slide

Validation + Filter == 
Data type
Whitelisted characters
Formatting (phone #, email, etc)
Range (character or number)
Required data
Complex logic checking
on...

View Slide

var_dump(filter_var('http://google.com',FILTER_VALIDATE_URL));
// true
var_dump(filter_var('php://input',FILTER_VALIDATE_URL));
// true
var_dump(filter_var('php://filter/read=convert.base64-encode/
resource=/etc/passwd',FILTER_VALIDATE_URL));
// true
if (preg_match('/[0-9]{3}\-[a-zA-Z]{1,5}/',$data,$matches) !== false) {
! // match found!
}
var_dump(is_int('1234')); // false
var_dump(ctype_digit('1234')); //true
?>

View Slide

ESCAPING OUTPUT

View Slide

When escaping...
“Encoding” vs “Escaping”
Internal functions
htmlspecialchars (encoding!)
htmlentities (encoding!)
ﬁlter_var
Most popular prevention for XSS
Beware the Passive XSS

View Slide

Framework Speciﬁc
Zend\Escaper
Symfony sfOutputEscaper
Frameworks with default escaping in views
Twig’s autoescaping

View Slide

What to escape
Anything from the user (duh)
Anything from an external data source
ﬁles
logs
database
Session information

View Slide

Contexts
General output (usually text)
HTML attributes
Javascript code
URL parameters
SQL statements
Inside XML or JSON
Headers

View Slide

FRONTEND THINKING

View Slide

Javascript
Don’t trust it. Period.
Same-Origin vs Access-Control-Allow-Origin
XSS can allow for JS injection
Global nature, overrides are easy

View Slide

Javascript
Sandboxing in recent browsers
Content Security Policy

View Slide

X-Content-Security-Policy: default-src 'none'; script-src 'self'
js.mysite.com; style-src 'self' css.mysite.com; img-src 'self'
images.mysite.com
"X-Content-Security-Policy-Report-Only: script-src 'self'; report-
uri /evaluationviolation.php"
http://websec.io/2012/10/02/Intro-to-Content-Security-Policy.html

View Slide

Javascript
Sandboxing in recent browsers
Content Security Policy
Beware of remote scripts
Cross-Domain Resource Sharing vs Same-Origin
Speciﬁc attacks like:
JSON hijacking
Clickjacking
DOM injection
WebSockets

View Slide

HTML5
WebSQL injections
OWASP HTML5 Security Cheat Sheet
Prevention with headers:
X-Frame-Options (non-IE)
X-XSS-Protection (relfected)
Strict-Transport-Security
Content-Security-Policy
Origin
Recent abuse of Fullscreen API

View Slide

HTML5
Frame busting
Input validation (like URLs for Ajax)
Check origin
Iframe sandboxing
html5sec.org

View Slide

A (PHP) Security State of Mind

A (PHP) Security State of Mind

Chris Cornutt

More Decks by Chris Cornutt

Other Decks in Programming

Featured

Transcript