Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond the Basics: Security with PHP

Chris Cornutt
February 27, 2013

Beyond the Basics: Security with PHP

You've seen some of the basics of securing your application - validating input, filtering output and the like. Let me take you a step further into more advanced security in PHP. Protecting your application from things like XML injection, insecure sessions & upload issues can be tricky. This session is a how-to on keeping your app safe.

Chris Cornutt

February 27, 2013
Tweet

More Decks by Chris Cornutt

Other Decks in Technology

Transcript

  1. Beyond the Basics
    security with php
    confoo 2013
    Wednesday, February 27, 2013

    View full-size slide

  2. As a whole, PHP
    fails at security
    no security-focused center
    confoo 2013
    Wednesday, February 27, 2013

    View full-size slide

  3. It’s time to move
    beyond...
    complex applications require complex solutions
    confoo 2013
    Wednesday, February 27, 2013

    View full-size slide

  4. App security is
    complex
    confoo 2013
    threat, attack surface, defense in depth, least
    privilege, two-factor, identity, authorization,
    spoofing, disclosure, poisoning, enumeration,
    injection, fixation, vulnerability...
    Wednesday, February 27, 2013

    View full-size slide

  5. Look back
    Cross-Site Scripting
    SQL Injection
    Cross-Site Request Forgeries
    confoo 2013
    I
    Wednesday, February 27, 2013

    View full-size slide

  6. OWASP Top 10
    confoo 2013
    I
    A1 - Injection
    A2 - Cross-Site Scripting
    A3 - Broken Authentication/Session Management
    A4 - Insecure Direct Object References
    A5 - Cross-Site Request Forgery
    A6 - Security Misconfiguration
    A7 - Insecure Cryptographic Storage
    A8 - Failure to Restrict URL Access
    A9 - Insufficient Transport Layer
    A10 - Unvalidated Redirects and Forwards
    2010 Edition
    Wednesday, February 27, 2013

    View full-size slide

  7. Cross-Site Scripting
    confoo 2013
    I
    http://mysite.com/query=
    strip_tags, htmlentities
    Wednesday, February 27, 2013

    View full-size slide

  8. Cross-Site Scripting
    confoo 2013
    I
    http://mysite.com/query=
    Reflective
    strip_tags, htmlentities
    Wednesday, February 27, 2013

    View full-size slide

  9. Cross-Site Scripting
    confoo 2013
    I
    http://mysite.com/query=
    Reflective
    Passive
    strip_tags, htmlentities
    Wednesday, February 27, 2013

    View full-size slide

  10. Cross-Site Scripting
    confoo 2013
    I
    http://mysite.com/query=
    Reflective
    Passive
    DOM injection
    strip_tags, htmlentities
    Wednesday, February 27, 2013

    View full-size slide

  11. Cross-Site Scripting
    confoo 2013
    I
    http://mysite.com/query=
    Reflective
    Passive
    DOM injection
    Still relevant
    strip_tags, htmlentities
    Wednesday, February 27, 2013

    View full-size slide

  12. SQL Injection
    confoo 2013
    I
    “update users set admin = “.$_GET[‘admin’]
    prepared statements,escaping
    Wednesday, February 27, 2013

    View full-size slide

  13. SQL Injection
    confoo 2013
    I
    “update users set admin = “.$_GET[‘admin’]
    Too easy to do wrong
    prepared statements,escaping
    Wednesday, February 27, 2013

    View full-size slide

  14. SQL Injection
    confoo 2013
    I
    “update users set admin = “.$_GET[‘admin’]
    Too easy to do wrong
    Blind versus Known
    prepared statements,escaping
    Wednesday, February 27, 2013

    View full-size slide

  15. SQL Injection
    confoo 2013
    I
    “update users set admin = “.$_GET[‘admin’]
    Too easy to do wrong
    Blind versus Known
    Validation
    prepared statements,escaping
    Wednesday, February 27, 2013

    View full-size slide

  16. SQL Injection
    confoo 2013
    I
    “update users set admin = “.$_GET[‘admin’]
    Too easy to do wrong
    Blind versus Known
    Validation
    Whitelist
    prepared statements,escaping
    Wednesday, February 27, 2013

    View full-size slide

  17. CSRF
    confoo 2013
    I
    GET /transfer?from=123&to=456&amt=100000
    tokens, idempotent requests
    Wednesday, February 27, 2013

    View full-size slide

  18. CSRF
    confoo 2013
    I
    GET /transfer?from=123&to=456&amt=100000
    Tokens
    tokens, idempotent requests
    Wednesday, February 27, 2013

    View full-size slide

  19. CSRF
    confoo 2013
    I
    GET /transfer?from=123&to=456&amt=100000
    Tokens
    Exploit of user trust
    tokens, idempotent requests
    Wednesday, February 27, 2013

    View full-size slide

  20. CSRF
    confoo 2013
    I
    GET /transfer?from=123&to=456&amt=100000
    Tokens
    Exploit of user trust
    Referrer check
    tokens, idempotent requests
    Wednesday, February 27, 2013

    View full-size slide

  21. CSRF
    confoo 2013
    I
    GET /transfer?from=123&to=456&amt=100000
    Tokens
    Exploit of user trust
    Referrer check
    Replay attacks
    tokens, idempotent requests
    Wednesday, February 27, 2013

    View full-size slide

  22. Look forward
    XML Injection
    Mass Assignment
    Session Hijacking
    Password Storage
    Upload Handling
    confoo 2013
    I
    Wednesday, February 27, 2013

    View full-size slide

  23. XML Injection
    confoo 2013
    I

    ]>
    &foo;
    libxml_disable_entity_loader
    Wednesday, February 27, 2013

    View full-size slide

  24. XML Injection
    confoo 2013
    I

    ]>
    &foo;
    Inject content
    libxml_disable_entity_loader
    Wednesday, February 27, 2013

    View full-size slide

  25. XML Injection
    confoo 2013
    I

    ]>
    &foo;
    Inject content
    Expanded by default
    libxml_disable_entity_loader
    Wednesday, February 27, 2013

    View full-size slide

  26. XML Injection
    confoo 2013
    I



    ]>
    &three;
    libxml_disable_entity_loader
    Wednesday, February 27, 2013

    View full-size slide

  27. XML Injection
    confoo 2013
    I



    ]>
    &three;
    XML “bomb”
    libxml_disable_entity_loader
    Wednesday, February 27, 2013

    View full-size slide

  28. XML Injection
    confoo 2013
    I



    ]>
    &three;
    XML “bomb”
    Denial of Service
    libxml_disable_entity_loader
    Wednesday, February 27, 2013

    View full-size slide

  29. Mass Assignment
    confoo 2013
    I
    $_POST[‘admin’] = true;
    $user = new \User();
    $user->values($_POST);
    ?>
    filter, restrict
    Wednesday, February 27, 2013

    View full-size slide

  30. Mass Assignment
    confoo 2013
    I
    $_POST[‘admin’] = true;
    $user = new \User();
    $user->values($_POST);
    ?>
    Spotlighted in Rails
    filter, restrict
    Wednesday, February 27, 2013

    View full-size slide

  31. Mass Assignment
    confoo 2013
    I
    $_POST[‘admin’] = true;
    $user = new \User();
    $user->values($_POST);
    ?>
    Spotlighted in Rails
    Tricky to track
    filter, restrict
    Wednesday, February 27, 2013

    View full-size slide

  32. Mass Assignment
    confoo 2013
    I
    $_POST[‘admin’] = true;
    $user = new \User();
    $user->values($_POST);
    ?>
    Spotlighted in Rails
    Tricky to track
    Laravel has “fillable” & “guarded”
    filter, restrict
    Wednesday, February 27, 2013

    View full-size slide

  33. Session Hijacking
    confoo 2013
    I
    PHPSESSID=56fc3e2c96dc3030b11722caf474da81
    session_set_save_handler
    Wednesday, February 27, 2013

    View full-size slide

  34. Session Hijacking
    confoo 2013
    I
    PHPSESSID=56fc3e2c96dc3030b11722caf474da81
    Fixation
    session_set_save_handler
    Wednesday, February 27, 2013

    View full-size slide

  35. Session Hijacking
    confoo 2013
    I
    PHPSESSID=56fc3e2c96dc3030b11722caf474da81
    Fixation
    Sidejacking
    session_set_save_handler
    Wednesday, February 27, 2013

    View full-size slide

  36. Session Hijacking
    confoo 2013
    I
    PHPSESSID=56fc3e2c96dc3030b11722caf474da81
    Fixation
    Sidejacking
    Encrypted sessions
    session_set_save_handler
    Wednesday, February 27, 2013

    View full-size slide

  37. Session Hijacking
    confoo 2013
    I
    PHPSESSID=56fc3e2c96dc3030b11722caf474da81
    Fixation
    Sidejacking
    Encrypted sessions
    Lock to IP
    session_set_save_handler
    Wednesday, February 27, 2013

    View full-size slide

  38. Password Storage
    confoo 2013
    I
    md5(“don’t do this”);
    sha1(“or this”);
    Hashing != Encryption
    Strong (or random) salts
    Bcrypt all the things
    ircmaxell/password_compat
    password_hash(“use this”, PASSWORD_BCRYPT,
    array(‘cost’=>7,‘salt’=>‘th1si5my54lt’));
    Wednesday, February 27, 2013

    View full-size slide

  39. Upload Handling
    confoo 2013
    I
    content-disposition: form-data; name=”file1”;
    filename=”../../../etc/passwd”
    move_uploaded_file
    Wednesday, February 27, 2013

    View full-size slide

  40. Upload Handling
    confoo 2013
    I
    content-disposition: form-data; name=”file1”;
    filename=”../../../etc/passwd”
    Restrict extensions/mime types
    move_uploaded_file
    Wednesday, February 27, 2013

    View full-size slide

  41. Upload Handling
    confoo 2013
    I
    content-disposition: form-data; name=”file1”;
    filename=”../../../etc/passwd”
    Restrict extensions/mime types
    Validate filename
    move_uploaded_file
    Wednesday, February 27, 2013

    View full-size slide

  42. Upload Handling
    confoo 2013
    I
    content-disposition: form-data; name=”file1”;
    filename=”../../../etc/passwd”
    Restrict extensions/mime types
    Validate filename
    Secure location
    move_uploaded_file
    Wednesday, February 27, 2013

    View full-size slide

  43. Upload Handling
    confoo 2013
    I
    content-disposition: form-data; name=”file1”;
    filename=”../../../etc/passwd”
    Restrict extensions/mime types
    Validate filename
    Secure location
    Block dangerous files
    move_uploaded_file
    Wednesday, February 27, 2013

    View full-size slide

  44. OWASP & Risk
    confoo 2013
    I
    Wednesday, February 27, 2013

    View full-size slide

  45. OWASP & Risk
    confoo 2013
    I
    2013 Edition
    Wednesday, February 27, 2013

    View full-size slide

  46. OWASP & Risk
    confoo 2013
    I
    2013 Edition
    +D : What’s next for Developers
    Wednesday, February 27, 2013

    View full-size slide

  47. OWASP & Risk
    confoo 2013
    I
    2013 Edition
    +D : What’s next for Developers
    +V : What’s next for Validators
    Wednesday, February 27, 2013

    View full-size slide

  48. OWASP & Risk
    confoo 2013
    I
    2013 Edition
    +D : What’s next for Developers
    +V : What’s next for Validators
    +O : What’s next for Organizations
    Wednesday, February 27, 2013

    View full-size slide

  49. OWASP & Risk
    confoo 2013
    I
    2013 Edition
    +D : What’s next for Developers
    +V : What’s next for Validators
    +O : What’s next for Organizations
    +R : Notes about Risk
    Wednesday, February 27, 2013

    View full-size slide

  50. OWASP Top 10
    confoo 2013
    I
    A1 - Injection
    A2 - Broken Authentication/Session Management
    A3 - Cross-Site Scripting
    A4 - Insecure Direct Object References
    A5 - Security Misconfiguration
    A6 - Sensitive Data Exposure
    A7 - Missing Function Level Access Control
    A8 - Cross-Site Request Forgery
    A9 - Using Known Vulnerable Components
    A10 - Unvalidated Redirects and Forwards
    2013 Edition
    Wednesday, February 27, 2013

    View full-size slide

  51. Risk
    confoo 2013
    I
    Wednesday, February 27, 2013

    View full-size slide

  52. Risk
    confoo 2013
    I
    Exploitability
    Wednesday, February 27, 2013

    View full-size slide

  53. Risk
    confoo 2013
    I
    Exploitability Prevalence
    Wednesday, February 27, 2013

    View full-size slide

  54. Risk
    confoo 2013
    I
    Exploitability Prevalence
    Detectability
    Wednesday, February 27, 2013

    View full-size slide

  55. Risk
    confoo 2013
    I
    Exploitability Prevalence
    Detectability Impact
    Wednesday, February 27, 2013

    View full-size slide

  56. Risk
    confoo 2013
    I
    Exploitability Prevalence
    Detectability Impact
    +
    Wednesday, February 27, 2013

    View full-size slide

  57. “Push left”
    encourage secure software development
    confoo 2013
    Wednesday, February 27, 2013

    View full-size slide

  58. Questions?
    @enygma
    confoo 2013
    https://joind.in/7956
    Wednesday, February 27, 2013

    View full-size slide