
Beyond the Basics: Security with PHP

Chris Cornutt
February 27, 2013

You've seen some of the basics of securing your application - validating input, filtering output and the like. Let me take you a step further into more advanced security in PHP. Protecting your application from things like XML injection, insecure sessions & upload issues can be tricky. This session is a how-to on keeping your app safe.

Transcript

  1. Beyond the Basics: Security with PHP (confoo 2013, Wednesday, February 27, 2013)
  2. As a whole, PHP fails at security: no security-focused center
  3. It's time to move beyond... complex applications require complex solutions
  4. App security is complex: threat, attack surface, defense in depth, least privilege, two-factor, identity, authorization, spoofing, disclosure, poisoning, enumeration, injection, fixation, vulnerability...
  5. Look back: Cross-Site Scripting, SQL Injection, Cross-Site Request Forgeries
  6. OWASP Top 10 (2010 Edition): A1 - Injection; A2 - Cross-Site Scripting; A3 - Broken Authentication/Session Management; A4 - Insecure Direct Object References; A5 - Cross-Site Request Forgery; A6 - Security Misconfiguration; A7 - Insecure Cryptographic Storage; A8 - Failure to Restrict URL Access; A9 - Insufficient Transport Layer Protection; A10 - Unvalidated Redirects and Forwards
  7-11. Cross-Site Scripting. Example: http://mysite.com/query=<img src=javascript:alert('xss')> Types: Reflective; Passive; DOM injection. Still relevant. Defenses: strip_tags, htmlentities
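The slide lists strip_tags and htmlentities as the defenses. The example below is added here and is not code from the deck: it shows the point a practitioner usually needs next, that the escaping function has to match the output context (HTML text, attribute, or a script block). The input string is a constructed copy of the slide's payload; the function names are the example's own.

```php
<?php
// Added example (not from the slides): escape untrusted data for the context it
// lands in. strip_tags() is a filter, not an output defense; htmlspecialchars()
// with ENT_QUOTES and an explicit charset is the minimum for HTML text and
// attribute contexts, and a script block needs JSON encoding with HTML-safe flags.
declare(strict_types=1);

function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// For data that ends up inside <script>, emit it as a JSON literal with the
// HTML-significant characters escaped so "</script>" cannot close the block.
function escapeForJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed input mirroring the slide's payload.
$query = '<img src=javascript:alert(\'xss\')>';

// HTML text context: the tag is rendered as literal text, not parsed.
echo '<p>You searched for: ' . escapeHtml($query) . "</p>\n";
// Attribute context: ENT_QUOTES keeps the value from closing the attribute.
echo '<input type="text" value="' . escapeHtml($query) . "\">\n";
// Script context: <, >, ' and " become \u escapes inside a JSON string.
echo '<script>var q = ' . escapeForJs($query) . ";</script>\n";
```

The DOM-injection case on the slide is the one htmlentities cannot reach: data that client-side code reads and writes into the page has to be assigned through textContent or an equivalent rather than innerHTML, because the server-side escaping has already been undone by the time JavaScript sees it.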
  12-16. SQL Injection. Example: "update users set admin = ".$_GET['admin'] Too easy to do wrong; Blind versus Known; Validation; Whitelist. Defenses: prepared statements, escaping
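The slide's concatenated UPDATE, rewritten the way the bullets suggest. This is an added example rather than code from the deck: it binds the values with a PDO prepared statement, validates the request parameters first, and uses a whitelist for the one query part that cannot be bound (a sort column chosen by the user). The table, column names and the in-memory SQLite database are constructed for the demo and assume the pdo_sqlite extension.

```php
<?php
// Added example (not from the slides): prepared statements for values,
// validation of request input, and a whitelist for identifiers.
declare(strict_types=1);

function setAdminFlag(PDO $db, int $userId, bool $admin): int
{
    // Placeholders keep the value out of the SQL text; the driver sends it
    // separately, so quotes or "OR 1=1" in the input stay data.
    $stmt = $db->prepare('UPDATE users SET admin = :admin WHERE id = :id');
    $stmt->bindValue(':admin', $admin ? 1 : 0, PDO::PARAM_INT);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function listUsers(PDO $db, string $orderBy): array
{
    // Identifiers cannot be bound, so map the request value onto a fixed list
    // (the "Whitelist" bullet) and refuse anything else.
    $allowed = ['id' => 'id', 'name' => 'name', 'created' => 'created_at'];
    if (!isset($allowed[$orderBy])) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    $stmt = $db->query('SELECT id, name, admin FROM users ORDER BY ' . $allowed[$orderBy]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed schema and data so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);   // real server-side prepares
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, admin INTEGER DEFAULT 0, created_at TEXT)');
$db->exec("INSERT INTO users (name, created_at) VALUES ('alice', '2013-02-27'), ('bob', '2013-02-26')");

// Validate the request values (the "Validation" bullet) before they reach a query.
$admin = filter_var($_GET['admin'] ?? '0', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
$id    = filter_var($_GET['id'] ?? '1', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($admin === null || $id === false) {
    http_response_code(400);
    exit('invalid parameters');
}

setAdminFlag($db, $id, $admin);
print_r(listUsers($db, $_GET['sort'] ?? 'id'));
```

Escaping (the slide's second defense) is the fallback for drivers without native prepares; with PDO, leaving ATTR_EMULATE_PREPARES off means the database, not a PHP quoting function, separates code from data.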
  17-21. CSRF. Example: GET /transfer?from=123&to=456&amt=100000 Tokens; Exploit of user trust; Referrer check; Replay attacks. Defenses: tokens, idempotent requests
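A token implementation for the slide's /transfer action, added here as an example that is not part of the deck. It applies the two listed defenses: state changes only on POST (so the GET link on the slide can at most render a form), and a per-session token compared with hash_equals and discarded after one use, which also addresses the replay bullet. The form fields are constructed for illustration.

```php
<?php
// Added example (not from the slides): per-session, single-use CSRF tokens.
declare(strict_types=1);

session_start();

function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // CSPRNG, 256 bits
    }
    return $_SESSION['csrf_token'];
}

function csrfValid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    $ok = hash_equals($expected, $submitted);   // constant-time comparison
    unset($_SESSION['csrf_token']);             // single use: a captured token cannot be replayed
    return $ok;
}

function transferForm(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer">'
        . '<input type="hidden" name="csrf_token" value="' . $token . '">'
        . '<input name="to"><input name="amt"><button>Transfer</button></form>';
}

// GET is kept idempotent: it never moves money, so a link or image tag
// pointing at /transfer?from=123&to=456&amt=100000 only renders the form.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    echo transferForm();
    exit;
}

if (!csrfValid($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('invalid or missing CSRF token');
}

// ... perform the transfer for the authenticated session user here ...
echo 'transfer accepted';
```

The referrer check from the slide can be layered on top (reject POSTs whose Referer or Origin header names another site), but because some clients strip those headers it is a secondary signal, not a replacement for the token.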
  22. Look forward: XML Injection, Mass Assignment, Session Hijacking, Password Storage, Upload Handling
  23-25. XML Injection. Example: <!DOCTYPE root [ <!ENTITY foo SYSTEM "http://test.com/bad.txt"> ]> <test><testing>&foo;</testing></test> Inject content; Expanded by default. Defense: libxml_disable_entity_loader
  26-28. XML Injection. Example: <!DOCTYPE root [ <!ENTITY one "one"> <!ENTITY two "&one;&one;&one;&one;"> <!ENTITY three "&two;&two;&two;&two;"> ]> <test><testing>&three;</testing></test> XML "bomb"; Denial of Service. Defense: libxml_disable_entity_loader
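One parser wrapper covering both XML slides (the SYSTEM entity that pulls in outside content, and the nested-entity bomb). This is an added example, not code from the deck. It calls libxml_disable_entity_loader on PHP versions where the loader is still enabled by default (PHP 8.0 disabled it and deprecated the function), adds LIBXML_NONET, and additionally refuses any document carrying a DOCTYPE, since both attacks need one. The sample documents are constructed copies of the slides' payloads; the size limit and function name are the example's own choices.

```php
<?php
// Added example (not from the slides): parse untrusted XML with external entity
// loading off and DTD/entity declarations rejected outright.
declare(strict_types=1);

function parseUntrustedXml(string $xml, int $maxBytes = 1024 * 1024): DOMDocument
{
    if (strlen($xml) > $maxBytes) {
        throw new RuntimeException('XML document too large');
    }
    // Entity expansion and external fetches both require a DTD. The documents
    // this endpoint accepts have none, so any DOCTYPE is refused up front.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new RuntimeException('DTD / entity declarations are not accepted');
    }

    // On PHP < 8.0 the external loader is on by default; turn it off for this parse
    // and restore the previous setting afterwards.
    $previous = null;
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET forbids network access during parsing. LIBXML_NOENT is
        // deliberately absent so entity references are never substituted.
        if (!$doc->loadXML($xml, LIBXML_NONET)) {
            $err = libxml_get_last_error();
            throw new RuntimeException('malformed XML: ' . ($err ? trim($err->message) : 'unknown'));
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        if ($previous !== null) {
            libxml_disable_entity_loader($previous);
        }
    }
}

// Constructed samples: the two payloads from the slides plus a clean document.
$samples = [
    'external entity' => '<!DOCTYPE root [ <!ENTITY foo SYSTEM "http://test.com/bad.txt"> ]>'
                       . '<test><testing>&foo;</testing></test>',
    'entity bomb'     => '<!DOCTYPE root [ <!ENTITY one "one"> <!ENTITY two "&one;&one;&one;&one;">'
                       . ' <!ENTITY three "&two;&two;&two;&two;"> ]><test><testing>&three;</testing></test>',
    'clean'           => '<test><testing>hello</testing></test>',
];

foreach ($samples as $label => $xml) {
    try {
        $doc = parseUntrustedXml($xml);
        $text = $doc->getElementsByTagName('testing')->item(0)->textContent;
        printf("%-16s accepted: %s\n", $label, $text);
    } catch (RuntimeException $e) {
        printf("%-16s rejected: %s\n", $label, $e->getMessage());
    }
}
```

Rejecting the DOCTYPE is the part that holds up across PHP versions: the entity-loader switch stops the external fetch, but an internal entity bomb needs no loader at all, only the expansion step, so the application has to refuse entity declarations rather than rely on the library's own expansion limits.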
  29-32. Mass Assignment. Example: <?php $_POST['admin'] = true; $user = new \User(); $user->values($_POST); ?> Spotlighted in Rails; Tricky to track; Laravel has "fillable" & "guarded". Defenses: filter, restrict
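A fillable/guarded whitelist of the kind the Laravel bullet refers to, written out in plain PHP as an added example (not the deck's code and not Laravel's implementation). The User class, its attribute names and the request array are constructed for the demo; the slide's $_POST['admin'] = true is the input it is meant to neutralise.

```php
<?php
// Added example (not from the slides): whitelist-based fill() so request data
// can only reach attributes the model declares fillable.
declare(strict_types=1);

class User
{
    /** Attributes a request is allowed to set. */
    private const FILLABLE = ['name', 'email'];

    /** Attributes only application code may change; listed here for audit/logging. */
    private const GUARDED = ['id', 'admin'];

    private array $attributes = ['id' => null, 'name' => null, 'email' => null, 'admin' => false];

    public function fill(array $input): self
    {
        // Keep only whitelisted keys; every other key in $input is dropped here.
        $accepted = array_intersect_key($input, array_flip(self::FILLABLE));
        foreach ($accepted as $key => $value) {
            $this->attributes[$key] = $value;
        }
        return $this;
    }

    /** The one, explicit code path that can raise privileges. */
    public function grantAdmin(): void
    {
        $this->attributes['admin'] = true;
    }

    public function toArray(): array
    {
        return $this->attributes;
    }

    /** Keys a request tried to set but was not allowed to; useful for detection. */
    public static function rejectedKeys(array $input): array
    {
        return array_values(array_diff(array_keys($input), self::FILLABLE));
    }

    public static function guarded(): array
    {
        return self::GUARDED;
    }
}

// Constructed request mirroring the slide.
$request = ['name' => 'mallory', 'email' => 'm@example.com', 'admin' => true];

$user = (new User())->fill($request);
var_dump($user->toArray()['admin']);   // bool(false): the extra key never reached the model

// A request that names a guarded attribute is worth logging: it is either a
// client bug or someone probing for exactly this weakness.
$rejected = User::rejectedKeys($request);
if (array_intersect($rejected, User::guarded())) {
    error_log('mass assignment attempt, ignored keys: ' . implode(',', $rejected));
}
```

The "tricky to track" bullet is why the whitelist lives on the model rather than in each controller: a new form field or API route cannot widen what is writable without the model's constant changing, which is a one-line diff a reviewer will notice.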
  33-37. Session Hijacking. Example: PHPSESSID=56fc3e2c96dc3030b11722caf474da81 Fixation; Sidejacking; Encrypted sessions; Lock to IP. Tool: session_set_save_handler
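One session setup addressing the four bullets, added here as an example rather than code from the deck. Fixation: strict mode plus session_regenerate_id() at login. Sidejacking: a Secure, HttpOnly cookie so the id only travels over HTTPS and is invisible to script. Encrypted sessions: a handler registered through session_set_save_handler() that seals data with libsodium before it reaches disk. The class name, storage directory and the SESSION_KEY_HEX variable are assumptions of the example; it assumes PHP 8.1+ and the sodium extension.

```php
<?php
// Added example (not from the slides): hardened session configuration and an
// encrypting save handler registered with session_set_save_handler().
declare(strict_types=1);

final class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    public function __construct(private string $dir, private string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('session key must be 32 bytes');
        }
    }

    // Ids are checked against PHP's own alphabet so a forged id cannot escape $dir.
    private function path(string $id): string
    {
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new RuntimeException('invalid session id');
        }
        return $this->dir . '/sess_' . $id;
    }

    public function open(string $path, string $name): bool
    {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }

    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $file = $this->path($id);
        if (!is_file($file)) {
            return '';                                   // new session: PHP expects ''
        }
        $blob = (string) file_get_contents($file);
        if (strlen($blob) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
            return '';                                   // truncated file: start empty
        }
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box   = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($box, $nonce, $this->key);
        return $plain === false ? '' : $plain;           // tampered or wrong key: start empty
    }

    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);  // fresh nonce per write
        $blob  = $nonce . sodium_crypto_secretbox($data, $nonce, $this->key);
        return file_put_contents($this->path($id), $blob, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $file = $this->path($id);
        return !is_file($file) || unlink($file);
    }

    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $max_lifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }
}

ini_set('session.use_strict_mode', '1');    // reject ids the server never issued (fixation)
ini_set('session.use_only_cookies', '1');   // never accept PHPSESSID from the URL
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);

// Placeholder key for a local run only; production loads it from the environment.
$key = sodium_hex2bin(getenv('SESSION_KEY_HEX') ?: str_repeat('00', 32));
session_set_save_handler(new EncryptedFileSessionHandler(sys_get_temp_dir() . '/php_sess', $key), true);
session_start();

function loginUser(int $userId): void
{
    session_regenerate_id(true);   // fresh id at privilege change, old data discarded
    $_SESSION['user_id'] = $userId;
    // The deck's "lock to IP" idea, applied to the User-Agent instead: client IPs
    // change on mobile networks, so a strict IP lock logs legitimate users out.
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}
```

Encrypting the session store protects the data at rest (a shared /tmp, a backup, a database dump), not the id in transit; the cookie flags and HTTPS are what close the sidejacking case on the slide.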
  38. Password Storage: md5("don't do this"); sha1("or this"); Hashing != Encryption; Strong (or random) salts; Bcrypt all the things; ircmaxell/password_compat; password_hash("use this", PASSWORD_BCRYPT, array('cost'=>7,'salt'=>'th1si5my54lt'));
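The slide's password_hash() call, carried through to a complete verify-and-upgrade flow as an added example (not the deck's code). Two changes from the slide: the 'salt' option is dropped, since password_hash() generates a random salt itself and PHP 8 removed the option, and password_needs_rehash() is used so that hashes created at a lower cost (7 on the slide) are upgraded at the next successful login. The cost value and function names are the example's own; it needs PHP 5.5+ or the ircmaxell/password_compat library the slide names.

```php
<?php
// Added example (not from the slides): bcrypt hashing with verification and
// transparent cost upgrades.
declare(strict_types=1);

const PASSWORD_COST = 12;   // raise over time; aim for a verify of ~250 ms on your hardware

function hashPassword(string $plain): string
{
    // bcrypt silently ignores everything after 72 bytes; refuse rather than truncate.
    if (strlen($plain) > 72) {
        throw new InvalidArgumentException('password too long');
    }
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => PASSWORD_COST]);
}

/**
 * Verifies $plain against the stored hash. When the stored hash is weaker than
 * the current policy, $upgraded receives a new hash the caller should persist.
 */
function checkPassword(string $plain, string $stored, ?string &$upgraded = null): bool
{
    if (!password_verify($plain, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => PASSWORD_COST])) {
        $upgraded = hashPassword($plain);
    }
    return true;
}

// Constructed demo: a legacy hash created at the slide's cost of 7.
$stored  = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 7]);
$newHash = null;

var_dump(checkPassword('correct horse', $stored, $newHash)); // bool(true)
var_dump($newHash !== null);                                  // bool(true): cost 7 < 12, so rehashed
var_dump(checkPassword('wrong password', $stored));           // bool(false)
var_dump(password_get_info($stored)['options']['cost']);      // int(7): the old hash is unchanged until the caller stores $newHash
```

"Hashing != Encryption" on the slide is the reason there is no decrypt step here: the stored value can only be checked, never turned back into the password, so a database leak exposes work for the attacker rather than credentials.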
  39-43. Upload Handling. Example: content-disposition: form-data; name="file1"; filename="../../../etc/passwd" Restrict extensions/mime types; Validate filename; Secure location; Block dangerous files. Tool: move_uploaded_file
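An upload handler applying the slide's four rules to the form field shown on it (name="file1"), added here as an example and not taken from the deck. The storage path, size limit and allowed types are assumptions of the example. The client-supplied filename is only ever used to read an extension; the stored name is generated, which is what neutralises the ../../../etc/passwd filename on the slide.

```php
<?php
// Added example (not from the slides): validate, type-check and store an upload
// outside the web root with move_uploaded_file().
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumption: outside the web root, never served directly
const MAX_BYTES  = 2 * 1024 * 1024;

// Extension => MIME type the file's bytes must actually match.
const ALLOWED = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'pdf'  => 'application/pdf',
];

function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . (int) ($file['error'] ?? -1));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Validate filename: the client name is untrusted and may carry a path, as on
    // the slide. basename() strips it, and the result is only used for its extension.
    $clientName = basename(str_replace('\\', '/', (string) $file['name']));
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // Restrict MIME types by sniffing the bytes, not by trusting $file['type'],
    // which is whatever the client chose to send.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }

    // Block dangerous files: the stored name is generated here, so a client name
    // such as shell.php.png cannot influence what the server ends up calling it.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;

    // Secure location: move_uploaded_file() also refuses any source path that was
    // not an upload in this request, so it cannot be pointed at arbitrary files.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // no execute bit; readable by the application user only

    return $stored;       // persist alongside $clientName for display, escaped on output
}

if (isset($_FILES['file1'])) {
    try {
        echo 'stored as ' . storeUpload($_FILES['file1']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Serving the files back should go through a script that looks up the generated name, sets an explicit Content-Type and a Content-Disposition with the original name, rather than exposing UPLOAD_DIR to the web server, so that a PNG that also happens to contain markup is never handed to a browser as a page.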
  44-49. OWASP & Risk: 2013 Edition; +D: What's next for Developers; +V: What's next for Validators; +O: What's next for Organizations; +R: Notes about Risk
  50. OWASP Top 10 (2013 Edition): A1 - Injection; A2 - Broken Authentication/Session Management; A3 - Cross-Site Scripting; A4 - Insecure Direct Object References; A5 - Security Misconfiguration; A6 - Sensitive Data Exposure; A7 - Missing Function Level Access Control; A8 - Cross-Site Request Forgery; A9 - Using Known Vulnerable Components; A10 - Unvalidated Redirects and Forwards
  51-56. Risk: Exploitability; Prevalence; Detectability; Impact; +
  57. "Push left": encourage secure software development
  58. Questions? @enygma https://joind.in/7956