
Beyond the Basics: Security with PHP

Chris Cornutt
February 27, 2013


You've seen some of the basics of securing your application - validating input, filtering output and the like. Let me take you a step further into more advanced security in PHP. Protecting your application from things like XML injection, insecure sessions & upload issues can be tricky. This session is a how-to on keeping your app safe.


Transcript

  1. Beyond the Basics
    security with php
    confoo 2013
    Wednesday, February 27, 2013


  2. As a whole, PHP
    fails at security
    no security-focused center

  3. It's time to move
    beyond...
    complex applications require complex solutions

  4. App security is
    complex
    threat, attack surface, defense in depth, least privilege, two-factor, identity, authorization, spoofing, disclosure, poisoning, enumeration, injection, fixation, vulnerability...

  5. Look back
    Cross-Site Scripting
    SQL Injection
    Cross-Site Request Forgeries

  6. OWASP Top 10
    A1 - Injection
    A2 - Cross-Site Scripting
    A3 - Broken Authentication/Session Management
    A4 - Insecure Direct Object References
    A5 - Cross-Site Request Forgery
    A6 - Security Misconfiguration
    A7 - Insecure Cryptographic Storage
    A8 - Failure to Restrict URL Access
    A9 - Insufficient Transport Layer Protection
    A10 - Unvalidated Redirects and Forwards
    2010 Edition

  7-11. Cross-Site Scripting
    http://mysite.com/query=
    Reflective
    Passive
    DOM injection
    Still relevant
    strip_tags, htmlentities
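
The slide lists strip_tags and htmlentities as the defence, but which encoder is right depends on where the untrusted value lands. The following is an added example, not code from the deck: one encoder per output context, run against a constructed query string of the kind the slide's URL would carry. The helper names are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not from the deck): one encoder per output context. strip_tags()
// removes elements but leaves the quote that closes an attribute, and
// htmlentities()/htmlspecialchars() alone are right only for HTML text and
// quoted attributes. Helper names and the sample query are this example's own.

function escHtml(string $value): string
{
    // ENT_QUOTES also encodes ', ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning '' (which would silently drop the output). Correct for element
    // content and for attribute values that the template wraps in quotes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function escJs(string $value): string
{
    // Data handed to inline script: JSON with the HEX flags so <, >, &, ' and "
    // cannot terminate the <script> element or the string literal.
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

function escUrlParam(string $value): string
{
    // Value inside a query string; the href it lands in still goes through escHtml().
    return rawurlencode($value);
}

// Constructed input standing in for $_GET['query'] on the slide's URL.
$query = '"><img src=x onerror=alert(1)>';

// What strip_tags() leaves behind: the element is gone, the '">' that breaks
// out of value="..." is not.
$afterStripTags = strip_tags($query);

$page  = '<p>Results for ' . escHtml($query) . '</p>' . "\n";
$page .= '<input name="query" value="' . escHtml($query) . '">' . "\n";
$page .= '<a href="/search?query=' . escHtml(escUrlParam($query)) . '">search again</a>' . "\n";
$page .= '<script>var lastQuery = ' . escJs($query) . ';</script>' . "\n";

echo "strip_tags output: {$afterStripTags}\n\n", $page;
```

Server-side encoding covers the reflective and stored ("passive") cases. The DOM injection case on the slide lives in client code: if the script later writes lastQuery into innerHTML, the value is re-parsed as HTML no matter how it was encoded on the server, so the client has to use textContent or an equivalent safe sink.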

  12-16. SQL Injection
    "update users set admin = ".$_GET['admin']
    Too easy to do wrong
    Blind versus Known
    Validation
    Whitelist
    prepared statements, escaping
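
Prepared statements fix the value half of the problem; they cannot parameterise identifiers such as a column in ORDER BY, which is where the slide's "Validation" and "Whitelist" bullets come in. The following is an added example, not code from the deck: the slide's UPDATE done with a bound parameter, plus an allow-list for a user-chosen sort column. It assumes the pdo_sqlite extension; the in-memory database and the rows are constructed so it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Added example (not from the deck). Values are bound, identifiers are
// validated against a fixed allow-list. The SQLite fixture is constructed.

function setAdminFlag(PDO $db, int $userId, bool $admin): int
{
    // Vulnerable original: "update users set admin = " . $_GET['admin']
    // Safe version: the value is bound, never concatenated into the SQL text.
    $stmt = $db->prepare('UPDATE users SET admin = :admin WHERE id = :id');
    $stmt->execute([':admin' => $admin ? 1 : 0, ':id' => $userId]);
    return $stmt->rowCount();
}

function listUsers(PDO $db, string $orderBy, string $direction): array
{
    // Identifiers cannot be bound, so map the request value onto a fixed set
    // of known-good names and use the mapped value, never the input itself.
    $allowedColumns = ['id' => 'id', 'name' => 'name', 'created_at' => 'created_at'];
    $allowedDirections = ['asc' => 'ASC', 'desc' => 'DESC'];
    $dir = strtolower($direction);
    if (!isset($allowedColumns[$orderBy], $allowedDirections[$dir])) {
        throw new InvalidArgumentException('Unsupported sort parameter');
    }
    // Double quotes are the SQL-standard identifier quote (backticks on MySQL).
    $sql = sprintf('SELECT id, name, admin FROM users ORDER BY "%s" %s',
        $allowedColumns[$orderBy], $allowedDirections[$dir]);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// ---- constructed fixture ----
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, admin INTEGER NOT NULL DEFAULT 0, created_at TEXT)');
$db->exec("INSERT INTO users (name, created_at) VALUES ('alice', '2013-01-01'), ('bob', '2013-02-01')");

// Validation step: a hostile "admin" parameter is not a boolean at all and is
// rejected before any SQL is built.
$admin = filter_var('1; DROP TABLE users', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
var_dump($admin);

setAdminFlag($db, 1, true);
print_r(listUsers($db, 'name', 'desc'));

try {
    listUsers($db, 'name; DROP TABLE users', 'asc');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

On MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the statement is prepared by the server rather than by PDO's client-side quoting; pdo_sqlite always prepares natively, so the option is left out of the fixture above.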

  17-21. CSRF
    GET /transfer?from=123&to=456&amt=100000
    Tokens
    Exploit of user trust
    Referrer check
    Replay attacks
    tokens, idempotent requests
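
The transfer on the slide is a GET, so any page the victim visits can trigger it with an image tag. The following is an added example, not code from the deck: a per-session token issued from random_bytes(), checked with hash_equals(), accepted only on POST, and rotated after use so that a captured form post cannot be replayed. The helper names are this example's own and the $session array stands in for $_SESSION.

```php
<?php
declare(strict_types=1);

// Added example (not from the deck): CSRF token issue/verify with method
// check and single-use rotation. $session stands in for $_SESSION.

function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    }
    return $session['csrf_token'];
}

function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

function authorizeStateChange(string $method, array $post, array &$session): bool
{
    // GET is what a forged <img src="/transfer?from=123&to=456&amt=100000">
    // sends. Safe methods must never mutate, so they never pass this gate.
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;     // hash_equals: constant time, unlike == or strcmp
    }
    unset($session['csrf_token']);   // single use: the next form render gets a new token
    return true;
}

// ---- constructed requests ----
$session = [];
$formHtml = csrfField($session);          // what the legitimate page renders
$token = $session['csrf_token'];

$legit  = ['from' => '123', 'to' => '456', 'amt' => '100', 'csrf_token' => $token];
$forged = ['from' => '123', 'to' => '456', 'amt' => '100000'];   // attacker's page cannot read the token
$guess  = ['from' => '123', 'to' => '456', 'amt' => '100000', 'csrf_token' => str_repeat('a', 64)];

$results = [
    'forged GET'      => authorizeStateChange('GET', $legit, $session),
    'forged POST'     => authorizeStateChange('POST', $forged, $session),
    'guessed token'   => authorizeStateChange('POST', $guess, $session),
    'legitimate POST' => authorizeStateChange('POST', $legit, $session),
    'replayed POST'   => authorizeStateChange('POST', $legit, $session),
];
var_dump($results);
```

Single-use tokens break a user who has two tabs open on the same form; a per-form token, or one that rotates only on login, is the usual compromise. A Referer/Origin header check and a SameSite attribute on the session cookie are defence in depth on top of the token, not a replacement for it.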

  22. Look forward
    XML Injection
    Mass Assignment
    Session Hijacking
    Password Storage
    Upload Handling

  23-28. XML Injection
    ]>
    &foo;
    Inject content
    Expanded by default

    ]>
    &three;
    XML "bomb"
    Denial of Service
    libxml_disable_entity_loader
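
Both problems on these slides need a DTD: an external entity pulls in content from a file or URL, and nested internal entities expand geometrically into the "bomb". The following is an added example, not code from the deck: a parse routine that refuses any DOCTYPE, never sets LIBXML_NOENT, blocks network access, and calls libxml_disable_entity_loader() only on PHP versions that still need it (libxml 2.9 and PHP 8.0 disabled external loading by default and deprecated the function). It assumes ext/dom on PHP 7.4 or later; the three documents are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not from the deck): parse untrusted XML so that neither
// external entities (XXE) nor nested internal entities ("billion laughs")
// are expanded. Payloads below are constructed.

function parseUntrustedXml(string $xml): DOMDocument
{
    // Both attacks need a DTD. Untrusted documents get none, so refuse before
    // libxml sees it (cheap, and independent of the libxml version).
    if (preg_match('/<!(DOCTYPE|ENTITY)\b/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE/ENTITY declarations are not accepted');
    }

    $prevErrors = libxml_use_internal_errors(true);
    $prevLoader = null;
    if (PHP_VERSION_ID < 80000) {
        // Before PHP 8.0 (libxml < 2.9) the external entity loader was on by default.
        $prevLoader = libxml_disable_entity_loader(true);
    }

    try {
        $dom = new DOMDocument();
        // LIBXML_NONET: no network during parsing. Deliberately NOT LIBXML_NOENT
        // (that turns substitution ON) and NOT LIBXML_DTDLOAD (fetches external DTDs).
        $ok = $dom->loadXML($xml, LIBXML_NONET);
        if ($ok === false || $dom->doctype !== null) {
            $errors = libxml_get_errors();
            $msg = $errors ? trim($errors[0]->message) : 'DOCTYPE present';
            throw new InvalidArgumentException('Rejected XML: ' . $msg);
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($prevLoader !== null) {
            libxml_disable_entity_loader($prevLoader);
        }
    }
}

// ---- constructed payloads ----
$xxe = <<<XML
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY foo SYSTEM "file:///etc/passwd"> ]>
<data>&foo;</data>
XML;

// Each level references the previous one ten times: three levels is 1000
// copies of "one"; a few more levels and the parser's memory is gone.
$bomb = <<<XML
<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY one "lol lol lol lol lol lol lol lol lol lol">
  <!ENTITY two "&one;&one;&one;&one;&one;&one;&one;&one;&one;&one;">
  <!ENTITY three "&two;&two;&two;&two;&two;&two;&two;&two;&two;&two;">
]>
<data>&three;</data>
XML;

$clean = '<?xml version="1.0"?><data><item>ok</item></data>';

foreach (['xxe' => $xxe, 'bomb' => $bomb, 'clean' => $clean] as $label => $doc) {
    try {
        $dom = parseUntrustedXml($doc);
        echo $label, ': parsed, root=', $dom->documentElement->nodeName, "\n";
    } catch (InvalidArgumentException $e) {
        echo $label, ': ', $e->getMessage(), "\n";
    }
}
```

simplexml_load_string() and XMLReader sit on the same libxml parser and take the same LIBXML_* flags, so the same rules apply: no LIBXML_NOENT, no LIBXML_DTDLOAD, and reject the DOCTYPE outright if the format does not need one.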

  29-32. Mass Assignment
    <?php
    $_POST['admin'] = true;
    $user = new \User();
    $user->values($_POST);
    ?>
    Spotlighted in Rails
    Tricky to track
    Laravel has "fillable" & "guarded"
    filter, restrict
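
The snippet on the slide copies every submitted key onto the model, so a request body that adds admin=true promotes the caller. The following is an added example, not code from the deck or from Laravel: the vulnerable values() method next to a fill() that only accepts an explicit allow-list and additionally strips a deny-list, the same shape as Laravel's fillable and guarded properties. The User class and its methods are this example's own; the request body is constructed.

```php
<?php
declare(strict_types=1);

// Added example (not from the deck): vulnerable mass assignment next to an
// allow-list/deny-list version. Class and request body are constructed.

final class User
{
    /** @var array<string,mixed> */
    private array $attributes = ['id' => null, 'name' => null, 'email' => null, 'admin' => false];

    /** Columns a request may set. Anything else is dropped. */
    private const FILLABLE = ['name', 'email'];

    /** Columns a request may never set, even if someone later widens FILLABLE. */
    private const GUARDED = ['admin', 'id'];

    // Vulnerable: $user->values($_POST) with admin=true in the body.
    public function values(array $input): void
    {
        foreach ($input as $key => $value) {
            $this->attributes[$key] = $value;
        }
    }

    // Hardened: intersect with the allow-list, then subtract the deny-list.
    // Returns the keys that were dropped so the caller can log the attempt.
    public function fill(array $input): array
    {
        $allowed = array_intersect_key($input, array_flip(self::FILLABLE));
        $allowed = array_diff_key($allowed, array_flip(self::GUARDED));
        foreach ($allowed as $key => $value) {
            $this->attributes[$key] = $value;
        }
        return array_keys(array_diff_key($input, $allowed));
    }

    public function isAdmin(): bool
    {
        return (bool) $this->attributes['admin'];
    }

    public function toArray(): array
    {
        return $this->attributes;
    }
}

// ---- constructed request body, as an attacker would send it ----
$post = ['name' => 'mallory', 'email' => 'm@example.test', 'admin' => true, 'id' => 1];

$before = new User();
$before->values($post);
echo 'values(): admin flag is ', var_export($before->isAdmin(), true), "\n";

$after = new User();
$dropped = $after->fill($post);
echo 'fill():   admin flag is ', var_export($after->isAdmin(), true), "\n";
echo 'dropped keys: ', implode(', ', $dropped), "\n";
```

The allow-list is the control that matters; the deny-list only catches the case where a later developer widens FILLABLE carelessly. A client that sends "admin" or "id" at all is probing, which is why fill() hands the dropped keys back for logging rather than discarding them silently.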

  33-37. Session Hijacking
    PHPSESSID=56fc3e2c96dc3030b11722caf474da81
    Fixation
    Sidejacking
    Encrypted sessions
    Lock to IP
    session_set_save_handler
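
The following is an added example, not code from the deck: a save handler registered with session_set_save_handler() that encrypts the serialised session at rest with libsodium, together with the session_start() options that address fixation (strict mode, regeneration on login) and sidejacking (Secure and HttpOnly cookies). It assumes PHP 8.0 or later with ext/sodium; the key and save path are constructed values, the class and function names are this example's own. One caveat on the slide's "Lock to IP" bullet: binding a session to the client address logs out mobile users whose address changes and everyone behind a shared NAT, and it does nothing against the sidejacking case, where the attacker sits on the same network. Encrypting the store protects against a leaked session file, not against a stolen cookie; the cookie flags and strict mode are what address the latter.

```php
<?php
declare(strict_types=1);

// Added example (not from the deck): libsodium-encrypted session storage via
// session_set_save_handler(), plus hardened session_start() options.
// Key and save path are constructed; load both from configuration in practice.

final class EncryptedFileSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private string $dir = '';

    public function __construct(private string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('Key must be ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes');
        }
    }

    // Session ids arrive in an attacker-controlled cookie: accept only the
    // characters PHP generates, so an id can never become "../" and walk the disk.
    private function isWellFormed(string $id): bool { return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1; }

    private function path(string $id): string
    {
        if (!$this->isWellFormed($id)) {
            throw new InvalidArgumentException('Malformed session id');
        }
        return $this->dir . '/sess_' . $id;
    }

    public function open(string $path, string $name): bool
    {
        $this->dir = $path;
        return is_dir($path) || mkdir($path, 0700, true);
    }
    public function close(): bool { return true; }

    // use_strict_mode only takes effect with a custom handler if validateId()
    // exists: an id the server never issued is refused and a fresh one generated.
    public function validateId(string $id): bool { return $this->isWellFormed($id) && is_file($this->path($id)); }
    public function updateTimestamp(string $id, string $data): bool { return touch($this->path($id)); }

    public function read(string $id): string|false
    {
        $file = $this->path($id);
        $blob = is_file($file) ? file_get_contents($file) : false;
        if ($blob === false || strlen($blob) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
            return '';
        }
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open(substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $this->key);
        return $plain === false ? '' : $plain;   // tampered or foreign blob: empty session, never data
    }

    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);           // fresh nonce per write
        $blob = $nonce . sodium_crypto_secretbox($data, $nonce, $this->key); // authenticated encryption
        return file_put_contents($this->path($id), $blob, LOCK_EX) !== false;
    }
    public function destroy(string $id): bool { return !is_file($f = $this->path($id)) || unlink($f); }

    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $max_lifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }
}

$key = hex2bin(str_repeat('0f1e2d3c', 8));   // 32 constructed bytes
session_set_save_handler(new EncryptedFileSessionHandler($key), true);

session_start([
    'save_path'        => sys_get_temp_dir() . '/php-sess',
    'use_strict_mode'  => 1,      // refuse ids the server did not issue: defeats fixation
    'use_only_cookies' => 1,      // never read PHPSESSID from the URL
    'cookie_httponly'  => 1,      // not readable from injected script
    'cookie_secure'    => 1,      // HTTPS only, so sidejacking on open Wi-Fi sees nothing
    'cookie_samesite'  => 'Lax',
]);

// On every privilege change (login) swap the id, so an id planted before login is useless.
function onLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```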

  38. Password Storage
    md5("don't do this");
    sha1("or this");
    Hashing != Encryption
    Strong (or random) salts
    Bcrypt all the things
    ircmaxell/password_compat
    password_hash("use this", PASSWORD_BCRYPT, array('cost' => 7));
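
password_hash() generates a random 128-bit salt itself, so the salt is never something to supply (the option was deprecated in PHP 7.0 and is ignored with a warning since 8.0). The cost is the one knob worth turning: PHP's default is 10, and the right value is whatever takes roughly 100 to 250 ms on the login server, so it should be measured rather than copied. Two caveats a practitioner wants here: bcrypt only uses the first 72 bytes of the password, and existing md5/sha1 rows cannot be converted offline, only on the user's next successful login. The following is an added example, not code from the deck: hashing, verification with a transparent upgrade of legacy and low-cost hashes, and a timing probe for the cost. The function names and the user records are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not from the deck): bcrypt via password_hash() with the salt
// left to PHP, cost tuned by measurement, and an upgrade path for legacy
// md5/sha1 rows. Records are constructed.

const BCRYPT_COST = 12;   // re-measure on your hardware: aim for roughly 100-250 ms per hash

function hashPassword(string $password): string
{
    // No 'salt' option: password_hash() draws a random one per call.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/**
 * Verify a login. When the stored hash is legacy or below the current cost,
 * 'rehash' carries a fresh bcrypt hash that the caller must persist.
 *
 * @param array{algo:string, hash:string} $record  algo is 'bcrypt', 'md5' or 'sha1'
 * @return array{ok:bool, rehash:?string}
 */
function verifyLogin(string $password, array $record): array
{
    $ok = false;
    switch ($record['algo']) {
        case 'bcrypt':
            $ok = password_verify($password, $record['hash']);
            break;
        case 'md5':    // legacy rows: verify in constant time once, then upgrade
        case 'sha1':
            $ok = hash_equals($record['hash'], hash($record['algo'], $password));
            break;
    }
    if (!$ok) {
        return ['ok' => false, 'rehash' => null];
    }
    $needsUpgrade = $record['algo'] !== 'bcrypt'
        || password_needs_rehash($record['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    return ['ok' => true, 'rehash' => $needsUpgrade ? hashPassword($password) : null];
}

function measureCostMs(int $cost): float
{
    $start = microtime(true);
    password_hash('timing probe', PASSWORD_BCRYPT, ['cost' => $cost]);
    return (microtime(true) - $start) * 1000;
}

// ---- constructed records ----
$users = [
    'legacy'  => ['algo' => 'md5',    'hash' => md5('correct horse')],
    'lowcost' => ['algo' => 'bcrypt', 'hash' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 7])],
    'current' => ['algo' => 'bcrypt', 'hash' => hashPassword('correct horse')],
];

foreach ($users as $name => $record) {
    $r = verifyLogin('correct horse', $record);
    printf("%-8s ok=%s rehash=%s\n", $name, $r['ok'] ? 'yes' : 'no', $r['rehash'] === null ? 'no' : 'yes');
}
$r = verifyLogin('wrong password', $users['current']);
printf("wrong password ok=%s\n", $r['ok'] ? 'yes' : 'no');
printf("cost %d takes %.0f ms on this machine\n", BCRYPT_COST, measureCostMs(BCRYPT_COST));
```

PASSWORD_DEFAULT tracks whatever PHP considers best at the time (bcrypt as of this writing), which is why password_needs_rehash() belongs in the login path: it is what lets a later PHP upgrade migrate hashes without a code change.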

  39-43. Upload Handling
    content-disposition: form-data; name="file1";
    filename="../../../etc/passwd"
    Restrict extensions/mime types
    Validate filename
    Secure location
    Block dangerous files
    move_uploaded_file
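
The filename in the multipart header on the slide is attacker-controlled, and so is the Content-Type the browser sends alongside it. The following is an added example, not code from the deck, covering the four bullets for one $_FILES entry: the type is sniffed from the bytes, the client filename is reduced to a display label, the stored name is random with a validated extension, and the destination is outside the document root. It assumes PHP 8.0 or later with ext/fileinfo; the upload directory, size limit, allow-list and helper names are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not from the deck): validating and storing one $_FILES entry.
// Paths, limits and the allow-list are assumptions for this example.

const UPLOAD_DIR = '/var/app/uploads';     // assumed: not under the web root, no script handler
const MAX_BYTES  = 5 * 1024 * 1024;

// extension => MIME type that finfo must report for the actual bytes.
// No .svg (scriptable), .html, .php, .phtml, .htaccess or archives: unlisted is rejected.
const ALLOWED = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
];

/** Reduce a client filename to a safe display label and a lower-case extension. */
function displayName(string $clientName): array
{
    // "../../../etc/passwd" becomes "passwd"; NUL bytes and anything outside a
    // strict charset are dropped. This label is never used as a storage path.
    $name = basename(str_replace("\0", '', $clientName));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    if ($name === null || $name === '' || $name[0] === '.') {
        $name = 'upload';
    }
    return ['name' => $name, 'ext' => strtolower(pathinfo($name, PATHINFO_EXTENSION))];
}

/**
 * @param array{name:string,type:string,tmp_name:string,error:int,size:int} $file one $_FILES entry
 * @return array{stored:string,original:string,mime:string}
 */
function acceptUpload(array $file): array
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File size out of bounds');
    }
    // Only touch the file PHP itself received; anything else in tmp_name is a
    // path somebody smuggled in.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    ['name' => $original, 'ext' => $ext] = displayName($file['name']);
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }
    // Type from content, not from $file['type'] (the browser's claim).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('Content does not match extension .' . $ext);
    }
    // Must at least parse as an image. Not a defence against image/script
    // polyglots on its own; re-encode the image if you need that.
    if (str_starts_with($mime, 'image/') && @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a parseable image');
    }

    // Server-chosen random name with the validated extension: no traversal and
    // no "shell.php.jpg" tricks, because the client's name is never reused.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0640);   // readable by the app, not executable
    return ['stored' => $stored, 'original' => $original, 'mime' => $mime];
}

// When serving the file back: fixed type, no sniffing, forced download.
function sendDownloadHeaders(string $mime, string $displayName): void
{
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $displayName . '"');
}

// The slide's hostile filename and a NUL-byte variant, through the sanitiser (constructed input):
print_r(displayName('../../../etc/passwd'));
print_r(displayName("avatar.php\0.jpg"));
```

acceptUpload() needs a real request to exercise, since is_uploaded_file() and move_uploaded_file() only accept files PHP received in the current request; the two print_r calls at the end show the filename handling on its own.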

  44-49. OWASP & Risk
    2013 Edition
    +D : What's next for Developers
    +V : What's next for Validators
    +O : What's next for Organizations
    +R : Notes about Risk

  50. OWASP Top 10
    A1 - Injection
    A2 - Broken Authentication/Session Management
    A3 - Cross-Site Scripting
    A4 - Insecure Direct Object References
    A5 - Security Misconfiguration
    A6 - Sensitive Data Exposure
    A7 - Missing Function Level Access Control
    A8 - Cross-Site Request Forgery
    A9 - Using Known Vulnerable Components
    A10 - Unvalidated Redirects and Forwards
    2013 Edition

  51-56. Risk
    Exploitability, Prevalence, Detectability + Impact

  57. "Push left"
    encourage secure software development

  58. Questions?
    @enygma
    https://joind.in/7956