Beyond the Basics: Security with PHP

You've seen some of the basics of securing your application - validating input, filtering output and the like. Let me take you a step further into more advanced security in PHP. Protecting your application from things like XML injection, insecure sessions and upload issues can be tricky. This session is a how-to on keeping your app safe beyond XSS, CSRF and SQL injections.

Given at php|tek 2013

Chris Cornutt

May 16, 2013

Transcript

  1. Beyond the Basics: Security with PHP (tek 2013, Thursday, May 16, 2013)
  2. As a whole, PHP fails at security: no security-focused center.
  3. It's time to move beyond... Complex applications require complex solutions.
  4. App security is complex: threat, attack surface, defense in depth, least privilege, two-factor, identity, authorization, spoofing, disclosure, poisoning, enumeration, injection, fixation, vulnerability...
  5. Look back: Cross-Site Scripting, SQL Injection, Cross-Site Request Forgeries
  6. OWASP Top 10 (2010 Edition)
     A1 - Injection
     A2 - Cross-Site Scripting
     A3 - Broken Authentication/Session Management
     A4 - Insecure Direct Object References
     A5 - Cross-Site Request Forgery
     A6 - Security Misconfiguration
     A7 - Insecure Cryptographic Storage
     A8 - Failure to Restrict URL Access
     A9 - Insufficient Transport Layer Protection
     A10 - Unvalidated Redirects and Forwards
  7. Cross-Site Scripting
     http://mysite.com/query=<img src=javascript:alert('xss')>
     Reflective, Passive, DOM injection
     Still relevant
     Defenses: strip_tags, htmlentities
  8. Cross-Site Scripting
     <?php
     $result = strip_tags($_GET['query']);
     strip_tags('&lt;b>test</b>'); // not filtered: strip_tags() leaves the entity-encoded tag in place
     htmlentities($_GET['query']);
     ?>
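The slide shows that strip_tags() is not an escaping function. The following is an added example, not code from the talk, showing the context-aware escaping that replaces it: one helper per output context (HTML text or attribute, JavaScript string, URL), run over constructed inputs that include the slide's two cases. The helper names are hypothetical; it assumes PHP 7.3+ for JSON_THROW_ON_ERROR.

```php
<?php
// Added example, not from the slides: context-aware output escaping.
// strip_tags() strips markup but leaves entity-encoded text alone, so the
// slide's '&lt;b>test' survives it. Escaping for the exact output context
// (HTML, attribute, JS string, URL) is the reliable defense. Assumes PHP 7.3+.

declare(strict_types=1);

/** For HTML text content and double-quoted attribute values. */
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** For a value embedded as a JavaScript string literal inside <script>. */
function escJs(string $value): string
{
    // JSON_HEX_* encode < > & ' " as \uXXXX, so the literal is inert even inside HTML.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** For an href: allow only http/https, and still HTML-escape the survivor. */
function escUrl(string $value): string
{
    $scheme = strtolower((string) parse_url(trim($value), PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? escHtml($value) : '#';
}

// Constructed inputs standing in for $_GET['query'] on the slides.
$inputs = [
    '<img src=javascript:alert(\'xss\')>',   // the slide's payload shape
    '&lt;b>test</b>',                        // the case strip_tags() does not neutralise
    'javascript:alert(1)',                   // not a usable link scheme
    '" onmouseover="alert(1)',               // attribute breakout attempt
    'http://mysite.com/?query=safe',         // legitimate link
];

foreach ($inputs as $in) {
    printf("input      : %s\n", $in);
    printf("strip_tags : %s\n", strip_tags($in));
    printf("html       : %s\n", escHtml($in));
    printf("js string  : %s\n", escJs($in));
    printf("href       : %s\n\n", escUrl($in));
}
```

The design point is that the escaper is chosen by where the value lands, not by what the value looks like; no single filter covers HTML text, attributes, script and URL at once, which is why blacklist-style stripping keeps failing.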
  9. SQL Injection
     "update users set admin = " . $_GET['admin']
     Too easy to do wrong
     Blind versus Known
     Validation, Whitelist
     Defenses: prepared statements, escaping
  10. SQL Injection
      <?php
      $dbh = new PDO($dsn, $user, $password);
      $stmt = $dbh->prepare('select title from posts where name = :name');
      $stmt->bindParam(':name', $name, PDO::PARAM_STR);
      $stmt->execute();
      ?>
      http://php.net/pdo
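To make the contrast between slides 9 and 10 concrete, here is an added example (not from the talk) that runs the slide's concatenated UPDATE and its validated, prepared replacement against an in-memory SQLite database, and adds the case the slides only name as "whitelist": a column name, which cannot be bound as a parameter. Function names are hypothetical; it assumes ext/pdo_sqlite.

```php
<?php
// Added example, not from the slides: the concatenation from the "SQL Injection"
// slide beside its validated, prepared-statement replacement, run against an
// in-memory SQLite database so it works offline. Assumes ext/pdo_sqlite.

declare(strict_types=1);

$dbh = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side binding, not driver-side quoting
]);
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, admin INTEGER NOT NULL DEFAULT 0)');
$dbh->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

/** The slide's pattern: the request value becomes part of the SQL text. Kept only for comparison. */
function setAdminUnsafe(PDO $dbh, string $adminValue, int $id): int
{
    return $dbh->exec('update users set admin = ' . $adminValue . ' where id = ' . $id);
}

/** Validate down to the only legal values, then bind; the value can never be parsed as SQL. */
function setAdminSafe(PDO $dbh, string $adminValue, int $id): int
{
    $admin = filter_var($adminValue, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 1]]);
    if ($admin === false) {
        throw new InvalidArgumentException("admin must be 0 or 1, got '$adminValue'");
    }
    $stmt = $dbh->prepare('update users set admin = :admin where id = :id');
    $stmt->bindValue(':admin', $admin, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

/** Identifiers cannot be bound as parameters; map them through a fixed whitelist instead. */
function listUsers(PDO $dbh, string $orderBy): array
{
    $allowed = ['id' => 'id', 'name' => 'name'];
    $column  = $allowed[$orderBy] ?? 'id';
    return $dbh->query("select name, admin from users order by $column")->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Constructed input standing in for $_GET['admin']: SQL syntax rather than a flag value.
$untrusted = '1 where 1=1 --';

setAdminUnsafe($dbh, $untrusted, 2);
echo 'after unsafe update: ', json_encode(listUsers($dbh, 'name')), "\n";   // the "--" swallowed "where id = 2"

$dbh->exec('update users set admin = 0');
try {
    setAdminSafe($dbh, $untrusted, 2);
} catch (InvalidArgumentException $e) {
    echo 'safe update rejected input: ', $e->getMessage(), "\n";
}
echo 'rows changed with valid input: ', setAdminSafe($dbh, '1', 2), "\n";
echo 'after safe update:   ', json_encode(listUsers($dbh, 'name')), "\n";
```

Two checks are layered on purpose: validation rejects anything that is not a 0 or 1 before the database is involved, and binding guarantees that even a value which passed validation is sent as data. Escaping (the slide's second option) is a fallback for drivers without native prepares, not a first choice.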
  11. CSRF
      GET /transfer?from=123&to=456&amt=100000
      Tokens
      Exploit of user trust
      Referrer check
      Replay attacks
      Defenses: tokens, idempotent requests
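The slide names tokens and idempotent requests as the defense. As an added example (not code from the talk), this issues one token per session into a hidden form field and accepts a state change only when it arrives by POST with a matching token, so the slide's GET /transfer?... request can never be replayed from a cross-site image or link. Function names are hypothetical; it assumes PHP 7.1+ for random_bytes(), hash_equals() and array destructuring.

```php
<?php
// Added example, not from the slides: a per-session anti-CSRF token issued into
// the form and required on every state-changing request. Names are hypothetical;
// assumes PHP 7.1+.

declare(strict_types=1);

/** Return the session's token, creating it on first use. */
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token']) || !is_string($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Hidden field to drop into every form that changes state. */
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Accept a state change only if it is a POST carrying the session's token.
 * GET stays idempotent, so a forged <img src="/transfer?..."> does nothing, and a
 * cross-site form cannot read the token it would need to include.
 */
function csrfValid(array $session, array $post, string $method): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);   // constant-time: no byte-by-byte timing leak
}

// Constructed request data standing in for $_SESSION, $_POST and $_SERVER['REQUEST_METHOD'].
$session = [];
echo csrfField($session), "\n";

$legit  = ['from' => '123', 'to' => '456', 'amt' => '100', 'csrf_token' => csrfToken($session)];
$forged = ['from' => '123', 'to' => '456', 'amt' => '100000'];              // cross-site form, no token
$guess  = $forged + ['csrf_token' => str_repeat('0', 64)];                  // wrong token

foreach ([['POST', $legit], ['POST', $forged], ['POST', $guess], ['GET', $legit]] as [$method, $post]) {
    printf("%-4s amt=%-6s token=%-7s -> %s\n", $method, $post['amt'],
        isset($post['csrf_token']) ? 'present' : 'absent',
        csrfValid($session, $post, $method) ? 'accepted' : 'rejected');
}
```

The slide's "Referrer check" is a reasonable second layer but not a primary one, since the Referer header is optional and often stripped; a SameSite attribute on the session cookie (settable from PHP 7.3) is the stronger companion to the token.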
  12. Look forward: XML Injection, Mass Assignment, Session Hijacking, Password Storage, Upload Handling
  13. XML Injection
      <!DOCTYPE root [
        <!ENTITY foo SYSTEM "http://test.com/bad.txt">
      ]>
      <test><testing>&foo;</testing></test>
      Inject content
      Expanded by default
      Defense: libxml_disable_entity_loader
  14. XML Injection
      <!DOCTYPE root [
        <!ENTITY one "one">
        <!ENTITY two "&one;&one;&one;&one;">
        <!ENTITY three "&two;&two;&two;&two;">
      ]>
      <test><testing>&three;</testing></test>
      XML "bomb": Denial of Service
      Defense: libxml_disable_entity_loader
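Slides 13 and 14 share one root cause: an inline DTD carrying entity declarations that libxml expands. The following added example (not code from the talk) parses untrusted XML so that both the external entity and the expanding entity chain are refused, and shows where the slide's libxml_disable_entity_loader() fits today. The function name is hypothetical; it assumes ext/dom.

```php
<?php
// Added example, not from the slides: parsing untrusted XML so that neither the
// external entity on slide 13 nor the expanding entity chain on slide 14 gets
// through. Function name is hypothetical; assumes ext/dom.

declare(strict_types=1);

function parseUntrustedXml(string $xml): DOMDocument
{
    // A data document never needs a DTD, and both attacks live inside the DOCTYPE,
    // so refuse it before libxml ever sees the entity declarations.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('DOCTYPE is not accepted');
    }

    // libxml_disable_entity_loader() is the slide's switch for PHP 5/7. PHP 8.0
    // deprecated it because the bundled libxml (>= 2.9) no longer loads external
    // entities unless asked, so it is only called where it still matters.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    $doc->resolveExternals   = false;
    $doc->substituteEntities = false;
    // LIBXML_NONET forbids network access during the parse; LIBXML_NOENT
    // (entity substitution) is deliberately absent.
    $ok = $doc->loadXML($xml, LIBXML_NONET);

    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($ok === false) {
        $first = $errors[0] ?? null;
        throw new InvalidArgumentException('malformed XML: ' . ($first ? trim($first->message) : 'unknown error'));
    }
    return $doc;
}

// Constructed samples: the two payload shapes from the slides, a clean document, and garbage.
$samples = [
    'external entity (slide 13)' =>
        '<!DOCTYPE root [ <!ENTITY foo SYSTEM "http://test.com/bad.txt"> ]>'
        . '<test><testing>&foo;</testing></test>',
    'entity bomb (slide 14)' =>
        '<!DOCTYPE root [ <!ENTITY one "one"> <!ENTITY two "&one;&one;&one;&one;">'
        . ' <!ENTITY three "&two;&two;&two;&two;"> ]><test><testing>&three;</testing></test>',
    'plain data'   => '<test><testing>hello</testing></test>',
    'not even XML' => '<test><testing>unclosed',
];

foreach ($samples as $label => $xml) {
    try {
        $doc  = parseUntrustedXml($xml);
        $node = $doc->getElementsByTagName('testing')->item(0);
        printf("%-27s accepted, testing=%s\n", $label, $node ? $node->textContent : '(none)');
    } catch (InvalidArgumentException $e) {
        printf("%-27s rejected: %s\n", $label, $e->getMessage());
    }
}
```

Rejecting the DOCTYPE outright is the simplest rule and covers both slides at once; where a DTD genuinely has to be accepted, keep the entity loader off, never pass LIBXML_NOENT, and put a size limit on the input before it reaches the parser.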
  15. Mass Assignment
      <?php
      $_POST['admin'] = true;   // a field the form never offered, added by the client
      $user = new \User();
      $user->values($_POST);    // every posted key is copied onto the model
      ?>
      Spotlighted in Rails
      Tricky to track
      Laravel has "fillable" & "guarded"
      Defenses: filter, restrict
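As an added example (not code from the talk), here is the "fillable" idea the slide credits to Laravel written out by hand: the model copies only whitelisted keys from the request, reports the keys it refused, and moves privilege changes into an explicit method with its own authorisation check. The User class and its methods are hypothetical; it assumes PHP 7.4+ for typed properties.

```php
<?php
// Added example, not from the slides: a whitelist ("fillable") filter in front of
// the model, with privilege changes moved to an explicit, separately authorised
// method. The User class and its methods are hypothetical; assumes PHP 7.4+.

declare(strict_types=1);

final class User
{
    /** Keys a request may set. Anything else is dropped and reported, never written. */
    private const FILLABLE = ['name', 'email'];

    public string $name  = '';
    public string $email = '';
    public bool   $admin = false;   // never request-assignable

    /** Copy only whitelisted keys; return the keys that were refused so the caller can log them. */
    public function fill(array $input): array
    {
        $allowed  = array_flip(self::FILLABLE);
        $rejected = array_keys(array_diff_key($input, $allowed));
        foreach (array_intersect_key($input, $allowed) as $key => $value) {
            $this->$key = (string) $value;
        }
        return $rejected;
    }

    /** Privilege escalation is a deliberate action by an authorised actor, not a form field. */
    public function promoteToAdmin(bool $actorIsAdmin): void
    {
        if (!$actorIsAdmin) {
            throw new RuntimeException('not authorised to grant admin');
        }
        $this->admin = true;
    }
}

// Constructed request standing in for $_POST on the slide: the client added admin=true and an id.
$post = ['name' => 'mallory', 'email' => 'mallory@example.com', 'admin' => 'true', 'id' => '1'];

$user     = new User();
$rejected = $user->fill($post);

printf("name=%s email=%s admin=%s\n", $user->name, $user->email, var_export($user->admin, true));
printf("refused keys: %s (worth logging: someone is probing for writable fields)\n", implode(', ', $rejected));

try {
    $user->promoteToAdmin(false);
} catch (RuntimeException $e) {
    echo 'promoteToAdmin: ', $e->getMessage(), "\n";
}
```

Whitelisting ("fillable") ages better than blacklisting ("guarded"): a new sensitive column added next year is protected by default instead of being exposed until someone remembers to list it.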
  16. Session Hijacking
      PHPSESSID=56fc3e2c96dc3030b11722caf474da81
      Fixation
      Sidejacking
      Encrypted sessions
      Lock to IP
      session_set_save_handler
  17. Session Hijacking
      <?php
      // renamed from the slide's "SessionHandler": that name is PHP's own built-in class (since 5.4)
      class CustomSessionHandler implements SessionHandlerInterface {
          // implementation
      }
      $handler = new CustomSessionHandler();
      session_set_save_handler($handler, true);
      ?>
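The slide leaves the handler body as "// implementation". This added example (not code from the talk) supplies one that covers the "Encrypted sessions" bullet on slide 16: each session is stored encrypted with AES-256-GCM and authenticated together with its id, and the wiring at the bottom adds the strict-mode, cookie and id-regeneration settings that address fixation and sidejacking. The class name and file layout are hypothetical; it assumes PHP 8.0+ and ext/openssl.

```php
<?php
// Added example, not from the slides: a body for the "// implementation" stub on
// slide 17. Each session file is stored encrypted with AES-256-GCM and bound to
// its id, and the wiring below adds the cookie and fixation settings that belong
// with a custom handler. Class name and layout are hypothetical; assumes PHP 8.0+
// and ext/openssl.

declare(strict_types=1);

final class EncryptedFileSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private string $dir = '';

    /** $key: 32 raw bytes. In production it comes from a secret store, never from source. */
    public function __construct(private string $key)
    {
        if (strlen($key) !== 32) {
            throw new InvalidArgumentException('key must be exactly 32 bytes');
        }
    }

    public function open(string $path, string $name): bool
    {
        $this->dir = rtrim($path !== '' ? $path : sys_get_temp_dir() . '/php_sess_demo', '/');
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }

    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $file = $this->fileFor($id);
        if ($file === null || !is_file($file)) {
            return '';                                   // unknown id: empty session, not an error
        }
        $blob = (string) file_get_contents($file);
        if (strlen($blob) < 28) {
            return '';
        }
        $plain = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $this->key, OPENSSL_RAW_DATA,
            substr($blob, 0, 12), substr($blob, 12, 16), $id);
        return $plain === false ? '' : $plain;           // tampered or foreign file: treat as empty
    }

    public function write(string $id, string $data): bool
    {
        $file = $this->fileFor($id);
        if ($file === null) {
            return false;
        }
        $iv  = random_bytes(12);
        $tag = '';
        // The id is authenticated as associated data, so a ciphertext copied from one
        // session's file into another fails to decrypt.
        $ct = openssl_encrypt($data, 'aes-256-gcm', $this->key, OPENSSL_RAW_DATA, $iv, $tag, $id);
        return $ct !== false && file_put_contents($file, $iv . $tag . $ct, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $file = $this->fileFor($id);
        return $file === null || !is_file($file) || unlink($file);
    }

    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $max_lifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }

    /** session.use_strict_mode asks this before accepting a client-supplied id; unknown ids get replaced. */
    public function validateId(string $id): bool
    {
        $file = $this->fileFor($id);
        return $file !== null && is_file($file);
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        $file = $this->fileFor($id);
        return $file !== null && is_file($file) && touch($file);
    }

    /** Only ids PHP itself can produce map to a path; anything else is refused, not sanitised. */
    private function fileFor(string $id): ?string
    {
        return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) ? $this->dir . '/sess_' . $id : null;
    }
}

// Wiring. Strict mode rejects ids the server never issued (fixation); Secure and
// HttpOnly keep the cookie off plain HTTP and away from script (sidejacking, XSS theft).
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
$handler = new EncryptedFileSessionHandler(random_bytes(32));   // demo-only key: sessions die with the process
session_set_save_handler($handler, true);
session_start();
// After a successful login, mint a fresh id so nothing chosen before authentication carries over.
session_regenerate_id(true);
```

On the slide's "Lock to IP": binding a session to the client address breaks legitimate users behind carrier NAT and on mobile networks, and an attacker on the same network passes the check anyway. Strict mode plus regeneration on privilege change and a Secure, HttpOnly cookie do more for less friction; an IP check, if kept, should log and step up authentication rather than hard-fail.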
  18. Password Storage
      md5("don't do this");
      sha1("or this");
      Hashing != Encryption
      Strong (or random) salts
      Bcrypt all the things
      ircmaxell/password_compat
      password_hash("use this", PASSWORD_BCRYPT, array('cost' => 7));
      // password_hash() draws a random salt itself; the 'salt' option needs a 22-character value and is deprecated since PHP 7.0
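The slide gives the storage call; the rest of the lifecycle is verification and upgrading old hashes as cost goes up, which is what password_needs_rehash() is for. The following added example (not code from the talk) walks a legacy hash made at the slide's cost of 7 and a current one through that cycle. Function names are hypothetical; it assumes PHP 7.1+ (password_hash() itself is 5.5+, or ircmaxell/password_compat before that, as the slide notes).

```php
<?php
// Added example, not from the slides: the register/login/upgrade cycle around
// password_hash(), relying on its built-in random salt. Function names are
// hypothetical; assumes PHP 7.1+.

declare(strict_types=1);

const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];   // tune so one hash takes roughly 100-250 ms on the login servers

/** Store this, never the password. password_hash() generates its own random salt. */
function hashPassword(string $password): string
{
    return password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

/**
 * Verify, and if the stored hash predates the current algorithm or cost, return a
 * replacement the caller must persist. Returns [bool $ok, ?string $newHash].
 */
function checkPassword(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $newHash = password_needs_rehash($storedHash, HASH_ALGO, HASH_OPTIONS)
        ? hashPassword($password)   // the plaintext is in hand only at login, so upgrade now
        : null;
    return [true, $newHash];
}

// Constructed data: a legacy hash made with the slide's cost of 7, and a current one.
$legacy  = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 7]);
$current = hashPassword('correct horse');

foreach (['legacy' => $legacy, 'current' => $current] as $label => $stored) {
    [$ok, $upgrade] = checkPassword('correct horse', $stored);
    printf("%-7s ok=%-5s upgrade=%s\n", $label, var_export($ok, true), $upgrade === null ? 'no' : 'yes');
}
[$ok] = checkPassword('wrong password', $current);
printf("%-7s ok=%s\n", 'wrong', var_export($ok, true));
```

Two notes on the slide's call: bcrypt cost 7 was already low in 2013 and should be raised, and the 'salt' option should not be used at all: it requires a 22-character salt, was deprecated in PHP 7.0 and is ignored with a warning from PHP 8.0, while the salt password_hash() generates itself is already random and strong.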
  19. Upload Handling
      content-disposition: form-data; name="file1"; filename="../../../etc/passwd"
      Restrict extensions/mime types
      Validate filename
      Secure location
      Block dangerous files
      move_uploaded_file
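The slide lists the checks; this added example (not code from the talk) puts them in the order they should run. Filename validation is a separate function so it can be exercised offline against the slide's "../../../etc/passwd" header value, and the stored name is generated by the server rather than taken from the client. Names are hypothetical; it assumes ext/fileinfo.

```php
<?php
// Added example, not from the slides: the checks the slide lists, in the order
// they should run. Filename validation is separated so it can be exercised
// offline; the final move needs a real multipart request. Names are
// hypothetical; assumes ext/fileinfo.

declare(strict_types=1);

final class UploadRejected extends RuntimeException {}

/** Extension => MIME types acceptable for it, as sniffed from the bytes (never from the client's Content-Type). */
const UPLOAD_TYPES = [
    'png' => ['image/png'],
    'jpg' => ['image/jpeg'],
    'pdf' => ['application/pdf'],
];
const UPLOAD_MAX_BYTES = 5 * 1024 * 1024;

/**
 * Validate the client-supplied filename and return its lower-cased extension.
 * Directory parts, odd characters, double extensions and dotfiles are rejected.
 */
function validateUploadName(string $clientName): string
{
    $name = basename(str_replace('\\', '/', $clientName));
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]{0,98}\.[A-Za-z0-9]{1,8}$/', $name)) {
        throw new UploadRejected("invalid filename '$clientName'");
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(UPLOAD_TYPES[$ext])) {
        throw new UploadRejected("extension .$ext not allowed");
    }
    return $ext;
}

/** Validate one $_FILES entry and move it into $storageDir (outside the web root); returns the stored name. */
function storeUpload(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new UploadRejected('upload failed, code ' . (int) ($file['error'] ?? UPLOAD_ERR_NO_FILE));
    }
    if (!is_uploaded_file($file['tmp_name'])) {          // only files this request delivered through PHP
        throw new UploadRejected('not an uploaded file');
    }
    if ($file['size'] > UPLOAD_MAX_BYTES) {
        throw new UploadRejected('file too large');
    }
    $ext  = validateUploadName((string) $file['name']);
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, UPLOAD_TYPES[$ext], true)) {
        throw new UploadRejected("content is $mime, which is not allowed for .$ext");
    }
    // The stored name is ours, not the client's, and the directory is not web-served.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($storageDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new UploadRejected('could not store file');
    }
    chmod($dest, 0600);
    return $stored;
}

// Offline check of the filename rule with constructed names, including the slide's header value.
foreach (['../../../etc/passwd', 'report.pdf', 'shell.php.png', '.htaccess', 'photo.JPG', 'photo.php'] as $n) {
    try {
        printf("%-22s -> .%s\n", $n, validateUploadName($n));
    } catch (UploadRejected $e) {
        printf("%-22s -> rejected: %s\n", $n, $e->getMessage());
    }
}

// In a request handler (needs a real multipart POST):
// try { $stored = storeUpload($_FILES['file1'], '/var/app/uploads'); }
// catch (UploadRejected $e) { http_response_code(400); }
```

"Secure location" means more than a directory outside the document root: serve stored files through a script that sets Content-Type from the validated extension and a Content-Disposition header, so a browser never sniffs or executes them, and keep the directory itself non-executable.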
  20. OWASP & Risk (2013 Edition)
      +D: What's next for Developers
      +V: What's next for Validators
      +O: What's next for Organizations
      +R: Notes about Risk
  21. OWASP Top 10 (2013 Edition)
      A1 - Injection
      A2 - Broken Authentication/Session Management
      A3 - Cross-Site Scripting
      A4 - Insecure Direct Object References
      A5 - Security Misconfiguration
      A6 - Sensitive Data Exposure
      A7 - Missing Function Level Access Control
      A8 - Cross-Site Request Forgery
      A9 - Using Known Vulnerable Components
      A10 - Unvalidated Redirects and Forwards
  22. Risk: Exploitability + Prevalence + Detectability + Impact
  23. "Push left": minimize risk, integrate early, encourage secure software development
  24. Questions? @enygma https://joind.in/8149