Beyond the Basics: Security with PHP

You've seen some of the basics of securing your application - validating input, filtering output and the like. Let me take you a step further into more advanced security in PHP. Protecting your application from things like XML injection, insecure sessions and upload issues can be tricky. This session is a how-to on keeping your app safe beyond XSS, CSRF and SQL injections.

Given at php|tek 2013

Chris Cornutt

May 16, 2013

Transcript

  1. Beyond the Basics
    security with php
    tek 2013
    Thursday, May 16, 2013


  2. As a whole, PHP
    fails at security
    no security-focused center

  3. It’s time to move
    beyond...
    complex applications require complex solutions

  4. App security is
    complex
    threat, attack surface, defense in depth, least
    privilege, two-factor, identity, authorization,
    spoofing, disclosure, poisoning, enumeration,
    injection, fixation, vulnerability...

  5. Look back
    Cross-Site Scripting
    SQL Injection
    Cross-Site Request Forgeries

  6. OWASP Top 10
    A1 - Injection
    A2 - Cross-Site Scripting
    A3 - Broken Authentication/Session Management
    A4 - Insecure Direct Object References
    A5 - Cross-Site Request Forgery
    A6 - Security Misconfiguration
    A7 - Insecure Cryptographic Storage
    A8 - Failure to Restrict URL Access
    A9 - Insufficient Transport Layer
    A10 - Unvalidated Redirects and Forwards
    2010 Edition

  7. Cross-Site Scripting
    http://mysite.com/query=
    Reflective
    Passive
    DOM injection
    Still relevant
    strip_tags, htmlentities

  8. Cross-Site Scripting
    <?php
    $result = strip_tags($_GET['query']);
    strip_tags('<b>test'); // not filtered
    // strip_tags() is a tag blacklist; encode on output instead:
    htmlentities($_GET['query']);
    ?>
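The two functions the slide names are not interchangeable. As an added example (not from the slides), here is output encoding done per context, with a constructed input that shows what strip_tags() leaves behind; the function names escapeHtml and escapeJs are this example's own:

```php
<?php
// Added example, not from the slides: context-aware output encoding.
// strip_tags() is a tag blacklist, not an encoder; the functions below are
// what the "htmlentities" bullet on the slide amounts to in practice.

/** Encode for an HTML text node or a quoted attribute value. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES covers both ' and "; the charset must match the page's.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Encode for a JavaScript string literal inside an inline <script> block. */
function escapeJs(string $value): string
{
    // JSON-encode, and hex-escape the characters that could otherwise close
    // the script element or break out of the literal.
    $json = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($json === false) {
        throw new InvalidArgumentException('value is not valid UTF-8');
    }
    return $json;
}

// Constructed input standing in for $_GET['query'].
$query = '<b title="x">search term</b> & more';

// strip_tags() drops the markup but leaves the rest raw: the ampersand is
// untouched and whatever survives is still emitted as HTML.
echo strip_tags($query), "\n";

// Encoding keeps the content and makes it inert in each context.
echo '<p>Results for ' . escapeHtml($query) . '</p>', "\n";
echo '<script>var q = ' . escapeJs($query) . ';</script>', "\n";
```

Run from the CLI, the first line prints the bare text with the ampersand intact, the second prints the query with every `<`, `>`, `"` and `&` converted to entities, and the third prints a JSON string literal in which `<` and `>` appear as `\u003C` and `\u003E`, so the browser cannot read them as the end of the script element.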

  9. SQL Injection
    "update users set admin = ".$_GET['admin']
    Too easy to do wrong
    Blind versus Known
    Validation
    Whitelist
    prepared statements, escaping

  10. SQL Injection
    <?php
    $dbh = new PDO($dsn, $user, $password);
    $stmt = $dbh->prepare('select title from posts where name = :name');
    $stmt->bindParam(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $rows = $stmt->fetchAll();
    ?>
    http://php.net/pdo
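The two SQL injection slides above list prepared statements and a whitelist as the fixes. This added example (not from the slides) puts both together: bound values for data, a fixed whitelist for the one thing placeholders cannot carry (an identifier such as a sort column), and the slide's admin update rewritten with bound parameters. It runs against an in-memory SQLite database so it works offline; the table layout is constructed for the example.

```php
<?php
// Added example, not from the slides: prepared statements plus a whitelist
// for the parts of a query that placeholders cannot cover.

function connect(string $dsn, string $user, string $password): PDO
{
    return new PDO($dsn, $user, $password, [
        // Throw on errors instead of silently returning false.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: values are never spliced into SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

/** Post titles by author. $name is bound as data, so SQL characters in it are inert. */
function titlesByName(PDO $dbh, string $name): array
{
    $stmt = $dbh->prepare('SELECT title FROM posts WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * Placeholders work for values, not identifiers. A sort column taken from
 * the request must be checked against a fixed whitelist before it is
 * interpolated.
 */
function titlesSorted(PDO $dbh, string $sortBy): array
{
    $allowed = ['title', 'created_at', 'name'];
    if (!in_array($sortBy, $allowed, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $stmt = $dbh->query("SELECT title FROM posts ORDER BY $sortBy");
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** The admin-flag update from the previous slide, with both values bound. */
function setAdmin(PDO $dbh, int $userId, bool $isAdmin): int
{
    $stmt = $dbh->prepare('UPDATE users SET admin = :admin WHERE id = :id');
    $stmt->bindValue(':admin', $isAdmin ? 1 : 0, PDO::PARAM_INT);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed usage with an in-memory SQLite database.
$dbh = connect('sqlite::memory:', '', '');
$dbh->exec('CREATE TABLE posts (name TEXT, title TEXT, created_at TEXT)');
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, admin INTEGER)');
$dbh->exec("INSERT INTO posts VALUES ('o''brien', 'Hello', '2013-05-16')");
$dbh->exec('INSERT INTO users VALUES (1, 0)');

print_r(titlesByName($dbh, "o'brien"));   // the apostrophe is just data
print_r(titlesSorted($dbh, 'title'));
var_dump(setAdmin($dbh, 1, true));

try {
    titlesSorted($dbh, 'title; DROP TABLE posts');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

ATTR_EMULATE_PREPARES matters on MySQL: with emulation on (the PDO default there) the driver quotes values client-side and splices them into the query string, which is safe as long as the connection charset is set correctly but is not what most people think "prepared" means.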

  11. CSRF
    GET /transfer?from=123&to=456&amt=100000
    Tokens
    Exploit of user trust
    Referrer check
    Replay attacks
    tokens, idempotent requests
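The slide's fixes are tokens and non-idempotent requests only over POST. As an added example (not from the slides), the transfer endpoint shown above rewritten as a handler that refuses GET and checks a per-session token; it assumes PHP 7+ for random_bytes() and hash_equals(), and the handler and field names are this example's own.

```php
<?php
// Added example, not from the slides: per-session anti-CSRF token.
// Assumes PHP 7+ for random_bytes() and hash_equals().

session_start();

/** One token per session, created on first use. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field to embed in every state-changing form. */
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Compare the submitted token with the session copy. hash_equals() runs in
 * constant time; a plain == would leak timing information.
 */
function csrfValid(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return is_string($post['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

/**
 * The transfer from the slide as a POST-only handler: a plain link or image
 * tag cannot issue a POST, and a cross-site form cannot read the token.
 */
function handleTransfer(string $method, array $post): string
{
    if ($method !== 'POST') {
        return '405 Method Not Allowed';
    }
    if (!csrfValid($post)) {
        return '403 Forbidden: missing or invalid CSRF token';
    }
    // ... perform the transfer for the logged-in user using $post['to'] and $post['amt'] ...
    return '200 OK';
}

// Constructed requests: the slide's GET, a POST without a token, a genuine POST.
echo handleTransfer('GET',  ['to' => '456', 'amt' => '100000']), "\n";
echo handleTransfer('POST', ['to' => '456', 'amt' => '100000']), "\n";
echo handleTransfer('POST', ['to' => '456', 'amt' => '100', 'csrf_token' => csrfToken()]), "\n";
echo csrfField(), "\n";
```

The first two requests are refused and only the third, carrying the token the server issued to this session, is accepted. The "from" account is deliberately absent from the request: it belongs to the session, not to the client.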

  12. Look forward
    XML Injection
    Mass Assignment
    Session Hijacking
    Password Storage
    Upload Handling

  13. XML Injection

    ]>
    &foo;
    Inject content
    Expanded by default
    libxml_disable_entity_loader

  14. XML Injection



    ]>
    &three;
    XML “bomb”
    Denial of Service
    libxml_disable_entity_loader
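Both XML slides above (the external entity `&foo;` and the expansion bomb `&three;`) depend on the document carrying a `<!DOCTYPE ... [ ... ]>` block. This added example (not from the slides) is a loader for untrusted XML that rejects any DTD up front and, on PHP before 8.0, also calls the libxml_disable_entity_loader() function the slides name; the function name and sample documents are constructed for the example.

```php
<?php
// Added example, not from the slides: parse untrusted XML without resolving
// external entities or expanding entity definitions.

/** Parse XML from an untrusted source; returns the DOMDocument or throws. */
function parseUntrustedXml(string $xml): DOMDocument
{
    // Refuse any document with a DTD: both the external-entity case and the
    // expansion "bomb" need a <!DOCTYPE ... [ ... ]> block to declare entities.
    // (Assumes an ASCII-compatible encoding; normalise UTF-16 input first.)
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('DTD / DOCTYPE not allowed');
    }

    // Belt and braces: stop libxml loading external entities. The call is
    // deprecated from PHP 8.0, where external loading is already off by default.
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT is
    // deliberately NOT passed, so entity references are never substituted.
    $ok = $dom->loadXML($xml, LIBXML_NONET);

    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader($previousLoader);
    }

    if ($ok === false) {
        $msg = $errors ? trim($errors[0]->message) : 'invalid XML';
        throw new InvalidArgumentException('XML parse error: ' . $msg);
    }
    return $dom;
}

// Constructed inputs: a plain document, and one that declares an entity.
$safe    = '<order><item sku="ABC-1" qty="2"/></order>';
$withDtd = '<!DOCTYPE order [<!ENTITY foo "expanded">]><order>&foo;</order>';

$dom = parseUntrustedXml($safe);
echo 'root element: ', $dom->documentElement->tagName, "\n";

foreach ([$withDtd, '<order><item'] as $bad) {
    try {
        parseUntrustedXml($bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The same pattern applies to simplexml_load_string(): pass LIBXML_NONET, leave LIBXML_NOENT off, and run the DOCTYPE check before handing the string over. If the application legitimately needs a DTD, validate against a known local copy rather than whatever the document points at.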

  15. Mass Assignment
    <?php
    $_POST['admin'] = true;
    $user = new \User();
    $user->values($_POST);
    ?>
    Spotlighted in Rails
    Tricky to track
    Laravel has “fillable” & “guarded”
    filter, restrict
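The slide's fix is "filter, restrict", which Laravel spells as `$fillable` and `$guarded`. As an added example (not from the slides and not Laravel's code), here is a model whose values() method enforces that whitelist itself, plus a generic filter for request arrays; the class and its attribute names are constructed for the example.

```php
<?php
// Added example, not from the slides and not Laravel's code: a model whose
// bulk-assignment method enforces a fillable whitelist and a guarded list,
// the pattern the slide attributes to Laravel.

class User
{
    /** Attributes a request may set in bulk. */
    protected $fillable = ['name', 'email'];
    /** Attributes only explicit application code may change. */
    protected $guarded = ['id', 'admin'];

    private $attributes = ['id' => null, 'name' => null, 'email' => null, 'admin' => false];

    /** Bulk-assign request data; keys outside $fillable are dropped. */
    public function values(array $input): self
    {
        // Log an attempt on a guarded key rather than ignoring it silently:
        // it is a useful detection signal.
        $touched = array_intersect_key($input, array_flip($this->guarded));
        if ($touched !== []) {
            error_log('mass-assignment attempt on guarded keys: ' . implode(',', array_keys($touched)));
        }
        $allowed = array_intersect_key($input, array_flip($this->fillable));
        foreach ($allowed as $key => $value) {
            $this->attributes[$key] = $value;
        }
        return $this;
    }

    /** Privilege changes go through a dedicated, auditable method. */
    public function promoteToAdmin(): void
    {
        $this->attributes['admin'] = true;
    }

    public function toArray(): array
    {
        return $this->attributes;
    }
}

/** Generic pre-filter for any array about to be handed to a model. */
function only(array $input, array $keys): array
{
    return array_intersect_key($input, array_flip($keys));
}

// Constructed request body: the slide's admin flag next to legitimate fields.
$post = ['name' => 'alice', 'email' => 'alice@example.com', 'admin' => true];

$user = (new User())->values($post);
var_dump($user->toArray()['admin']);             // the admin key never landed
var_dump(array_keys(only($post, ['name', 'email'])));
```

Keeping the whitelist on the model rather than in each controller is the point: "tricky to track" on the slide is exactly the problem of every call site having to remember the filter.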

  16. Session Hijacking
    PHPSESSID=56fc3e2c96dc3030b11722caf474da81
    Fixation
    Sidejacking
    Encrypted sessions
    Lock to IP
    session_set_save_handler

  17. Session Hijacking
    <?php
    // PHP 5.4+ ships a built-in class named SessionHandler, so the custom one needs another name.
    class CustomSessionHandler implements SessionHandlerInterface
    {
        // all six interface methods are required; stubbed here
        public function open($savePath, $name) { return true; }
        public function close() { return true; }
        public function read($id) { return ''; }
        public function write($id, $data) { return true; }
        public function destroy($id) { return true; }
        public function gc($maxLifetime) { return true; }
    }
    session_set_save_handler(new CustomSessionHandler(), true);
    ?>
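The two session slides list encrypted sessions, locking to an IP, and session_set_save_handler(). This added example (not from the slides) implements SessionHandlerInterface with AES-256-GCM encryption of the session data at rest, then wraps session_start() with the cookie and fixation defences; it assumes PHP 7.3+ (GCM in openssl_encrypt(), array form of session_set_cookie_params()), and the class name, storage directory and key derivation are placeholders for the example.

```php
<?php
// Added example, not from the slides: a SessionHandlerInterface implementation
// that encrypts session data at rest, plus start-up hardening. Assumes PHP 7.3+.
// Key derivation and storage directory below are placeholders.

class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    private $dir;
    private $key;   // 32 raw bytes for AES-256

    public function __construct(string $dir, string $key)
    {
        if (strlen($key) !== 32) {
            throw new InvalidArgumentException('key must be 32 bytes');
        }
        $this->dir = rtrim($dir, '/');
        $this->key = $key;
    }

    // The id arrives in the client's cookie: restrict it to the characters PHP
    // generates so it can never become a path traversal.
    private function path(string $id): string
    {
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new InvalidArgumentException('malformed session id');
        }
        return $this->dir . '/sess_' . $id;
    }

    #[\ReturnTypeWillChange]
    public function open($savePath, $sessionName)
    {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }

    #[\ReturnTypeWillChange]
    public function close() { return true; }

    #[\ReturnTypeWillChange]
    public function read($id)
    {
        $file = $this->path($id);
        $blob = is_file($file) ? (string) file_get_contents($file) : '';
        if (strlen($blob) < 28) {
            return '';
        }
        // On-disk layout: 12-byte IV | 16-byte GCM tag | ciphertext.
        $plain = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $this->key,
            OPENSSL_RAW_DATA, substr($blob, 0, 12), substr($blob, 12, 16));
        // A failed tag check means tampering or a wrong key: treat as no session.
        return $plain === false ? '' : $plain;
    }

    #[\ReturnTypeWillChange]
    public function write($id, $data)
    {
        $iv = random_bytes(12);
        $tag = '';
        $cipher = openssl_encrypt($data, 'aes-256-gcm', $this->key, OPENSSL_RAW_DATA, $iv, $tag);
        return $cipher !== false
            && file_put_contents($this->path($id), $iv . $tag . $cipher, LOCK_EX) !== false;
    }

    #[\ReturnTypeWillChange]
    public function destroy($id)
    {
        $file = $this->path($id);
        return !is_file($file) || unlink($file);
    }

    #[\ReturnTypeWillChange]
    public function gc($maxLifetime)
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $maxLifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }
}

function secureSessionStart(SessionHandlerInterface $handler): void
{
    session_set_save_handler($handler, true);
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/',
        'secure'   => true,   // cookie only over TLS: this is what stops sidejacking
        'httponly' => true,   // not readable by script
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');    // refuse ids the server did not issue
    ini_set('session.use_only_cookies', '1');   // never accept an id from the URL
    session_start();
}

// Call at login and at any privilege change: a fresh id makes a pre-set
// (fixated) id worthless. The IP is the slide's "lock to IP"; it is cheap but
// breaks for clients behind rotating proxies, so treat it as a hint, not a lock.
function onLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'] ?? 'cli';
}

// Constructed usage; derive the real key from a secret held in configuration.
$key = hash('sha256', 'PLACEHOLDER-replace-with-configured-secret', true);
secureSessionStart(new EncryptedFileSessionHandler(sys_get_temp_dir() . '/sess-demo', $key));
onLogin(42);
```

Encryption at rest protects the session store (a shared tmp directory, a backup, a leaked database dump); it does nothing for the id travelling in the cookie, which is why the cookie flags and session_regenerate_id() are part of the same routine.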

  18. Password Storage
    md5("don't do this");
    sha1("or this");
    Hashing != Encryption
    Strong (or random) salts
    Bcrypt all the things
    ircmaxell/password_compat
    password_hash('use this', PASSWORD_BCRYPT, array('cost' => 7));
    // password_hash() generates a random salt itself (bcrypt needs 22 chars; a short
    // fixed 'salt' option is rejected with a warning, and the option is deprecated
    // since PHP 7.0). The default cost is 10.
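Hashing with password_hash() is half of the job; the other half is verifying and re-hashing as the cost goes up. This added example (not from the slides) uses the password_hash(), password_verify() and password_needs_rehash() functions (PHP 5.5+, or the ircmaxell/password_compat library the slide names on older versions) and adds a cost calibration loop; the target cost and function names are this example's assumptions.

```php
<?php
// Added example, not from the slides: the password_hash() API end to end,
// with verification, transparent rehashing and cost calibration.

const TARGET_COST = 12;   // assumption: pick so one hash takes roughly 100-250 ms

/** Hash a new password. password_hash() draws a fresh random salt per call. */
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => TARGET_COST]);
}

/**
 * Verify a login and upgrade the stored hash if it was made with a lower cost
 * (or another algorithm). Returns the hash to persist, or null on failure.
 */
function verifyAndMaybeRehash(string $plain, string $storedHash): ?string
{
    if (!password_verify($plain, $storedHash)) {
        return null;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => TARGET_COST])) {
        return hashPassword($plain);   // caller stores this in place of the old hash
    }
    return $storedHash;
}

/** Highest bcrypt cost that keeps one hash under $targetMs on this machine. */
function calibrateCost(int $targetMs = 250): int
{
    $cost = 8;
    do {
        $cost++;
        $start = microtime(true);
        password_hash('calibration', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (microtime(true) - $start) * 1000;
    } while ($elapsedMs < $targetMs && $cost < 31);
    return $cost - 1;
}

// Constructed walk-through: a legacy hash at cost 7 (the slide's value) is
// accepted once and replaced with one at the target cost.
$legacy = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 7]);

var_dump(verifyAndMaybeRehash('wrong guess', $legacy));
$upgraded = verifyAndMaybeRehash('correct horse', $legacy);
var_dump($upgraded !== $legacy);
var_dump(password_get_info($upgraded)['options']['cost']);
echo 'suggested cost on this machine: ', calibrateCost(), "\n";
```

The wrong guess yields null, the correct password yields a new hash (so the comparison is true) whose reported cost is 12, and the last line prints whatever cost this hardware supports within the time budget. Re-hashing at login is the only point where the plaintext is available, which is why the upgrade lives there.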

  19. Upload Handling
    content-disposition: form-data; name="file1";
    filename="../../../etc/passwd"
    Restrict extensions/mime types
    Validate filename
    Secure location
    Block dangerous files
    move_uploaded_file
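The slide lists five checks for an upload. This added example (not from the slides) applies all of them to one $_FILES entry before calling move_uploaded_file(): upload status, size, origin, a content-sniffed MIME type matched against an extension whitelist, and a server-generated filename so the client's name (such as the traversal one on the slide) is never used as a path. The allowed-type table, size limit and storage directory are assumptions to adapt.

```php
<?php
// Added example, not from the slides: validating one $_FILES entry before
// moving it. Allowed types, size limit and storage directory are assumptions;
// the storage directory must be outside the web root.

const ALLOWED = [
    // extension => MIME type as detected from content (not as sent by the browser)
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
];
const MAX_BYTES = 5 * 1024 * 1024;

/** Validate $file (one entry of $_FILES) and return where it was stored. Throws on any failure. */
function storeUpload(array $file, string $storageDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . ($file['error'] ?? '?'));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only accept a temp path PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // The client-supplied name is untrusted. Use it only to pick the extension,
    // after stripping any directory part (both separator styles).
    $clientName = basename(str_replace('\\', '/', $file['name']));
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // Sniff the MIME type from content; $file['type'] is whatever the browser said.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }

    // Never reuse the client's filename: a random one cannot collide with or
    // overwrite anything, and cannot carry a second, executable extension.
    $target = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not move file');
    }
    chmod($target, 0640);   // not executable, not world-readable
    return $target;
}

// Usage inside a request handler (is_uploaded_file() only succeeds for files
// PHP received in the current HTTP request, so this is not runnable from the CLI):
// $path = storeUpload($_FILES['file1'], '/var/app/uploads');
```

Serve stored files through a script that sets Content-Type and Content-Disposition from the stored metadata, not from a web-reachable directory; then even a file that passes the checks is never interpreted by the web server.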

  20. OWASP & Risk
    2013 Edition
    +D : What’s next for Developers
    +V : What’s next for Validators
    +O : What’s next for Organizations
    +R : Notes about Risk

  21. OWASP Top 10
    A1 - Injection
    A2 - Broken Authentication/Session Management
    A3 - Cross-Site Scripting
    A4 - Insecure Direct Object References
    A5 - Security Misconfiguration
    A6 - Sensitive Data Exposure
    A7 - Missing Function Level Access Control
    A8 - Cross-Site Request Forgery
    A9 - Using Known Vulnerable Components
    A10 - Unvalidated Redirects and Forwards
    2013 Edition

  22. Risk
    Exploitability, Prevalence, Detectability, Impact

  23. “Push left”
    minimize risk, integrate early
    encourage secure software development

  24. Questions?
    @enygma
    https://joind.in/8149