Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond the Basics: Security with PHP

Chris Cornutt
May 16, 2013
Technology
1
640

Beyond the Basics: Security with PHP

You've seen some of the basics of securing your application - validating input, filtering output and the like. Let me take you a step further into more advanced security in PHP. Protecting your application from things like XML injection, insecure sessions and upload issues can be tricky. This session is a how-to on keeping your app safe beyond XSS, CSRF and SQL injections.

Given at php|tek 2013

Chris Cornutt

May 16, 2013
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
ccornutt
0
87
Pentesting for Developers
ccornutt
0
95
Securing Legacy Applications - Longhorn PHP 2018
ccornutt
1
150
Pieces of Auth
ccornutt
0
280
Securing Legacy Applications
ccornutt
0
290
Build Security In
ccornutt
0
150
Introduction to Slim 3
ccornutt
0
140
Securing Legacy Applications
ccornutt
0
32
PHP Security, Redfined
ccornutt
0
230

Other Decks in Technology

See All in Technology
モチベーションサイクルという観点でQAをしよう
mixi_engineers
PRO
1
150
【IoT-Tech Meetup #5】IoTとは?WireGuard概要とIoTで通信を守る理由
soracom
PRO
0
120
サーバーレスは死なぬ!みんなEDA(Event Driven Architecture)として使ってるでしょ?
cyberarchitect
5
1.9k
コツコツととのえるLTの段取り/engineers_lt
nishiuma
4
140
DDD e Team Topologies como estes conceitos podem te dar pistas de como montar seus times de engenharia!!!
claudioed
2
340
監視とオブザーバビリティ 〜 悩む前に確認しておくべきこと / 20230926-ssmjp-monitoring-and-observability
opelab
9
1.2k
【IoT-Tech Meetup #5】WireGuardを動かす環境やハードウェア紹介
soracom
PRO
0
120
Java 21 Overview
line_developers
PRO
2
260
360度写真を使った 屋内地図の作成
kawajiritakayuki
0
150
F0推定アルゴリズムHarvestは中で何をしているのか
nagiss
2
320
Fivetranでデータ移動を自動化する
hankehly
0
130
KARTEのAPIサーバ化
line_developers
PRO
1
250

Featured

See All Featured
The Brand Is Dead. Long Live the Brand.
mthomps
48
5.1k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
20k
Infographics Made Easy
chrislema
236
17k
Product Roadmaps are Hard
iamctodd
42
8.7k
Fashionably flexible responsive web design (full day workshop)
malarkey
395
64k
[RailsConf 2023] Rails as a piece of cake
palkan
15
2.8k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.6k
The Mythical Team-Month
searls
212
41k
Making Projects Easy
brettharned
104
5.1k
Navigating Team Friction
lara
177
12k
Practical Orchestrator
shlominoach
179
9.3k
A better future with KSS
kneath
230
16k

Transcript

  1. Beyond the Basics
    security with php
    tek 2013
    Thursday, May 16, 2013

    View Slide

  2. As a whole, PHP
    fails at security
    no security-focused center
    tek 2013
    Thursday, May 16, 2013

    View Slide

  3. It’s time to move
    beyond...
    complex applications require complex solutions
    tek 2013
    Thursday, May 16, 2013

    View Slide

  4. App security is
    complex
    threat, attack surface, defense in depth, least
    privilege, two-factor, identity, authorization,
    spoofing, disclosure, poisoning, enumeration,
    injection, fixation, vulnerability...
    tek 2013
    Thursday, May 16, 2013

    View Slide

  5. Look back
    Cross-Site Scripting
    SQL Injection
    Cross-Site Request Forgeries
    I
    tek 2013
    Thursday, May 16, 2013

    View Slide

  6. OWASP Top 10
    I
    A1 - Injection
    A2 - Cross-Site Scripting
    A3 - Broken Authentication/Session Management
    A4 - Insecure Direct Object References
    A5 - Cross-Site Request Forgery
    A6 - Security Misconfiguration
    A7 - Insecure Cryptographic Storage
    A8 - Failure to Restrict URL Access
    A9 - Insufficient Transport Layer
    A10 - Unvalidated Redirects and Forwards
    2010 Edition
    tek 2013
    Thursday, May 16, 2013

    View Slide

  7. Cross-Site Scripting
    I
    http://mysite.com/query=
    Reflective
    Passive
    DOM injection
    Still relevant
    strip_tags, htmlentities
    tek 2013
    Thursday, May 16, 2013

    View Slide

  8. Cross-Site Scripting
    I
    $result = strip_tags($_GET[‘query’]);
    strip_tags(‘<b>test’); // not filtered
    htmlentities($_GET[‘query’]);
    ?>
    tek 2013
    Thursday, May 16, 2013

    View Slide

  9. SQL Injection
    I
    “update users set admin = “.$_GET[‘admin’]
    Too easy to do wrong
    Blind versus Known
    Validation
    Whitelist
    prepared statements,escaping
    tek 2013
    Thursday, May 16, 2013

    View Slide

  10. SQL Injection
    I
    $dbh = new PDO($dsn, $user, $password);
    $stmt = $dbh->prepare(‘select title from posts where name
    = :name’);
    $stmt->bindParam(‘name’, $name, PDO::PARAM_STR);
    $stmt->execute();
    ?>
    http://php.net/pdo
    tek 2013
    Thursday, May 16, 2013

    View Slide

  11. CSRF
    I
    GET /transfer?from=123&to=456&amt=100000
    Tokens
    Exploit of user trust
    Referrer check
    Replay attacks
    tokens, idempotent requests
    tek 2013
    Thursday, May 16, 2013

    View Slide

  12. Look forward
    XML Injection
    Mass Assignment
    Session Hijacking
    Password Storage
    Upload Handling
    I
    tek 2013
    Thursday, May 16, 2013

    View Slide

  13. XML Injection
    I

    ]>
    &foo;
    Inject content
    Expanded by default
    libxml_disable_entity_loader
    tek 2013
    Thursday, May 16, 2013

    View Slide

  14. XML Injection
    I



    ]>
    &three;
    XML “bomb”
    Denial of Service
    libxml_disable_entity_loader
    tek 2013
    Thursday, May 16, 2013

    View Slide

  15. Mass Assignment
    I
    $_POST[‘admin’] = true;
    $user = new \User();
    $user->values($_POST);
    ?>
    Spotlighted in Rails
    Tricky to track
    Laravel has “fillable” & “guarded”
    filter, restrict
    tek 2013
    Thursday, May 16, 2013

    View Slide

  16. Session Hijacking
    I
    PHPSESSID=56fc3e2c96dc3030b11722caf474da81
    Fixation
    Sidejacking
    Encrypted sessions
    Lock to IP
    session_set_save_handler
    tek 2013
    Thursday, May 16, 2013

    View Slide

  17. Session Hijacking
    I
    class SessionHandler implements SessionHandlerInterface
    {
    // implementation
    }
    $handler = new SessionHandler();
    session_set_save_handler($handler, true);
    ?>
    tek 2013
    Thursday, May 16, 2013

    View Slide

  18. Password Storage
    I
    md5(“don’t do this”);
    sha1(“or this”);
    Hashing != Encryption
    Strong (or random) salts
    Bcrypt all the things
    ircmaxell/password_compat
    password_hash(“use this”, PASSWORD_BCRYPT,
    array(‘cost’=>7,‘salt’=>‘th1si5my54lt’));
    tek 2013
    Thursday, May 16, 2013

    View Slide

  19. Upload Handling
    I
    content-disposition: form-data; name=”file1”;
    filename=”../../../etc/passwd”
    Restrict extensions/mime types
    Validate filename
    Secure location
    Block dangerous files
    move_uploaded_file
    tek 2013
    Thursday, May 16, 2013

    View Slide

  20. OWASP & Risk
    I
    2013 Edition
    +D : What’s next for Developers
    +V : What’s next for Validators
    +O : What’s next for Organizations
    +R : Notes about Risk
    tek 2013
    Thursday, May 16, 2013

    View Slide

  21. OWASP Top 10
    I
    A1 - Injection
    A2 - Broken Authentication/Session Management
    A3 - Cross-Site Scripting
    A4 - Insecure Direct Object References
    A5 - Security Misconfiguration
    A6 - Sensitive Data Exposure
    A7 - Missing Function Level Access Control
    A8 - Cross-Site Request Forgery
    A9 - Using Known Vulnerable Components
    A10 - Unvalidated Redirects and Forwards
    2013 Edition
    tek 2013
    Thursday, May 16, 2013

    View Slide

  22. Risk
    I
    Exploitability Prevalence
    Detectability Impact
    +
    tek 2013
    Thursday, May 16, 2013

    View Slide

  23. “Push left”
    minimize risk, integrate early
    encourage secure software development
    tek 2013
    Thursday, May 16, 2013

    View Slide

  24. Questions?
    @enygma
    https://joind.in/8149
    tek 2013
    Thursday, May 16, 2013

    View Slide