PHP Security, Redefined

Chris Cornutt
September 25, 2015

Let's be honest, PHP has had a rocky history with security. Over the years the language has been highly criticized for its lack of focus on security and secure development practices. In more recent years, however, a resurgence has happened in the language and community, bringing secure development back into focus. With PHP 7 on the horizon, the language is making even more strides to improve some of its wayward ways of the past and reinvent itself. I'll share practical code examples, tools, libraries and best practices that are making it easier than ever to keep PHP applications safe.

Come along with me as I guide you through both the language improvements and community encouragement making PHP a more secure place.

Transcript

  1. PHP Security, Redefined
     Chris Cornutt - AppSec USA 2015

  2. Chris Cornutt
     PHP developer for 15+ years
     Focus on appsec for 5+ years
     Application Security Engineer @ Pardot (Salesforce)
     @enygma
     @securingphp

  3. A BIT OF HISTORY

  4. PHP: The Language
     • Over 20 years since first inception
     • Used by over 80% of the web
     • Latest is PHP 5.6.x
     • PHP 7 coming late 2015
     • PHP 5.3 is still most widely installed, 5.4 is gaining

  5. PHP: The Language
     • Support schedule
     http://php.net/supported-versions.php
     PHP 5.4 no longer supported, 5.5 in security-only support & 5.6 in full support

  6. COMMUNITY LEADERS

  7. Scott Arciszewski, Ryan Mauger, Anthony Ferrara, Pádraic Brady,
     Elizabeth Smith, Ilia Alshanetsky, Beth Tucker Long, Michelangelo van Dam,
     Wim Godden

  8. LIBRARIES & TOOLING

  9. Composer
     • The missing package manager for PHP (not PEAR)
     • Open Source project
     • Use has exploded
     • Packagist
     • One command (install/update)
     • No vetting of packages

  10. Frameworks
     • Major frameworks
     • Security advisories and updates
     • Paid audit of Symfony (v2)
     • Update to database of vulnerable components

  11. Drupal
     • Started 15 years ago
     • Used by major services and sites
     • Renewed security efforts
     • Dedicated security team
     • Security Advisories
     • Reviews of core and contributed components
     https://www.drupal.org/security-team

  12. WordPress
     • About 14 years old
     • Used by 58% of sites that use CMSes
     • [email protected]
     • Security advisories and updates (core & contrib)
     • Over two thirds of issues are with plugins, not core

  13. Libraries & Tooling
     ircmaxell/random-lib
     A library for generating secure random numbers
     padraic/SecurityMultiTool
     A multitool library offering access to recommended security-related libraries, standardized implementations of security defenses, and secure implementations of commonly performed tasks.
     respect/validation
     The most awesome validation engine ever created for PHP
     psecio/iniscan
     A scanner to evaluate php.ini security
     sensiolabs/security-checker
     A security checker for your composer.lock

  14. Libraries & Tooling
     defuse/php-encryption
     Secure PHP encryption library, vetted by infosec community members
     twigphp/Twig
     The flexible, fast, and secure template language for PHP

  15. THE CURRENT

  16. Native Password Hashing
     • Available in PHP >= 5.5
     • User-friendly crypt() with safer defaults
     • Bcrypt by default, cost of 10
     • password_hash, password_verify, password_needs_rehash

  17. Native Password Hashing
     // old way, prone to flaws because users
     $pwdCrypt = crypt($input, '$2y$10$'.$salt);
     // to hash the password
     $hashed = password_hash($input, PASSWORD_DEFAULT);
     // to verify the password
     if (password_verify($inputPassword, $hashedPassword)) {
         echo 'Valid password!';
     }
     // password_needs_rehash

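The slide names password_needs_rehash but does not show where it fits. The following is an added example, not code from the talk, of a complete login check that verifies with password_verify, upgrades legacy hashes on the fly, and burns the same hashing time for unknown users; $users and DUMMY_HASH are constructed stand-ins for a users table.

```php
<?php
// Added example (not from the slides): a complete login flow built on
// password_hash / password_verify / password_needs_rehash.
// $users is a constructed in-memory array standing in for a users table.
declare(strict_types=1);

const HASH_ALGO = PASSWORD_DEFAULT;  // bcrypt on PHP 5.5 through 7.x
const HASH_OPTS = ['cost' => 12];    // deliberately above the default cost of 10

// Computed once so that an unknown user costs the same time as a wrong password.
define('DUMMY_HASH', password_hash('placeholder', HASH_ALGO, HASH_OPTS));

function login(array &$users, string $name, string $password): bool
{
    $known  = isset($users[$name]);
    $stored = $known ? $users[$name] : DUMMY_HASH;

    // password_verify always runs first, whether or not the user exists.
    if (!password_verify($password, $stored) || !$known) {
        return false;
    }
    // Transparently upgrade hashes made with an older algorithm or a lower cost;
    // this is the only moment the plaintext is available to re-hash.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTS)) {
        $users[$name] = password_hash($password, HASH_ALGO, HASH_OPTS);
    }
    return true;
}

// Constructed sample: alice's hash was created at the old default cost of 10.
$users  = ['alice' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10])];
$before = $users['alice'];

echo login($users, 'alice', 'wrong password') ? "login ok\n" : "login rejected\n";
echo login($users, 'mallory', 'anything')     ? "login ok\n" : "login rejected\n";
echo login($users, 'alice', 'correct horse')  ? "login ok\n" : "login rejected\n";
echo $users['alice'] === $before ? "hash unchanged\n" : "hash upgraded to cost 12\n";
```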
  18. Crypt() Errors with No Salt
     • PHP >= 5.6
     • Previously allowed no salt (d'oh)
     • Now throws E_NOTICE
     PHP Notice: crypt(): No salt parameter was specified. You
     must use a randomly generated salt and a strong hash
     function to produce a secure hash.

  19. OpenSSL Updates
     • PHP >= 5.6
     • Verifies peer by default on SSL/TLS connections
     • Support for x509 fingerprinting
     • Default ciphers updated (to Mozilla list), OPENSSL_DEFAULT_STREAM_CIPHERS
     • Compression enabled by default

  20. OpenSSL Updates
     • Set preferred cipher order
     • Get protocol and cipher on request
     • SSL context options for forward secrecy
     • SSL/TLS version selection
     • Generating, extracting and verifying public key challenges (SPKAC)

  21. OpenSSL: CA Path & File Override
     • openssl.capath, openssl.cafile
     • Per-case basis rather than global
     • Used with verify_peer

  22. Timing Safe Hash Comparison
     • PHP >= 5.6
     • === open to timing attack issues
     • hash_equals
     if (hash_equals($hash1, $hash2) === true) {
         echo 'Party on Wayne!';
     }

  23. Deprecation of /e Regex Modifier
     • PHP >= 5.5
     • /e modifier allowed for eval
     • PHP automatically called eval on match string
     • Deprecated in 5.5.0 and removed in PHP 7.0
     PHP Deprecated: preg_replace(): The /e modifier is
     deprecated, use preg_replace_callback instead

  24. Strict Session Handling
     • PHP >= 5.5
     • session.use_strict_mode
     • Prevents uninitialized sessions (IDs)
     • New session is started regardless of what's sent in cookies
     • Prevents session fixation

  25. THE FUTURE (PHP 7)

  26. Scalar Type Hinting
     • Function-level type hints
     • array, callable and class/interface
     • now includes bool, int, float and string
     declare(strict_types=1);
     function foo(\App\UserInterface $user, int $accountId)
     {
         /* awesome code goes here */
     }

  27. Return Types
     • Enforces correct return types
     • Throws TypeError if invalid (on strict)
     • Unless strict is enabled, types are coerced
     // coerced
     function sum($a, $b): float {
         return $a + $b;
     }

     declare(strict_types=1);
     function sum($a, $b): int {
         return $a + $b;
     }

  28. Native CSPRNG
     • Natively implemented in the language
     • Replaces external tools & libraries
     • Replaces poor practices: rand() or mt_rand()
     • random_bytes and random_int
     • Sources:
       • CryptGenRandom (Windows)
       • arc4random_buf (BSDish)
       • /dev/arandom or /dev/urandom

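Slides 22 and 28 introduce hash_equals and the PHP 7 CSPRNG separately; this added example (not from the talk) puts them together in the place both are usually needed, a CSRF token that is generated with random_bytes and checked with hash_equals. $store is a constructed stand-in for $_SESSION so the script runs from the CLI, and the one-time code function is an assumed extra use of random_int.

```php
<?php
// Added example (not from the slides): CSRF tokens built on the PHP 7
// CSPRNG (random_bytes) and checked with the constant-time hash_equals
// added in PHP 5.6. $store stands in for $_SESSION so this runs on the CLI.
declare(strict_types=1);

function issueCsrfToken(array &$store): string
{
    // 32 bytes from the OS CSPRNG; hex-encoded so it is safe in an HTML attribute.
    $token = bin2hex(random_bytes(32));
    $store['csrf_token'] = $token;
    return $token;
}

function verifyCsrfToken(array $store, $submitted): bool
{
    // hash_equals expects two strings; reject anything else up front instead
    // of letting a malformed request turn into a warning.
    if (!isset($store['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    // hash_equals takes the same time wherever the strings differ; a plain ===
    // returns as soon as the first mismatching byte is found.
    return hash_equals($store['csrf_token'], $submitted);
}

function oneTimeCode(): string
{
    // random_int draws from the CSPRNG without modulo bias, unlike rand()/mt_rand().
    return str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
}

$session  = [];
$token    = issueCsrfToken($session);
// Constructed bad inputs: a token with its last hex digit changed, and a non-string.
$tampered = substr($token, 0, -1) . ($token[63] === 'a' ? 'b' : 'a');

echo verifyCsrfToken($session, $token)    ? "token accepted\n" : "token rejected\n";
echo verifyCsrfToken($session, $tampered) ? "token accepted\n" : "token rejected\n";
echo verifyCsrfToken($session, ['x'])     ? "token accepted\n" : "token rejected\n";
echo "one-time code: ", oneTimeCode(), "\n";
```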
  29. Uniform Variable Syntax
     • Leads to fewer errors in variable interpretation
     • Support for:
       • nested double-colon, parentheses
       • operations on (…) expressions
     Expression            | PHP 5 interpretation   | PHP 7 interpretation
     $$foo['bar']['baz']   | ${$foo['bar']['baz']}  | ($$foo)['bar']['baz']
     $foo->$bar['baz']     | $foo->{$bar['baz']}    | ($foo->$bar)['baz']
     $foo->$bar['baz']()   | $foo->{$bar['baz']}()  | ($foo->$bar)['baz']()
     Foo::$bar['baz']()    | Foo::{$bar['baz']}()   | (Foo::$bar)['baz']()

  30. Unicode Escape Syntax
     • Use Unicode in normal strings
     • supported through \u escape character
     • better Unicode handling in normal strings
     $heart = "a \u{1F49A}";
     echo $heart.' - '.strlen($heart);
     a 💚 - 6

  31. Engine Exceptions
     • Fatal errors previously terminated execution, a.k.a. the White Page of Death
     • Error (formerly EngineException) replaces Fatal
     • Now catchable
     • Includes TypeError, ParseError and AssertionError

  32. Filtered Unserialize
     • Problem: destructor called in unserialized objects
     • allowed_classes option, defaults true (BC)
     • __PHP_Incomplete_Class
     unserialize($data, ["allowed_classes" => true]);
     unserialize($data, ["allowed_classes" => false]);
     unserialize($data, ["allowed_classes" => ['UserClass']]);

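To see what the allowed_classes option changes, here is an added example (not from the talk) that deserializes the same constructed payload with and without an allow-list; Report, its destructor and the file path are hypothetical and exist only for the demonstration.

```php
<?php
// Added example (not from the slides): PHP 7 unserialize() with the
// allowed_classes option. Report, its destructor and the serialized
// string are constructed for the demonstration.
declare(strict_types=1);

class Report
{
    public $path = '/tmp/report.txt';  // hypothetical path

    public function __destruct()
    {
        // A real destructor might write to or delete $this->path; that side
        // effect is what untrusted serialized data would otherwise be able to trigger.
        echo "Report::__destruct ran for {$this->path}\n";
    }
}

// Restore an object from untrusted input, instantiating only allow-listed classes.
function restoreUntrusted(string $blob, array $allowed)
{
    // An empty allow-list is passed as false: accept no classes at all.
    $classes = $allowed === [] ? false : $allowed;
    return unserialize($blob, ['allowed_classes' => $classes]);
}

// Constructed payload in PHP's serialization format, as it might arrive in a cookie.
$blob = 'O:6:"Report":1:{s:4:"path";s:15:"/tmp/report.txt";}';

// Nothing allowed: the data survives as a __PHP_Incomplete_Class, so no Report
// is instantiated and Report::__destruct never runs for it.
$blocked = restoreUntrusted($blob, []);
echo get_class($blocked), "\n";
echo $blocked instanceof __PHP_Incomplete_Class ? "class blocked\n" : "class instantiated\n";

// Explicit allow-list: Report is restored as a live object, and its destructor
// runs when the script ends.
$live = restoreUntrusted($blob, ['Report']);
echo get_class($live), "\n";
```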
  33. …AND SO

  34. WHY IS THIS IMPORTANT?

  36. "As investment and innovation in open source security increases, open source has the potential to become safer and more secure than ever before, making it more desirable for companies that are concerned about today's changing threat landscape."
     Sara Purdon, Protecode

  37. Thanks!
     @enygma
     Questions?