$30 off During Our Annual Pro Sale. View Details »

PHP Security, Redfined

Chris Cornutt
September 25, 2015
Technology
0
230

PHP Security, Redfined

Let’s be honest, PHP has had a rocky history with security. Over the years the language has been highly criticized for it’s lack of a focus on security and secure development practices. In more recent years, however, a resurgence has happened in the language and community, bringing secure development back into focus. With PHP 7 on the horizon, the language is making even more strides to improve some of its wayward ways of the past and reinvent itself. I’ll share practical code examples, tools, libraries and best practices that are making it easier than ever to keep PHP applications safe.

Come along with me as I guide you through both the language improvements and community encouragement making PHP a more secure place.

Chris Cornutt

September 25, 2015
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
ccornutt
0
90
Pentesting for Developers
ccornutt
0
98
Securing Legacy Applications - Longhorn PHP 2018
ccornutt
1
150
Pieces of Auth
ccornutt
0
290
Securing Legacy Applications
ccornutt
0
310
Build Security In
ccornutt
0
160
Introduction to Slim 3
ccornutt
0
140
Securing Legacy Applications
ccornutt
0
32
PHP Security Bootcamp
ccornutt
2
210

Other Decks in Technology

See All in Technology
EventStormingとRDRA2.0で大規模レガシーシステムのフルリニューアルPJに挑む
leveragestech
0
1.4k
AWS re:Invent 2023に参加してきた ~Amazon Inspectorのアップデートを添えて~ / AWS re:Invent 2023 Participation Bulletin with Amazon Inspector Updates
yuj1osm
0
250
【Microsoft社員が振り返る】Microsoft Ignite
yutoy
1
540
Japan.R2023_いろんな可視化ツールあるけどggplotて何がいいの?- 複数ツールで比較してみた!-
wakamatsu_takumu
1
550
Go Getでのchecksum不一致に遭遇した話とその対応
replu
0
280
Bedrock & Amazon Q のアプデ、結局これって○○でいう××のこと?? 生成AIトレンドを俯瞰しながら解説!
minorun365
PRO
0
130
ECサイト向け決済機能の開発で学んだ外部決済サービスの活用ポイント
k1style
1
200
Notionへのデータ移行を成功させる5つのポイント - NIFTY Tech Day 2023
niftycorp
0
130
Azure OpenAI Serviceの採用と挑戦 - Azure AI Hub meetup #1
cimadai
1
300
生成AIでシステム開発はどう変わるか
etaroid
18
7.7k
AutoGenで作るLLM Agen
peisuke
1
350
SRE推進における失敗と成功 〜く"し"け"な"い"〜 - NIFTY Tech Day 2023
niftycorp
0
120

Featured

See All Featured
Designing Experiences People Love
moore
133
23k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
1
290
Optimising Largest Contentful Paint
csswizardry
6
2k
The Cult of Friendly URLs
andyhume
71
5.4k
Intergalactic Javascript Robots from Outer Space
tanoku
264
26k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
Producing Creativity
orderedlist
PRO
335
38k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
The Power of CSS Pseudo Elements
geoffreycrofte
56
4.7k
Atom: Resistance is Futile
akmur
257
24k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
16
1.5k
How To Stay Up To Date on Web Technology
chriscoyier
780
250k

Transcript

  1. PHP  Security,  Redefined
    Chris  Cornutt  -­‐  AppSec  USA  2015

    View Slide

  2. 2
    Chris  Cornutt
    PHP  developer  for  15+  years
    Focus  on  appsec  for  5+  years
    Application  Security  Engineer    
    @  Pardot  (Salesforce)
    @enygma  
    @securingphp

    View Slide

  3. A  BIT  OF  HISTORY

    View Slide

  4. PHP:  The  Language
    • Over  20  years  since  first  
    inception  
    • Used  by  over  80%  of  the  
    web  
    • Latest  is  PHP  5.6.x  
    • PHP  7  coming  late  2015  
    • PHP  5.3  is  still  most  
    widely  installed,  5.4  is  
    gaining
    4

    View Slide

  5. PHP:  The  Language
    • Support  schedule
    5
    http://php.net/supported-­‐versions.php
    PHP  5.4  no  longer  supported,  5.5  in  security  only  support  &  5.6  in  full  support

    View Slide

  6. COMMUNITY  LEADERS

    View Slide

  7. 7
    Scott  Arciszewski Ryan  Mauger Anthony  Ferrara Pádraic  Brady
    Elizabeth  Smith Ilia  Alshanetsky Beth  Tucker  Long Michelangelo  
           van  Dam
    Wim  Godden

    View Slide

  8. LIBRARIES  &  TOOLING

    View Slide

  9. Composer
    • The  missing  package  
    manager  for  PHP  (not  
    PEAR)  
    • Open  Source  project  
    • Use  has  exploded  
    • Packagist  
    • One  command  (install/
    update)  
    • No  vetting  of  packages
    9

    View Slide

  10. Frameworks
    • Major  frameworks  
    • Security  advisories  and  
    updates  
    • Paid  audit  of  Symfony  
    (v2)  
    • Update  to  database  of  
    vulnerable  components
    10

    View Slide

  11. Drupal
    • Started  15  years  ago  
    • Used  by  major  services  
    and  sites  
    • Renewed  security  efforts  
    • Dedicated  security  team  
    • Security  Advisories  
    • Reviews  of  core  and  
    contributed  components
    11
    https://www.drupal.org/security-­‐team

    View Slide

  12. WordPress
    • About  14  years  old  
    • Used  by  58%  of  sites  that  
    use  CMSes  
    [email protected]  
    • Security  advisories  and  
    updates  (core  &  contrib)  
    • Over  two  thirds  of  issues  
    are  with  plugins,  not  core
    12

    View Slide

  13. Libraries  &  Tooling
    ircmaxell/random-­‐lib  
    A  Library  For  Generating  Secure  Random  Numbers  
    padraic/SecurityMultiTool  
    A  multitool  library  offering  access  to  recommended  security  related  libraries,  standardized  
    implementations  of  security  defenses,  and  secure  implementations  of  commonly  performed  
    tasks.  
    respect/validation  
    The  most  awesome  validation  engine  ever  created  for  PHP  
    psecio/iniscan  
    A  scanner  to  evaluate  php.ini  security  
    sensiolabs/security-­‐checker  
    A  security  checker  for  your  composer.lock
    13

    View Slide

  14. Libraries  &  Tooling
    defuse/php-­‐encryption  
    Secure  PHP  Encryption  Library,  vetted  by  infosec  community  members  
    twigphp/Twig  
    The  flexible,  fast,  and  secure  template  language  for  PHP  
    14

    View Slide

  15. THE  CURRENT

    View Slide

  16. Native  Password  Hashing
    • Available  in  PHP  >=  5.5  
    • User-­‐friendly  crypt()  with  safer  defaults  
    • Bcrypt  by  default,  cost  of  10  
    • password_hash,  password_verify,  
    password_needs_rehash
    16

    View Slide

  17. Native  Password  Hashing
    17
    // old way, prone to flaws because users
    $pwdCrypt = crypt($input, '$2y$10$'.$salt);
    // to hash the password
    $hashed = password_hash($input, PASSWORD_DEFAULT);
    // to verify the password
    if (password_verify($inputPassword, $hashedPassword) {
    echo ‘Valid password!’
    }
    // password_needs_rehash

    View Slide

  18. Crypt()  Errors  with  No  Salt
    • PHP  >=  5.6  
    • Previously  allowed  no  salt  (d’oh)  
    • Now  throws  E_NOTICE
    18
    PHP Notice: crypt(): No salt parameter was specified. You
    must use a randomly generated salt and a strong hash
    function to produce a secure hash.

    View Slide

  19. OpenSSL  Updates
    • PHP  >=  5.6  
    • Verifies  peer  by  default  on  SSL/TLS  connections  
    • Support  for  x509  fingerprinting  
    • Default  ciphers  updated  (to  Mozilla  list),  
    OPENSSL_DEFAULT_STREAM_CIPHERS  
    • Compression  enabled  by  default
    19

    View Slide

  20. OpenSSL  Updates
    • Set  preferred  cipher  order  
    • Get  protocol  and  cipher  on  request  
    • SSL  context  options  for  forward  secrecy  
    • SSL/TLS  version  selection  
    • Generating,  extracting  verifying  public  key/
    challenges  (SPKAC)
    20

    View Slide

  21. OpenSSL:  CA  Path  &  File  Override
    • openssl.capath, openssl.cafile
    • Per-­‐case  basis  rather  than  global  
    • used  with  verify_peer
    21

    View Slide

  22. Timing  Safe  Hash  Comparison
    • PHP  >=  5.6  
    • ===  open  to  timing  attack  issues  
    • hash_equals
    22
    if (hash_equals($hash1, $hash2) === true) {
    echo ‘Party on Wayne!’;
    }

    View Slide

  23. Deprecation  of  /e  Regex  Modifier
    • PHP  >=  5.5  
    • /e  modifier  allowed  for  eval  
    • PHP  automatically  called  eval  on  match  string  
    • Deprecated  in  5.5.0  and  removed  in  PHP  7.0
    23
    PHP Deprecated: preg_replace(): The /e modifier is
    deprecated, use preg_replace_callback instead

    View Slide

  24. Strict  Session  Handling
    • PHP  >=  5.5  
    • session.use_strict_mode
    • Prevents  uninitialized  sessions  (IDs)  
    • New  session  is  started  regardless  of  what’s  
    sent  in  cookies  
    • Prevents  session  fixation
    24

    View Slide

  25. THE  FUTURE  (PHP  7)

    View Slide

  26. Scalar  Type  Hinting
    • Function-­‐level  type  hints  
    • array, callable and  class/interface  
    • now  includes  bool, int, float  and  
    string
    26
    declare(strict_types=1);
    function foo(\App\UserInterface $user, int $accountId)
    {
    /* awesome code goes here */
    }

    View Slide

  27. Return  Types
    • Enforces  correct  return  types  
    • Throws  TypeError  if  invalid  (on  strict)  
    • Unless  strict  is  enabled,  types  are  coerced
    27
    // coerced
    function sum($a, $b): float {
    return $a + $b;
    }
    declare(strict_types=1);
    function sum($a, $b): int {
    return $a + $b;
    }

    View Slide

  28. Native  CSPRNG
    • Natively  implemented  in  the  language  
    • Replaces  external  tools  &  libraries  
    • Replaces  poor  practices:  rand()  or  mt_rand()  
    • random_bytes  and  random_int  
    • Sources:  
    • CryptGenRandom  (Windows)  
    • arc4random_buf  (BSDish)  
    • /dev/arandom  or  /dev/urandom
    28

    View Slide

  29. Uniform  Variable  Syntax
    • Leads  to  less  errors  in  variable  interpretation  
    • Support  for:  
    • nested  double-­‐colon,  parentheses  
    • operations  on  (…)  expressions
    29
    $$foo['bar']['baz'] ${$foo['bar']['baz']} ($$foo)['bar']['baz']
    $foo->$bar['baz'] $foo->{$bar['baz']} ($foo->$bar)['baz']
    $foo->$bar['baz']() $foo->{$bar['baz']}() ($foo->$bar)['baz']()
    Foo::$bar['baz']() Foo::{$bar['baz']}() (Foo::$bar)['baz']()

    View Slide

  30. Unicode  Escape  Syntax
    • Use  Unicode  in  normal  strings  
    • supported  through  \u  escape  character  
    • better  Unicode  handling  in  normal  strings
    30
    $heart = "a \u{1F49A}";
    echo $heart.’ - ‘.strlen($heart);
    a - 6

    View Slide

  31. Engine  Exceptions
    • Fatal  errors  previously  terminated  execution  
    a.k.a  The  White  Page  of  Death  
    • Error  (formerly  EngineException)  replaces  
    Fatal  
    • Now  catchable  
    • Includes  TypeError, ParseError  and  
    AssertionError
    31

    View Slide

  32. Filtered  Unserialize
    • Problem:  destructor  called  in  unserialized  
    objects  
    • allowed_classes  option,  defaults  true  (BC)  
    • __PHP_Incomplete_Class
    32
    unserialize($data, ["allowed_classes" => true]);
    unserialize($data, ["allowed_classes" => false]);
    unserialize($data, ["allowed_classes" => [‘UserClass’] ]);

    View Slide

  33. …AND  SO

    View Slide

  34. 34
    WHY  IS  THIS  IMPORTANT?

    View Slide

  35. 35

    View Slide

  36. 36
    “As  investment  and  innovation  in  open  source  security  
    increases,  open  source  has  the  potential  to  become  
    safer  and  more  secure  than  ever  before,  making  it  more  
    desirable  for  companies  that  are  concerned  about  
    today’s  changing  threat  landscape.”  
    Sara  Purdon,  Protecode

    View Slide

  37. 37
    Thanks!
    @enygma
    Questions?

    View Slide