
PHP Security, Redefined

Chris Cornutt
September 25, 2015


Let’s be honest, PHP has had a rocky history with security. Over the years the language has been heavily criticized for its lack of focus on security and secure development practices. In more recent years, however, a resurgence has happened in the language and community, bringing secure development back into focus. With PHP 7 on the horizon, the language is making even more strides to improve some of its wayward ways of the past and reinvent itself. I’ll share practical code examples, tools, libraries and best practices that are making it easier than ever to keep PHP applications safe.

Come along with me as I guide you through both the language improvements and community encouragement making PHP a more secure place.




  1. Chris Cornutt
     • PHP developer for 15+ years
     • Focus on appsec for 5+ years
     • Application Security Engineer @ Pardot (Salesforce)
     • @enygma @securingphp
  2. PHP: The Language
     • Over 20 years since first inception
     • Used by over 80% of the web
     • Latest is PHP 5.6.x
     • PHP 7 coming late 2015
     • PHP 5.3 is still most widely installed, 5.4 is gaining
  3. PHP: The Language
     • Support schedule: http://php.net/supported-versions.php
     • PHP 5.4 no longer supported, 5.5 in security-only support and 5.6 in full support
  4. Scott Arciszewski, Ryan Mauger, Anthony Ferrara, Pádraic Brady, Elizabeth Smith, Ilia Alshanetsky, Beth Tucker Long, Michelangelo van Dam, Wim Godden
  5. Composer
     • The missing package manager for PHP (not PEAR)
     • Open Source project
     • Use has exploded
     • Packagist
     • One command (install/update)
     • No vetting of packages
  6. Frameworks
     • Major frameworks
     • Security advisories and updates
     • Paid audit of Symfony (v2)
     • Update to database of vulnerable components
  7. Drupal
     • Started 15 years ago
     • Used by major services and sites
     • Renewed security efforts
     • Dedicated security team: https://www.drupal.org/security-team
     • Security Advisories
     • Reviews of core and contributed components
  8. WordPress
     • About 14 years old
     • Used by 58% of sites that use CMSes
     • [email protected]
     • Security advisories and updates (core & contrib)
     • Over two thirds of issues are with plugins, not core
  9. Libraries & Tooling
     • ircmaxell/random-lib: A library for generating secure random numbers
     • padraic/SecurityMultiTool: A multitool library offering access to recommended security related libraries, standardized implementations of security defenses, and secure implementations of commonly performed tasks
     • respect/validation: The most awesome validation engine ever created for PHP
     • psecio/iniscan: A scanner to evaluate php.ini security
     • sensiolabs/security-checker: A security checker for your composer.lock
  10. Libraries & Tooling
     • defuse/php-encryption: Secure PHP encryption library, vetted by infosec community members
     • twigphp/Twig: The flexible, fast, and secure template language for PHP
  11. Native Password Hashing
     • Available in PHP >= 5.5
     • User-friendly crypt() with safer defaults
     • Bcrypt by default, cost of 10
     • password_hash, password_verify, password_needs_rehash
  12. Native Password Hashing

     <?php
     // old way, prone to flaws because users
     $pwdCrypt = crypt($input, '$2y$10$' . $salt);

     // to hash the password
     $hashed = password_hash($input, PASSWORD_DEFAULT);

     // to verify the password
     if (password_verify($inputPassword, $hashedPassword)) {
         echo 'Valid password!';
     }

     // password_needs_rehash
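The slide only names password_needs_rehash; the following is an added example (not the speaker's code) showing where it fits: a login routine that verifies the stored hash and transparently upgrades hashes created at a lower cost. The user store is a constructed in-memory array, and the cost value of 12 is an assumption for illustration.

```php
<?php
declare(strict_types=1);

// Constructed example: an array stands in for the users table.
// Cost 12 is a hypothetical site policy, raised above the default of 10.
const PASSWORD_COST = 12;

function registerUser(array &$users, string $username, string $password): void
{
    // password_hash chooses a random salt and encodes algorithm, cost and salt into the hash
    $users[$username] = password_hash($password, PASSWORD_DEFAULT, ['cost' => PASSWORD_COST]);
}

function loginUser(array &$users, string $username, string $password): bool
{
    // Verify against a throwaway hash when the username is unknown, so the
    // response time does not reveal which usernames exist.
    $hash = $users[$username] ?? password_hash('unknown-user', PASSWORD_DEFAULT, ['cost' => PASSWORD_COST]);

    if (!password_verify($password, $hash)) {
        return false;
    }

    // The plaintext is available only at login time, so this is the moment to
    // re-hash anything stored with an older algorithm or a lower cost.
    if (isset($users[$username])
        && password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => PASSWORD_COST])) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, ['cost' => PASSWORD_COST]);
    }

    return true;
}

$users = [];
// A hash stored earlier at the default cost of 10 (constructed for the example)
$users['alice'] = password_hash('correct horse battery staple', PASSWORD_DEFAULT, ['cost' => 10]);

var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
// After a successful login the stored hash carries the new cost
var_dump(password_get_info($users['alice'])['options']['cost']);
```

The first login attempt fails, the second succeeds and leaves alice's hash rehashed at the higher cost, which is what the final password_get_info() call reports. Computing the dummy hash on every unknown-username login costs one bcrypt operation, which is the point: it keeps the timing of unknown and known usernames comparable.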
  13. Crypt() Errors with No Salt
     • PHP >= 5.6
     • Previously allowed no salt (d’oh)
     • Now throws E_NOTICE

     PHP Notice: crypt(): No salt parameter was specified. You must use a randomly generated salt and a strong hash function to produce a secure hash.
  14. OpenSSL Updates
     • PHP >= 5.6
     • Verifies peer by default on SSL/TLS connections
     • Support for x509 fingerprinting
     • Default ciphers updated (to Mozilla list), OPENSSL_DEFAULT_STREAM_CIPHERS
     • Compression enabled by default
  15. OpenSSL Updates
     • Set preferred cipher order
     • Get protocol and cipher on request
     • SSL context options for forward secrecy
     • SSL/TLS version selection
     • Generating, extracting and verifying public key challenges (SPKAC)
  16. OpenSSL: CA Path & File Override
     • openssl.capath, openssl.cafile
     • Per-case basis rather than global
     • used with verify_peer
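As an added example (not from the slides), here is what the three OpenSSL slides look like in one stream context: peer verification left on, a per-connection CA bundle instead of the global openssl.cafile setting, an explicit cipher list, TLS compression disabled, and the peer certificate captured so its fingerprint can be checked or logged. The URL and the CA bundle path are placeholders.

```php
<?php
declare(strict_types=1);

// Placeholder values, not from the talk
$url      = 'https://example.com/api/status';
$caBundle = '/etc/ssl/certs/example-ca-bundle.crt';

$context = stream_context_create([
    'ssl' => [
        // Default since PHP 5.6, stated explicitly so a future ini change cannot weaken it
        'verify_peer'         => true,
        'verify_peer_name'    => true,
        'allow_self_signed'   => false,
        // Per-connection CA override; replaces the global openssl.cafile for this request
        'cafile'              => $caBundle,
        // Cipher preference in OpenSSL format
        'ciphers'             => 'HIGH:!aNULL:!MD5:!RC4',
        // Keep TLS compression off regardless of the build default
        'disable_compression' => true,
        // Make the peer certificate available after the handshake
        'capture_peer_cert'   => true,
    ],
]);

$body = file_get_contents($url, false, $context);
if ($body === false) {
    // A failed chain or hostname check surfaces here; never retry over plain HTTP
    throw new RuntimeException('TLS verification failed for ' . $url);
}

// Read back the certificate the context captured and compute its x509 fingerprint
$params = stream_context_get_params($context);
$peerCert = $params['options']['ssl']['peer_certificate'];
$info = openssl_x509_parse($peerCert);

printf("subject CN: %s\n", $info['subject']['CN']);
printf("issuer CN:  %s\n", $info['issuer']['CN']);
printf("sha256:     %s\n", openssl_x509_fingerprint($peerCert, 'sha256'));
```

A fingerprint obtained this way can be fed back into the context as the peer_fingerprint option when pinning to a single certificate is wanted; the example stops at printing it so that it runs against any host.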
  17. Timing Safe Hash Comparison
     • PHP >= 5.6
     • === open to timing attack issues
     • hash_equals

     if (hash_equals($hash1, $hash2) === true) {
         echo 'Party on Wayne!';
     }
  18. Deprecation of /e Regex Modifier
     • PHP >= 5.5
     • /e modifier allowed for eval
     • PHP automatically called eval on match string
     • Deprecated in 5.5.0 and removed in PHP 7.0

     PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
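The deprecation notice points at preg_replace_callback; the following added example (not the speaker's code) shows the replacement pattern for the common "templating" use of /e. The placeholder syntax and the variable names are constructed for the example.

```php
<?php
declare(strict_types=1);

// Under the old /e modifier a call like
//   preg_replace('/\{(\w+)\}/e', 'lookup("$1")', $template);
// handed the replacement string to eval(), so any text reaching the pattern became code.
// The callback form below produces the same result without evaluating a string.

function renderTemplate(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{(\w+)\}/',
        function (array $match) use ($vars): string {
            // $match[1] is the placeholder name; unknown names are left in place
            if (!array_key_exists($match[1], $vars)) {
                return $match[0];
            }
            // Values are data: escape them for the HTML context they are rendered into
            return htmlspecialchars((string) $vars[$match[1]], ENT_QUOTES, 'UTF-8');
        },
        $template
    );
}

// Constructed input: the value is rendered as text, never executed
$vars = ['greeting' => 'Hello', 'name' => '<b>Chris</b>'];
echo renderTemplate('{greeting}, {name}! {missing}', $vars), PHP_EOL;
```

The callback receives the match array and returns the replacement as a plain string, so the worst a hostile placeholder value can do is appear, escaped, in the output.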
  19. Strict Session Handling
     • PHP >= 5.5
     • session.use_strict_mode
     • Prevents uninitialized sessions (IDs)
     • New session is started regardless of what’s sent in cookies
     • Prevents session fixation
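Strict mode on its own rejects IDs the server never issued; pairing it with ID regeneration at login closes the remaining fixation window. The following is an added example, not the speaker's code; the cookie flags beyond use_strict_mode and the assumption that the site is served over HTTPS are mine.

```php
<?php
declare(strict_types=1);

// All of these must be set before session_start(). Only use_strict_mode is from the slide;
// the other flags are added hardening assumed for an HTTPS-only site.
ini_set('session.use_strict_mode', '1');   // reject session IDs not generated by PHP
ini_set('session.use_only_cookies', '1');  // never accept an ID from the URL
ini_set('session.cookie_httponly', '1');   // keep the cookie away from script access
ini_set('session.cookie_secure', '1');     // send the cookie over TLS only

session_start();

function loginSession(string $userId): void
{
    // Replace whatever ID the client presented and delete the old session file,
    // so an ID planted before login is worthless afterwards
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

function logoutSession(): void
{
    $_SESSION = [];
    // Expire the cookie with the same parameters it was issued with
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Constructed flow: an unauthenticated visitor logs in, then out
echo 'before login: ', session_id(), PHP_EOL;
loginSession('user-42');
echo 'after login:  ', session_id(), PHP_EOL;
logoutSession();
```

Running this twice shows the visible effect: the ID printed after login never matches the one before it, and with strict mode on, presenting a made-up ID in the cookie simply results in a fresh one being issued.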
  20. Scalar Type Hinting
     • Function-level type hints
     • array, callable and class/interface
     • now includes bool, int, float and string

     declare(strict_types=1);

     function foo(\App\UserInterface $user, int $accountId) {
         /* awesome code goes here */
     }
  21. Return Types
     • Enforces correct return types
     • Throws TypeError if invalid (on strict)
     • Unless strict is enabled, types are coerced

     // coerced
     function sum($a, $b): float {
         return $a + $b;
     }

     declare(strict_types=1);

     function sum($a, $b): int {
         return $a + $b;
     }
  22. Native CSPRNG
     • Natively implemented in the language
     • Replaces external tools & libraries
     • Replaces poor practices: rand() or mt_rand()
     • random_bytes and random_int
     • Sources:
       • CryptGenRandom (Windows)
       • arc4random_buf (BSDish)
       • /dev/arandom or /dev/urandom
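Slides 17 and 22 meet in one everyday task: a CSRF token has to be generated from the CSPRNG and then compared in constant time. This added example (not the speaker's code) does both; the session is a constructed array standing in for $_SESSION, and the one-time-code helper is an extra illustration of random_int.

```php
<?php
declare(strict_types=1);

// Issue (or reuse) a per-session CSRF token drawn from random_bytes, never rand()/mt_rand()
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits of entropy, hex encoded
    }
    return $session['csrf_token'];
}

// Validate a submitted token. === stops at the first differing byte, which leaks how
// many leading bytes matched; hash_equals compares the full length every time.
function csrfValid(array $session, string $submitted = null): bool
{
    if (!isset($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// random_int gives a uniformly distributed integer, here a zero-padded numeric code
function oneTimeCode(int $digits = 6): string
{
    $max = (10 ** $digits) - 1;
    return str_pad((string) random_int(0, $max), $digits, '0', STR_PAD_LEFT);
}

// Constructed session array instead of the real $_SESSION
$session = [];
$token = csrfToken($session);

var_dump(csrfValid($session, $token));                       // genuine form submission
var_dump(csrfValid($session, substr($token, 0, -1) . '0'));  // token tampered with
var_dump(csrfValid($session, null));                         // field missing from the request
echo oneTimeCode(), PHP_EOL;
```

Both arguments to hash_equals must be strings; passing the user-supplied value through a string parameter, as above, prevents the warning and false result that an array or null would produce.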
  23. Uniform Variable Syntax
     • Leads to fewer errors in variable interpretation
     • Support for:
       • nested double-colon, parentheses
       • operations on (…) expressions

     Expression              Previous interpretation     PHP 7 interpretation
     $$foo['bar']['baz']     ${$foo['bar']['baz']}       ($$foo)['bar']['baz']
     $foo->$bar['baz']       $foo->{$bar['baz']}         ($foo->$bar)['baz']
     $foo->$bar['baz']()     $foo->{$bar['baz']}()       ($foo->$bar)['baz']()
     Foo::$bar['baz']()      Foo::{$bar['baz']}()        (Foo::$bar)['baz']()
  24. Unicode Escape Syntax
     • Use Unicode in normal strings
     • supported through \u escape character
     • better Unicode handling in normal strings

     $heart = "a \u{1F49A}";
     echo $heart . ' - ' . strlen($heart);

     a 💚 - 6
  25. Engine Exceptions
     • Fatal errors previously terminated execution, a.k.a. The White Page of Death
     • Error (formerly EngineException) replaces Fatal
     • Now catchable
     • Includes TypeError, ParseError and AssertionError
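Slides 20, 21 and 25 combine naturally: with strict_types on, untrusted input that is still a string cannot slip into an int or float parameter, and the resulting TypeError, like any other Error, can now be caught and logged rather than ending in a blank page. The following is an added example, not the speaker's code; the function, its inputs and the undefined function call are constructed.

```php
<?php
declare(strict_types=1);

function transferAmount(int $accountId, float $amount): string
{
    if ($amount <= 0) {
        throw new InvalidArgumentException('Amount must be positive');
    }
    return sprintf('Account %d debited %.2f', $accountId, $amount);
}

// Request parameters always arrive as strings (constructed here)
$input = ['account' => '42', 'amount' => '19.99'];

try {
    // In strict mode this is a TypeError, not a silent string-to-int cast
    echo transferAmount($input['account'], $input['amount']), PHP_EOL;
} catch (TypeError $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// Validate and convert explicitly before crossing the typed boundary
$accountId = filter_var($input['account'], FILTER_VALIDATE_INT);
$amount    = filter_var($input['amount'], FILTER_VALIDATE_FLOAT);
if ($accountId === false || $amount === false) {
    exit('Invalid input' . PHP_EOL);
}
echo transferAmount($accountId, $amount), PHP_EOL;

// What used to be a fatal error is now an Error instance that can be handled
try {
    undefinedFunction();
} catch (Error $e) {
    // Log the engine error and keep serving; the user sees a proper error page instead of nothing
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}
```

Note that Error and Exception are separate hierarchies; a catch block written for Exception will not see a TypeError, so wrappers that exist to prevent the white page need to catch Throwable (or Error explicitly) in PHP 7.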
  26. Filtered Unserialize
     • Problem: destructor called in unserialized objects
     • allowed_classes option, defaults true (BC)
     • __PHP_Incomplete_Class

     unserialize($data, ["allowed_classes" => true]);
     unserialize($data, ["allowed_classes" => false]);
     unserialize($data, ["allowed_classes" => ['UserClass']]);
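The three calls on the slide show the option; this added example (not the speaker's code) shows the defensive pattern around it: restore one known class from an untrusted string, and treat everything else, including the __PHP_Incomplete_Class that an unexpected class name becomes, as "use defaults". The class and both payloads are constructed for the example.

```php
<?php
declare(strict_types=1);

class UserPreferences
{
    public $theme = 'light';
    public $itemsPerPage = 20;
}

// Restore preferences from an untrusted string (cookie, cache entry, queue message).
// Only UserPreferences may be instantiated; any other class named in the payload is
// materialised as __PHP_Incomplete_Class, whose destructor and magic methods never run.
function restorePreferences(string $serialized): UserPreferences
{
    $value = @unserialize($serialized, ['allowed_classes' => [UserPreferences::class]]);

    // Covers false (malformed input), scalars, arrays and __PHP_Incomplete_Class alike
    if (!$value instanceof UserPreferences) {
        return new UserPreferences();
    }
    return $value;
}

// Constructed inputs: a legitimate payload and one naming a class the code never expects
$legit   = serialize(new UserPreferences());
$foreign = 'O:14:"SomeOtherClass":1:{s:4:"data";s:3:"foo";}';

var_dump(restorePreferences($legit)->theme);
var_dump(restorePreferences($foreign)->theme);

// With allowed_classes => false no object is ever built, whatever the payload names
var_dump(get_class(@unserialize($foreign, ['allowed_classes' => false])));
```

The instanceof check is what makes the whitelist effective in practice: __PHP_Incomplete_Class is still an object, so code that only tests is_object() would carry the foreign data forward. Where the data does not need to be a PHP object at all, json_decode() avoids the question entirely.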
  28. “As investment and innovation in open source security increases, open source has the potential to become safer and more secure than ever before, making it more desirable for companies that are concerned about today’s changing threat landscape.”
     Sara Purdon, Protecode