Writing Secure PHP Applications

Writing
Secure
PHP
Applications
Chris Cornutt
Confoo 2013
@enygma
Wednesday, February 27, 2013

View Slide

Secure development is
broken.
Let’s ﬁx that...

View Slide

SQL injection is
ten years old.
XSS is
eleven years old.
why are they still a
problem?

View Slide

Conﬁdentiality Integrity
Availability

View Slide

We need to ﬁx
[insert exploit name here]

View Slide

WRONG

View Slide

Build security in from the start

View Slide

Security
Standards

View Slide

Security
Standards
Security
Testing

View Slide

Security
Standards
Security
Testing
Threat
Modeling

View Slide

Security
Standards
Security
Testing
Threat
Modeling
Secure
Architecture

View Slide

Security 101

View Slide

Defense in Depth

View Slide

Reduce Attack Surface

View Slide

Effective Auditing & Logging

View Slide

Simple > Complex

View Slide

Obscurity !== Security

View Slide

And now, the speciﬁcs...

View Slide

Input validation
/* Using built-in */
is_numeric(‘1234’); // true
ctype_digit(‘1234’); // false
filter_var(‘invalid.email.com’, FILTER_VALID_EMAIL); // false
/* Using 3rd party */
use Respect\Validation\Validator as v;
$validator = v::alnum->noWhitespace->length(1,15);
var_dump($validator->validate(‘thisisatest’); // true
?>
https://github.com/Respect/Validation

View Slide

Return fast
/* Bad practice */
function foo($bar)
{
if ($bar == true) {
/* Lots of code here... */
} else {
return false;
}
}
//-----------------------------------
/* Good practice */
function foo($bar)
{
if ($bar !== true) {
return false;
}
/* Lots of code here... */
}
?>

View Slide

Password hashing
/* in PHP 5.5+ */
$hash = password_hash($password, PASSWORD_BCRYPT, [‘cost’ =>
12]);
/* Prior to PHP 5.5+ */
$lib = new \PasswordLib\PasswordLib();
$hash = $lib->createPasswordHash($input);
\phpSec\Crypt\Hash::$_method = \phpSec\Crypt\Hash::BCRYPT;
$hash = \phpSec\Crypt\Hash::create($input);
$bcrypt = new \Zend\Crypt\Password\Bcrypt();
$hash = $bcrypt->create($input);
?>
https://github.com/icrmaxell/password_compat

View Slide

Encrypted sessions
/* Set custom session handler */
session_set_save_handler(
‘open’, ‘close’, ‘read’, ‘write’,
‘destroy’, ‘gc’
);
/* Using the handler interface */
class CustomSessionHandler extends SessionHandlerInterface
{
/* Code goes here */
}
$handler = new CustomSessionHandler();
session_set_save_handler($handler, true);
?>
https://github.com/enygma/shieldframework/blob/master/Shield/Session.php

View Slide

Least privilege
/* “Fail fast” for user handling */
function checkAccess($user, $resource)
{
if (!$user->allowed($resource) {
return false;
}
/* Other permission checking here */
}
/* “Fail least” for user handling */
function checkAccess($user, $resource)
{
if ($user == null) { return false; }
if ($resource == null) { return false; }
/* Other permission checking here */
}
?>

View Slide

Fail securely
/* Custom error handler */
set_error_handler(function($num, $str, $file, $line) {
echo ‘ERROR: [‘.$num.’] ‘.$str;
});
/* Custom exception handler */
set_exception_handler(function($exception) {
echo ‘Uncaught exception: ‘.$exception->getMessage();
});
?>

View Slide

Planning for the Future

View Slide

Developer Training

View Slide

Code Evaluation

View Slide

Secure Coding Standard

View Slide

Fixing secure development takes
more than just
knowing the problems.

View Slide

Thanks!
@enygma
http://websec.io
https://joind.in/7911

View Slide

Writing Secure PHP Applications

Writing Secure PHP Applications

Chris Cornutt

More Decks by Chris Cornutt

Other Decks in Technology

Featured

Transcript