Little Bobby Tables Isn't Welcome Here

PHP security workshop from php[tek] 2018.

Eric Mann

May 30, 2018

Transcript

  3. Little Bobby Tables Isn't Welcome Here
    php[tek] 2018 ∙ Eric Mann
  4. Today's Agenda
    • Introductions and Setup
    • OWASP
    • ASR 1 – Injection Exercise
    • ASR 2 – Broken Authentication Exercise
    • ASR 3 – Sensitive Data Exposure Exercise
    • ASR 4 – XML External Entities
  5. Today's Agenda
    • ASR 5 – Broken Access Control Exercise
    • ASR 6 – Security Misconfiguration
    • ASR 7 – Cross-site Scripting Exercise
    • ASR 8 – Insecure Deserialization
    • ASR 9 – Using Components with Known Vulnerabilities
    • ASR 10 – Insufficient Logging & Monitoring
    • Responsible Disclosure
  6. INTRODUCTIONS AND SETUP Getting Started

  7. Introduction
    • Who am I?
    • Who are you?
    • What are you hoping to learn this week?
    • Project overview
    • Project requirements
    • PHP, SQLite, (Docker, maybe)
  8. Setup
    • Clone the project repository
      git clone https://github.com/ericmann/bobby-tables.git php-owasp
    • Run the "smoke test" script in the repo to test your system
      cd php-owasp && php smoke.php
      cd php-owasp && ./dockphp smoke.php
  9. OWASP

  10. OWASP
    • Open Web Application Security Project
    • International non-profit, est. ~2001
    • Coordinates training, guidelines, development checklists
    • Polls and publishes "top ten" application security risks
    • Updated every ~3 years
    • Last published in late 2018
    • Results based on feedback and in-the-wild experiences surveyed from > 500 developers
    • Data spans info about > 100,000 real world applications
    • The OWASP Top Ten is not exhaustive!
  11. ASR 1 - Injection

  12. Injection

  13. Injection
    Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
    • Injected SQL
    • Injected CLI
  14. Injection
    • Run the demo application
      php -S localhost:8888 -t asr1-injection
    • Visit the query interface in a browser
      http://localhost:8888/query
    • Inject yourself as a speaker into the database
    • Now … fix the injection attack by parameterizing your statement
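The parameterization fix from the exercise above, as an added example that is not code from the bobby-tables repository. The schema, column names and the in-memory SQLite database are assumptions; the point is the difference between splicing the search term into the SQL text and binding it as data.

```php
<?php
declare(strict_types=1);

// Added example (not the workshop's own code): the speaker lookup from the
// asr1-injection exercise, first with the term interpolated into the SQL text,
// then with the term bound as a parameter. Schema is an assumption.
function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE speakers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO speakers (name) VALUES ('Eric Mann'), ('Alice Example')");
    return $db;
}

// Vulnerable: $term becomes part of the statement, so a quote inside it
// ends the string literal and the rest is parsed as SQL.
function findSpeakerVulnerable(PDO $db, string $term): array
{
    $sql = "SELECT name FROM speakers WHERE name = '$term'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the statement is compiled first; $term is supplied afterwards as a
// value and can never change the query's structure.
function findSpeakerSafe(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT name FROM speakers WHERE name = :name');
    $stmt->execute([':name' => $term]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = connect();
$input = "' OR '1'='1";   // constructed input: the classic tautology

// The interpolated query matches every row; the parameterized query looks
// for a speaker whose name is literally "' OR '1'='1" and finds none.
var_dump(findSpeakerVulnerable($db, $input));
var_dump(findSpeakerSafe($db, $input));
```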
  15. Injection
    • Run the same demo application
      php -S localhost:8888 -t asr1-injection
    • Visit the files interface in a browser and download my PDF
      http://localhost:8888/get/?file=evolution.pdf
    • Use the vulnerability to "liberate" your private SSH key
      curl http://localhost:8888/?file=;cat ~/.ssh/id_rsa
    • Now … fix the injection attack by sanitizing the filename
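One way to do the filename sanitization asked for in the last step, as an added example that is not the workshop's own code. It assumes a single fixed download directory (`$baseDir`) and a `.pdf`-only endpoint; the file is read with `readfile()` rather than handed to a shell, so there is no command line for a `;` to break out of.

```php
<?php
declare(strict_types=1);

// Added example (not the workshop's own code). Resolves a user-supplied file
// name to a path inside one fixed directory, or returns null. $baseDir and the
// .pdf-only rule are assumptions for this illustration.
function resolveDownload(string $baseDir, string $requested): ?string
{
    // Keep only the final path component: drops "../", leading "/" and any directory part.
    $name = basename($requested);

    // Conservative allow-list: word characters plus the one extension this endpoint serves.
    // ";cat ~/.ssh/id_rsa" and "../../etc/passwd" both fail here.
    if (!preg_match('/^[A-Za-z0-9_-]+\.pdf$/', $name)) {
        return null;
    }

    // realpath() follows symlinks, so check the resolved path is still under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Handler: the shell is never involved; PHP streams the file itself.
$path = resolveDownload(__DIR__ . '/files', (string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```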
  16. ASR 2 – Broken Authentication

  17. Broken Authentication
    Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.
    • Authentication bypass
    • Unauthorized impersonation
  18. Broken Authentication
    • Run the demo application
      php -S localhost:8888 -t asr2-broken-authentication
    • Visit the query interface in a browser
      http://localhost:8888/
    • Log in as "reader" with the password "1234567"
    • Modify your cookies to impersonate "admin"
    • Now … fix the impersonation attack by leveraging server storage
  19. ASR 3 – Sensitive Data Exposure

  20. Sensitive Data Exposure
    Many web applications do not adequately protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
    • Example: Equifax
  21. Sensitive Data Exposure

  22. Sensitive Data Exposure

  23. Sensitive Data Exposure
    • Open /asr3-data-exposure in your editor
    • View the "encrypted" secret message text file
    • Modify the secret text to say something else
    • Now … use Libsodium to actually encrypt the text
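The Libsodium step from the exercise above, as an added example that is not the workshop's own code. It uses `sodium_crypto_secretbox()` (XSalsa20-Poly1305, so the ciphertext is authenticated as well as confidential); the file names are assumptions and the key is generated in-script only for the demo, where in practice it would live outside the web root.

```php
<?php
declare(strict_types=1);

// Added example (not the workshop's own code): authenticated encryption of the
// secret-message file with Libsodium's secretbox. File names are assumptions.
function encryptFile(string $plainPath, string $cipherPath, string $key): void
{
    // A fresh random nonce per message; it is not secret, but must never be
    // reused with the same key.
    $nonce      = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox(file_get_contents($plainPath), $nonce, $key);
    // Store nonce || ciphertext so the reader can recover the nonce.
    file_put_contents($cipherPath, $nonce . $ciphertext);
}

function decryptFile(string $cipherPath, string $key): string
{
    $blob  = file_get_contents($cipherPath);
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct    = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($ct, $nonce, $key);
    if ($plain === false) {
        // Wrong key or edited bytes: the Poly1305 tag no longer verifies, so the
        // "modify the secret text" step is detected instead of silently accepted.
        throw new RuntimeException('message authentication failed');
    }
    return $plain;
}

// Demo run with a constructed message. sodium_crypto_secretbox_keygen()
// returns 32 random bytes; in a real deployment load the key from outside the repo.
$key = sodium_crypto_secretbox_keygen();
file_put_contents('secret.txt', 'See you at php[tek]');
encryptFile('secret.txt', 'secret.enc', $key);
echo decryptFile('secret.enc', $key), PHP_EOL;

// Flip one byte of the ciphertext and decryption now refuses the file.
$tampered = file_get_contents('secret.enc');
$tampered[strlen($tampered) - 1] = chr(ord($tampered[strlen($tampered) - 1]) ^ 0x01);
file_put_contents('secret.enc', $tampered);
try {
    decryptFile('secret.enc', $key);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
sodium_memzero($key);
```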
  24. ASR 4 – XML External Entities

  25. XML External Entities
    XML eXternal Entity injection (XXE) is a type of attack against an application that parses XML input. This attack occurs when untrusted XML input containing a reference to an external entity is processed by a weakly configured XML parser.
    • Data exposure
    • Simple DOS attacks
  26. XML External Entities
    <?xml version="1.0"?>
    <!DOCTYPE info [<!ENTITY name "php[architect]">]>
    <info>
      <author>Friend of &name;</author>
      <publisher>&name;</publisher>
      <copyright>&name; - 2017</copyright>
    </info>
  27. XML External Entities
    <?xml version="1.0"?>
    <!DOCTYPE info [<!ENTITY name SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/config.ini">]>
    <info>
      <author>Friend of &name;</author>
      <publisher>&name;</publisher>
      <copyright>&name; - 2017</copyright>
    </info>
  28. XML External Entities - FIX
    <?php
    // ...
    $xml = ...
    // Stop libxml from loading SYSTEM/PUBLIC entities from disk or network.
    // (Deprecated since PHP 8.0, where external entity loading is already off by default.)
    $default = libxml_disable_entity_loader(true);
    $dom = new DOMDocument();
    // Do not pass LIBXML_NOENT here: that flag is what turns entity substitution on.
    $dom->loadXML($xml);
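An added example (not the workshop's own code) that packages the fix above into a loader for untrusted XML: it refuses any document carrying a DOCTYPE, which is where both the SYSTEM entity above and the entity bomb on the next slide are declared, and parses with external entity loading and network access left off. The function name and inputs are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example (not the workshop's own code): parse XML from an untrusted
// source without external entities, network access, or a DOCTYPE at all.
function parseUntrustedXml(string $xml): DOMDocument
{
    // Cheap early exit; the post-parse check below is the authoritative one.
    if (str_contains($xml, '<!DOCTYPE')) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }
    $doc = new DOMDocument();
    $doc->resolveExternals   = false;   // never fetch SYSTEM/PUBLIC entities
    $doc->substituteEntities = false;   // leave entity references unexpanded

    $previous = libxml_use_internal_errors(true);   // collect errors instead of printing them
    try {
        // LIBXML_NONET forbids network access during the parse. LIBXML_NOENT is
        // deliberately absent: that flag is what switches entity expansion on.
        if (!$doc->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('malformed XML');
        }
    } finally {
        libxml_use_internal_errors($previous);
    }
    // Catches a DOCTYPE the byte scan could miss (for example UTF-16 input).
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }
    return $doc;
}

// Constructed inputs: a plain document, then a two-level version of the entity bomb.
$ok = parseUntrustedXml('<info><author>Friend of php[architect]</author></info>');
echo $ok->getElementsByTagName('author')->item(0)->textContent, PHP_EOL;

$bomb = '<?xml version="1.0"?><!DOCTYPE bomb [<!ENTITY x0 "BOOM!"><!ENTITY x1 "&x0;&x0;">]>'
      . '<info><kablewy>&x1;</kablewy></info>';
try {
    parseUntrustedXml($bomb);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```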
  29. XML External Entities
    <?xml version="1.0"?>
    <!DOCTYPE bomb [
      <!ENTITY x0 "BOOM!">
      <!ENTITY x1 "&x0;&x0;">
      <!ENTITY x2 "&x1;&x1;">
      <!ENTITY x3 "&x2;&x2;">
      <!ENTITY x4 "&x3;&x3;">
      <!-- ... Repeat for entities from x5 through x98 -->
      <!ENTITY x99 "&x98;&x98;">
      <!ENTITY bomb "&x99;&x99;">
    ]>
    <info>
      <kablewy>&bomb;</kablewy>
    </info>
  30. ASR 5 – Broken Access Control

  31. Broken Access Control
    Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.
    • Authentication != Authorization
  32. Broken Authentication
    • Run the demo application
      php -S localhost:8888 -t asr5-broken-access
    • Visit the query interface in a browser
      http://localhost:8888/
    • Log in as "bob" with the password "bobisevil"
    • Modify your form to target Alice's user ID (4) – change her favorite ice cream
    • Verify it changed – Alice's password is "aliceisnice"
    • Now … fix the attack by verifying user IDs match authentication
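An added example (not the workshop's own code) that covers both fixes asked for in the ASR 2 and ASR 5 exercises: the browser cookie carries only an opaque session ID, the user's identity and role live in server-side session storage, and every write is checked against that stored identity rather than against a user ID the form sends. The `users` table, the `favorite` column and the row IDs are assumptions (Alice is row 2 here, not 4 as in the workshop database).

```php
<?php
declare(strict_types=1);

// Added example (not the workshop's own code). Identity and role come from
// $_SESSION, which lives on the server; the client only holds the session ID.
// Table layout and IDs are assumptions for this illustration.
session_start();

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash, role FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);           // fresh ID after login, defeats session fixation
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['role']    = $user['role'];  // never read the role from a client-supplied cookie
    return true;
}

// Authenticated != authorized: the caller must own the row or hold the admin role.
function updateFavorite(PDO $db, int $targetUserId, string $flavor): bool
{
    $me = $_SESSION['user_id'] ?? null;
    if ($me === null) {
        return false;                      // not logged in
    }
    if ($targetUserId !== $me && ($_SESSION['role'] ?? '') !== 'admin') {
        return false;                      // the form's user ID does not match the session
    }
    $stmt = $db->prepare('UPDATE users SET favorite = :f WHERE id = :id');
    $stmt->execute([':f' => $flavor, ':id' => $targetUserId]);
    return $stmt->rowCount() === 1;
}

// Constructed in-memory fixture with the two accounts from the exercise.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT, role TEXT, favorite TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash, role, favorite) VALUES (?, ?, ?, ?)');
$ins->execute(['bob',   password_hash('bobisevil',   PASSWORD_DEFAULT), 'user', 'vanilla']);
$ins->execute(['alice', password_hash('aliceisnice', PASSWORD_DEFAULT), 'user', 'mint']);
var_dump(login($db, 'bob', 'bobisevil'));
var_dump(updateFavorite($db, 2, 'rocky road'));  // bob targeting alice's row
var_dump(updateFavorite($db, 1, 'rocky road'));  // bob editing his own row
```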
  33. ASR 6 – Security Misconfiguration

  34. Security Misconfiguration
    Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
  35. Security Misconfiguration
    • Server tokens
    • Server name
    • Directory traversal
    • SSL certificates
    • Remote include
      • allow_url_fopen
      • allow_url_include
    • Display errors
    • disable_functions
      • exec
      • passthru
      • shell_exec
      • system
      • proc_open
      • popen
      • parse_ini_file
      • show_source
      • eval
      • create_function
  36. ASR 7 – Cross-site Scripting

  37. Cross-site Scripting
    XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
    • Stored
    • Reflected
  38. Cross-site Scripting
    • Run the demo application
      php -S localhost:8888 -t asr1-injection
    • Visit the query interface in a browser
      http://localhost:8888/query
    • Inject malicious JavaScript by searching for:
      <img src=x onerror=alert("hi") />
    • Now … fix the injection attack by parameterizing your statement
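The output-escaping side of the fix, as an added example that is not the workshop's own code: slide 37 names missing escaping as the cause, and parameterizing the SQL on its own protects the database but not the page the search term is echoed back into. The `e()` helper and `renderResults()` are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example (not the workshop's own code): escaping the search term from
// the exercise before it is written back into the HTML response.
function e(string $value): string
{
    // ENT_QUOTES escapes both quote styles, so the value is also safe inside
    // attribute values; ENT_SUBSTITUTE keeps malformed UTF-8 from emptying the output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: the term goes into the markup verbatim and the browser parses it.
function renderResultsVulnerable(string $term, array $names): string
{
    $html = '<p>Results for "' . $term . '":</p><ul>';
    foreach ($names as $name) {
        $html .= '<li>' . $name . '</li>';
    }
    return $html . '</ul>';
}

// Fixed: every untrusted value passes through e() at the point it enters HTML.
function renderResults(string $term, array $names): string
{
    $html = '<p>Results for "' . e($term) . '":</p><ul>';
    foreach ($names as $name) {
        $html .= '<li>' . e($name) . '</li>';
    }
    return $html . '</ul>';
}

// Constructed input: the payload from the slide. In the escaped output the
// angle brackets and quotes are entities, so the browser shows text, not an <img>.
$term = '<img src=x onerror=alert("hi") />';
echo renderResultsVulnerable($term, ['Eric Mann']), PHP_EOL;
echo renderResults($term, ['Eric Mann']), PHP_EOL;
```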
  39. ASR 8 – Insecure Deserialization

  40. Insecure Deserialization
    Native formats usually offer more features than JSON or XML, including customizability of the serialization process. Unfortunately, the features of these native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data.
    • Denial of service
    • Access control
    • Remote code execution
  41. Insecure Deserialization
    $request = file_get_contents('php://input');
    // Decode to an associative array: without `true`, json_decode() returns a
    // stdClass and the $args['name'] lookups below fail. JSON carries data only,
    // so no object is instantiated from the untrusted input.
    $args = json_decode($request, true);
    $response = [
        'name'  => $args['name'] ?? '',
        'email' => $args['email'] ?? '',
    ];
    echo json_encode($response);
  42. ASR 9 – Using Components with Known Vulnerabilities

  43. Using Components with Known Vulnerabilities

  44. ASR 10 – Insufficient Logging & Monitoring

  45. Insufficient Logging & Monitoring
    Exploitation of insufficient logging and monitoring is the bedrock of nearly every major incident. Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected.
    • Attackers' attempts go unnoticed
    • Insider threats exploit access
  46. Responsible Disclosure

  47. Questions?
