Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Little Bobby Tables Isn't Welcome Here

Little Bobby Tables Isn't Welcome Here

PHP security workshop from php[tek] 2018.

Eric Mann

May 30, 2018

More Decks by Eric Mann

Other Decks in Technology


  1. Today's Agenda • Introductions and Setup • OWASP • ASR1

    – Injection Exercise • ASR 2 – Broken Authentication Exercise • ASR 3 – Sensitive Data Exposure Exercise • ASR 4 – XML External Entities
  2. Today's Agenda • ASR 5 - Broken Access Control Exercise

    • ASR 6 – Security Misconfiguration • ASR 7 – Cross-site Scripting Exercise • ASR 8 – Insecure Deserialization • ASR 9 – Using Components with Known Vulnerabilities • ASR 10 – Insufficient Logging & Monitoring • Responsible Disclosure
  3. Introduction • Who am I? • Who are you? •

    What are you hoping to learn this week? • Project overview • Project requirements • PHP, SQLite, (Docker, maybe)
  4. Setup • Clone the project repository git clone https://github.com/ericmann/bobby-tables.git php-owasp

    • Run the "smoke test" script in the repo to test your system cd php-owasp && php smoke.php cd php-owasp && ./dockphp smoke.php
  5. OWASP • Open Web Application Security Project • International non-profit

    est ~2001 • Coordinates training, guidelines, development checklists • Polls and publishes "top ten" application security risks • Updated every ~3 years • Last published in late 2018 • Results based on feedback and in-the-wild experiences surveyed from > 500 developers • Data spans info about > 100,000 real world applications • The OWASP Top Ten is not exhaustive!
  6. Injection Injection flaws, such as SQL, OS, and LDAP injection

    occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. • Injected SQL • Injected CLI
  7. Injection • Run the demo application php -S localhost:8888 -t

    asr1-injection • Visit the query interface in a browser http://localhost:8888/query • Inject yourself as a speaker into the database • Now … fix the injection attack by parameterizing your statement
  8. Injection • Run the same demo application php -S localhost:8888

    -t asr1-injection • Visit the files interface in a browser and download my PDF http://localhost:8888/get/?file=evolution.pdf • Use the vulnerability to "liberate" your private SSH key curl http://localhost:8888/?file=;cat ~/.ssh/id_rsa • Now … fix the injection attack by sanitizing the filename
  9. Broken Authentication Application functions related to authentication and session management

    are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities. • Authentication bypass • Unauthorized impersonation
  10. Broken Authentication • Run the demo application php -S localhost:8888

    -t asr2-broken-authentication • Visit the query interface in a browser http://localhost:8888/ • Log in as "reader" with the password "1234567" • Modify your cookies to impersonate "admin" • Now … fix the impersonation attack by leveraging server storage
  11. Sensitive Data Exposure Many web applications do not adequately protect

    sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. • Example: Equifax
  12. Sensitive Data Exposure • Open /asr3-data-exposure in your editor •

    View the "encrypted" secret message text file • Modify the secret text to say something else • Now … use Libsodium to actually encrypt the text
  13. XML External Entities XML eXternal Entity injection (XXE) is a

    type of attack against an application that parses XML input. This attack occurs when untrusted XML input containing a reference to an external entity is processed by a weakly configured XML parser. • Data exposure • Simple DOS attacks
  14. XML External Entities <?xml version="1.0"?> <!DOCTYPE info [<!ENTITY name "php[architect]">]>

    <info> <author>Friend of &name;</author> <publisher>&name;</publisher> <copyright>&name; - 2017</copyright> </info>
  15. XML External Entities <?xml version="1.0"?> <!DOCTYPE info [<!ENTITY name SYSTEM

    "php://filter/read=convert.base64- encode/resource=/var/www/config.ini">]> <info> <author>Friend of &name;</author> <publisher>&name;</publisher> <copyright>&name; - 2017</copyright> </info>
  16. XML External Entities - FIX <?php // ... $xml =

    ... $default = libxml_disable_entity_loader(true); $dom = new DOMDocument(); $dom->loadXML($xml);
  17. XML External Entities <?xml version="1.0"?> <!DOCTYPE bomb [ <!ENTITY x0

    "BOOM!"> <!ENTITY x1 "&x0;&x0;"> <!ENTITY x2 "&x1;&x1;"> <!ENTITY x3 "&x2;&x2;"> <!ENTITY x4 "&x3;&x3;"> <!-- ... Repeat for entities from x5 through x98 --> <!ENTITY x99 "&x98;&x98;"> <!ENTITY bomb "&x99;&x99;"> ]> <info> <kablewy>&bomb;</kablewy> </info>
  18. Broken Access Control Restrictions on what authenticated users are allowed

    to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc. • Authentication != Authorization
  19. Broken Authentication • Run the demo application php -S localhost:8888

    -t asr5-broken-access • Visit the query interface in a browser http://localhost:8888/ • Log in as "bob" with the password "bobisevil" • Modify your form to target Alice's user ID (4) – change her favorite ice cream • Verify it changed – Alice's password is "aliceisnice" • Now … fix the attack by verifying user IDs match authentication
  20. Security Misconfiguration Good security requires having a secure configuration defined

    and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
  21. Security Misconfiguration • Server tokens • Server name • Directory

    traversal • SSL certificates • Remote include • allow_url_fopen • allow_url_include • Display errors • disable_functions • exec • passthru • shell_exec • system • proc_open • popen • parse_ini_file • show_source • eval • create_function
  22. Cross-site Scripting XSS flaws occur whenever an application takes untrusted

    data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. • Stored • Reflected
  23. Cross-site Scripting • Run the demo application php -S localhost:8888

    -t asr1-injection • Visit the query interface in a browser http://localhost:8888/query • Inject malicious JavaScript by searching for: <img src=x onerror=alert("hi") /> • Now … fix the injection attack by parameterizing your statement
  24. Insecure Deserialization Native formats usually offer more features than JSON

    or XML, including customizability of the serialization process. Unfortunately, the features of these native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data. • Denial of service • Access control • Remote code execution
  25. Insecure Deserialization $request = file_get_contents('php://input'); $args = json_decode($request); $response =

    [ 'name' => $args['name'], 'email' => $args['email'] ]; echo json_encode($response);
  26. Insufficient Logging & Monitoring Exploitation of insufficient logging and monitoring

    is the bedrock of nearly every major incident. Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected. • Attackers' attempts go unnoticed • Insider threats exploit access