
Little Bobby Tables Isn't Welcome Here


PHP security workshop from php[tek] 2018.

Eric Mann

May 30, 2018

Transcript

  1. Little Bobby Tables Isn't Welcome Here
    php[tek] 2018 ∙ Eric Mann

  2. Today's Agenda
    • Introductions and Setup
    • OWASP
    • ASR 1 – Injection
    Exercise
    • ASR 2 – Broken Authentication
    Exercise
    • ASR 3 – Sensitive Data Exposure
    Exercise
    • ASR 4 – XML External Entities

  3. Today's Agenda
    • ASR 5 – Broken Access Control
    Exercise
    • ASR 6 – Security Misconfiguration
    • ASR 7 – Cross-site Scripting
    Exercise
    • ASR 8 – Insecure Deserialization
    • ASR 9 – Using Components with Known Vulnerabilities
    • ASR 10 – Insufficient Logging & Monitoring
    • Responsible Disclosure

  4. INTRODUCTIONS AND SETUP
    Getting Started

  5. Introduction
    • Who am I?
    • Who are you?
    • What are you hoping to learn this week?
    • Project overview
    • Project requirements
    • PHP, SQLite, (Docker, maybe)

  6. Setup
    • Clone the project repository
    git clone https://github.com/ericmann/bobby-tables.git php-owasp
    • Run the "smoke test" script in the repo to test your system
    cd php-owasp && php smoke.php
    • Or, if you are using the Docker wrapper instead of a local PHP install
    cd php-owasp && ./dockphp smoke.php

  7. OWASP
    • Open Web Application Security Project
    • International non-profit, established ~2001
    • Coordinates training, guidelines, development checklists
    • Polls and publishes "top ten" application security risks
    • Updated every ~3 years
    • Last published in late 2017 (the 2017 edition)
    • Results based on feedback and in-the-wild experiences surveyed from > 500 developers
    • Data spans info about > 100,000 real world applications
    • The OWASP Top Ten is not exhaustive!

  8. ASR 1 – Injection

  9. Injection
    Injection flaws, such as SQL, OS, and LDAP injection occur when
    untrusted data is sent to an interpreter as part of a command or
    query. The attacker's hostile data can trick the interpreter into
    executing unintended commands or accessing data without proper
    authorization.
    • Injected SQL
    • Injected CLI

  10. Injection
    • Run the demo application
    php -S localhost:8888 -t asr1-injection
    • Visit the query interface in a browser
    http://localhost:8888/query
    • Inject yourself as a speaker into the database
    • Now … fix the injection attack by parameterizing your statement

  11. Injection
    • Run the same demo application
    php -S localhost:8888 -t asr1-injection
    • Visit the files interface in a browser and download my PDF
    http://localhost:8888/get/?file=evolution.pdf
    • Use the vulnerability to "liberate" your private SSH key
    curl "http://localhost:8888/get/?file=;cat%20~/.ssh/id_rsa"
    • Now … fix the injection attack by validating the filename (and, if a shell is unavoidable, escaping it with escapeshellarg())

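Worked code for both injection exercises above, added here rather than taken from the bobby-tables repository: a SQLite lookup built by string concatenation beside the parameterised version, and a file download that hands the filename to a shell beside one that validates it and never touches a shell. The table name, sample rows, temp directory and function names are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Constructed fixture: an in-memory SQLite database standing in for the workshop's speaker list.
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE speakers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO speakers (name) VALUES ('Eric'), ('Alice')");
    return $db;
}

// VULNERABLE: the search term becomes part of the SQL text, so a quote in it rewrites the query.
function findSpeakerUnsafe(PDO $db, string $term): array
{
    $sql = "SELECT name FROM speakers WHERE name = '" . $term . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// FIXED: the term is bound as a parameter; the statement's shape is fixed before any data arrives.
function findSpeakerSafe(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT name FROM speakers WHERE name = :name');
    $stmt->execute([':name' => $term]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// VULNERABLE: the filename is interpolated into a command line; ";" or "$(...)" runs anything.
function readFileUnsafe(string $dir, string $file): string
{
    return (string) shell_exec('cat ' . $dir . '/' . $file);
}

// FIXED: accept only a plain name, resolve it inside $dir, and read it without a shell at all.
function readFileSafe(string $dir, string $file): ?string
{
    if ($file !== basename($file) || !preg_match('/^[A-Za-z0-9._-]+$/', $file)) {
        return null;                                  // path separators or shell metacharacters
    }
    $root = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $file);
    if ($root === false || $path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                  // "..", or a symlink, escaped the directory
    }
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

// SQL injection: a tautology turns a one-row lookup into a dump of the whole table
$db = openDb();
$attack = "' OR '1'='1";
print_r(findSpeakerUnsafe($db, $attack));    // Eric, Alice
print_r(findSpeakerSafe($db, $attack));      // empty: no speaker has that literal name

// Command injection: the slide's ";cat ~/.ssh/id_rsa" works exactly like this harmless payload
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'bobby-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/evolution.txt', "slides\n");
$attack = 'evolution.txt; echo pwned';
echo readFileUnsafe($dir, $attack);          // "slides" followed by "pwned"
var_dump(readFileSafe($dir, $attack));       // NULL: rejected before anything runs
echo readFileSafe($dir, 'evolution.txt');    // slides
```

If the application runs the string through PDO::exec() rather than query(), stacked statements (`'; INSERT INTO speakers ...; --`) are how you add yourself as a speaker in the exercise; binding the parameter stops both forms. Where a shell really cannot be avoided, wrap every argument in escapeshellarg(), but validation plus file_get_contents() removes the whole class of bug.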
  12. ASR 2 – Broken Authentication

  13. Broken Authentication
    Application functions related to authentication and session
    management are often not implemented correctly, allowing attackers
    to compromise passwords, keys, or session tokens, or to exploit other
    implementation flaws to assume other users' identities.
    • Authentication bypass
    • Unauthorized impersonation

  14. Broken Authentication
    • Run the demo application
    php -S localhost:8888 -t asr2-broken-authentication
    • Visit the query interface in a browser
    http://localhost:8888/
    • Log in as "reader" with the password "1234567"
    • Modify your cookies to impersonate "admin"
    • Now … fix the impersonation attack by keeping the logged-in identity in server-side session storage and sending the browser only an opaque session ID

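A model of the exercise above, added here and not the workshop's own code: the vulnerable app stores the username in the cookie and believes it, the fixed one stores an unguessable session ID in the cookie and keeps the identity on the server. The in-memory $store stands in for PHP's session storage so the script runs from the CLI; the user table, hashes and function names are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Constructed user table; hashes are generated at startup so the example runs anywhere.
function users(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'reader' => password_hash('1234567', PASSWORD_DEFAULT),
            'admin'  => password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT),
        ];
    }
    return $users;
}

function checkPassword(string $user, string $password): bool
{
    // verify against a dummy hash when the user is unknown so timing does not reveal valid names
    $hash = users()[$user] ?? password_hash('dummy', PASSWORD_DEFAULT);
    return isset(users()[$user]) && password_verify($password, $hash);
}

// VULNERABLE: the username is written into the cookie and believed on every later request.
function loginUnsafe(string $user, string $password): ?array
{
    return checkPassword($user, $password) ? ['user' => $user] : null;   // Set-Cookie: user=reader
}
function whoAmIUnsafe(array $cookies): ?string
{
    return $cookies['user'] ?? null;   // change the cookie to user=admin and you are admin
}

// FIXED: the cookie carries only an unguessable session id; who that id belongs to is recorded
// on the server. PHP's session extension (session_start(), $_SESSION, session_regenerate_id(true)
// after login) does exactly this; $store stands in for it here.
function loginSafe(string $user, string $password, array &$store): ?array
{
    if (!checkPassword($user, $password)) {
        return null;
    }
    $sid = bin2hex(random_bytes(32));        // fresh id on every login defeats session fixation
    $store[$sid] = ['user' => $user, 'issued' => time()];
    return ['sid' => $sid];                   // Set-Cookie: sid=...; HttpOnly; Secure; SameSite=Lax
}
function whoAmISafe(array $cookies, array $store): ?string
{
    return $store[$cookies['sid'] ?? '']['user'] ?? null;   // an edited id matches no record
}

$store = [];

$cookies = loginUnsafe('reader', '1234567');
$cookies['user'] = 'admin';                   // the attacker edits the cookie
echo whoAmIUnsafe($cookies), "\n";            // admin

$cookies = loginSafe('reader', '1234567', $store);
echo whoAmISafe($cookies, $store), "\n";      // reader
$cookies['sid'] = str_repeat('0', 64);        // a forged id
var_dump(whoAmISafe($cookies, $store));       // NULL
```

The client can still read and replay its own session cookie, which is why the cookie flags (HttpOnly, Secure, SameSite) and a fresh ID on login matter; what it can no longer do is pick which account the ID maps to.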
  15. ASR 3 – Sensitive Data Exposure

  16. Sensitive Data Exposure
    Many web applications do not adequately protect sensitive data, such
    as credit cards, tax IDs, and authentication credentials. Attackers may
    steal or modify such weakly protected data to conduct credit card
    fraud, identity theft, or other crimes. Sensitive data deserves extra
    protection such as encryption at rest or in transit, as well as special
    precautions when exchanged with the browser.
    • Example: Equifax

  17. Sensitive Data Exposure

  18. Sensitive Data Exposure

  19. Sensitive Data Exposure
    • Open /asr3-data-exposure in your editor
    • View the "encrypted" secret message text file
    • Modify the secret text to say something else
    • Now … use Libsodium to actually encrypt the text

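The Libsodium step of the exercise above, written out here as an added example rather than the workshop's solution: a reversible encoding (the kind of "encryption" the text file uses) beside authenticated encryption with sodium_crypto_secretbox, including what happens when the stored ciphertext is edited. The message, the temp file and the key generation are assumptions of this example; in a real application the key comes from a secrets store, never from the repository.

```php
<?php
declare(strict_types=1);

// Constructed secret and file location.
$message = 'Speaker dinner is at 7, room 204.';
$file = tempnam(sys_get_temp_dir(), 'secret');

// What an "encrypted" text file often really is: an encoding anyone can reverse or rewrite.
function obfuscate(string $plaintext): string
{
    return base64_encode($plaintext);
}

// Authenticated encryption (XSalsa20-Poly1305 via secretbox): secrecy plus tamper detection.
function encrypt(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);  // unique per message, never reused with a key
    return $nonce . sodium_crypto_secretbox($plaintext, $nonce, $key);  // nonce is public; store it with the box
}

function decrypt(string $blob, string $key): ?string
{
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($blob) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $plain = sodium_crypto_secretbox_open(substr($blob, $n), substr($blob, 0, $n), $key);
    return $plain === false ? null : $plain;   // false: wrong key, or the ciphertext was modified
}

$key = sodium_crypto_secretbox_keygen();       // 32 random bytes; persist as sodium_bin2hex($key) in a secret store

file_put_contents($file, obfuscate($message));
echo base64_decode(file_get_contents($file)), "\n";   // anyone can read it

file_put_contents($file, encrypt($message, $key));
echo decrypt(file_get_contents($file), $key), "\n";   // only the key holder can

// Flip one bit of the stored ciphertext: the Poly1305 tag no longer verifies
$blob = file_get_contents($file);
$i = strlen($blob) - 1;
$blob[$i] = chr(ord($blob[$i]) ^ 0x01);
var_dump(decrypt($blob, $key));                       // NULL: tampering detected
var_dump(decrypt($blob, sodium_crypto_secretbox_keygen()));  // NULL: wrong key

sodium_memzero($key);
unlink($file);
```

Secretbox fails closed: a modified file or a wrong key gives null rather than garbage, so the caller can distinguish "secret unavailable" from "secret read". Keep the key out of the file, the repo and the web root; that is the part of sensitive data exposure encryption alone does not solve.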
  20. ASR 4 – XML External Entities

  21. XML External Entities
    XML eXternal Entity injection (XXE) is a type of attack against an
    application that parses XML input. This attack occurs when untrusted
    XML input containing a reference to an external entity is processed by
    a weakly configured XML parser.
    • Data exposure
    • Simple DOS attacks

  22. XML External Entities

    ]>

    Friend of &name;
    &name;
    &name; - 2017

  23. XML External Entities
    <!ENTITY name SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/config.ini">
    ]>

    Friend of &name;
    &name;
    &name; - 2017

  24. XML External Entities - FIX
    // ...
    $xml = ...
    // Switch off loading of external entities before parsing. On PHP 8.0+ this call is
    // deprecated (external entities are not fetched unless LIBXML_NOENT or LIBXML_DTDLOAD
    // is passed), so the durable rule is: never pass LIBXML_NOENT for untrusted XML.
    $default = libxml_disable_entity_loader(true);
    $dom = new DOMDocument();
    $dom->loadXML($xml);
    libxml_disable_entity_loader($default);   // restore the previous setting for the rest of the process

  25. XML External Entities

    ]>

    &bomb;

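The two XXE payloads from slides 22, 23 and 25 and the fix from slide 24, assembled into one runnable script as an added example (not the workshop's own code): a SYSTEM entity that reads a local file through php://filter, a trimmed entity-expansion bomb, a parser that substitutes entities, and a hardened one. The temp file stands in for /var/www/config.ini, the element names and the three-level bomb are assumptions of this example, and the check against DOMDocument::$doctype is the extra step a practitioner adds: untrusted XML has no business declaring a DTD at all.

```php
<?php
declare(strict_types=1);

// Constructed target file standing in for /var/www/config.ini on the slide.
$secretPath = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($secretPath, "db_password=hunter2\n");

// Payload 1: an external entity that reads a local file; base64 keeps the bytes XML-safe.
$xxe = <<<XML
<?xml version="1.0"?>
<!DOCTYPE speaker [
  <!ENTITY name SYSTEM "php://filter/read=convert.base64-encode/resource={$secretPath}">
]>
<speaker><name>&name;</name></speaker>
XML;

// Payload 2: entity expansion ("billion laughs"), trimmed to three levels so it finishes quickly.
$bomb = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE bomb [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<bomb>&lol3;</bomb>
XML;

// VULNERABLE: LIBXML_NOENT substitutes entities, which makes libxml fetch SYSTEM entities
// (also on PHP 8, where external loading is otherwise off by default).
function parseUnsafe(string $xml): string
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT);
    return $dom->documentElement->textContent;
}

// FIXED: never pass LIBXML_NOENT, block network fetches, refuse any document that declares
// a DTD, and on PHP 7 also switch the external loader off (the call is deprecated on 8.0+).
function parseSafe(string $xml): ?string
{
    $previousErrors = libxml_use_internal_errors(true);
    $previousLoader = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    try {
        $dom = new DOMDocument();
        if (!$dom->loadXML($xml, LIBXML_NONET) || $dom->doctype !== null) {
            return null;
        }
        return $dom->documentElement->textContent;
    } finally {
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
    }
}

echo base64_decode(parseUnsafe($xxe)), "\n";   // db_password=hunter2: the file leaked
var_dump(parseSafe($xxe));                     // NULL
echo strlen(parseUnsafe($bomb)), "\n";         // 3000 bytes of text from a document a fraction of that size
var_dump(parseSafe($bomb));                    // NULL
unlink($secretPath);
```

The trimmed bomb is small enough for libxml's own amplification limits to allow; the real nine-level version is rejected by libxml2 2.9+ with an entity-loop error, but rejecting the DTD outright means you do not depend on those limits or on which libxml your host ships.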
  26. ASR 5 – Broken Access Control

  27. Broken Access Control
    Restrictions on what authenticated users are allowed to do are not
    properly enforced. Attackers can exploit these flaws to access
    unauthorized functionality and/or data, such as access other users'
    accounts, view sensitive files, modify other users' data, change
    access rights, etc.
    • Authentication != Authorization

  28. Broken Access Control
    • Run the demo application
    php -S localhost:8888 -t asr5-broken-access
    • Visit the query interface in a browser
    http://localhost:8888/
    • Log in as "bob" with the password "bobisevil"
    • Modify your form to target Alice's user ID (4) – change her favorite
    ice cream
    • Verify it changed – Alice's password is "aliceisnice"
    • Now … fix the attack by verifying user IDs match authentication

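The ice-cream exercise above as an added example (not the workshop's own code): a handler that takes the user ID from the submitted form beside one that checks the submitted ID against the authenticated session before touching the record. The user records, IDs 3 and 4 and the "role" field are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Constructed user records; in the workshop app they live in SQLite.
$users = [
    3 => ['name' => 'bob',   'ice_cream' => 'rocky road'],
    4 => ['name' => 'alice', 'ice_cream' => 'pistachio'],
];

// VULNERABLE: the form posts user_id and the handler trusts it, so any logged-in user can
// rewrite any row (an insecure direct object reference). Logging in proved who Bob is; it
// said nothing about which rows Bob may edit.
function updateUnsafe(array &$users, array $post): bool
{
    $id = (int) ($post['user_id'] ?? 0);
    if (!isset($users[$id])) {
        return false;
    }
    $users[$id]['ice_cream'] = (string) ($post['ice_cream'] ?? '');
    return true;
}

// Authorisation rule, in one place: you may edit your own record, or anything if you are an admin.
function canEdit(array $session, int $targetId): bool
{
    return ($session['user_id'] ?? null) === $targetId || ($session['role'] ?? '') === 'admin';
}

// FIXED: the submitted ID is only a request; the decision is made against the server-side session.
function updateSafe(array &$users, array $session, array $post): bool
{
    $id = (int) ($post['user_id'] ?? 0);
    if (!canEdit($session, $id) || !isset($users[$id])) {
        return false;                        // log this: a user asked for a row that is not theirs
    }
    $users[$id]['ice_cream'] = (string) ($post['ice_cream'] ?? '');
    return true;
}

$session = ['user_id' => 3, 'role' => 'user'];              // bob, logged in with "bobisevil"
$post = ['user_id' => '4', 'ice_cream' => 'liver and onions'];  // form edited to target Alice

updateUnsafe($users, $post);
echo $users[4]['ice_cream'], "\n";           // liver and onions: Alice's record changed

$users[4]['ice_cream'] = 'pistachio';
var_dump(updateSafe($users, $session, $post));   // false
echo $users[4]['ice_cream'], "\n";           // pistachio: untouched

$post['user_id'] = '3';
var_dump(updateSafe($users, $session, $post));   // true: Bob may change his own row
echo $users[3]['ice_cream'], "\n";           // liver and onions
```

For a form that can only ever edit the current user's own record, the simpler fix is to drop user_id from the form altogether and read it from the session; the explicit canEdit() check is for the case where admins legitimately edit other people's data.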
  29. ASR 6 – Security Misconfiguration

  30. Security Misconfiguration
    Good security requires having a secure configuration defined and
    deployed for the application, frameworks, application server, web
    server, database server, and platform. Secure settings should be
    defined, implemented, and maintained, as defaults are often
    insecure. Additionally, software should be kept up to date.

  31. Security Misconfiguration
    • Server tokens
    • Server name
    • Directory traversal
    • SSL certificates
    • Remote include
      • allow_url_fopen
      • allow_url_include
    • Display errors
    • disable_functions
      • exec
      • passthru
      • shell_exec
      • system
      • proc_open
      • popen
      • parse_ini_file
      • show_source
      • eval
      • create_function

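A small php.ini audit covering the PHP items on the list above, added here as an example and not part of the workshop: it normalises the ini booleans, parses disable_functions, and reports what is still open. Which settings count as findings and the wording of the messages are this example's own choices; the web-server items (ServerTokens, directory listings, TLS) live outside PHP and are not checked here.

```php
<?php
declare(strict_types=1);

// Functions from the slide that a web-facing php.ini should list in disable_functions.
// eval is a language construct and create_function is gone in PHP 8, so neither can be switched
// off this way; those two have to be caught in code review.
const SHOULD_BE_DISABLED = [
    'exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen',
    'parse_ini_file', 'show_source',
];

// php.ini booleans arrive as "1", "On", "true", "yes" or "" / "0" / "Off"; normalise them.
function iniBool(string $name): bool
{
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

function disabledFunctions(): array
{
    $raw = (string) ini_get('disable_functions');
    return array_filter(array_map('trim', explode(',', $raw)));
}

// Returns a list of findings; an empty list means the checked settings are hardened.
function auditPhpIni(): array
{
    $findings = [];
    $shouldBeOff = [
        'expose_php'        => 'advertises the PHP version in the X-Powered-By header',
        'display_errors'    => 'prints stack traces and filesystem paths to visitors',
        'allow_url_fopen'   => 'lets file functions fetch remote URLs',
        'allow_url_include' => 'lets include/require load remote code',
    ];
    foreach ($shouldBeOff as $setting => $why) {
        if (iniBool($setting)) {
            $findings[] = "$setting is on: $why";
        }
    }
    $missing = array_diff(SHOULD_BE_DISABLED, disabledFunctions());
    if ($missing) {
        $findings[] = 'disable_functions is missing: ' . implode(', ', $missing);
    }
    return $findings;
}

foreach (auditPhpIni() ?: ['no findings'] as $line) {
    echo $line, "\n";
}
```

Run it through the same SAPI as the application (as a one-off page under php-fpm or mod_php, then delete it), because the CLI reads a different php.ini and disable_functions cannot be changed with ini_set() at runtime.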
  32. ASR 7 – Cross-site Scripting

  33. Cross-site Scripting
    XSS flaws occur whenever an application takes untrusted data and
    sends it to a web browser without proper validation or escaping. XSS
    allows attackers to execute scripts in the victim's browser which can
    hijack user sessions, deface web sites, or redirect the user to
    malicious sites.
    • Stored
    • Reflected

  34. Cross-site Scripting
    • Run the demo application
    php -S localhost:8888 -t asr1-injection
    • Visit the query interface in a browser
    http://localhost:8888/query
    • Inject malicious JavaScript by searching for:

    • Now … fix the attack by escaping the search term when it is written into the page (htmlspecialchars())

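The reflected case from the exercise above, as an added example rather than the workshop's solution: the search term echoed raw, then escaped for the HTML context, then placed in a script block where a different encoder is needed. The payload string and the page fragments are constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed search term of the kind typed into the /query page.
$term = '"><script>alert(document.cookie)</script>';

// VULNERABLE: the untrusted term is concatenated straight into the HTML response.
function renderUnsafe(string $term): string
{
    return '<p>Results for ' . $term . '</p>'
         . '<input name="q" value="' . $term . '">';
}

// FIXED: escape at the point of output, for the context the data lands in. ENT_QUOTES covers
// attribute values in either quote style, ENT_SUBSTITUTE keeps invalid UTF-8 from producing an
// empty string, and the charset is stated so the escaping matches the page encoding.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function renderSafe(string $term): string
{
    return '<p>Results for ' . e($term) . '</p>'
         . '<input name="q" value="' . e($term) . '">';
}

// A JavaScript context needs a JavaScript encoder: json_encode with the HEX flags, so neither
// quotes nor "</script>" can terminate the string literal or the script block.
function renderInScript(string $term): string
{
    $js = json_encode($term, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<script>var q = ' . $js . ';</script>';
}

echo renderUnsafe($term), "\n";    // the browser closes the attribute and runs alert()
echo renderSafe($term), "\n";      // &quot;&gt;&lt;script&gt;... is displayed as text
echo renderInScript($term), "\n";  // "\u0022\u003E\u003Cscript\u003E..." stays a string

var_dump(strpos(renderSafe($term), '<script') === false);   // true
```

htmlspecialchars() is correct for element content and quoted attributes only; URLs (use urlencode() or rawurlencode() for the parameter and reject non-http schemes), CSS and unquoted attributes each need their own encoder, which is the reason templating engines escape by default per context.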
  35. ASR 8 – Insecure Deserialization

  36. Insecure Deserialization
    Native formats usually offer more features than JSON or XML,
    including customizability of the serialization process. Unfortunately,
    the features of these native deserialization mechanisms can be
    repurposed for malicious effect when operating on untrusted data.
    • Denial of service
    • Access control
    • Remote code execution

  37. Insecure Deserialization
    $request = file_get_contents('php://input');
    // JSON instead of unserialize(): data only, no classes, no magic methods.
    // The second argument yields an associative array rather than a stdClass object.
    $args = json_decode($request, true);
    $response = [
    'name' => $args['name'] ?? null,
    'email' => $args['email'] ?? null
    ];
    echo json_encode($response);

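What "repurposed for malicious effect" looks like in PHP, as an added example that is not the workshop's code: one harmless application class with a destructor, a serialized string that names it with an attacker-chosen property, and the three outcomes of unserialize() with no options, unserialize() with allowed_classes disabled, and json_decode() as on the slide. The TempFile class and the deleted file are constructed for this example.

```php
<?php
declare(strict_types=1);

// An ordinary application class: a scratch file that cleans itself up.
class TempFile
{
    public $path;
    public function __construct(string $path)
    {
        $this->path = $path;
    }
    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);   // fine for the app's own temp files, lethal with an attacker-chosen path
        }
    }
}

// Constructed attacker input: a serialized TempFile whose path is a file the attacker wants gone.
$victim = tempnam(sys_get_temp_dir(), 'important');
$payload = sprintf('O:8:"TempFile":1:{s:4:"path";s:%d:"%s";}', strlen($victim), $victim);

// VULNERABLE: unserialize() builds whatever class the data names, and that class's magic
// methods (__wakeup, __destruct, __toString, ...) run with attacker-controlled properties.
function loadUnsafe(string $data)
{
    return unserialize($data);
}

// FIXED (1): forbid object instantiation; the data becomes __PHP_Incomplete_Class, which has no methods.
function loadSafe(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// FIXED (2), preferred for anything that crosses a trust boundary: a data-only format such as
// JSON. json_decode(..., true) yields arrays, so no class is ever constructed.
function loadJson(string $data): ?array
{
    $decoded = json_decode($data, true, 64);
    return json_last_error() === JSON_ERROR_NONE && is_array($decoded) ? $decoded : null;
}

$obj = loadSafe($payload);
echo get_class($obj), "\n";              // __PHP_Incomplete_Class
unset($obj);
var_dump(is_file($victim));              // true: nothing ran

var_dump(loadJson('{"name":"Eric","email":"eric@example.com"}')['name']);   // "Eric"
var_dump(loadJson($payload));            // NULL: not JSON, rejected outright

$obj = loadUnsafe($payload);
unset($obj);                             // __destruct fires with the attacker's path
var_dump(is_file($victim));              // false: the file is gone
```

Deleting a file is the mildest version; the same mechanism chained through classes that write files, run callbacks or build SQL is what turns unserialize() on request data into remote code execution, and allowed_classes is a containment measure rather than a reason to keep using the native format on untrusted input.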
  38. ASR 9 – Using Components with Known Vulnerabilities

  39. Using Components with Known Vulnerabilities

  40. ASR 10 – Insufficient Logging & Monitoring

  41. Insufficient Logging & Monitoring
    Exploitation of insufficient logging and monitoring is the bedrock of
    nearly every major incident. Attackers rely on the lack of monitoring
    and timely response to achieve their goals without being detected.
    • Attackers' attempts go unnoticed
    • Insider threats exploit access

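The other half of this risk is having something to detect with. Added here as an example, not taken from the workshop: an authentication event logger that writes one JSON line per attempt, and a detector run over constructed log lines that flags an IP exceeding a failure threshold inside a sliding window and reports how many distinct accounts it tried. The field names, thresholds and sample addresses are assumptions of this example.

```php
<?php
declare(strict_types=1);

// One JSON object per line: easy to ship to a SIEM and easy to grep. Record who, from where
// and the outcome; never the password or the session id.
function logAuthEvent(string $outcome, string $user, string $ip, $stream = STDERR): string
{
    $event = [
        'ts'      => gmdate('c'),
        'event'   => 'auth',
        'outcome' => $outcome,                         // success | failure | lockout
        'user'    => $user,
        'ip'      => $ip,
        'ua'      => $_SERVER['HTTP_USER_AGENT'] ?? 'cli',
    ];
    $line = json_encode($event);
    fwrite($stream, $line . "\n");
    return $line;
}

// Detection over those lines: any source IP with more than $threshold failures inside a sliding
// window of $windowSeconds, reporting how many distinct usernames it tried (many accounts from
// one address is password spraying rather than one person mistyping).
function detectBruteForce(array $lines, int $threshold = 5, int $windowSeconds = 300): array
{
    $byIp = [];
    foreach ($lines as $line) {
        $e = json_decode($line, true);
        if (!is_array($e) || ($e['event'] ?? '') !== 'auth' || ($e['outcome'] ?? '') !== 'failure') {
            continue;
        }
        $byIp[$e['ip']][] = ['t' => strtotime($e['ts']), 'user' => $e['user']];
    }
    $alerts = [];
    foreach ($byIp as $ip => $failures) {
        usort($failures, function (array $a, array $b): int { return $a['t'] <=> $b['t']; });
        $start = 0;
        foreach ($failures as $i => $f) {
            while ($f['t'] - $failures[$start]['t'] > $windowSeconds) {
                $start++;                              // slide the window forward
            }
            if ($i - $start + 1 > $threshold) {
                $window = array_slice($failures, $start, $i - $start + 1);
                $users = count(array_unique(array_column($window, 'user')));
                $alerts[$ip] = sprintf('%d failures in %ds against %d user(s)', count($window), $windowSeconds, $users);
                break;
            }
        }
    }
    return $alerts;
}

// Constructed log lines: six failures from one IP within 100 seconds, one stray failure elsewhere.
$lines = [];
for ($i = 0; $i < 6; $i++) {
    $lines[] = json_encode(['ts' => gmdate('c', 1600000000 + 20 * $i), 'event' => 'auth',
        'outcome' => 'failure', 'user' => ['reader', 'admin'][$i % 2], 'ip' => '203.0.113.7']);
}
$lines[] = json_encode(['ts' => gmdate('c', 1600000000), 'event' => 'auth',
    'outcome' => 'failure', 'user' => 'reader', 'ip' => '198.51.100.2']);
$lines[] = logAuthEvent('success', 'reader', '198.51.100.2');   // written to stderr and kept

print_r(detectBruteForce($lines));   // [203.0.113.7] => 6 failures in 300s against 2 user(s)
```

The same lines should also record access-control denials (the wrong-user-ID case from ASR 5) and input rejected by validation; an attacker who trips those checks a few hundred times is the signal the slide says usually goes unnoticed.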
  42. Responsible Disclosure
