Web Application Security Update: Top Vulnerabilities

Eric Mann
October 24, 2019

The Open Web Application Security Project (OWASP) curates a list of the top ten security risks for web applications and how to mitigate them. The ever-changing world of web development posed a challenge for the 2017 list, which had to combine long-standing risks with modern trends in web development. This talk looks at each item on the list from a PHP perspective, demonstrates what can go wrong, and shows how to make sure it doesn't happen on our own web sites.

The Open Web Application Security Project (OWASP) curates a list of the top ten application security risks for web applications. It is a great place to start when developing a strong security stance for your application and team. Security is an ever-changing world and it's important to keep up to date with modern trends in mitigating vulnerabilities.

With the attendees, we will look at each item in the list, and show:
- How to detect the risk in your own code
- How to patch or prevent the risk
- Practical resources for taking further actions to protect your stack


Transcript

  1. Web Application Security
    Update: Top Vulnerabilities
    Eric Mann


  2. ASR 1 - Injection


  3. The attacker's hostile data can
    trick the interpreter into
    executing unintended
    commands or accessing data
    without proper authorization.


  4. xkcd: Exploits of a Mom - https://xkcd.com/327/


  5. $db = new \PDO(...);
    $name = $_POST['name'];
    // Untrusted input is concatenated straight into the query: the quote in the
    // payload closes the string literal and the rest is parsed as SQL
    $sql = "SELECT * FROM users WHERE email='$name'";
    foreach ($db->query($sql) as $user) {
        // ...
    }
    curl -X POST -d "[email protected]' OR 1=1;--" http://yoursite.com
    SELECT * FROM users WHERE email='[email protected]' OR 1=1;--'

  6. $db = new \PDO(...);
    $name = $_POST['name'];
    $sql = "SELECT * FROM users WHERE email=:email";
    $statement = $db->prepare($sql);
    // The value is bound as data, so it can never change the structure of the query
    // (PDO has no execute() method of its own; the prepared statement is executed)
    $statement->execute([':email' => $name]);
    foreach ($statement as $user) {
        // ...
    }
    curl -X POST -d "[email protected]' OR 1=1;--" http://yoursite.com
    SELECT * FROM users WHERE email='[email protected]\' OR 1=1;--'

  7. function serve_file($filename) {
        header("Content-Type: application/octet-stream");
        header("Content-Disposition: attachment; filename=\"{$filename}\"");
        header("Content-Length: 11111");
        // User input goes straight onto a shell command line: ";" ends the cat
        // and starts a second command of the attacker's choosing
        passthru("cat /home/uploads/" . $filename);
        exit();
    }
    curl -G -d "filename=;cat+/etc/letsencrypt/site.com/privkey.pem" http://site.com
    cat /home/uploads/;cat /etc/letsencrypt/site.com/privkey.pem

  8. function serve_file($filename) {
        // Sanitize the filename before it's used: basename() keeps only the last
        // path component, so both "../" and the ";cat ..." prefix above are gone
        $sanitized = basename($filename);
        header("Content-Type: application/octet-stream");
        header("Content-Disposition: attachment; filename=\"{$sanitized}\"");
        header("Content-Length: 11111"); // placeholder on the slide; use filesize($path) in real code
        $path = "/home/uploads/{$sanitized}";
        // escapeshellarg() single-quotes the path (escaping any quotes inside it),
        // so the shell sees exactly one argument no matter what it contains
        passthru('cat ' . escapeshellarg($path));
        exit();
    }
    curl -G -d "filename=;cat+/etc/letsencrypt/site.com/privkey.pem" http://site.com
    cat '/home/uploads/privkey.pem'

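The fix on the slide still hands a file name to a shell. The added example below (my code, not from the talk) goes one step further: it validates the name against a fixed pattern, confirms with realpath() that the resolved path is still inside the uploads directory (which also defeats symlinks), and streams the file with readfile() so there is no interpreter to inject into. The uploads directory, the name pattern and the sample files are constructed for the demo.

```php
<?php
// Added example (not the talk's code): serve an upload without a shell at all.
// The uploads directory and the "allowed name" pattern are assumptions for the demo.
function resolve_upload(string $uploadsDir, string $requested): ?string
{
    // 1. Only accept plain file names: letters, digits, dot, dash, underscore.
    //    This rejects ";", "/", NUL bytes and a leading ".." outright instead of stripping them.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $requested)) {
        return null;
    }
    $base = realpath($uploadsDir);
    $path = realpath($uploadsDir . DIRECTORY_SEPARATOR . $requested);
    // 2. realpath() resolves symlinks and "..": the result must still live under $base.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

function serve_upload(string $uploadsDir, string $requested): bool
{
    $path = resolve_upload($uploadsDir, $requested);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    header('Content-Type: application/octet-stream');
    // The pattern above guarantees a quote-free name, so the header cannot be broken out of.
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);   // no shell, no interpreter, nothing to inject into
    return true;
}

// Constructed demo: a temp uploads dir with one real file and a symlink pointing outside it.
$dir = sys_get_temp_dir() . '/uploads_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/report.pdf", 'PDF bytes');
@symlink('/etc/hostname', "$dir/link.txt");   // may be unavailable on some hosts; the check still passes

var_dump(resolve_upload($dir, 'report.pdf') !== null);                          // bool(true)
var_dump(resolve_upload($dir, ';cat /etc/letsencrypt/site.com/privkey.pem'));   // NULL: rejected by the pattern
var_dump(resolve_upload($dir, '../../etc/passwd'));                             // NULL: rejected by the pattern
var_dump(resolve_upload($dir, 'link.txt'));                                     // NULL: realpath() leaves the directory
```

The two checks are deliberately redundant: the pattern is the policy ("what a file name may look like"), and the realpath() containment check catches anything the policy did not anticipate, such as a symlink an earlier upload handler let through.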
  9. ASR 2 - Broken
    Authentication


  10. Application functions related
    to authentication and session
    management are often not
    implemented correctly...


  11. Client-side Sessions
    Don’t trust the user to store sensitive information
    Don’t trust information provided by the user
    Don’t store sensitive information with an untrusted party
    Don’t use cookies to store sensitive data
    (If you are using cookies, set the Secure and HttpOnly flags, and store only an opaque session identifier that is looked up server-side)


  12. Password Management
    Passwords should NEVER be stored in plaintext.
    Passwords should NEVER be stored with (reversible) encryption.
    Passwords should ONLY be stored using slow, salted, one-way hashes (password_hash(): bcrypt or Argon2).
    Try to avoid passwords in the first place...


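What "one-way hash" means in practice, as an added example (my code, not the talk's): PHP's built-in password API picks the salt, embeds the algorithm and cost in the stored string, compares in constant time, and lets you upgrade old hashes transparently at login. The user arrays stand in for database rows and the cost of 12 is my choice.

```php
<?php
// Added example (not the talk's code): store and check passwords with PHP's built-in
// password API. The $user arrays are constructed stand-ins for database rows.
const PASSWORD_OPTIONS = ['cost' => 12];   // bcrypt work factor; tune so one hash takes ~100 ms on your hardware

function register(string $password): array
{
    // password_hash() generates a random salt and embeds algorithm, cost and salt in the
    // output, so the hash string is the only thing that needs to be stored.
    return ['hash' => password_hash($password, PASSWORD_DEFAULT, PASSWORD_OPTIONS)];
}

function login(array &$user, string $password): bool
{
    // password_verify() compares in constant time; never compare hash strings with ==.
    if (!password_verify($password, $user['hash'])) {
        return false;
    }
    // Transparent upgrade: if the stored hash uses an older algorithm or a lower cost,
    // re-hash now, while the plaintext is legitimately in hand.
    if (password_needs_rehash($user['hash'], PASSWORD_DEFAULT, PASSWORD_OPTIONS)) {
        $user['hash'] = password_hash($password, PASSWORD_DEFAULT, PASSWORD_OPTIONS);
    }
    return true;
}

// Constructed demo
$user = register('correct horse battery staple');
var_dump(login($user, 'correct horse battery staple'));   // bool(true)
var_dump(login($user, 'Tr0ub4dor&3'));                   // bool(false)

// A legacy row hashed with the minimum cost is upgraded on its first successful login.
$legacy = ['hash' => password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 4])];
login($legacy, 'hunter2');
var_dump(password_get_info($legacy['hash'])['options']['cost']);   // int(12)
```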
  13. (Full image slide. No text)


  14. Problems with JWT
    Leaking sensitive information (the payload is only base64url-encoded, not encrypted)
    The `none` algorithm is part of the spec (RFC 7518 lists it as optional, but many libraries implemented it and accepted it by default)
    Algorithm confusion - RSA vs HMAC (a token signed with HS256 using the server's RSA *public* key as the HMAC secret verifies if the library lets the token choose the algorithm)
    Weak algorithms are allowed


  15. What you should do
    Only store session data on the server
    Ensure strong authentication protects user identities
    Lock down insecure algorithms and primitives
    Only use trusted third-party library implementations


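"Lock down insecure algorithms" for JWTs comes down to one rule: the server, not the token header, decides which algorithm is used. The added example below (my code, not the talk's and not any library's API) is a minimal HS256 verifier that pins the algorithm, so an `alg: none` token, an RSA-vs-HMAC confusion attempt and a tampered payload all fail before any signature logic is reached. The key, claims and helper names are constructed for the demo; in production use a maintained library and configure it the same way.

```php
<?php
// Added example (not the talk's code): an HS256 verifier that pins the algorithm server-side
// instead of trusting the token header. Key and claims are constructed for the demo.
function b64url_encode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function b64url_decode(string $text)
{
    $pad = strlen($text) % 4;
    if ($pad !== 0) {
        $text .= str_repeat('=', 4 - $pad);
    }
    return base64_decode(strtr($text, '-_', '+/'), true);   // false on malformed input
}

function sign_hs256(array $claims, string $key): string
{
    $header  = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url_encode(json_encode($claims));
    $sig     = b64url_encode(hash_hmac('sha256', "$header.$payload", $key, true));
    return "$header.$payload.$sig";
}

function verify_hs256(string $jwt, string $key, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode((string) b64url_decode($h), true);
    // The server decides the algorithm. Anything else, including "none" and an RS256 header
    // aimed at an HMAC check with the public key, is rejected before any crypto runs.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "$h.$p", $key, true);
    $given    = b64url_decode($s);
    if ($given === false || !hash_equals($expected, $given)) {   // constant-time comparison
        return null;
    }
    $claims = json_decode((string) b64url_decode($p), true);
    if (!is_array($claims) || !isset($claims['exp']) || $now >= $claims['exp']) {
        return null;   // expiry is mandatory here: a token without exp never dies
    }
    return $claims;
}

// Constructed demo
$key   = random_bytes(32);
$now   = time();
$token = sign_hs256(['sub' => 42, 'exp' => $now + 300], $key);
var_dump(verify_hs256($token, $key, $now)['sub']);   // int(42)

// Forgery attempts: "alg":"none" with an empty signature, a swapped payload, and an expired token.
$none = b64url_encode(json_encode(['alg' => 'none', 'typ' => 'JWT'])) . '.'
      . b64url_encode(json_encode(['sub' => 1, 'exp' => $now + 300])) . '.';
var_dump(verify_hs256($none, $key, $now));                                   // NULL
[$h, $p, $s] = explode('.', $token);
$tampered = "$h." . b64url_encode(json_encode(['sub' => 1, 'exp' => $now + 300])) . ".$s";
var_dump(verify_hs256($tampered, $key, $now));                               // NULL
var_dump(verify_hs256($token, $key, $now + 301));                            // NULL (expired)
```

Note that the payload is readable by anyone holding the token (first bullet of the previous slide): keep identifiers in it, not secrets.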
  16. ASR 3 - Sensitive Data
    Exposure


  17. Many web applications do not
    adequately protect sensitive
    data, such as credit cards, tax
    IDs, and authentication
    credentials.


  18. Photo borrowed from Schneier on Security:
    https://www.schneier.com/blog/archives/2005/02/the_weakest_lin.html


  19. Sensitive Data Retention
    What data do you retain?
    Why do you need this data in the first place?
    Who has access to the data?
    Where are backups stored?
    Who has access to the data via the backup system?


  20. Encoding is not
    encryption!


  21. function encodeString($str) {
        for ($i = 0; $i < 5; $i++) {
            $str = strrev(base64_encode($str));
        }
        return $str;
    }
    function decodeString($str) {
        for ($i = 0; $i < 5; $i++) {
            $str = base64_decode(strrev($str));
        }
        return $str;
    }
    // No key is involved: anyone who can read the output can run decodeString()
    // and recover the secret. This obscures the data; it does not protect it.
    encodeString('this is a secret');
    QVlRHZlbopUYxQWShRkTUR1aaVUWuB3UNdlR2NmRWplUuJkVUxGcPFGbGVkVqp0VUJjUZdVVaNVTtVUP


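For contrast, here is what actual encryption of the same string looks like, as an added example (my code, not the talk's) using libsodium, which ships with PHP since 7.2. The key and message are constructed; the point is that without the key there is nothing to "decode", and that a modified ciphertext is rejected rather than silently decoded into garbage.

```php
<?php
// Added example (not the talk's code): authenticated encryption with libsodium, next to the
// "encoding" on the slide. The key and the message are constructed for the demo.
function encrypt_secret(string $plaintext, string $key): string
{
    // A fresh random nonce per message; it is not secret and travels with the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);   // XSalsa20-Poly1305: secrecy and integrity
    return base64_encode($nonce . $box);   // base64 here is transport encoding, not the protection
}

function decrypt_secret(string $encoded, string $key): ?string
{
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);   // false if the key is wrong or a byte changed
    return $plain === false ? null : $plain;
}

// Constructed demo
$key = sodium_crypto_secretbox_keygen();   // 32 random bytes; keep it out of the code and the database
$ct  = encrypt_secret('this is a secret', $key);
var_dump(decrypt_secret($ct, $key));       // string(16) "this is a secret"

// Without the key there is nothing to "decode": decryption fails outright.
var_dump(decrypt_secret($ct, sodium_crypto_secretbox_keygen()));   // NULL

// Tampering is detected, unlike base64/strrev, where a flipped byte just yields different text.
$bytes = base64_decode($ct);
$last  = strlen($bytes) - 1;
$bytes[$last] = chr(ord($bytes[$last]) ^ 1);
var_dump(decrypt_secret(base64_encode($bytes), $key));             // NULL
```

The remaining problem is the one encryption cannot solve: where the key lives. If it sits next to the data it protects (in the same database, or hard-coded in the repository), the retention questions on slide 19 apply to the key as well.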
  22. ASR 4 - XML External
    Entities


  23. Untrusted XML input
    containing a reference to an
    external entity is processed by
    a weakly configured XML
    parser ...



  24. ]>

    Friend of &name;
    &name;
    &name; - 2019

    "php://filter/read=convert.base64-encode/resource=/var/www/config.ini">]>

    &info;

    View full-size slide

  25. What you should do
    // Refuse to load external entities while parsing untrusted input
    // (deprecated from PHP 8.0, where external loading is already off by default)
    $default = libxml_disable_entity_loader(true);
    $dom = new DOMDocument();
    // Never pass LIBXML_NOENT or LIBXML_DTDLOAD here: those flags re-enable expansion
    $dom->loadXML($xml);
    // Do things with XML
    // Restore the previous value
    libxml_disable_entity_loader($default);

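The slide's approach can be tightened further: untrusted API input has no legitimate reason to carry a DTD at all, so the safest parser rejects any document that has one, rather than hoping the entity loader setting is enough. The added example below (my code, not the talk's) wraps DOMDocument that way, keeps the slide's libxml_disable_entity_loader() call for PHP versions before 8.0, and runs the external-entity payload from slide 24 against it; the sample documents are constructed.

```php
<?php
// Added example (not the talk's code): parse untrusted XML with DOMDocument while refusing
// any DTD, so no entity (internal or external) can be declared, let alone expanded.
function parse_untrusted_xml(string $xml): ?DOMDocument
{
    // On PHP < 8.0 external entity loading must be switched off explicitly; 8.0 disables
    // it by default and deprecates this call, so only make it on older versions.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);   // collect parse errors instead of printing them
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network fetches. Never pass LIBXML_NOENT or LIBXML_DTDLOAD here:
        // those are the flags that turn entity references into file reads.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            return null;
        }
        if ($dom->doctype !== null) {
            return null;   // a DOCTYPE has no business in API input; reject it, don't "sanitize" it
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

// Constructed demo: a benign document and the external-entity payload from the slide.
$benign = '<profile><name>Eric</name></profile>';
$xxe = '<!DOCTYPE data [<!ENTITY info SYSTEM '
     . '"php://filter/read=convert.base64-encode/resource=/var/www/config.ini">]>'
     . '<data>&info;</data>';

var_dump(parse_untrusted_xml($benign)->getElementsByTagName('name')->item(0)->textContent);   // string(4) "Eric"
var_dump(parse_untrusted_xml($xxe));                                                             // NULL
```

The same rule applies to simplexml_load_string() and to anything that wraps libxml (SOAP clients, feed parsers): check what flags the wrapper passes through, because a library that sets LIBXML_NOENT "for convenience" reopens the hole.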
  26. ASR 5 - Broken Access
    Control


  27. Restrictions on what
    authenticated users are
    allowed to do are not properly
    enforced.


  28. $app->post( '/profile',
    function ($request, $response, $args) {
        // Authentication is checked...
        if (!isset($_SESSION['user_id']) ||
            !$this->users->get($_SESSION['user_id'])) {
            return $response->withRedirect('/?error=notloggedin');
        }
        // ...but the account being edited is whatever user_id the client sends, so any
        // logged-in user can overwrite any other user's profile (an insecure direct object reference)
        $userID = $request->getParam('user_id');
        $fname = $request->getParam('fname');
        $lname = $request->getParam('lname');
        $email = $request->getParam('email');
        // Retrieve the user's account from the database (via the app container)
        $user = $this->users->get(intval($userID));
        // FILTER_SANITIZE_STRING is deprecated since PHP 8.1; escape on output instead (see ASR 7)
        $user->profile->fname = filter_var($fname, FILTER_SANITIZE_STRING);
        $user->profile->lname = filter_var($lname, FILTER_SANITIZE_STRING);
        $user->profile->email = filter_var($email, FILTER_SANITIZE_EMAIL);
        $this->users->update($user);
        return $response;
    }
    );

  29. United Airlines experienced this vulnerability in their mobile app in 2015 -
    https://randywestergren.com/united-airlines-bug-bounty-an-experience-in-reporting-a-serious-vulnerability/
    (The fix is to take the account identifier from the server-side session, never from the request,
    and to check ownership or role before every read and write of another user's record.)

  30. ASR 6 - Security
    Misconfiguration


  31. Secure settings should be
    defined, implemented, and
    maintained, as defaults are
    often insecure.


  32. PHP Settings
    Disable error display (display_errors) and log errors instead (log_errors)
    Disable remote file access and includes (allow_url_fopen and allow_url_include)
    Set reasonable resource maximums (upload_max_filesize and memory_limit)
    Leverage the disable_functions directive to block dangerous functions:
    exec, passthru, shell_exec, system, proc_open, popen,
    parse_ini_file, show_source
    (eval is a language construct, not a function, so disable_functions cannot block it;
    create_function was deprecated in PHP 7.2 and removed in 8.0)

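Defaults drift, and a hardened php.ini on one host is no guarantee for the next. The added example below (my code, not the talk's) turns the checklist above into a function that audits a settings snapshot, whether taken live with ini_get() or constructed, and reports what is still open. The thresholds and finding texts are my choices.

```php
<?php
// Added example (not the talk's code): audit PHP settings against the checklist on the slide.
// Takes the settings as an array so the same check runs on a live ini_get() snapshot or on a
// constructed one; the thresholds are my choices, not values from the talk.
function ini_is_off($value): bool
{
    return in_array(strtolower(trim((string) $value)), ['', '0', 'off', 'false', 'no'], true);
}

function audit_php_settings(array $ini): array
{
    $findings = [];
    if (!ini_is_off($ini['display_errors'] ?? '')) {
        $findings[] = 'display_errors is on: stack traces, paths and queries leak to clients';
    }
    if (!ini_is_off($ini['allow_url_fopen'] ?? '')) {
        $findings[] = 'allow_url_fopen is on: fopen()/file_get_contents() will fetch attacker-chosen URLs';
    }
    if (!ini_is_off($ini['allow_url_include'] ?? '')) {
        $findings[] = 'allow_url_include is on: include() of a URL is remote code execution';
    }
    if (trim((string) ($ini['memory_limit'] ?? '')) === '-1') {
        $findings[] = 'memory_limit is unlimited: a single request can exhaust the host';
    }
    $disabled = array_map('trim', explode(',', (string) ($ini['disable_functions'] ?? '')));
    foreach (['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen', 'parse_ini_file', 'show_source'] as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is still callable; add it to disable_functions unless the application needs it";
        }
    }
    // eval is a language construct, so disable_functions cannot block it: grep the code base instead.
    return $findings;
}

function current_php_settings(): array
{
    $keys = ['display_errors', 'allow_url_fopen', 'allow_url_include', 'memory_limit',
             'upload_max_filesize', 'disable_functions'];
    $out = [];
    foreach ($keys as $k) {
        $out[$k] = ini_get($k);
    }
    return $out;
}

// Constructed demo: a typical development php.ini versus a hardened one.
$dev = ['display_errors' => 'On', 'allow_url_fopen' => '1', 'allow_url_include' => '0',
        'memory_limit' => '-1', 'disable_functions' => ''];
$hardened = ['display_errors' => 'Off', 'allow_url_fopen' => 'Off', 'allow_url_include' => 'Off',
             'memory_limit' => '128M',
             'disable_functions' => 'exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source'];
var_dump(count(audit_php_settings($dev)));        // int(11): two switches, memory_limit, eight functions
var_dump(count(audit_php_settings($hardened)));   // int(0)
print_r(audit_php_settings(current_php_settings()));   // whatever this interpreter is actually running with
```

Run the live check from the same SAPI the application uses (php-fpm, not the CLI), since each can load a different php.ini.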
  33. Webserver Settings (Nginx / Apache / etc)
    Disable server tokens and signature disclosure (server_tokens off / ServerTokens Prod)
    Configure a static server name (don’t trust potentially malicious Host headers)
    Disable directory listings (autoindex off / Options -Indexes)
    ALWAYS configure TLS with a valid certificate and current protocol and cipher settings
    Return proper error codes

  34. Database (MySQL) Settings
    Set an appropriate bind-address
    Ensure users are configured from the correct host, not a % wildcard
    Limit user permissions on the database to just what the application needs


  35. ASR 7 - Cross-Site
    Scripting (XSS)


  36. An application takes
    untrusted data and sends it to
    a web browser without
    proper validation or escaping.



  37. (Search-results template; the PHP and HTML tags did not survive extraction. The
    recoverable fragments are a heading 'Search results for: "<query>"', a loop echoing
    each result's ->title, and a 'No results for <query>' fallback, all output without
    escaping. The rendered page below shows the query landing in the HTML verbatim.)
    Search results for:
    No results for ''



  38. (The same template with the echoed values escaped before output; the rendered page
    now shows the query as quoted text instead of interpreting it as markup.)
    Search results for: ""
    No results for ''

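Because the template markup was lost above, here is the escaped version spelled out as an added example (my code, not the slide's): one small helper applies htmlspecialchars() with the flags that matter, and the template calls it for every dynamic value, including inside attribute values. The query, results and the e() helper are my constructions.

```php
<?php
// Added example (not the talk's code): the search-results template with output escaping.
// $query and $results are constructed inputs; e() is a helper I'm adding, not a PHP built-in.
function e(string $value): string
{
    // ENT_QUOTES escapes both quote styles (so the value is safe inside attributes too);
    // ENT_SUBSTITUTE keeps invalid UTF-8 from silently turning the output into an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search(string $query, array $results): string
{
    ob_start();
    ?>
<h1>Search results for: "<?= e($query) ?>"</h1>
<?php if ($results === []): ?>
<p>No results for '<?= e($query) ?>'</p>
<?php else: ?>
<ul>
<?php foreach ($results as $result): ?>
  <li><a href="/items/<?= e((string) $result['id']) ?>" title="<?= e($result['title']) ?>"><?= e($result['title']) ?></a></li>
<?php endforeach; ?>
</ul>
<?php endif; ?>
    <?php
    return ob_get_clean();
}

// Constructed demo: the classic reflected payload, and a result title that attacks an attribute.
$html = render_search('<script>alert(document.cookie)</script>', []);
var_dump(strpos($html, '<script>') === false);          // bool(true): rendered as &lt;script&gt;

$html = render_search('php', [['id' => 7, 'title' => '" onmouseover="alert(1)']]);
var_dump(strpos($html, 'onmouseover="') === false);     // bool(true): the quotes became &quot;
```

htmlspecialchars() is the right tool for HTML text and quoted attribute values only. A value that lands inside a `<script>` block, a URL (where `javascript:` is the problem, not quotes) or a CSS declaration needs the encoder for that context; a template engine with context-aware auto-escaping (Twig, Latte) takes this decision out of each developer's hands.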
  39. ASR 8 - Insecure
    Deserialization


  40. Languages’ native
    deserialization mechanisms
    can be repurposed for
    malicious effect when
    operating on untrusted data.


  41. class CartCache {
        public $cache_file;
        public $data = [];
        public $cleanup = true;   // referenced in __destruct but not declared on the slide
        // ...
        /**
         * Automatically purge the cache file from disk to clean up
         */
        public function __destruct() {
            // cache_file is attacker-controlled once the object comes out of unserialize()
            $file = "/var/www/cache/tmp/carts/{$this->cache_file}";
            if ($this->cleanup && file_exists($file)) {
                @unlink($file);
            }
        }
    }
    // The serialized string names the class and sets its properties; __destruct runs when
    // the object goes out of scope and deletes /var/www/index.php via the "../" path
    $data = unserialize($_GET['data']);
    https://yoursite.com/endpoint.php?data=O:9:"CartCache":2:{s:10:"cache_file";s:18:"../../../index.php";s:4:"data";a:0:{}}

  42. Do not pass untrusted user
    input to unserialize()
    regardless of the options
    value of allowed_classes.


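The practical replacement is a data format that cannot name classes at all, plus explicit validation of each field before an object is built from it. The added example below (my code, not the talk's) rebuilds the slide's CartCache from JSON that way; the file-name pattern and the quantity limits are my assumptions, and the sample inputs are constructed.

```php
<?php
// Added example (not the talk's code): replace unserialize() on request data with JSON plus
// explicit validation. CartCache mirrors the slide's class; the field rules are my assumptions.
final class CartCache
{
    public $cache_file;
    public $data = [];

    private function __construct() {}

    public static function fromJson(string $json): ?self
    {
        $in = json_decode($json, true, 8);   // arrays only: no class names in the input, no magic methods fire
        if (!is_array($in)) {
            return null;
        }
        $file = $in['cache_file'] ?? null;
        // Whitelist the file name: a fixed shape that cannot contain "/", ".." or NUL.
        if (!is_string($file) || !preg_match('/\A[a-f0-9]{32}\.cache\z/', $file)) {
            return null;
        }
        $data = $in['data'] ?? [];
        if (!is_array($data)) {
            return null;
        }
        foreach ($data as $sku => $qty) {
            // JSON object keys that look numeric become PHP ints, hence the cast before matching
            if (!preg_match('/\A[A-Z0-9-]{1,32}\z/', (string) $sku) || !is_int($qty) || $qty < 1 || $qty > 999) {
                return null;
            }
        }
        $cart = new self();
        $cart->cache_file = $file;
        $cart->data = $data;
        return $cart;
    }

    public function __destruct()
    {
        // Only ever sees a name that passed the pattern above, and nothing can instantiate
        // this class with arbitrary properties because nothing unserializes it.
        $file = '/var/www/cache/tmp/carts/' . $this->cache_file;
        if ($this->cache_file !== null && file_exists($file)) {
            @unlink($file);
        }
    }
}

// Constructed demo
var_dump(CartCache::fromJson('{"cache_file":"0123456789abcdef0123456789abcdef.cache","data":{"SKU-1":2}}') !== null);   // bool(true)
var_dump(CartCache::fromJson('{"cache_file":"../../../index.php","data":{}}'));   // NULL: name rejected
var_dump(CartCache::fromJson('O:9:"CartCache":2:{s:10:"cache_file";s:18:"../../../index.php";s:4:"data";a:0:{}}'));   // NULL: not JSON
```

If serialized PHP must cross a trust boundary (a cache or queue the application writes and later reads back), authenticate the blob with an HMAC under a server-side key and verify it with hash_equals() before calling unserialize(); that turns the question from "is this input safe?" into "did we write this?".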
  43. ASR 9 - Using
    Components with
    Known Vulnerabilities


  44. Applications using
    components with known
    vulnerabilities may undermine
    application defenses and
    enable a range of possible
    attacks and impacts.


  45. Audit Application Dependencies
    Monitor Composer-installed dependencies for outdated or vulnerable libraries
    Leverage unattended-upgrades to keep system packages up-to-date
    Audit the packages installed on your server - don’t install things you don’t need


  46. Custom error messages can help demonstrate when a security hole has been plugged. Or
    annoy those who were exploiting it in the first place...


  47. Audit Application Dependencies
    Monitor Composer-installed dependencies for outdated or vulnerable libraries
    (composer outdated; composer audit on Composer 2.4 and later; or the roave/security-advisories meta-package, which makes composer refuse to install known-vulnerable versions)
    Leverage unattended-upgrades to keep system packages up-to-date
    Audit the packages installed on your server - don’t install things you don’t need
    Only run current, supported versions of PHP!!!

  48. ASR 10 - Insufficient
    Logging & Monitoring


  49. Attackers rely on the lack of
    monitoring and timely
    response to achieve their
    goals without being detected.


  50. It’s Important to Track:
    What happened
    When it happened
    Where it happened (in terms of code and the IP of the server)
    To whom it happened
    What input triggered the event


  51. Event Classes
    Input Validation Errors
    Output Validation Errors
    Authentication Events
    Authorization (Access Control) Failures
    Application Errors
    Application Startup/Shutdown
    High-risk Operations


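Putting the two slides above together, the added example below (my code, not the talk's) emits one structured security event per line with the five fields listed: what, when, where (code location and server address), whom, and the triggering input, truncated so an oversized request cannot fill the log. The event names, the stub login check and the sample inputs are constructed.

```php
<?php
// Added example (not the talk's code): one structured security event per line, carrying the
// five fields from the slide. Event names, the stub login and the sample inputs are constructed.
function security_event(string $what, ?string $whom, string $input, array $extra = [], ?int $when = null): string
{
    // Cap attacker-controlled input so one request cannot fill the log or the SIEM index.
    if (strlen($input) > 256) {
        $input = substr($input, 0, 256) . '...[truncated]';
    }
    $bt = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 2);   // [0] = this call site, [1] = the calling function
    $event = [
        'what'   => $what,
        'when'   => gmdate('c', $when ?? time()),
        'where'  => [
            'code'   => ($bt[1]['function'] ?? 'main') . '() line ' . ($bt[0]['line'] ?? 0),
            'server' => $_SERVER['SERVER_ADDR'] ?? gethostname(),
        ],
        'whom'   => $whom,
        'client' => $_SERVER['REMOTE_ADDR'] ?? null,
        'input'  => $input,
    ] + $extra;
    // json_encode() escapes control characters, so a newline inside $input cannot forge a second
    // record; INVALID_UTF8_SUBSTITUTE keeps a garbage byte from turning the whole line into false.
    return json_encode($event, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
}

function log_security_event(string $line, string $file = 'php://stderr'): void
{
    file_put_contents($file, $line . PHP_EOL, FILE_APPEND | LOCK_EX);
}

// Constructed demo: a failed login carrying a log-injection payload, then an authorization failure.
function handle_login(string $email, string $password): bool
{
    $ok = false;   // stand-in for the real credential check
    if (!$ok) {
        log_security_event(security_event('auth.login.failed', $email, $email));
    }
    return $ok;
}
handle_login("eric@example.com\n{\"what\":\"auth.login.ok\"}", 'wrong');
log_security_event(security_event('authz.denied', 'user:42', 'user_id=7', ['route' => '/profile', 'target' => 7]));
```

The second event is the one the ASR 5 example on slide 28 should produce when a user submits someone else's user_id: a single denied request is noise, but the same account probing many target ids in a minute is exactly the pattern monitoring is there to catch. Never log the password itself, even on failure; a mistyped password is usually the real one with one character wrong.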
  52. Want to know more?
    Security Principles for PHP Applications
    Available online and in print through php[architect]


  53. Thank you
    [email protected] | 503.925.6266
