Web application security

Transcript

1. Web Application Security PHP REBOOT Kapil Sharma PHP REBOOT 1

2. Introduction Kapil Sharma Technical Architect, Eastern Enterprise (DBA Ansh Systems)

   Working in Web Application development since last 10 years Twitter: @KapilSharmaInfo Personal Website: www.kapilsharma.info Blog: blog.kapilsharma.info Kapil Sharma PHP REBOOT 2

3. Web Application Important factors for Web Application Performance Maintainability Scalability

   Reliability Security (Probably most important, still most ignored by developers) Kapil Sharma PHP REBOOT 3

4. Why me? My web application is small. I have few

   users. There is no money transaction on my app. I do not store any confidential information of users. Then why the hell someone hack my site. Kapil Sharma PHP REBOOT 4

5. Kapil Sharma PHP REBOOT 5

6. Web Application Security Web Application security is not language specific

   but a common topic for all programming language. This session, in general, is applicable to any web application programming language, but our examples are in PHP. Kapil Sharma PHP REBOOT 6

7. PHP Features To make development easier, PHP provide many features.

   One of the feature that attracted more attention, from security point of view, is ‘register_globals’ Kapil Sharma PHP REBOOT 7

8. register_globals: What is it? Supposed to make PHP application development

   easy. By default, it is ‘off’ since PHP 4.2 (We will shortly see why?) It convert all incoming data into global variables. For example http://www.example.com/page.php?abc=xyz If register_globals is ‘on’, PHP will create following variable $abc = “xyz”; Kapil Sharma PHP REBOOT 8

9. Register globals: Disadvantages Having all incoming data converted into variables.

   It might make development easy but it is not free. Biggest disadvantage, we never know from where variable data is coming. In previous example, we can say if data came from GET/POST, cookie, or HTML Form etc. Kapil Sharma PHP REBOOT 9 Cont..

10. Register globals: Disadvantages Along with that, for ignorant programmers, it

    is a security threat (We will see it shortly) It is not recommended to use ‘register_globals’ and it was turned-off by default in php.ini since PHP version 4.2 As replacement, use another more specific global variables like $_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV, $_REQUEST Kapil Sharma PHP REBOOT 10

11. Register globals: security issue ‘register_globals’ was a feature enhancement in

    PHP, aimed to make PHP easier for programmers. It is not a security threat in itself. A programmer must make a mistake before it become security threat. Lets check with an example. Kapil Sharma PHP REBOOT 11

12. Register globals: security issue Is there any problem in this

    code? If (isAdminUser()) { $admin = true; } if ($admin) { //load admin panel. } Kapil Sharma PHP REBOOT 12 $admin = true; $admin = false; NEVER TAKE A DECISION BASED ON A VARIABLE WHICH MIGHT NOT BE INITIALIZED. http://www.example.com/admin.php?admin=1 Register globals will generate following variable for this code $admin = 1; Which, after PHP’s internal type casting, will be: $admin = true;

13. OWAPS Open Web Application Security Project. OWASP is a worldwide

    not-for-profit charitable organization focused on improving the security of software. Kapil Sharma PHP REBOOT 13

14. OWAPS: Recommendation U.S. Federal Trade Commission strongly recommends that all

    companies use the OWASP Top Ten and ensure that their partners do the same. U.S. Defense Information Systems Agency lists OWASP Top Ten as part of the Defense Information Technology Security Certification and Accreditation (C & A) Process (DITSCAP) The Payment Card Industry (PCI) standards has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. Kapil Sharma PHP REBOOT 14

15. OWASP Top Ten The OWASP Top Ten is a powerful

    awareness document for web application security. It is list of the ten Most Critical Web Application Security Risks And for each Risk it provides: A description Example vulnerabilities Example attacks Guidance on how to avoid References to OWASP and other related resources Kapil Sharma PHP REBOOT 15

16. OWASP Top 10 (in 2013) A1 Injection A2 Broken Authentication

    and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Unvalidated Redirects and Forwards Kapil Sharma PHP REBOOT 16

17. A1: Injection SQL Injection is one of most common injection

    but there are more injection possible. Kapil Sharma PHP REBOOT 17 LDAP Injection NoSQL Injection File Injection (OS) Command Injection

18. SQL Injection In data driven web application, it is common

    to allow user to set filter on data. Such application use dynamic SQL queries, driven by user input. SQL Injection need two mistakes from developer: A failure to filter data (Filter Input) and Failure to escape data Kapil Sharma PHP REBOOT 18

19. SQL Injection example (Basic) $sql = "SELECT * FROM Users

    WHERE user_id = " . $userID; userId = 10 OR 1=1 SELECT * FROM Users WHERE user_id = 10 OR 1=1 Kapil Sharma PHP REBOOT 19

20. SQL Injection example <?PHP $password_hash = md5($_POST['password']); $sql = "SELECT

    count(*) FROM users WHERE username = '{$_POST['username']}' AND password = '$password_hash' "; Kapil Sharma PHP REBOOT 20

21. SQL Injection example <?PHP $password_hash = md5($_POST['password']); $sql = "SELECT

    count(*) FROM users WHERE username = '{$_POST['username']}' AND password = '$password_hash' "; mysql_query($sql) or exit(mysql_error) Username = ' SELECT count(*) FROM users WHERE username = ''' AND password = '<md5 hash>' Kapil Sharma PHP REBOOT 21

22. SQL Injection example You have an error in your SQL

    syntax. Check the manual that corresponds to your MySQL version for the right syntax to use near 'WHERE username = ''' AND password = 'a0b339d7c… Kapil Sharma PHP REBOOT 22

23. SQL Injection example <?PHP $password_hash = md5($_POST['password']); $sql = "SELECT

    count(*) FROM users WHERE username = '{$_POST['username']}' AND password = '$password_hash' "; mysql_query($sql) or exit(mysql_error) Username = kapil' or 'a' = 'a' -- Kapil Sharma PHP REBOOT 23

24. SQL Injection protection Filter data Escape data mysqli_real_escape_string Prepared statements

    (prefer PDO) ORM Doctrine Propel Eloquent Kapil Sharma PHP REBOOT 24

25. A2: Broken Authentication and Session Management What is Authentication? Session?

    Cookie? Kapil Sharma PHP REBOOT 25

26. A2: Broken Authentication and Session Management You are vulnerable to

    Broken Authentication and Session Management if: Password not hashed/encrypted in database. No wrong password limit (Brute Force attack) Session id exposed in URL No session timeout. Session id vulnerable to session fixation. Kapil Sharma PHP REBOOT 26

27. Session Hijecking http://website.kom/ <script>document.c ookie=”sessionid=ab cd”;</script> http://website.kon/ <meta http- equiv=Set-Cookie

    content=”sessionid= abcd”> Kapil Sharma PHP REBOOT 27

28. Securing Session with PHP http://php.net/manual/en/session.security.php Kapil Sharma PHP REBOOT 28

29. Securing Session with PHP static protected function preventHijacking() { if(!isset($_SESSION['IpAddress'])

    || !isset($_SESSION['userAgent'])) return false; if ($_SESSION['IPaddress'] != $_SERVER['REMOTE_ADDR']) return false; if( $_SESSION['userAgent'] != $_SERVER['HTTP_USER_AGENT']) return false; return true; } Kapil Sharma PHP REBOOT 29

30. Authentication Use proven and opensource component/bundle/module/library Zend Framework: Zend_Auth &

    Zend_Acl Synfony: Security Component Laravel: Illuminate\Auth (Security) Aura: Aura.Auth Cake PHP: AuthComponent Code Igniter: TankAuth (3rd party) Kapil Sharma PHP REBOOT 30

31. A3: Cross Site Scripting (XSS) Kapil Sharma PHP REBOOT 31

32. XSS Types Persistent Non-Persistent Kapil Sharma PHP REBOOT 32

33. Non-Persistent XSS attack example $name = $_GET['name']; echo "Welcome $name<br>";

    echo "<a href="http://mysite.com/">Click to Download</a>"; Kapil Sharma PHP REBOOT 33

34. Non-Persistent XSS attack example $name = $_GET['name']; echo "Welcome $name<br>";

    echo "<a href="http://mysite.com/">Click to Download</a>"; index.php?name=<script>windo w.onload = function() {var link=document.getElementsByT agName("a");link[0].href="http: //attacker.com/";}</script> Kapil Sharma PHP REBOOT 34 Escape output

35. Cross Site Request Forgery (CSRF) In XSS, hacker trick user

    playing is real server. In CSRF, hacker trick server playing as real end user. Kapil Sharma PHP REBOOT 35

36. Cross Site Request Forgery (CSRF) Example User login to his

    back at www.mybank.com. User login to another site at www.hacker.com. Code <h1>Hi innocent user</h1> Check image below <img src="www.mybank.com/transfer?to=hacker&amount=1000 0&remark=hacked"> Kapil Sharma PHP REBOOT 36

37. Preventing CSRF Always use post for forms. Always check referrer.

    Synchronize Token Secret and unique token <input type="hidden" name="csrftoken" value=“Random unique value"> Validate that token at server side. Kapil Sharma PHP REBOOT 37

38. Security best practices If we remember few best practices, we

    could be safe against most of the security threats. Lets go through these best practices. Kapil Sharma PHP REBOOT 38

39. Error reporting Property Development Production error_reporting E_ALL | E_STRICT E_ALL

    | E_STRICT display_errors On Off log_errors Off/On On error_log Error log path Error log path Kapil Sharma PHP REBOOT 39

40. KISS (Keep It Simple, Stupid) Flashy, hard to read code

    = Mistake Mistake = Security vulnerability The KISS principle states that most systems work best if they are kept simple rather than made complicated. (source: wikipedia) Keep It Short and Simple. Keep It Simple and Straightforward. Kapil Sharma PHP REBOOT 40

41. DRY (Don’t Repeat Yourself) Major refactoring principle: Don’t Repeat Yourself.

    Kapil Sharma PHP REBOOT 41

42. Defense in depth Well known principle among security professionals. Always

    have a backup plan. Kapil Sharma PHP REBOOT 42

43. Least Privileges Identify what privileges a user will need to

    perform his task. Never give more then needed privileges. Kapil Sharma PHP REBOOT 43

44. Minimal Data Exposure Data exposure to remotes must be minimal.

    Remote = Browser, Database, Web Services. Getting CC info -> SSL Display again for verification -> SSL, Strip1234-XXXX-XXXX-4321 Always know and keep track of sensitive data. Kapil Sharma PHP REBOOT 44

45. Track Data Keep track of Data: What the data is?

    Where the Data is? From where the Data is coming? Where the Data is going? Kapil Sharma PHP REBOOT 45

46. Filter Input Save CSRF, Injection, Session Hijacking etc. Consider data

    from Session and database as input. Never correct invalid data. Consider data is invalid until you proved it is valid. Kapil Sharma PHP REBOOT 46

47. Filter Input (Core PHP) filter_input($type, $variable_name[,$filter[,$options]]) ZF: Zend_Filter_Input, Zend_Filter Symfony:

    Allow YAML, Annotation, XML and PHP filters. Kapil Sharma PHP REBOOT 47

48. Escape Output Identify output, is it entered by user? Escape

    if yes. Escape it Htmlentities Zend Framework. Zend_View’s escape $this->escape($userInput) Symfony/twig escape all the data by default. Laravel 4/blade {{{ raw }}}, {{escaped}} Yii CHtml::encode(strip_tags()) Kapil Sharma PHP REBOOT 48

49. Conclusion: Never forget about Proper error reporting Proper php.ini settings

    KISS DRY Defense in Depth Least priviledges Minimal Data Exposure Track Data Filter Input Escape Output Kapil Sharma PHP REBOOT 49

50. Kapil Sharma PHP REBOOT 50