Slide 1

A (PHP) Security State of Mind
Chris Cornutt
True North PHP - Toronto, Nov. 2012
Saturday, November 3, 2012

Slide 2

“The mantra of any good security engineer is: ‘Security is not a product, but a process.’ It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together.”
Bruce Schneier, Cryptographer, Security Specialist and author of “Applied Cryptography” and “Secrets & Lies”

Slide 3

You can’t afford not to

Slide 4

first, the easy stuff

Slide 5

Repeat after me...
- Filter Input
- Escape Output
...and no, it’s not that easy

Slide 6

Filtering Input

Slide 7

When filtering...
- One of the most difficult parts of an app
- PHP’s nature doesn’t help
- Type hinting can be useful
- Code defensively
- Fail fast, fail hard

Slide 8

Think about...
- There’s no “universal filtering”
- Be wary of Do-It-Alls
- Good design is by contract, be deliberate
- Whitelist, not blacklist
- Watch for multiple contexts (ex. in output & SQL)

Slide 9

Protect Yourself
- Know the “holes” in what you use
- Don’t trust it if you don’t know it
- Filter with impunity, don’t alter
- ===, don’t ==
- All user data is tainted, especially superglobals

Slide 10

For example... $_SERVER
- PHP_SELF: current script filename
- HTTP_HOST: sent in the “Host” header
- HTTP_USER_AGENT: any value from the client
- HTTP_ACCEPT: “Accept” header
- HTTP_REFERER: “Referer” header

Slide 11

Validation + Filter == checking on...
- Data type
- Whitelisted characters
- Formatting (phone #, email, etc)
- Range (character or number)
- Required data
- Complex logic
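Slides 7 through 11 list the rules without code. The following PHP is an added example, not code from the talk, that applies them to one constructed signup form: required fields, data type, whitelisted characters, formatting, range, strict `===` comparison, and fail-fast rejection rather than silently altering the value. The field names, length limits and phone format are assumptions chosen for illustration.

```php
<?php
// Added example (not from the talk): the slides' filtering rules applied to a
// constructed signup form. Field names, limits and formats are assumptions.
declare(strict_types=1);

/**
 * Validate raw request data (e.g. $_POST) and return a clean copy.
 * Throws InvalidArgumentException on the first failure ("fail fast, fail hard").
 * Nothing is stripped or rewritten: a bad value is rejected, not altered.
 */
function validateSignup(array $input): array
{
    $clean = [];

    // Required data: each key must exist and be a string. Superglobals can carry
    // arrays (?age[]=1), which would make later string functions misbehave.
    foreach (['username', 'email', 'age', 'phone'] as $field) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            throw new InvalidArgumentException("Missing or non-string field: $field");
        }
    }

    // Whitelisted characters: letters, digits and underscore only, 3 to 20 of them.
    // \A and \z anchor the whole string; $ alone would allow a trailing newline.
    if (preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $input['username']) !== 1) {
        throw new InvalidArgumentException('Invalid username');
    }
    $clean['username'] = $input['username'];

    // Formatting: email via filter_var. Compare with === because filter_var
    // returns false on failure and loose == would treat "" and "0" as false too.
    $email = filter_var($input['email'], FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('Invalid email');
    }
    $clean['email'] = $email;

    // Data type + range: an integer between 13 and 120 inclusive. The result is
    // a real int, so downstream code gets the type it declares.
    $age = filter_var($input['age'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 13, 'max_range' => 120],
    ]);
    if ($age === false) {
        throw new InvalidArgumentException('Invalid age');
    }
    $clean['age'] = $age;

    // Formatting: a fixed NNN-NNN-NNNN phone pattern (assumed format).
    if (preg_match('/\A\d{3}-\d{3}-\d{4}\z/', $input['phone']) !== 1) {
        throw new InvalidArgumentException('Invalid phone');
    }
    $clean['phone'] = $input['phone'];

    return $clean;
}

// Constructed sample requests standing in for $_POST.
$samples = [
    ['username' => 'chris_c',      'email' => 'chris@example.com', 'age' => '34', 'phone' => '416-555-0100'],
    ['username' => 'chris<script>', 'email' => 'chris@example.com', 'age' => '34', 'phone' => '416-555-0100'],
    ['username' => 'chris_c',      'email' => 'not-an-email',      'age' => '34', 'phone' => '416-555-0100'],
    ['username' => 'chris_c',      'email' => 'chris@example.com', 'age' => '7',  'phone' => '416-555-0100'],
    ['username' => 'chris_c',      'email' => 'chris@example.com', 'age' => ['1'], 'phone' => '416-555-0100'],
];

foreach ($samples as $i => $sample) {
    try {
        echo "sample $i: OK ", json_encode(validateSignup($sample)), "\n";
    } catch (InvalidArgumentException $e) {
        echo "sample $i: rejected (", $e->getMessage(), ")\n";
    }
}
```

Only the first sample passes; the others fail on characters, format, range and type respectively. The validator deliberately has one job per field and returns a new array, so the raw superglobal is never treated as clean anywhere else in the request.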

Slide 12


Slide 13

ESCAPING OUTPUT

Slide 14

When escaping...
- “Encoding” vs “Escaping”
- Internal functions: htmlspecialchars (encoding!), htmlentities (encoding!), filter_var
- Most popular prevention for XSS
- Beware the Passive XSS

Slide 15

Framework Specific
- Zend\Escaper
- Symfony sfOutputEscaper
- Frameworks with default escaping in views
- Twig’s autoescaping

Slide 16

What to escape
- Anything from the user (duh)
- Anything from an external data source: files, logs, database
- Session information

Slide 17

Contexts
- General output (usually text)
- HTML attributes
- Javascript code
- URL parameters
- SQL statements
- Inside XML or JSON
- Headers
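Slides 14 and 17 name the functions and the contexts; this added example (not code from the talk) takes one constructed value containing characters that matter in every context and shows the escaping appropriate to each: `htmlspecialchars` for HTML text and attributes, `json_encode` with the `JSON_HEX_*` flags for an inline JavaScript literal, `rawurlencode` for a URL parameter, and a prepared statement instead of any escaping for SQL. The SQL part assumes the `pdo_sqlite` extension so it can run offline.

```php
<?php
// Added example (not from the talk): the same constructed value escaped for
// each output context on the slide. One helper per context keeps the context
// explicit at the call site.
declare(strict_types=1);

// Constructed sample: a plausible name that also carries HTML, both quote
// characters, an ampersand and a closing script tag.
$name = "O'Brien <b>\"x\"</b> & </script>";

/** HTML body text and quoted HTML attribute values. */
function escHtml(string $s): string
{
    // ENT_QUOTES also encodes the single quote, so the result is safe inside
    // attributes quoted with ' as well as "; always name the charset.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** A JavaScript string literal inside an inline <script> block. */
function escJs(string $s): string
{
    // json_encode yields a quoted, backslash-escaped literal. The HEX flags turn
    // < > & ' " into \uXXXX, so a "</script>" in the data cannot end the block.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** A single query-string parameter value in a URL. */
function escUrlParam(string $s): string
{
    // rawurlencode percent-encodes everything outside the unreserved set,
    // including the & and = that would otherwise split the query string.
    return rawurlencode($s);
}

/** SQL: no escaping at all, the value is bound by a prepared statement. */
function findUser(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demo: the raw value in each context ---
echo "HTML body:  <p>" . escHtml($name) . "</p>\n";
echo "HTML attr:  <input value=\"" . escHtml($name) . "\">\n";
echo "JS literal: <script>var name = " . escJs($name) . ";</script>\n";
echo "URL param:  /search?q=" . escUrlParam($name) . "\n";
// JSON response body: json_encode is the escaping; also send
// Content-Type: application/json so the browser does not sniff it as HTML.
echo "JSON body:  " . json_encode(['name' => $name], JSON_THROW_ON_ERROR) . "\n";

// SQL demo on an in-memory SQLite database (assumes pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users (name) VALUES (?)')->execute([$name]);
echo "SQL lookup: " . count(findUser($pdo, $name)) . " row(s) found for the raw value\n";
```

The "multiple contexts" warning from slide 8 applies when contexts nest: a value placed in a JavaScript literal that itself sits inside an HTML attribute (an `onclick`, for example) needs `escJs` first and then `escHtml` on the result, because the HTML parser decodes the attribute before the JavaScript parser ever sees it.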

Slide 18

FRONTEND THINKING

Slide 19

Javascript
- Don’t trust it. Period.
- Same-Origin vs Access-Control-Allow-Origin
- XSS can allow for JS injection
- Global nature, overrides are easy

Slide 20

Javascript
- Sandboxing in recent browsers
- Content Security Policy

Slide 21

X-Content-Security-Policy: default-src 'none'; script-src 'self' js.mysite.com; style-src 'self' css.mysite.com; img-src 'self' images.mysite.com
X-Content-Security-Policy-Report-Only: script-src 'self'; report-uri /evaluationviolation.php
http://websec.io/2012/10/02/Intro-to-Content-Security-Policy.html
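The slide shows the two header values but not how to send them or what arrives at the report endpoint. The following is an added example, not code from the talk or from websec.io: a helper that emits the slide's enforced and report-only policies, and a small receiver for `/evaluationviolation.php` that parses the JSON violation report browsers POST there. The host names are the slide's; the log file path and the sample report are constructed. `Content-Security-Policy` is the standardised header name; `X-Content-Security-Policy` on the slide was the experimental Firefox name in 2012, so the helper sends both.

```php
<?php
// Added example (not from the talk): send the slide's CSP headers and handle
// the report-uri endpoint. Host names are from the slide; the log path and the
// sample report below are constructed.
declare(strict_types=1);

const CSP_ENFORCE = "default-src 'none'; script-src 'self' js.mysite.com; "
    . "style-src 'self' css.mysite.com; img-src 'self' images.mysite.com";

const CSP_REPORT_ONLY = "script-src 'self'; report-uri /evaluationviolation.php";

/** Send one enforced policy and one policy that only reports. */
function sendCspHeaders(): void
{
    // Standard name first; the X- prefixed form is the 2012 Firefox name and is
    // only kept here for browsers of that era.
    header('Content-Security-Policy: ' . CSP_ENFORCE);
    header('X-Content-Security-Policy: ' . CSP_ENFORCE);
    header('Content-Security-Policy-Report-Only: ' . CSP_REPORT_ONLY);
    header('X-Content-Security-Policy-Report-Only: ' . CSP_REPORT_ONLY);
}

/**
 * Parse one violation report POSTed by the browser. Returns the fields worth
 * logging, or null when the body is not a CSP report.
 */
function parseCspReport(string $body): ?array
{
    $decoded = json_decode($body, true);
    if (!is_array($decoded) || !isset($decoded['csp-report']) || !is_array($decoded['csp-report'])) {
        return null;
    }
    $r = $decoded['csp-report'];

    // The report is itself client-supplied input: keep only known keys and cap
    // their length before anything reaches a log file or database.
    $pick = static function (string $key) use ($r): string {
        $v = $r[$key] ?? '';
        return is_string($v) ? substr($v, 0, 1024) : '';
    };

    return [
        'document-uri'       => $pick('document-uri'),
        'violated-directive' => $pick('violated-directive'),
        'blocked-uri'        => $pick('blocked-uri'),
    ];
}

/** Entry point for /evaluationviolation.php: read the POST body, log, reply 204. */
function handleReportRequest(string $logFile): void
{
    $report = parseCspReport((string) file_get_contents('php://input'));
    http_response_code(204);
    if ($report !== null) {
        file_put_contents($logFile, json_encode($report) . "\n", FILE_APPEND | LOCK_EX);
    }
}

// Offline demo with a constructed report in the shape browsers send.
$sample = '{"csp-report":{"document-uri":"https://mysite.com/page","referrer":"",'
    . '"violated-directive":"script-src \'self\'","effective-directive":"script-src",'
    . '"original-policy":"script-src \'self\'; report-uri /evaluationviolation.php",'
    . '"blocked-uri":"https://cdn.example.net/widget.js","status-code":200}}';
var_dump(parseCspReport($sample));
var_dump(parseCspReport('not json'));   // NULL
```

Running a report-only policy beside the enforced one, as the slide does, is the usual way to tighten a directive: `script-src 'self'` here is stricter than the enforced policy (it drops js.mysite.com), and the log shows what would break before the stricter value is promoted to the enforced header. The report endpoint should stay unauthenticated and rate-limited, since browsers post to it without credentials.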

Slide 22

Javascript
- Sandboxing in recent browsers
- Content Security Policy
- Beware of remote scripts
- Cross-Domain Resource Sharing vs Same-Origin
- Specific attacks like: JSON hijacking, Clickjacking, DOM injection, WebSockets

Slide 23

HTML5
- WebSQL injections
- OWASP HTML5 Security Cheat Sheet
- Prevention with headers: X-Frame-Options (non-IE), X-XSS-Protection (reflected), Strict-Transport-Security, Content-Security-Policy, Origin
- Recent abuse of Fullscreen API

Slide 24

HTML5
- Frame busting
- Input validation (like URLs for Ajax)
- Check origin
- Iframe sandboxing
- html5sec.org
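Slides 23 and 24 list the prevention headers and the checks as bullet points. This added example (not code from the talk) puts them into server-side PHP: a function that sends the headers named on slide 23, an Origin/Referer check for state-changing Ajax requests, and a URL validator that embeds an externally supplied URL only inside a sandboxed iframe. The `frame-ancestors` CSP directive is not on the slides; it is included as the current replacement for `X-Frame-Options`. The origin whitelist and sample request data are constructed.

```php
<?php
// Added example (not from the talk): the prevention headers from slide 23 and
// the "check origin" / "input validation" / "iframe sandboxing" items from
// slide 24. Header values, hosts and request data are assumptions.
declare(strict_types=1);

/** The headers from the slide, each with a common hardening value. */
function securityHeaders(): array
{
    return [
        'X-Frame-Options'           => 'DENY',                  // clickjacking: never framed
        'X-XSS-Protection'          => '1; mode=block',         // legacy reflected-XSS filter
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains', // HSTS; only honoured over HTTPS
        'Content-Security-Policy'   => "frame-ancestors 'none'", // modern X-Frame-Options (not on the slide)
    ];
}

function sendSecurityHeaders(): void
{
    foreach (securityHeaders() as $name => $value) {
        header($name . ': ' . $value);
    }
}

/**
 * "Check origin": a state-changing Ajax request must carry an Origin (or, for
 * browsers that omit it, a Referer) whose scheme://host[:port] is whitelisted.
 * $server is $_SERVER in production; passed in so it can be tested offline.
 */
function requestOriginAllowed(array $server, array $allowedOrigins): bool
{
    $candidate = $server['HTTP_ORIGIN'] ?? null;
    if ($candidate === null && isset($server['HTTP_REFERER'])) {
        $parts = parse_url($server['HTTP_REFERER']);
        if (isset($parts['scheme'], $parts['host'])) {
            $candidate = $parts['scheme'] . '://' . $parts['host']
                . (isset($parts['port']) ? ':' . $parts['port'] : '');
        }
    }
    // No usable header at all: reject rather than guess.
    if ($candidate === null) {
        return false;
    }
    return in_array(strtolower($candidate), $allowedOrigins, true);
}

/**
 * "Input validation (like URLs)" + "Iframe sandboxing": accept only absolute
 * http(s) URLs and embed them with every sandbox privilege dropped except
 * scripts, so the framed page cannot navigate us, submit forms or open popups.
 */
function sandboxedIframe(string $url): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;   // scheme whitelist: no javascript:, data:, file:, ...
    }
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<iframe sandbox="allow-scripts" src="' . $safe . '"></iframe>';
}

// --- offline demo with constructed request data ---
$allowed = ['https://mysite.com'];
var_dump(requestOriginAllowed(['HTTP_ORIGIN' => 'https://mysite.com'], $allowed));           // true
var_dump(requestOriginAllowed(['HTTP_ORIGIN' => 'https://other.example'], $allowed));        // false
var_dump(requestOriginAllowed(['HTTP_REFERER' => 'https://mysite.com/app/page'], $allowed)); // true
var_dump(requestOriginAllowed([], $allowed));                                                // false
var_dump(sandboxedIframe('https://partner.example/widget?x=1&y=2'));
var_dump(sandboxedIframe('javascript:void(0)'));                                             // NULL
```

The origin check is a defence for requests that change state; plain same-origin GETs often carry no Origin header, so apply it to POST/PUT/DELETE handlers rather than to every request. Because `sandbox` without `allow-same-origin` puts the framed document in a unique origin, the embedded page cannot read this site's cookies or DOM even if it is served from the same host.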

Slide 25

OTHER CONCERNS

Slide 26

Firewall
Router
WAF
Application (aka The Promised Land)
Server

Slide 27

Server Security
- Strong system passwords
- Lock it down
- Favor SSL (“HTTPS Everywhere”)
- Update, update and - oh yeah - update
- Shared resources/sessions: https://github.com/enygma/shieldframework/blob/master/Shield/Session.php
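The "shared resources/sessions" bullet points at the Shield framework's session class without showing the settings involved. The following is an added example (not code from the talk and not the linked Shield code) of the PHP session configuration that addresses it: a private save path so other tenants on a shared server cannot read or plant session files, strict mode against fixation, HTTPS-only and HttpOnly cookies, an idle timeout, and id regeneration on login. The directory, cookie name and timeout are assumptions.

```php
<?php
// Added example (not from the talk, not the linked shieldframework code):
// session hardening for a shared server. Paths and lifetimes are assumptions.
declare(strict_types=1);

/**
 * Start a session with hardened settings. $savePath should be a directory only
 * this application's user can read (mode 0700); the default save path on a
 * shared host is world-readable /tmp, shared with every other tenant.
 */
function startSecureSession(string $savePath, int $idleSeconds = 1800): void
{
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true) && !is_dir($savePath)) {
        throw new RuntimeException("cannot create session dir $savePath");
    }
    ini_set('session.save_path', $savePath);
    ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued (fixation)
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_httponly', '1');   // script cannot read the cookie after an XSS
    ini_set('session.cookie_secure', '1');     // HTTPS only ("HTTPS Everywhere")
    ini_set('session.cookie_samesite', 'Lax'); // PHP 7.3+; limits cross-site sending
    ini_set('session.gc_maxlifetime', (string) $idleSeconds);

    session_name('app_sid');   // not the default PHPSESSID
    if (!session_start()) {
        throw new RuntimeException('session_start failed');
    }

    // Idle timeout enforced by the application, not left to probabilistic GC.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > $idleSeconds) {
        session_unset();
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = $now;
}

/** Call on every privilege change (login, role change) so the old id is dropped. */
function promoteSession(int $userId): void
{
    session_regenerate_id(true);   // true: delete the old session file as well
    $_SESSION['user_id'] = $userId;
    $_SESSION['logged_in_at'] = time();
}

/** Full logout: clear data, expire the cookie, remove the server-side file. */
function destroySession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage. In production the directory belongs under the application's own
// private tree; the temp-dir path here only keeps the demo runnable anywhere.
startSecureSession(sys_get_temp_dir() . '/myapp-sessions');
promoteSession(42);
echo 'session id: ', session_id(), ', user: ', $_SESSION['user_id'], "\n";
```

Run from the command line the script starts a session, rotates the id and prints it; in a web request the same code also sets the cookie with the Secure, HttpOnly and SameSite attributes. Regenerating the id in `promoteSession` is what defeats fixation even when a pre-login id was somehow accepted, and `use_strict_mode` keeps PHP from creating a session under an id the attacker chose.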

Slide 28

Network Security
- Block ports
- Lock it down
- Firewall/Route to restrict access
- Consider internal vs. external access

Slide 29

DEVELOP SECURELY

Slide 30

Consider...
- Never trust the user
- Implement security checks during development, not after
- Create a security policy all devs should follow
- Remember your attack surface
- Think like an attacker

Slide 31

Tools
- WebScarab - Capturing Proxy
- Burp Suite - Security Testing App
- Skipfish - Google’s Scanner
- WebGoat/DVWA - To learn and test

Slide 32

You can’t afford not to

Slide 33

Chris Cornutt
@enygma @phpdeveloper @websecquickfix
http://websec.io
https://joind.in/7420
Thanks!