Slide 1

Slide 1 text

CakeFest 2023 Los Angeles Workshop 1

Slide 2

Slide 2 text

Workshop 1
• 3h session
• Quick CakePHP intro
• Authentication
• Security
• OWASP Top 10
• Code: https://bit.ly/3PwZcBr
• Database: https://bit.ly/3EVN7B0
• Slides

Slide 3

Slide 3 text

About
Jorge González https://phpc.social/@steinkel
VP at CakeDC [email protected] https://www.cakedc.com

Slide 4

Slide 4 text

CakePHP Introduction
• Setting up a development environment
• Example application
• Baking our application CRUD
• API

Slide 5

Slide 5 text

Setup dev environment
• Requirements
$ sudo apt install -y php-cli php-intl php-mbstring php-sqlite3 zip php-zip
// setup composer

Slide 6

Slide 6 text

Other dev environment
• Watch Alejandro's talk on Saturday :)

Slide 7

Slide 7 text

CakePHP application setup
• Using composer + PHP builtin server

Slide 8

Slide 8 text

Composer
• Create a CakePHP 5 project
• https://github.com/cakephp/app
• composer install
• run App\Console\Installer::postInstall
$ composer create-project cakephp/app cakefest2023
Installing...
…
Do you want to remove the existing VCS (.git, .svn..) history? [Y,n]? ← Y
$ cd cakefest2023
# get to the latest version
$ composer require cakephp/cakephp:5.x-dev cakephp/chronos:3.x-dev
{skeleton}

Slide 9

Slide 9 text

Start the built-in server
$ bin/cake server -H 0.0.0.0

Slide 10

Slide 10 text

Configuration
• Application class
• CakePHP Bootstrap
• config/bootstrap.php
• config/app.php
• Configure default datasource via environment

Slide 11

Slide 11 text

CakePHP Concepts (MVC and reusability)
• Model: Table, Entity, Behavior
• View: View, Template, Theme, Layout, Element, Block, Helper
• Controller: Controller, Action, Component
• Other: Cell, Mailer, Command, Middleware
• Reusability at application level
• Reusability across applications: Plugin and Middleware

Slide 12

Slide 12 text

Debug
• dd()
• Debugger
• Logger
• The query log
• Step by step

Slide 13

Slide 13 text

Database schema
• Database download URL:
• Or, use a migration
• Import schema

Slide 14

Slide 14 text

Database conventions
• Plurals
• Underscores
• _id
• Foreign Keys?

Slide 15

Slide 15 text

Bake Shell
• Build a CRUD for our tables
$ bin/cake bake all --everything

Slide 16

Slide 16 text

API
• Use built-in features for a simple REST API

Slide 17

Slide 17 text

Authentication
• Form based login

Slide 18

Slide 18 text

The authentication process
• AuthenticationMiddleware::process()
• AuthenticationService::authenticate()
• First valid result wins
• Persist the identity if not stateless
• Redirect based on unauthenticated or login redirect

Slide 19

Slide 19 text

Auth Configuration
• Password based identifiers
• Session and Form authenticators

Slide 20

Slide 20 text

Login action
• Adding login and logout actions to UsersController
• Preparing a login template

Slide 21

Slide 21 text

User creation via Command
• bin/cake add_user -u admin -p password

Slide 22

Slide 22 text

Log the user in
• Access authentication results
• Check identity
• Finish the login action
• Add logout
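The flow from slides 18 to 22 as one added example (not the workshop's code). It assumes the cakephp/authentication plugin, a users table with email and password columns, and an AppController that loads the Authentication.Authentication component; use statements are omitted and each excerpt belongs in its own file.

```php
<?php
// Added example of the flow on slides 18 to 22, not the workshop's code. Assumes the
// cakephp/authentication plugin, a `users` table with `email` and `password` columns, and
// an AppController that loads the Authentication.Authentication component (imports omitted).
// --- src/Application.php (implements AuthenticationServiceProviderInterface) ---
public function getAuthenticationService(ServerRequestInterface $request): AuthenticationServiceInterface
{
    $loginUrl = Router::url(['controller' => 'Users', 'action' => 'login']);
    $service = new AuthenticationService([
        'unauthenticatedRedirect' => $loginUrl, // anonymous users are sent here...
        'queryParam' => 'redirect',             // ...with the requested URL remembered
    ]);
    $fields = ['username' => 'email', 'password' => 'password'];
    // "First valid result wins": the persisted session is tried before the login form.
    $service->loadAuthenticator('Authentication.Session');
    $service->loadAuthenticator('Authentication.Form', [
        'fields' => $fields,
        'loginUrl' => $loginUrl, // only POSTs to this URL are treated as login attempts
    ]);
    // Verifies the submitted password against the stored hash (bcrypt by default).
    $service->loadIdentifier('Authentication.Password', compact('fields'));
    return $service;
}
// --- src/Controller/UsersController.php ---
public function beforeFilter(EventInterface $event): void
{
    parent::beforeFilter($event);
    // Only login may be reached anonymously; every other action requires an identity.
    $this->Authentication->addUnauthenticatedActions(['login']);
}
public function login()
{
    $this->request->allowMethod(['get', 'post']);
    $result = $this->Authentication->getResult(); // populated by AuthenticationMiddleware
    if ($result !== null && $result->isValid()) {
        $target = $this->Authentication->getLoginRedirect()
            ?? ['controller' => 'Articles', 'action' => 'index'];
        return $this->redirect($target);
    }
    if ($this->request->is('post')) {
        // Same message for unknown email and wrong password: no account enumeration.
        $this->Flash->error(__('Invalid email or password'));
    }
}
public function logout()
{
    $this->Authentication->logout(); // clears the persisted identity
    return $this->redirect(['controller' => 'Users', 'action' => 'login']);
}
```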

Slide 23

Slide 23 text

Authorization
• Set up and ensure all actions go through an authorization check

Slide 24

Slide 24 text

Security in CakePHP

Slide 25

Slide 25 text

General concepts
• Access authentication results
• Check identity
• Finish the login action
• Add logout

Slide 26

Slide 26 text

CSRF
• Configuration
• How does CSRF work?
• Example

Slide 27

Slide 27 text

FormProtection
• Configuration
• How does FormProtection work?
• Example

Slide 28

Slide 28 text

Entity allowed
• Allowed list of Entity properties to be patched
• `hidden` for serialization leaks
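An added example (not the workshop's code) of the two entity settings named above, followed by a short guard demonstration; it assumes a users table with id, email, password, role and api_token columns.

```php
<?php
// src/Model/Entity/User.php plus a short guard demo. Added example, not the workshop's
// code; assumes a users table with id, email, password, role and api_token columns.
namespace App\Model\Entity;

use Authentication\PasswordHasher\DefaultPasswordHasher;
use Cake\ORM\Entity;

class User extends Entity
{
    // Allow list of fields that newEntity()/patchEntity() may fill from request data.
    // '*' => false: every other column (id, role, api_token...) is not mass-assignable.
    protected array $_accessible = [
        'email' => true,
        'password' => true,
        '*' => false,
    ];

    // Dropped from toArray()/json_encode(), so API and debug output cannot leak them.
    protected array $_hidden = ['password', 'api_token'];

    protected function _setPassword(string $password): ?string
    {
        // Hash on assignment; the plain text never reaches the table.
        return $password === '' ? null : (new DefaultPasswordHasher())->hash($password);
    }
}

// Demo of the same guard patchEntity() applies: the request-supplied 'role' is ignored.
$user = new User(
    ['email' => 'alice@example.com', 'password' => 'correct horse', 'role' => 'admin'],
    ['guard' => true]
);
assert(!$user->has('role'));                              // not accessible, so never set
assert(!array_key_exists('password', $user->toArray()));  // hidden from serialization
echo json_encode($user), PHP_EOL;

// Promoting a user remains possible from code, where it is a deliberate act, because
// the accessible list only governs mass assignment:
$user->role = 'admin';
```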

Slide 29

Slide 29 text

CSP
• composer require paragonie/csp-builder
• https://github.com/paragonie/csp-builder
• Example
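An added example (not the workshop's code) of a PSR-15 middleware that builds the policy with paragonie/csp-builder and hands a per-request nonce to the templates; the class name and the cspNonce attribute are assumptions.

```php
<?php
// src/Middleware/CspMiddleware.php. Added example, not the workshop's code; assumes
// `composer require paragonie/csp-builder` and the class added in Application::middleware().
namespace App\Middleware;

use ParagonIE\CSPBuilder\CSPBuilder;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

class CspMiddleware implements MiddlewareInterface
{
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $csp = CSPBuilder::fromArray([
            'default-src' => ['self' => true],
            'script-src' => ['self' => true],      // no 'unsafe-inline': injected inline JS does not run
            'style-src' => ['self' => true],
            'img-src' => ['self' => true, 'data' => true],
            'connect-src' => ['self' => true],
            'object-src' => [],                    // no plugin content at all
            'frame-ancestors' => [],               // page cannot be framed (clickjacking)
            'base-uri' => ['self' => true],        // stops <base> hijacking of relative URLs
            'form-action' => ['self' => true],     // forms may only post back to this origin
            'upgrade-insecure-requests' => true,
        ]);

        // Per-request nonce: templates emit <script nonce="..."> for the few inline
        // scripts that are really needed, instead of opening the door with unsafe-inline.
        $nonce = $csp->nonce('script-src');
        $request = $request->withAttribute('cspNonce', $nonce);

        $response = $handler->handle($request);
        // Adds the Content-Security-Policy header to the outgoing response.
        return $csp->injectCSPHeader($response);
    }
}
// Registration in src/Application.php: $middlewareQueue->add(new \App\Middleware\CspMiddleware());
// Template access to the nonce: $this->getRequest()->getAttribute('cspNonce')
```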

Slide 30

Slide 30 text

Security Headers
• See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
• See https://infosec.mozilla.org/guidelines/web_security.html
• See https://www.permissionspolicy.com/
• Example

Slide 31

Slide 31 text

HTTPS Enforcer
• Configuration
• Example
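The CSRF, security-header and HTTPS enforcer middleware from slides 26, 30 and 31 in one middleware() excerpt, as an added example (not the workshop's code); the specific header values and HSTS lifetime are choices made here, not taken from the deck.

```php
<?php
// src/Application.php middleware() excerpt. Added example, not the workshop's code;
// the CakePHP core middleware from slides 26, 30 and 31 with hardened settings.
use Cake\Core\Configure;
use Cake\Error\Middleware\ErrorHandlerMiddleware;
use Cake\Http\Middleware\BodyParserMiddleware;
use Cake\Http\Middleware\CsrfProtectionMiddleware;
use Cake\Http\Middleware\HttpsEnforcerMiddleware;
use Cake\Http\Middleware\SecurityHeadersMiddleware;
use Cake\Http\MiddlewareQueue;
use Cake\Routing\Middleware\RoutingMiddleware;

public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{
    $securityHeaders = (new SecurityHeadersMiddleware())
        ->setCrossDomainPolicy('none')   // X-Permitted-Cross-Domain-Policies: no Flash/PDF cross-domain access
        ->setReferrerPolicy('same-origin')
        ->setXFrameOptions('deny')       // never framed: clickjacking
        ->setXssProtection('block')      // legacy header, harmless on current browsers
        ->noOpen()                       // X-Download-Options (old IE)
        ->noSniff();                     // X-Content-Type-Options: nosniff

    return $middlewareQueue
        ->add(new ErrorHandlerMiddleware(Configure::read('Error'), $this))
        // Redirect plain HTTP to HTTPS and send HSTS so browsers stop trying HTTP at all.
        ->add(new HttpsEnforcerMiddleware([
            'redirect' => true,
            'statusCode' => 301,
            'disableOnDebug' => true,    // keeps the builtin dev server usable over http
            'hsts' => ['maxAge' => 60 * 60 * 24 * 365, 'includeSubDomains' => true, 'preload' => false],
        ]))
        ->add($securityHeaders)
        ->add(new RoutingMiddleware($this))
        ->add(new BodyParserMiddleware())
        // Double-submit cookie CSRF token; FormHelper adds the hidden field automatically,
        // so JavaScript never needs to read the cookie.
        ->add(new CsrfProtectionMiddleware([
            'httponly' => true,   // scripts cannot read the token cookie
            'secure' => true,     // only sent over HTTPS
            'samesite' => 'Lax',  // not attached to cross-site POSTs
        ]));
}
```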

Slide 32

Slide 32 text

CORS
• Configuration
• Example

Slide 33

Slide 33 text

General best practices
• Validate user input
• Escape output
• Fail hard
• Audit / log suspicious activity
• Log auth related activity
• Enforce 2FA

Slide 34

Slide 34 text

OWASP Top 10:2021

Slide 35

Slide 35 text

A01 Broken Access Control - OWASP Top 10:2021
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.

Slide 36

Slide 36 text

Scenario #2: An attacker simply force-browses to target URLs. Admin rights are required for access to the admin page.
Which option applies?
1. FormSecurity
2. Authorization
3. CSP Headers
4. Use Java

Slide 37

Slide 37 text

Answer: Ensure Authorization is in place for all actions
1. FormSecurity
2. Authorization
3. CSP Headers
4. Use Java
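An added example (not the workshop's code) of the answer above and of slide 23: object-level checks with the cakephp/authorization plugin, with the middleware set to fail closed when an action forgets to authorize. It assumes the AppController loads Authorization.Authorization and an articles table with a user_id column; use statements are omitted.

```php
<?php
// Added example, not the workshop's code: object-level authorization with the
// cakephp/authorization plugin. Assumes AppController loads Authorization.Authorization
// and an `articles` table with a `user_id` column (imports omitted).
// --- src/Application.php (implements AuthorizationServiceProviderInterface) ---
public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{
    return $middlewareQueue
        ->add(new RoutingMiddleware($this))
        ->add(new AuthenticationMiddleware($this))   // who are you
        // requireAuthorizationCheck: a request that finishes without an authorize() or
        // skipAuthorization() call raises AuthorizationRequiredException, so a forgotten
        // check fails closed instead of silently serving the page.
        ->add(new AuthorizationMiddleware($this, ['requireAuthorizationCheck' => true]));
}

public function getAuthorizationService(ServerRequestInterface $request): AuthorizationServiceInterface
{
    // OrmResolver maps App\Model\Entity\Article to App\Policy\ArticlePolicy by convention.
    return new AuthorizationService(new OrmResolver());
}

// --- src/Policy/ArticlePolicy.php ---
class ArticlePolicy
{
    // Ownership check: a user who guesses /articles/edit/42 still cannot edit it.
    public function canEdit(IdentityInterface $user, Article $article): bool
    {
        return $article->user_id === $user->getIdentifier();
    }

    public function canDelete(IdentityInterface $user, Article $article): bool
    {
        return $this->canEdit($user, $article);
    }
}

// --- src/Controller/ArticlesController.php ---
public function edit(int $id)
{
    $article = $this->Articles->get($id);
    // Throws ForbiddenException when ArticlePolicy::canEdit() returns false.
    $this->Authorization->authorize($article);
    // ... patch and save as usual
}

public function index()
{
    // Public listing: say so explicitly rather than leaving the check missing.
    $this->Authorization->skipAuthorization();
}
```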

Slide 38

Slide 38 text

A02 Cryptographic Failures - OWASP Top 10:2021
The first thing is to determine the protection needs of data in transit and at rest…

Slide 39

Slide 39 text

Scenario #1: An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing a SQL injection flaw to retrieve credit card numbers in clear text.
Which option applies?
1. Escape template variables
2. Enforce HTTPS
3. Encrypt data before save
4. Use Python

Slide 40

Slide 40 text

Answer: Encrypt data before save. Example: secure column encryption
1. Escape template variables
2. Enforce HTTPS
3. Encrypt data before save
4. Use Python
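A worked version of "secure column encryption" as an added example (not the workshop's code): a custom database type that encrypts on the way in and decrypts in PHP on the way out, so the database itself only ever holds ciphertext. The Configure key name Security.columnKey is an assumption.

```php
<?php
// src/Database/Type/EncryptedStringType.php. Added example, not the workshop's code.
// Assumes a dedicated key of at least 32 bytes under the (hypothetical) Configure key
// 'Security.columnKey', loaded from the environment and separate from the app salt.
namespace App\Database\Type;

use Cake\Core\Configure;
use Cake\Database\Driver;
use Cake\Database\Type\BaseType;
use Cake\Utility\Security;
use RuntimeException;

class EncryptedStringType extends BaseType
{
    // Encrypt before the value reaches the database: the table only stores ciphertext,
    // so a SQL injection that reads the column gets base64 noise, not card numbers.
    public function toDatabase(mixed $value, Driver $driver): ?string
    {
        if ($value === null || $value === '') {
            return null;
        }
        // Security::encrypt() is AES-256-CBC with an HMAC-SHA256 tag (authenticated).
        return base64_encode(Security::encrypt((string)$value, self::key()));
    }

    // Decrypt in PHP after fetching, with a key the database server never sees.
    public function toPHP(mixed $value, Driver $driver): ?string
    {
        if ($value === null) {
            return null;
        }
        $raw = base64_decode((string)$value, true);
        $plain = $raw === false || $raw === '' ? null : Security::decrypt($raw, self::key());
        if (!is_string($plain)) {
            // Wrong key or tampered ciphertext (HMAC mismatch): fail hard, no garbage.
            throw new RuntimeException('Unable to decrypt column value');
        }
        return $plain;
    }

    // Request data (forms, API bodies) is taken as the plain value and validated as usual.
    public function marshal(mixed $value): ?string
    {
        return $value === null ? null : (string)$value;
    }

    private static function key(): string
    {
        return Configure::readOrFail('Security.columnKey');
    }
}
// config/bootstrap.php:            TypeFactory::map('encrypted', EncryptedStringType::class);
// CardsTable::initialize():        $this->getSchema()->setColumnType('number', 'encrypted');
```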

Slide 41

Slide 41 text

A03 Injection - OWASP Top 10:2021
Some of the more common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection. The concept is identical among all interpreters.

Slide 42

Slide 42 text

Scenario #1: An application uses untrusted data in the construction of the following vulnerable SQL call:
$query->find()->where("last_name LIKE '$lastName%'");
Which option applies?
1. Use the ORM properly
2. Use CSP headers
3. Filter input
4. Use ChatGPT to build all your SQL queries

Slide 43

Slide 43 text

Scenario #1: An application uses untrusted data in the construction of the following vulnerable SQL call:
$query->find()->where("last_name LIKE '$lastName%'");
1. Use the ORM properly
2. Use CSP headers
3. Filter input
4. Use ChatGPT to build all your SQL queries
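The slide's vulnerable call rewritten with the ORM's bound parameters, as an added example (not the workshop's code); it also covers the LIKE-wildcard detail that binding alone does not handle. A UsersTable with a last_name column is assumed.

```php
<?php
// Added example, not the workshop's code: the slide's vulnerable call rewritten with
// bound parameters. Assumes a UsersTable with a `last_name` column.
use Cake\ORM\Query\SelectQuery;
use Cake\ORM\Table;

// Vulnerable (from the slide): $lastName is pasted into the SQL text, so a quote in the
// input ends the string literal and whatever follows becomes SQL.
//   $query->find()->where("last_name LIKE '$lastName%'");

function findByLastNamePrefix(Table $users, string $lastName): SelectQuery
{
    // LIKE has its own metacharacters. Escaping them keeps "%" or "_" in the input from
    // turning a prefix search into "match every row". "!" is the escape character here
    // because the same clause works unchanged on MySQL, PostgreSQL and SQLite.
    $prefix = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $lastName) . '%';

    $query = $users->find();
    // :prefix is a bound parameter: the driver sends it separately from the SQL text,
    // so it is always data, never syntax.
    return $query
        ->where($query->newExpr("Users.last_name LIKE :prefix ESCAPE '!'"))
        ->bind(':prefix', $prefix, 'string');
}

// For plain comparisons the array syntax binds values the same way, no escaping needed:
//   $users->find()->where(['Users.last_name' => $lastName, 'Users.active' => true]);
```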

Slide 44

Slide 44 text

A04 Insecure Design - OWASP Top 10:2021
An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks.

Slide 45

Slide 45 text

Scenario #1: A credential recovery workflow might include “questions and answers,” ... Questions and answers cannot be trusted as evidence of identity.
To recover your account tell me: what's your mom's name?
Which option applies?
1. Use a stronger password algorithm
2. Remove the feature completely
3. Add sound and videos
4. Use MongoDB

Slide 46

Slide 46 text

Scenario #1: A credential recovery workflow might include “questions and answers,” ... Questions and answers cannot be trusted as evidence of identity.
To recover your account tell me: what's your mom's name?
1. Use a stronger password algorithm
2. Remove the feature completely
3. Add sound and videos
4. Use MongoDB

Slide 47

Slide 47 text

A05 Security Misconfiguration - OWASP Top 10:2021

Slide 48

Slide 48 text

Scenario #3: The application server's configuration allows detailed error messages, e.g., stack traces, to be returned to users. This potentially exposes sensitive information or underlying flaws such as component versions that are known to be vulnerable.
"Powered by CakePHP 1.2.1"
Which option applies?
1. Ensure we provide no details about underlying stack
2. Update to the latest version always
3. Add security headers
4. Say you are using another framework

Slide 49

Slide 49 text

Scenario #3: The application server's configuration allows detailed error messages, e.g., stack traces, to be returned to users. This potentially exposes sensitive information or underlying flaws such as component versions that are known to be vulnerable.
"Powered by CakePHP 1.2.1"
1. Ensure we provide no details about underlying stack
2. Update to the latest version always
3. Add security headers
4. Say you are using another framework

Slide 50

Slide 50 text

A06 Vulnerable and Outdated Components - OWASP Top 10:2021
Vulnerable Components are a known issue that we struggle to test and assess risk

Slide 51

Slide 51 text

Scenario #1: Components typically run with the same privileges as the application itself, so flaws in any component can result in serious impact.
"That old PHPMailer lib not updated since 2016"
Which option applies?
1. Always use secure libraries
2. Validate, track and patch dependencies
3. Don't use Composer
4. Use NodeJS

Slide 52

Slide 52 text

Scenario #1: Components typically run with the same privileges as the application itself, so flaws in any component can result in serious impact.
"That old PHPMailer lib not updated since 2016"
1. Always use secure libraries
2. Validate, track and patch dependencies
3. Don't use Composer
4. Use NodeJS

Slide 53

Slide 53 text

A07 Identification and Authentication Failures - OWASP Top 10:2021
Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks.

Slide 54

Slide 54 text

Scenario #1: Credential stuffing, the use of lists of known passwords, is a common attack.
"Password1"
Which option applies?
1. Rotate passwords every 3 days
2. Rotate passwords every 7 days
3. Use MFA (Multi Factor Authentication)
4. Encrypt passwords with at least 8096 bits

Slide 55

Slide 55 text

Scenario #1: Credential stuffing, the use of lists of known passwords, is a common attack.
"Password1"
1. Rotate passwords every 3 days
2. Rotate passwords every 7 days
3. Use MFA (Multi Factor Authentication)
4. Encrypt passwords with at least 8096 bits

Slide 56

Slide 56 text

A08 Software and Data Integrity Failures - OWASP Top 10:2021
Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources.

Slide 57

Slide 57 text

Scenario #1 Update without signing: Many home routers, set-top boxes, device firmware, and others do not verify updates via signed firmware.
"Missing signature, install anyway? [Y/n]"
Which option applies?
1. Remove external dependencies not needed
2. Install packages from trusted sources only
3. Remove all packages, copy everything to your plugins folder

Slide 58

Slide 58 text

Scenario #1 Update without signing: Many home routers, set-top boxes, device firmware, and others do not verify updates via signed firmware.
"Missing signature, install anyway? [Y/n]"
1. Remove external dependencies not needed
2. Install packages from trusted sources only
3. Remove all packages, copy everything to your plugins folder

Slide 59

Slide 59 text

A09 Security Logging and Monitoring Failures - OWASP Top 10:2021
Logging and monitoring can be challenging to test, often involving interviews or asking if attacks were detected during a penetration test. Detecting and responding to breaches is critical.

Slide 60

Slide 60 text

Scenario #1: A website operator couldn't detect a breach due to a lack of monitoring and logging. As there was no logging or monitoring of the system, the data breach could have been in progress since 2013.
Which option applies?
1. Add logs to relevant/sensitive actions in the site
2. Add logs to suspicious activity in the site
3. Add logs to all actions on the site
4. Add logs to all actions on the site, including all mouse x,y change events

Slide 61

Slide 61 text

Scenario #1: A website operator couldn't detect a breach due to a lack of monitoring and logging. As there was no logging or monitoring of the system, the data breach could have been in progress since 2013.
1. Add logs to relevant/sensitive actions in the site
2. Add logs to suspicious activity in the site
3. Add logs to all actions on the site
4. Add logs to all actions on the site, including all mouse x,y change events
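An added example (not the workshop's code) of logging the sensitive and suspicious actions the options above describe, using CakePHP's Log with a dedicated scope; the SecurityAudit class is a hypothetical helper and the log configuration shown in its comment is an assumption.

```php
<?php
// src/Log/SecurityAudit.php (hypothetical helper). Added example, not the workshop's code;
// assumes the cakephp/authentication plugin and a `users` table with an `email` column.
namespace App\Log;

use Authentication\Authenticator\ResultInterface;
use Cake\Http\ServerRequest;
use Cake\Log\Log;

final class SecurityAudit
{
    // config/app.php (assumed): give the 'security' scope its own file so it can be
    // shipped to a SIEM and alerted on separately from debug noise:
    // 'security' => ['className' => 'Cake\Log\Engine\FileLog', 'path' => LOGS,
    //     'file' => 'security', 'scopes' => ['security'], 'levels' => ['info', 'warning']],

    public static function loginSucceeded(ServerRequest $request, int|string $userId): void
    {
        Log::info(self::line($request, 'login_ok', ['user_id' => $userId]), ['scope' => 'security']);
    }

    // Failed logins are the signal for credential stuffing: keep the authenticator's
    // status code (bad password vs unknown account) but never the submitted password.
    public static function loginFailed(ServerRequest $request, ResultInterface $result, string $email): void
    {
        Log::warning(self::line($request, 'login_failed', [
            'status' => $result->getStatus(),
            'email' => $email,
        ]), ['scope' => 'security']);
    }

    // Any other sensitive or unexpected action: password change, role change, denied access.
    public static function event(ServerRequest $request, string $event, array $context = []): void
    {
        Log::info(self::line($request, $event, $context), ['scope' => 'security']);
    }

    private static function line(ServerRequest $request, string $event, array $context): string
    {
        // One JSON object per line with stable keys: easy to index, query and alert on.
        return json_encode([
            'event' => $event,
            'ip' => $request->clientIp(),
            'ua' => $request->getHeaderLine('User-Agent'),
            'path' => $request->getRequestTarget(),
        ] + $context, JSON_UNESCAPED_SLASHES);
    }
}
// In UsersController::login(), right after the $result check:
//   valid:   SecurityAudit::loginSucceeded($this->request, $this->Authentication->getIdentity()->getIdentifier());
//   invalid: SecurityAudit::loginFailed($this->request, $result, (string)$this->request->getData('email'));
```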

Slide 62

Slide 62 text

A10 Server Side Request Forgery (SSRF) - OWASP Top 10:2021
SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).

Slide 63

Slide 63 text

Scenario #2: Sensitive data exposure – Attackers can access local files or internal services to gain sensitive information such as file:///etc/passwd and http://localhost:28017/
Which option applies?
1. Use a deny list and strong regular expressions to validate domains
2. Sanitize all target IP addresses
3. Validate target domains with a positive allow list
4. Block all traffic using a firewall

Slide 64

Slide 64 text

Scenario #2: Sensitive data exposure – Attackers can access local files or internal services to gain sensitive information such as file:///etc/passwd and http://localhost:28017/
1. Use a deny list and strong regular expressions to validate domains
2. Sanitize all target IP addresses
3. Validate target domains with a positive allow list
4. Block all traffic using a firewall
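The "positive allow list" option worked through as an added example (not the workshop's code): a check applied to a user-supplied URL before the application fetches it with Cake\Http\Client. The host names are placeholders.

```php
<?php
// Added example, not the workshop's code: positive allow-list check for a user-supplied URL
// before the application fetches it. Host names below are placeholders.
use Cake\Http\Client;
use InvalidArgumentException;

function assertAllowedFetchUrl(string $url, array $allowedHosts): string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('Malformed URL');
    }
    // Only web schemes: rules out file://, gopher://, dict:// and friends.
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('Scheme not allowed');
    }
    // "user:pass@host" authorities are a classic way to confuse host checks.
    if (isset($p['user']) || isset($p['pass'])) {
        throw new InvalidArgumentException('Credentials in URL not allowed');
    }
    // Exact, case-insensitive host match against the allow list: no regex, no substring,
    // so "api.partner.example.attacker.tld", literal IPs and "localhost" never match.
    $host = strtolower($p['host']);
    if (!in_array($host, array_map('strtolower', $allowedHosts), true)) {
        throw new InvalidArgumentException('Host not allowed');
    }
    // Standard ports only, so the allowed host cannot be used to reach another service on it.
    if (isset($p['port']) && !in_array($p['port'], [80, 443], true)) {
        throw new InvalidArgumentException('Port not allowed');
    }
    // Caveat: DNS for an allowed host can still be pointed at an internal address
    // (rebinding); resolve and re-check the IP at connect time if that risk matters here.
    return $url;
}

// Usage with a constructed input. The fetch must not follow redirects, or the allowed
// host could bounce the request to an internal address after the check has passed.
$allowed = ['api.partner.example', 'cdn.partner.example'];
$userUrl = 'https://api.partner.example/v1/items?id=42';   // constructed sample input
$client = new Client(['redirect' => 0, 'timeout' => 5]);
$response = $client->get(assertAllowedFetchUrl($userUrl, $allowed));
```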

Slide 65

Slide 65 text

Questions ?

Slide 66

Slide 66 text

Thank You
ありがとうございました (Japanese: thank you very much)
Gracias (Spanish: thank you)

Slide 67

Slide 67 text

Extra ball: Keeping it high
• ???

Slide 68

Slide 68 text

Cookies and Session
• Configuration
• Example

Slide 69

Slide 69 text

Security tools & scanners
Worth checking your sites before going live
• https://owasp.org/www-community/Vulnerability_Scanning_Tools