Slide 1

PHP Security, Redefined
Chris Cornutt - AppSec USA 2015

Slide 2

Chris Cornutt
• PHP developer for 15+ years
• Focus on appsec for 5+ years
• Application Security Engineer @ Pardot (Salesforce)
• @enygma
• @securingphp

Slide 3

A BIT OF HISTORY

Slide 4

PHP: The Language
• Over 20 years since first inception
• Used by over 80% of the web
• Latest is PHP 5.6.x
• PHP 7 coming late 2015
• PHP 5.3 is still most widely installed, 5.4 is gaining

Slide 5

PHP: The Language
• Support schedule: http://php.net/supported-versions.php
• PHP 5.4 no longer supported, 5.5 in security-only support & 5.6 in full support

Slide 6

COMMUNITY LEADERS

Slide 7

• Scott Arciszewski
• Ryan Mauger
• Anthony Ferrara
• Pádraic Brady
• Elizabeth Smith
• Ilia Alshanetsky
• Beth Tucker Long
• Michelangelo van Dam
• Wim Godden

Slide 8

LIBRARIES & TOOLING

Slide 9

Composer
• The missing package manager for PHP (not PEAR)
• Open Source project
• Use has exploded
• Packagist
• One command (install/update)
• No vetting of packages

Slide 10

Frameworks
• Major frameworks
• Security advisories and updates
• Paid audit of Symfony (v2)
• Update to database of vulnerable components

Slide 11

Drupal
• Started 15 years ago
• Used by major services and sites
• Renewed security efforts
• Dedicated security team: https://www.drupal.org/security-team
• Security Advisories
• Reviews of core and contributed components

Slide 12

WordPress
• About 14 years old
• Used by 58% of sites that use CMSes
• [email protected]
• Security advisories and updates (core & contrib)
• Over two thirds of issues are with plugins, not core

Slide 13

Libraries & Tooling
• ircmaxell/random-lib
  A Library For Generating Secure Random Numbers
• padraic/SecurityMultiTool
  A multitool library offering access to recommended security related libraries, standardized implementations of security defenses, and secure implementations of commonly performed tasks.
• respect/validation
  The most awesome validation engine ever created for PHP
• psecio/iniscan
  A scanner to evaluate php.ini security
• sensiolabs/security-checker
  A security checker for your composer.lock

Slide 14

Libraries & Tooling
• defuse/php-encryption
  Secure PHP Encryption Library, vetted by infosec community members
• twigphp/Twig
  The flexible, fast, and secure template language for PHP

Slide 15

THE CURRENT

Slide 16

Native Password Hashing
• Available in PHP >= 5.5
• User-friendly crypt() with safer defaults
• Bcrypt by default, cost of 10
• password_hash, password_verify, password_needs_rehash

Slide 17

Native Password Hashing
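
The password API from the previous slide in a login flow, as an added example that is not from the deck: the stored hash is verified, and if it was made with a weaker cost it is transparently rehashed while the plaintext is still in hand. The cost values, function names and sample password are my own choices.

```php
<?php
// Added example, not from the slides: password_hash(), password_verify() and
// password_needs_rehash() in a login flow that upgrades weaker stored hashes.
// Cost values, function names and the sample password are constructed.
declare(strict_types=1);

const HASH_ALGO = PASSWORD_BCRYPT;   // the PHP >= 5.5 default
const HASH_OPTS = ['cost' => 12];    // above the default of 10; tune per hardware

// Registration: store only the hash, never the plaintext. The random salt is
// generated for you, which is what crypt() with no salt failed to guarantee.
function hashForStorage(string $plain): string
{
    return password_hash($plain, HASH_ALGO, HASH_OPTS);
}

// Login: returns true on a match; sets $newHash when the stored hash should be
// replaced because it was made with an older cost or algorithm.
function verifyLogin(string $plain, string $stored, &$newHash): bool
{
    $newHash = null;
    if (!password_verify($plain, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTS)) {
        // The plaintext is available only now, so this is the moment to upgrade.
        $newHash = hashForStorage($plain);
    }
    return true;
}

// Constructed legacy row: hashed at the old default cost of 10.
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);

var_dump(verifyLogin('wrong password', $legacy, $upgrade));
var_dump(verifyLogin('correct horse battery staple', $legacy, $upgrade));
if ($upgrade !== null) {
    // Persist $upgrade in place of $legacy; it verifies the same password at cost 12.
    var_dump(password_verify('correct horse battery staple', $upgrade));
}
```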

Slide 18

Crypt() Errors with No Salt
• PHP >= 5.6
• Previously allowed no salt (d'oh)
• Now throws E_NOTICE:

PHP Notice: crypt(): No salt parameter was specified. You must use a randomly generated salt and a strong hash function to produce a secure hash.

Slide 19

OpenSSL Updates
• PHP >= 5.6
• Verifies peer by default on SSL/TLS connections
• Support for x509 fingerprinting
• Default ciphers updated (to Mozilla list), OPENSSL_DEFAULT_STREAM_CIPHERS
• Compression enabled by default

Slide 20

OpenSSL Updates
• Set preferred cipher order
• Get protocol and cipher on request
• SSL context options for forward secrecy
• SSL/TLS version selection
• Generating, extracting and verifying public key challenges (SPKAC)

Slide 21

OpenSSL: CA Path & File Override
• openssl.capath, openssl.cafile
• Per-case basis rather than global
• Used with verify_peer
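
The PHP 5.6 stream options from slides 19 to 21 applied to one outbound TLS connection, as an added example that is not from the deck: peer verification stated explicitly, a per-connection cafile override, a forward-secrecy cipher preference, the negotiated protocol and cipher read back, and the certificate fingerprint computed with openssl_x509_fingerprint(). The host name, CA bundle path and pin placeholder are assumptions.

```php
<?php
// Added example, not from the slides: an HTTPS connection using PHP >= 5.6
// SSL context options. Host, CA bundle path and the pin value are placeholders.
$host = 'example.com'; // assumption: any host presenting a valid certificate

$options = [
    'verify_peer'       => true,   // the 5.6 default, written out so it cannot be lost
    'verify_peer_name'  => true,
    'allow_self_signed' => false,
    // Per-connection override of openssl.cafile from php.ini (slide 21).
    'cafile'            => '/etc/ssl/certs/ca-certificates.crt',
    // Prefer ECDHE suites so the session has forward secrecy.
    'ciphers'           => 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:'
                         . 'ECDHE-RSA-AES256-GCM-SHA384',
    'crypto_method'     => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT, // version selection
    'capture_peer_cert' => true,   // so the certificate can be fingerprinted below
    // Optional pinning: fill in the real SHA-256 hex value for this host first.
    // 'peer_fingerprint' => ['sha256' => 'PLACEHOLDER_SHA256_HEX'],
];
$ctx = stream_context_create(['ssl' => $options]);

$fp = stream_socket_client("tls://$host:443", $errno, $errstr, 10,
                           STREAM_CLIENT_CONNECT, $ctx);
if ($fp === false) {
    // A failed verification surfaces here rather than as a silently insecure link.
    die("TLS connection failed ($errno): $errstr\n");
}

// "Get protocol and cipher on request" (slide 20): exposed in the stream metadata.
$meta   = stream_get_meta_data($fp);
$crypto = $meta['crypto'] ?? [];
echo 'Protocol: ', $crypto['protocol'] ?? '?', "\n";
echo 'Cipher:   ', $crypto['cipher_name'] ?? '?', "\n";

// "Support for x509 fingerprinting" (slide 19): the value you would pin.
$params = stream_context_get_params($fp);
$cert   = $params['options']['ssl']['peer_certificate'];
echo 'SHA-256 fingerprint: ', openssl_x509_fingerprint($cert, 'sha256'), "\n";
fclose($fp);
```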

Slide 22

Timing Safe Hash Comparison
• PHP >= 5.6
• === open to timing attack issues
• hash_equals

if (hash_equals($hash1, $hash2) === true) {
    echo 'Party on Wayne!';
}

Slide 23

Deprecation of /e Regex Modifier
• PHP >= 5.5
• /e modifier allowed for eval
• PHP automatically called eval on match string
• Deprecated in 5.5.0 and removed in PHP 7.0

PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
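
The replacement the deprecation notice points at, as an added example that is not from the deck: a template substitution that used to rely on /e, with the eval-based form kept only as a comment and preg_replace_callback doing the same job without passing any data through eval(). The template string and lookup table are constructed.

```php
<?php
// Added example, not from the slides: replacing a /e pattern with
// preg_replace_callback. Input string and lookup table are constructed.
$input  = 'price={{price}} item={{name}} other={{unknown}}';
$values = ['price' => '9.99', 'name' => 'widget'];

// Pre-5.5 style, deprecated in 5.5 and gone in 7.0: the replacement string was
// handed to eval(), so the matched text became part of executed PHP code.
//   preg_replace('/\{\{(\w+)\}\}/e', '$values["$1"]', $input);

// Safe form: the callback receives the match array and returns plain text;
// nothing in $input is ever interpreted as code.
$output = preg_replace_callback(
    '/\{\{(\w+)\}\}/',
    function (array $m) use ($values): string {
        // Unknown placeholders are left as-is rather than evaluated.
        return $values[$m[1]] ?? $m[0];
    },
    $input
);
echo $output, "\n";
```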

Slide 24

Strict Session Handling
• PHP >= 5.5
• session.use_strict_mode
• Prevents uninitialized sessions (IDs)
• New session is started regardless of what's sent in cookies
• Prevents session fixation
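
A session bootstrap built around session.use_strict_mode, as an added example that is not from the deck; the two additional ini settings and the login/logout helpers are my own additions on top of what the slide lists.

```php
<?php
// Added example, not from the slides: session setup with strict mode and
// ID rotation on login. loginUser()/logoutUser() are stand-ins for real handlers.
ini_set('session.use_strict_mode', '1');  // ignore IDs the server never issued
ini_set('session.use_only_cookies', '1'); // IDs travel only in the cookie
ini_set('session.cookie_httponly', '1');  // keep the cookie away from page scripts

// With strict mode on, a cookie carrying an unknown ID is discarded and a new
// ID is generated, so a session cannot be fixed in advance; without it PHP
// would adopt whatever ID the cookie contained.
session_start();

function loginUser(int $userId): void
{
    // Rotate the ID on privilege change; true deletes the old session file.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function logoutUser(): void
{
    $_SESSION = [];
    session_destroy();
}
```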

Slide 25

THE FUTURE (PHP 7)

Slide 26

Scalar Type Hinting
• Function-level type hints
• array, callable and class/interface
• now includes bool, int, float and string

declare(strict_types=1);
function foo(\App\UserInterface $user, int $accountId) {
    /* awesome code goes here */
}

Slide 27

Return Types
• Enforces correct return types
• Throws TypeError if invalid (on strict)
• Unless strict is enabled, types are coerced

// coerced
function sum($a, $b): float {
    return $a + $b;
}

declare(strict_types=1);
function sum($a, $b): int {
    return $a + $b;
}

Slide 28

Native CSPRNG
• Natively implemented in the language
• Replaces external tools & libraries
• Replaces poor practices: rand() or mt_rand()
• random_bytes and random_int
• Sources:
  • CryptGenRandom (Windows)
  • arc4random_buf (BSDish)
  • /dev/arandom or /dev/urandom
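
The CSPRNG from this slide and hash_equals from slide 22 together in one CSRF token helper, as an added example that is not from the deck: random_bytes() issues the token, hash_equals() checks it in constant time, and random_int() covers the unbiased-integer case. The function names and the array standing in for $_SESSION are my own.

```php
<?php
// Added example, not from the slides: CSRF token issue/check using the PHP 7
// CSPRNG and the PHP 5.6 hash_equals(). $session stands in for $_SESSION.
declare(strict_types=1);

function issueToken(array &$session): string
{
    // 32 bytes from the OS CSPRNG; rand()/mt_rand() are predictable and unsuitable.
    $token = bin2hex(random_bytes(32));
    $session['csrf'] = $token;
    return $token;
}

function checkToken(array $session, string $submitted): bool
{
    $expected = $session['csrf'] ?? '';
    if ($expected === '') {
        return false;   // no token issued for this session
    }
    // hash_equals() takes the same time whatever the input; === stops at the
    // first differing byte and so leaks how much of the token matched.
    return hash_equals($expected, $submitted);
}

// random_int() for the other common need: an unbiased integer in a range
// (rand() % n is both biased and predictable). Used here for an 8-digit code.
function backupCode(): string
{
    return str_pad((string) random_int(0, 99999999), 8, '0', STR_PAD_LEFT);
}

$session = [];
$token = issueToken($session);
var_dump(checkToken($session, $token));                // genuine token
var_dump(checkToken($session, str_repeat('0', 64)));   // forged value
echo backupCode(), "\n";
```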

Slide 29

Uniform Variable Syntax
• Leads to fewer errors in variable interpretation
• Support for:
  • nested double-colon, parentheses
  • operations on (...) expressions

Expression             PHP 5 interpretation       PHP 7 interpretation
$$foo['bar']['baz']    ${$foo['bar']['baz']}      ($$foo)['bar']['baz']
$foo->$bar['baz']      $foo->{$bar['baz']}        ($foo->$bar)['baz']
$foo->$bar['baz']()    $foo->{$bar['baz']}()      ($foo->$bar)['baz']()
Foo::$bar['baz']()     Foo::{$bar['baz']}()       (Foo::$bar)['baz']()

Slide 30

Unicode Escape Syntax
• Use Unicode in normal strings
• supported through \u escape character
• better Unicode handling in normal strings

$heart = "a \u{1F49A}";
echo $heart.' - '.strlen($heart);

a 💚 - 6

Slide 31

Engine Exceptions
• Fatal errors previously terminated execution, a.k.a. The White Page of Death
• Error (formerly EngineException) replaces Fatal
• Now catchable
• Includes TypeError, ParseError and AssertionError
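
Slides 26, 27 and 31 in one runnable piece, as an added example that is not from the deck: a strict_types function boundary rejects a string and a float that would previously have been coerced, a return type catches a float leaking out of an int function, and both surface as catchable TypeError instead of a fatal. The function names are my own.

```php
<?php
// Added example, not from the slides: scalar parameter types, return types and
// the catchable TypeError of PHP 7. Function names are constructed.
declare(strict_types=1);

// A boundary function: the caller must pass a real int, not "42" from $_GET.
function loadAccount(int $accountId): string
{
    return "account #$accountId";
}

// Return types are enforced too: 3/2 is a float, but int was declared.
function ratio(int $a, int $b): int
{
    return $a / $b;
}

foreach ([42, '42', 4.2] as $in) {
    try {
        echo loadAccount($in), "\n";
    } catch (TypeError $e) {
        // Under strict_types the string and the float are rejected here rather
        // than silently coerced; before PHP 7 a type failure was a fatal error.
        echo 'Rejected ', var_export($in, true), ': ', $e->getMessage(), "\n";
    }
}

try {
    echo ratio(4, 2), "\n";   // exact division yields an int, so this passes
    echo ratio(3, 2), "\n";   // 1.5 violates the int return type
} catch (TypeError $e) {
    echo 'Return type violation: ', $e->getMessage(), "\n";
}

// Error is the parent of TypeError, ParseError and AssertionError, so a last
// line of defence can catch the whole family and still render a proper page.
try {
    ratio(1, 0);
} catch (Error $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n";
}
```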

Slide 32

Filtered Unserialize
• Problem: destructor called in unserialized objects
• allowed_classes option, defaults true (BC)
• __PHP_Incomplete_Class

unserialize($data, ["allowed_classes" => true]);
unserialize($data, ["allowed_classes" => false]);
unserialize($data, ["allowed_classes" => ['UserClass']]);
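
The three allowed_classes settings from the slide run against one constructed payload, as an added example that is not from the deck: a class with a destructor shows why the default is a problem, and the allow-list shows how a blocked class arrives as __PHP_Incomplete_Class with its data intact but no code attached. The two classes and the payload are my own.

```php
<?php
// Added example, not from the slides: unserialize() with allowed_classes.
// Greeting and TempFile are constructed classes; $data is a constructed payload.
declare(strict_types=1);

class Greeting
{
    public $text = 'hello';
}

// A class with a destructor: with the default option, any serialized object of
// it is fully instantiated, and __destruct() runs when the object is released.
class TempFile
{
    public $path = '/tmp/demo';
    public function __destruct()
    {
        echo "TempFile destructor ran for {$this->path}\n";
    }
}

// Serialized data as it might arrive from a cookie or a queue message.
$data = serialize([new Greeting(), new TempFile()]);

// 1. Default / BC behaviour: every class is instantiated, destructor included.
$all = unserialize($data, ['allowed_classes' => true]);
unset($all);   // destructor output appears here

// 2. Allow-list: Greeting is real; TempFile becomes __PHP_Incomplete_Class,
//    which keeps the properties but has none of the class's methods.
$safe = unserialize($data, ['allowed_classes' => ['Greeting']]);
foreach ($safe as $obj) {
    if ($obj instanceof __PHP_Incomplete_Class) {
        // Cast to array to read the original class name without a notice.
        $props = (array) $obj;
        echo 'Blocked class: ', $props['__PHP_Incomplete_Class_Name'], "\n";
    } else {
        echo get_class($obj), ': ', $obj->text, "\n";
    }
}

// 3. Pure data: no class is ever instantiated, so no destructor can run.
$none = unserialize($data, ['allowed_classes' => false]);
echo 'All objects incomplete: ', var_export(
    $none[0] instanceof __PHP_Incomplete_Class && $none[1] instanceof __PHP_Incomplete_Class,
    true), "\n";
```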

Slide 33

...AND SO

Slide 34

WHY IS THIS IMPORTANT?

Slide 35

Slide 36

"As investment and innovation in open source security increases, open source has the potential to become safer and more secure than ever before, making it more desirable for companies that are concerned about today's changing threat landscape."
Sara Purdon, Protecode

Slide 37

Thanks!
@enygma
Questions?