CakeFest 2023 Workshop 1

Transcript

1. CakeFest 2023 Los Angeles Workshop 1

2. Workshop 1 • 3h session • Quick CakePHP intro •

   Authentication • Security • OWASP Top 10 • Code https:/ /bit.ly/3PwZcBr • Database https:/ /bit.ly/3EVN7B0 • Slides

3. About Jorge González https:/ /phpc.social/@steinkel • VP at CakeDC [email protected]

   https:/ /www.cakedc.com

4. CakePHP Introduction • Setting up a development environment • Example

   application • Baking our application CRUD • API

5. Setup dev environment • Requirements $ sudo apt install -y

   php-cli php-intl php-mbstring php-sqlite3 zip php-zip // setup composer 5

6. Other dev environment • Watch Alejandro's talk on Saturday :)

   6

7. CakePHP application setup • Using composer + PHP builtin server

   7

8. Composer • Create a CakePHP 5 project • https:/ /github.com/cakephp/app

   • composer install • run App\Console\Installer::postInstall $ composer create-project cakephp/app cakefest2023 Installing... … Do you want to remove the existing VCS (.git, .svn..) history? [Y,n]? ←Y $ cd cakefest # get to the latest version $ composer require cakephp/cakephp:5.x-dev cakephp/chronos:3.x-dev {skeleton} 8

9. Start the built-in server $ bin/cake server -H 0.0.0.0 9

10. Configuration • Application class • CakePHP Bootstrap • config/bootstrap.php •

    config/app.php • Configure default datasource via environment 10

11. MVC CakePHP Reusability Model Table Entity Behavior View View Template

    Theme Layout Element Block Helper Controller Controller Action Component Other Cell, Mailer, Command Middleware CakePHP Concepts • Application level • Across applications: Plugin and Middleware 11

12. • dd() • Debugger • Logger • The query log

    • Step by step Debug 12

13. • Database download URL: • Or, use a migration •

    Import schema Database schema 13

14. 14 Database conventions • Plurals • Underscores • _id •

    Foreign Keys?

15. $ bin/cake bake all --everything Bake Shell • Build a

    CRUD for our tables 15

16. API • Use built-in features for a simple REST API

    16

17. Authentication • Form based login

18. • AuthenticationMiddleware::process() • AuthenticationService::authenticate() • First valid result wins •

    Persist the identity if not stateless • Redirect based on unauthenticated or login redirect The authentication process 18

19. • Password based identifiers • Session and Form authenticators Auth

    Configuration 19

20. • Adding a login and logout actions to UsersController •

    Preparing a login template Login action 20

21. • bin/cake add_user -u admin -p password User creation via

    Command 21

22. • Access authentication results • Check identity • Finish the

    login action • Add logout Log the user in 22

23. • Set up and ensure all actions go through authorization

    check Authorization 23

24. Security in CakePHP

25. • Access authentication results • Check identity • Finish the

    login action • Add logout ?General concepts 25

26. • Configuration • How CSRF works? • Example CSRF 26

27. • Configuration • How FormProtection works? • Example FormProtection 27

28. • Allowed list of Entity properties to be patched •

    `hidden` for serialization leaks Entity allowed 28

29. • composer require paragonie/csp-builder https:/ /github.com/paragonie/csp-builder • Example CSP 29

30. • See https:/ /developer.mozilla.org/en-US/docs/Web/HTTP/Headers • See https:/ /infosec.mozilla.org/guidelines/web_security.html • See

    https:/ /www.permissionspolicy.com/ • Example Security Headers 30

31. • Configuration • Example HTTPS Enforcer 31

32. • Configuration • Example CORS 32

33. • Validate user input • Escape output • Fail hard

    • Audit / log suspicious activity • Log auth related activity • Enforce 2FA General best practices 33

34. OWASP top 10 OWASP Top 10:2021

35. A01 Broken Access Control - OWASP Top 10:2021 Access control

    enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits. #1 35

36. Scenario #2: An attacker simply forces browses to target URLs.

    Admin rights are required for access to the admin page. • 1. FormSecurity • 2. Authorization • 3. CSP Headers • 4. Use Java #1 ? 36

37. #1 37 Ensure Authorization is in place for all actions

    • 1. FormSecurity • 2. Authorization • 3. CSP Headers • 4. Use Java

38. A02 Cryptographic Failures - OWASP Top 10:2021 The first thing

    is to determine the protection needs of data in transit and at rest… #2 38

39. Scenario #1: An application encrypts credit card numbers in a

    database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing a SQL injection flaw to retrieve credit card numbers in clear text. • 1. Escape template variables • 2. Enforce HTTPS • 3. Encrypt data before save • 4. Use Python #2 ? 39

40. Example: secure column encryption • 1. Escape template variables •

    2. Enforce HTTPS • 3. Encrypt data before save • 4. Use Python #2 40

41. A03 Injection - OWASP Top 10:2021 Some of the more

    common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection. The concept is identical among all interpreters. #3 41

42. #3 ? 42 Scenario #1: An application uses untrusted data

    in the construction of the following vulnerable SQL call: $query->find()->where("last_name LIKE '$lastName%'"); • 1. Use the ORM properly • 2. Use CSP headers • 3. Filter input • 4. Use ChatGPT to build all your SQL queries

43. #3 43 Scenario #1: An application uses untrusted data in

    the construction of the following vulnerable SQL call: $query->find()->where("last_name LIKE '$lastName%'"); • 1. Use the ORM properly • 2. Use CSP headers • 3. Filter input • 4. Use ChatGPT to build all your SQL queries

44. A04 Insecure Design - OWASP Top 10:2021 An insecure design

    cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks. #4 44

45. #4 ? 45 Scenario #1: A credential recovery workflow might

    include “questions and answers,”...Questions and answers cannot be trusted as evidence of identity To recover your account tell me: what's your mom's name? • 1. Use stronger password algorithm • 2. Remove the feature completely • 3. Add sound and videos • 4. Use MongoDB

46. #4 ? 46 Scenario #1: A credential recovery workflow might

    include “questions and answers,”...Questions and answers cannot be trusted as evidence of identity To recover your account tell me: what's your mom's name? • 1. Use stronger password algorithm • 2. Remove the feature completely • 3. Add sound and videos • 4. Use MongoDB

47. A05 Security Misconfiguration - OWASP Top 10:2021 #5 47

48. #5 ? 48 Scenario #3: The application server's configuration allows

    detailed error messages, e.g., stack traces, to be returned to users. This potentially exposes sensitive information or underlying flaws such as component versions that are known to be vulnerable. "Powered by CakePHP 1.2.1" • 1. Ensure we provide no details about underlying stack • 2. Update to the latest version always • 3. Add security headers • 4. Say you are using another framework

49. #5 49 Scenario #3: The application server's configuration allows detailed

    error messages, e.g., stack traces, to be returned to users. This potentially exposes sensitive information or underlying flaws such as component versions that are known to be vulnerable. "Powered by CakePHP 1.2.1" • 1. Ensure we provide no details about underlying stack • 2. Update to the latest version always • 3. Add security headers • 4. Say you are using another framework

50. A06 Vulnerable and Outdated Components - OWASP Top 10:2021 Vulnerable

    Components are a known issue that we struggle to test and assess risk #6 50

51. #6 ? 51 Scenario #1: Components typically run with the

    same privileges as the application itself, so flaws in any component can result in serious impact. "That old PHPMailer lib not updated since 2016" • 1. Always use secure libraries • 2. Validate, track patch dependencies • 3. Don't use Composer • 4. Use NodeJS

52. #6 52 Scenario #1: Components typically run with the same

    privileges as the application itself, so flaws in any component can result in serious impact. "That old PHPMailer lib not updated since 2016" • 1. Always use secure libraries • 2. Validate, track patch dependencies • 3. Don't use Composer • 4. Use NodeJS

53. A07 Identification and Authentication Failures - OWASP Top 10:2021 Confirmation

    of the user's identity, authentication, and session management is critical to protect against authentication-related attacks. #7 53

54. #7 ? 54 Scenario #1: Credential stuffing, the use of

    lists of known passwords, is a common attack. "Password1" • 1. Rotate passwords every 3 days • 2. Rotate passwords every 7 days • 3. Use MFA (Multi Factor Authentication) • 4. Encrypt passwords with at least 8096 bits

55. #7 55 Scenario #1: Credential stuffing, the use of lists

    of known passwords, is a common attack. "Password1" • 1. Rotate passwords every 3 days • 2. Rotate passwords every 7 days • 3. Use MFA (Multi Factor Authentication) • 4. Encrypt passwords with at least 8096 bits

56. A08 Software and Data Integrity Failures - OWASP Top 10:2021

    Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources. #8 56

57. #8 ? 57 Scenario #1 Update without signing: Many home

    routers, set-top boxes, device firmware, and others do not verify updates via signed firmware. "Missing signature, install anyway? [Y/n]" • 1. Remove external dependencies not needed • 2. Install packages from trusted sources only • 3. Remove all packages, copy everything to your plugins folder

58. #8 58 Scenario #1 Update without signing: Many home routers,

    set-top boxes, device firmware, and others do not verify updates via signed firmware. "Missing signature, install anyway? [Y/n]" • 1. Remove external dependencies not needed • 2. Install packages from trusted sources only • 3. Remove all packages, copy everything to your plugins folder

59. A09 Security Logging and Monitoring Failures - OWASP Top 10:2021

    Logging and monitoring can be challenging to test, often involving interviews or asking if attacks were detected during a penetration test. Detecting and responding to breaches is critical. #9 59

60. #9 ? 60 Scenario #1: A website operator couldn't detect

    a breach due to a lack of monitoring and logging. As there was no logging or monitoring of the system, the data breach could have been in progress since 2013. • 1. Add logs to relevant/sensitive actions in the site • 2. Add logs to suspicious activityin the site • 3. Add logs to all actions on the site • 4. Add logs to all actions on the site, including all mouse x,y change events

61. #9 61 Scenario #1: A website operator couldn't detect a

    breach due to a lack of monitoring and logging. As there was no logging or monitoring of the system, the data breach could have been in progress since 2013. • 1. Add logs to relevant/sensitive actions in the site • 2. Add logs to suspicious activityin the site • 3. Add logs to all actions on the site • 4. Add logs to all actions on the site, including all mouse x,y change events

62. A10 Server Side Request Forgery (SSRF) - OWASP Top 10:2021

    SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL). #10 62

63. #10 ? 63 Scenario #2: Sensitive data exposure – Attackers

    can access local files or internal services to gain sensitive information such as file:///etc/passwd and http://localhost:28017/ • 1. Use a deny list and strong regular expressions to validate domains • 2. Sanitize all target IP addresses • 3. Validate target domains with a positive allow list • 4. Block all traffic using a firewall

64. #10 64 Scenario #2: Sensitive data exposure – Attackers can

    access local files or internal services to gain sensitive information such as file:///etc/passwd and http://localhost:28017/ • 1. Use a deny list and strong regular expressions to validate domains • 2. Sanitize all target IP addresses • 3. Validate target domains with a positive allow list • 4. Block all traffic using a firewall

65. Questions ?

66. Thank You ありがとうございました。 Gracias

67. • ??? Extra ball Keeping it high 67

68. • Configuration • Example ?Cookies and Session 68

69. Security tools & scanners Worth checking your sites before going

    live • https:/ /owasp.org/www-community/Vulnerability_Scanning_Tools