Posted on 19-May-2015

PHP Security

September 20, 2011 NWO-PUG 1

E-mail: chris@ctankersley.com
Twitter: @dragonmantank
Identi.ca: dragonmantank

Who are you and why are you in my house?

Chris Tankersley
Doing PHP for 8 years
Lots of projects no one uses, and a few that some do
TL;DR:

https://github.com/dragonmantank


The Parts of Security
It's more than just a username/password


What is Secure Programming?

1. Minimizing Attack Surface
2. Establishing Secure Defaults
3. Principle of Least Privilege
4. Defense in Depth
5. Fail Securely
6. Don't Trust Services or Users
7. Separation of Duties
8. Avoid Security through Obscurity
9. Keep Security Simple
10. Fix Security Issues Correctly


https://www.owasp.org/index.php/Secure_Coding_Principles

Most Common Attacks
And how to avoid them


OWASP Top 10 (2010 edition)

1. Injection
2. Cross-Site Scripting
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards


https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project


Injection


What is Injection?

When input from a user or another service is placed into a command (a SQL statement, a shell command, HTML markup) without proper validation or escaping, so that the input changes the structure of the command instead of merely supplying a value


Many Shapes and Sizes

SQL Injection
Command Injection
HTML Injection


Protecting against Injections Attacks

Filter (validate) user input against what you expect, not against a list of bad characters
Escape, or better parameterize, anything not hard-coded, using the escaping for the context the value ends up in (SQL, shell, HTML)
Ignore $_REQUEST: it merges $_GET, $_POST and, depending on request_order, $_COOKIE, so you cannot tell where a value came from or stop a cookie from overriding a form field


SQL Injection


A Bit More Real Life


Protecting against SQL Injection

Use PDO and prepared statements: bind every user-supplied value as a parameter instead of building the SQL string. Identifiers (table and column names) and keywords such as ASC/DESC cannot be bound, so take those from a hard-coded whitelist.

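The pattern the slide warns against next to the PDO replacement, as an added example that is not part of the original slides. It uses an in-memory SQLite database so it runs offline; the users table, its rows and the tautology payload are constructed for the demo.

```php
<?php
// Added example, not from the original slides: the string-building pattern
// the talk warns about next to its PDO prepared-statement replacement.
// Uses an in-memory SQLite database so it runs offline; the table, columns
// and rows are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// Vulnerable: the user-controlled value becomes part of the SQL text, so a
// quote in the input ends the string literal and the rest is parsed as SQL.
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the statement's structure is fixed at prepare time and the value is
// bound as a parameter, so it can only ever be compared as a string.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers cannot be bound. When the user picks a sort column, map the
// request value onto a hard-coded list instead of escaping it.
function listUsersSorted(PDO $pdo, string $requestedColumn): array
{
    $allowed = ['id' => 'id', 'name' => 'username'];
    $column  = $allowed[$requestedColumn] ?? 'id';
    return $pdo->query("SELECT id, username FROM users ORDER BY $column")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// The classic tautology turns the WHERE clause into "always true" for the
// vulnerable query; for the safe query it is just an odd username.
$payload = "' OR '1'='1";
printf("vulnerable query matched %d rows, safe query matched %d rows\n",
    count(findUserVulnerable($pdo, $payload)),
    count(findUserSafe($pdo, $payload)));
print_r(listUsersSorted($pdo, 'name; DROP TABLE users'));
```

With MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server parses the statement before it sees any value; with emulation on, PDO escapes client-side, which is safe only if the connection charset is declared in the DSN.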

Command Injection

When your script passes user input to an external program through a shell (exec(), system(), shell_exec(), passthru(), backticks), shell metacharacters in that input let the user run commands of their own


Protecting against Command Injection

If you must let the user specify a whole command, use escapeshellcmd() on it. It defuses metacharacters such as ; | & and backticks, but it leaves spaces alone, so it does not stop the user from adding extra arguments.

If the user only supplies arguments (the usual case), hard-code the program and wrap each user value in escapeshellarg(), so the shell sees exactly one argument; validate the value against a whitelist pattern first. Better still, avoid the shell entirely: proc_open() accepts an argv array as of PHP 7.4.

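The levels of protection the two slides above describe, as an added example that is not from the original slides: raw interpolation, escapeshellcmd() alone, escapeshellarg() with a whitelist, and no shell at all. "wc -c" stands in for whatever tool the script needs; the temp file and the hostile file name are constructed for the demo.

```php
<?php
// Added example, not from the original slides. Shows the three levels the
// talk's advice implies, plus the shell-free option: raw interpolation
// (vulnerable), escapeshellcmd() (not enough when the user supplies an
// argument), escapeshellarg() with a whitelist, and proc_open() with an argv
// array (PHP 7.4+). "wc -c" stands in for the real external tool; the file
// names are constructed for the demo.

// Vulnerable: "report.txt; id" runs "id" after the intended command.
function sizeVulnerable(string $file): string
{
    return 'wc -c ' . $file;
}

// Still weak: escapeshellcmd() neutralises ; | & ` and friends, but does not
// touch spaces, so "report.txt --files0-from=/etc/passwd" still adds an option.
// It is only appropriate when the user is meant to choose the whole command.
function sizeEscapeCmd(string $file): string
{
    return escapeshellcmd('wc -c ' . $file);
}

// Safer: the program is hard-coded, the value is checked against a strict
// pattern, then escapeshellarg() makes it exactly one argument, and "--"
// tells getopt-style parsers that no more options follow.
function checkedName(string $file): string
{
    $name = basename($file);
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $name) || $name[0] === '.') {
        throw new InvalidArgumentException('unexpected file name');
    }
    return $name;
}

function sizeSafe(string $file): string
{
    return 'wc -c -- ' . escapeshellarg(checkedName($file));
}

// Best: no shell at all. The argv array goes straight to the program, so no
// character in $file has any special meaning. The whitelist check stays,
// because a path outside the upload directory is still a problem.
function sizeNoShell(string $dir, string $file): int
{
    $proc = proc_open(
        ['wc', '-c', '--', $dir . '/' . checkedName($file)],
        [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
        $pipes
    );
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start wc');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return (int) trim($out);   // "NN path": the leading number is the byte count
}

// Demo on a constructed file.
$dir = sys_get_temp_dir();
file_put_contents($dir . '/report.txt', str_repeat('x', 10));
$hostile = 'report.txt; id';
echo sizeVulnerable($hostile), "\n";   // two commands in one string
echo sizeEscapeCmd($hostile), "\n";    // the ; is escaped, but the shell still splits on the space
echo sizeSafe('report.txt'), "\n";     // one quoted argument
echo sizeNoShell($dir, 'report.txt'), "\n";
```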

HTML/Script Injection

HTML Injection: When user input is used to create new markup that the application did not expect

Script Injection: When user input is used to add new scripting to a page


HTML/Script Injection


Protecting against HTML/Script Injection

Decide if you really need to take HTML input

If you do: use an HTML cleaner such as Tidy, htmLawed or HTML Purifier and give it a whitelist of allowed tags and attributes; anything not on the list is dropped

If you don't: escape on output with htmlspecialchars() (or htmlentities()), passing ENT_QUOTES and the page's charset, so that quotes are covered as well as < > & and the escaping matches the encoding the browser uses


Cross Site Scripting
Or XSS


What is it?

When an attacker gets script into a page that other users load, so that it runs in their browsers with their session and can read the page or send cookies, form contents and keystrokes to another site


How to avoid XSS?

Since this is an injection attack, use the same steps as for HTML/script injection: escape every piece of untrusted data on output for the context it lands in (HTML body, attribute, JavaScript, URL), and whitelist-clean any HTML you have decided to accept. Marking the session cookie HttpOnly limits what a successful XSS can steal, but does not prevent the XSS itself.

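The two cases the HTML/script-injection slide separates, which the XSS slide above points back to, as an added example that is not from the original slides: escaping on output when HTML is not accepted, and a tag whitelist when it is. The sanitizer is a small one written for this demo on top of DOMDocument, not htmLawed or Tidy, and the hostile input is constructed.

```php
<?php
// Added example, not from the original slides. e() escapes untrusted text on
// output when you do not accept HTML; sanitizeHtml() keeps only a whitelist
// of tags when you do. The sanitizer is a small one written for this demo on
// top of DOMDocument, not htmLawed or Tidy; it copies no attributes at all,
// so there is nowhere for onclick= or javascript: to live. The hostile
// sample input is constructed.

function e(string $text): string
{
    // ENT_QUOTES also covers the single quote, needed inside value='...';
    // ENT_SUBSTITUTE keeps one invalid UTF-8 byte from blanking the whole string.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'p', 'br'];

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // user input is rarely well-formed
    // The xml PI forces UTF-8. The wrapper div is not on the whitelist, so it
    // vanishes again on output, and walking the whole document means an early
    // </div> in the input cannot hide anything from the filter.
    $doc->loadHTML('<?xml encoding="utf-8" ?><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    return renderClean($doc);
}

function renderClean(DOMNode $node): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            $out .= e($child->nodeValue);            // text is always escaped
        } elseif ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                continue;                            // dropped together with their contents
            }
            $inner = renderClean($child);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                $out .= $inner;                      // unknown tag removed, its text kept
            } elseif ($tag === 'br') {
                $out .= '<br>';
            } else {
                $out .= "<$tag>$inner</$tag>";       // attributes are never copied
            }
        }
        // comments, CDATA and processing instructions are dropped
    }
    return $out;
}

$hostile = '<b onclick="alert(1)">hi</b><script>alert(2)</script>'
         . '<img src=x onerror=alert(3)><a href="javascript:alert(4)">x</a>'
         . '<p>1 &lt; 2 and "quoted"</p>';
echo sanitizeHtml($hostile), "\n";
echo e('<script>alert("x")</script>'), "\n";
```

Escaping is context-specific: e() is correct for HTML text and quoted attribute values, but data placed inside a script block or a URL needs JSON or URL encoding instead, which is why the advice is to escape at output, where the context is known.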

Broken Authentication and Session Management


What is it?

Insecure storing of credentials
Session IDs exposed via the URL
Session fixation attacks


Storing Credentials

Hash with a salt, but with a hash designed for passwords, not a single round of hash()

Do not use md5 or sha1: they are broken (collisions are practical) and, like sha256, they are fast. A fast hash lets an attacker try billions of guesses per second even when a salt is used, so use bcrypt via crypt() (PHP 5.3+) or password_hash() (PHP 5.5+), which generate the salt and slow the computation down deliberately

If you have to use the raw data, encrypt it with AES-256 in an authenticated mode such as GCM, through the openssl or sodium extension. Do not use mcrypt: it is abandoned and was removed from core in PHP 7.2, and its MCRYPT_RIJNDAEL_256 is Rijndael with a 256-bit block, which is not AES (AES is Rijndael with a 128-bit block)

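What the credential-storage advice above looks like in current PHP, as an added example that is not from the original slides (it also covers the later "Insecure Cryptographic Storage" slide): password_hash()/password_verify() in place of a hand-salted hash(), and AES-256-GCM through openssl in place of mcrypt. The key is generated inline only so the demo runs; the sample password and card number are constructed.

```php
<?php
// Added example, not from the original slides. The slide recommends a salted
// hash() and mcrypt with "Rijndael 256"; this is the replacement a current PHP
// codebase should use: password_hash()/password_verify() (PHP 5.5+) for
// credentials, which pick the salt and a deliberately slow algorithm for you,
// and AES-256-GCM through the openssl extension for data that must be read
// back. The key is generated inline only so the demo runs; in practice it
// comes from a secret store or the environment, never from the same database
// as the data it protects.

function storePassword(string $plain): string
{
    // bcrypt today; algorithm, cost and salt are all encoded in the result,
    // so the column needs no separate salt.
    return password_hash($plain, PASSWORD_DEFAULT);
}

function checkPassword(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// PASSWORD_DEFAULT may change between PHP releases; after a successful login
// store the returned hash if one is returned.
function rehashIfNeeded(string $plain, string $stored): ?string
{
    return password_needs_rehash($stored, PASSWORD_DEFAULT) ? storePassword($plain) : null;
}

// Authenticated encryption: GCM detects any change to the ciphertext, and a
// fresh random IV keeps two encryptions of the same value from looking alike.
function encryptField(string $plain, string $key): string
{
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);   // iv (12) | tag (16) | ciphertext
}

function decryptField(string $blob, string $key): string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed ciphertext');
    }
    $iv    = substr($raw, 0, 12);
    $tag   = substr($raw, 12, 16);
    $ct    = substr($raw, 28);
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        throw new RuntimeException('wrong key or tampered ciphertext');
    }
    return $plain;
}

// Demo with constructed values.
$hash = storePassword('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $hash));
var_dump(checkPassword('Tr0ub4dor&3', $hash));

$key  = random_bytes(32);                       // 256-bit key, demo only
$blob = encryptField('4111 1111 1111 1111', $key);
echo decryptField($blob, $key), "\n";

// Flip one bit of the ciphertext: GCM refuses to decrypt instead of returning garbage.
$raw = base64_decode($blob);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
try {
    decryptField(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```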

Session IDs in URL

Commonly used when cookies can't be enabled; the ID then leaks through the Referer header, browser history, server logs and shared links

Make sure the following is set in your php.ini (the directive is session.use_trans_sid, not use_trans_id):

session.use_trans_sid = 0
session.use_only_cookies = 1

On PHP 5.5.2 and later also set session.use_strict_mode = 1, so an ID the server never issued is rejected instead of adopted


Session Fixation

Session fixation is when the attacker supplies the session ID (in a link, or through a cookie they can set on a related host) and waits for the victim to log in with it; from then on the attacker holds a logged-in session

What happens if your users don't log out? Track login state in the server-side session, not in anything the client sends, and expire idle sessions

Call session_regenerate_id(true) on login and on any change of privilege, so an ID the attacker planted never becomes an authenticated one

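The session settings from the "Session IDs in URL" slide together with the regenerate-on-login fix for fixation, as an added example that is not from the original slides. It assumes the credential check that produces $userId happens elsewhere; the idle timeout and the demo user id are constructed.

```php
<?php
// Added example, not from the original slides. It combines the php.ini
// settings from the "Session IDs in URL" slide (with the real directive name,
// session.use_trans_sid) with the fix the "Session Fixation" slide leaves
// out: regenerating the ID whenever the session's privilege changes. The
// login check that decides $userId is assumed to happen elsewhere.

// Same effect as the php.ini lines; these must run before session_start().
ini_set('session.use_trans_sid', '0');     // never rewrite links to carry the ID
ini_set('session.use_only_cookies', '1');  // ignore an ID passed in the query string
ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue (PHP 5.5.2+)
ini_set('session.cookie_httponly', '1');   // not readable from document.cookie, limits XSS theft
ini_set('session.cookie_secure', '1');     // only sent over HTTPS
ini_set('session.cookie_samesite', 'Lax'); // PHP 7.3+; blunts CSRF from cross-site POSTs

session_start();

const IDLE_TIMEOUT = 1800;   // seconds before an untouched login expires

function loginUser(int $userId): void
{
    // Discard the pre-login ID: if an attacker planted it, it is now worthless.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// Login state lives only in the server-side session, never in a client value.
function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    if (time() - ($_SESSION['last_seen'] ?? 0) > IDLE_TIMEOUT) {
        logoutUser();              // users who never log out are logged out for them
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user_id'];
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 86400, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Demo: log in, look the user up, log out, look again.
loginUser(42);
var_dump(currentUserId());
logoutUser();
var_dump(currentUserId());
```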

Insecure Direct Object References


What is it?

An insecure direct object reference is when the application exposes an internal key (a database id, a file name) in a URL or form field and then serves the object without checking that the current user is allowed to see it

The fix is to check authorization at the point of access, or to map the user's choice onto an indirect reference the application controls

This is not an injection attack, but a logic attack: the input is perfectly well-formed


An Example


How to Avoid

Always check that the user has authorization to access the resource, on every request, even when the id came from a link you generated

Map variables to indirect references, or whitelist the acceptable values, to make guessing harder; this raises the bar but does not replace the authorization check

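Both defences from the slide above, as an added example that is not from the original slides: an ownership check that is part of the query, and an indirect reference map kept in the session. The invoices table, its owner_id column and the fixed current user are constructed for the demo.

```php
<?php
// Added example, not from the original slides: the two defences the slide
// lists. loadInvoice() puts the ownership check into the query itself, so a
// forgotten "if" in a caller cannot leak another user's row, and
// referenceFor()/resolveReference() hand the browser a random token instead
// of the real key (the "map/whitelist" idea). The invoices table, the
// owner_id column and the fixed current user are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, total INTEGER NOT NULL)');
$pdo->exec('INSERT INTO invoices (id, owner_id, total) VALUES (100, 1, 250), (101, 2, 999)');

function currentUserId(): int
{
    return 1;   // stand-in for the server-side session lookup
}

// Authorization as part of the query: a row owned by someone else is simply
// not found. Answer 404 rather than 403 so the id's existence is not confirmed.
function loadInvoice(PDO $pdo, int $invoiceId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, owner_id, total FROM invoices WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $invoiceId, ':owner' => currentUserId()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Indirect reference: the page shows a token, the session remembers which key
// it stands for. A token only resolves for the user it was issued to, and
// counting upwards from id=1 finds nothing.
function referenceFor(array &$session, int $invoiceId): string
{
    $token = bin2hex(random_bytes(16));
    $session['refs'][$token] = $invoiceId;
    return $token;
}

function resolveReference(array $session, string $token): ?int
{
    return $session['refs'][$token] ?? null;
}

// Demo; $session stands in for $_SESSION.
$session = [];
$token   = referenceFor($session, 100);

$id = resolveReference($session, $token);             // the user's own invoice
var_dump($id === null ? null : loadInvoice($pdo, $id));

var_dump(loadInvoice($pdo, 101));                      // another user's invoice, same code path
var_dump(resolveReference($session, 'not-a-token'));  // a guessed reference
```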

Cross Site Request Forgery
Or CSRF Attacks


What is it?

When a victim's browser is made to send a request to a site where the victim is logged in, so that the site carries out an action the victim never intended; the browser attaches the session cookie automatically, so the request looks authentic

In days gone by, this would be done with Referer checking, but don't trust Referer information: browsers, proxies and privacy settings often strip it, so a check either breaks legitimate users or ends up not being enforced


An example – Bank Transfer

A bank transfer is done via $_GET variables, so the whole action fits in one URL that an <img> tag or a link on any other site can request

The user is authenticated but not logged out, so their browser adds the session cookie to that request


How to avoid this

Include a hidden element in the form with a one-time value (a random token stored in the session) and reject the request if the submitted value does not match, comparing with hash_equals(). Also require POST for anything that changes state: a GET can be triggered by an image tag.

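One-time CSRF tokens as the slide describes, as an added example that is not from the original slides. The transfer form, its field names and the handler are placeholders; the token store, expiry and replay demo are constructed.

```php
<?php
// Added example, not from the original slides: one-time CSRF tokens. Each
// form gets a fresh random token, tokens live in the session with an expiry
// and are consumed on first use, and comparison uses hash_equals() so a
// timing side channel cannot help guessing. The transfer form, its field
// names and the handler are placeholders. The attacker's page cannot read a
// response from our origin, so it can never learn a valid token.

session_start();

const CSRF_TTL = 3600;   // seconds a token stays usable
const CSRF_MAX = 20;     // tokens kept per session (one per open form)

function csrfToken(): string
{
    $now    = time();
    $tokens = $_SESSION['csrf'] ?? [];
    foreach ($tokens as $t => $expiry) {          // drop expired ones first
        if ($expiry < $now) {
            unset($tokens[$t]);
        }
    }
    while (count($tokens) >= CSRF_MAX) {          // then the oldest, to bound the session size
        array_shift($tokens);
    }
    $token = bin2hex(random_bytes(32));
    $tokens[$token] = $now + CSRF_TTL;
    $_SESSION['csrf'] = $tokens;
    return $token;
}

function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// True exactly once per token. A matched token is removed whether or not it
// was still valid, so a replayed or expired one can never succeed later.
function consumeCsrfToken($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf'])) {
        return false;
    }
    foreach ($_SESSION['csrf'] as $token => $expiry) {
        if (hash_equals((string) $token, $submitted)) {
            unset($_SESSION['csrf'][$token]);
            return $expiry >= time();
        }
    }
    return false;
}

// The transfer form: state changes go through POST, never GET, so an <img>
// tag on another site cannot trigger them.
function transferForm(): string
{
    return '<form method="post" action="/transfer">'
         . csrfField()
         . '<input name="to"><input name="amount">'
         . '<button>Transfer</button></form>';
}

// Handler side.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!consumeCsrfToken($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('missing, expired or reused CSRF token');
    }
    // ... validate "to" and "amount", then perform the transfer
}

// Demo outside a web server: mint a token, use it once, try to replay it.
$form = transferForm();
preg_match('/value="([0-9a-f]+)"/', $form, $m);
var_dump(consumeCsrfToken($m[1]));   // first use
var_dump(consumeCsrfToken($m[1]));   // replay of the same token
```

Per-session tokens (one value reused across forms) are simpler and survive users opening several tabs; one-time tokens, as on the slide, additionally stop a token that leaked once from being reused.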

Security Misconfiguration


Beyond the scope of programming

Check for server hardening guidelines for your OS
Password rotation practices
Understanding your settings
Keep your stack up to date!


Insecure Cryptographic Storage


More of a logic problem

Encrypting data in the database, but leaving it unencrypted during output
Using unsalted hashes


How to avoid this

Like when storing credentials, use a salt whenever hashing information, and a deliberately slow hash when the input is a password

Only decrypt data when it is needed; keep the key out of the database that holds the ciphertext, and use an authenticated mode so tampering is detected


Failure to Restrict URL Access


What is it?

When users can gain access to parts of the application just through URL manipulation
When the app doesn't check authorization properly, for example hiding the admin link but still serving the admin page to anyone who types its URL


Security through Obscurity

Don’t trust that just because a user doesn’t know a URL, they can’t get to it

Fuzzers can find all kinds of things, especially if the app is common


How to avoid this

ALWAYS check authorization. The extra CPU cycles are worth it.

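What "ALWAYS check authorization" looks like in a front controller, as an added example that is not from the original slides: a single gate in front of every route that denies anything not listed and canonicalises the path before the lookup. The route table, the roles and the way the role reaches the session are constructed for the demo.

```php
<?php
// Added example, not from the original slides: one authorization gate in
// front of every route. Routes not in the table are denied (fail securely),
// and the path is canonicalised before lookup so "/admin/../admin/users" or a
// percent-encoded spelling cannot bypass the table. The routes, roles and the
// way the role reaches the session are constructed for the demo.

const ROUTE_ROLES = [
    '/'            => 'anonymous',
    '/account'     => 'user',
    '/admin/users' => 'admin',
];
const ROLE_RANK = ['anonymous' => 0, 'user' => 1, 'admin' => 2];

// Collapse ".", "..", empty segments and percent-encoding so that every
// spelling of a path compares against the same table entry.
function canonicalPath(string $requestUri): string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    $path = is_string($path) ? rawurldecode($path) : '/';
    $segments = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($segments);
            continue;
        }
        $segments[] = $segment;
    }
    return '/' . implode('/', $segments);
}

function isAuthorized(string $requestUri, ?string $role): bool
{
    $required = ROUTE_ROLES[canonicalPath($requestUri)] ?? null;
    if ($required === null) {
        return false;                               // unknown URL: deny, never "probably fine"
    }
    $have = ROLE_RANK[$role ?? 'anonymous'] ?? -1;  // unknown role value: no access at all
    return $have >= ROLE_RANK[$required];
}

// Front controller: the gate runs before any page code, on every request.
function dispatch(string $requestUri, ?string $role): string
{
    if (!isAuthorized($requestUri, $role)) {
        http_response_code(403);
        return 'forbidden';
    }
    return 'served ' . canonicalPath($requestUri);
}

// Demo: the role would normally come from the server-side session at login.
echo dispatch('/account', 'user'), "\n";
echo dispatch('/admin/users', 'user'), "\n";
echo dispatch('/admin/../admin/users?x=1', 'admin'), "\n";
echo dispatch('/%61dmin/users', null), "\n";
echo dispatch('/backup.sql', null), "\n";
```

The check belongs on the canonical route the dispatcher resolves, not on the raw request string; a gate that compares the raw URL is exactly what the obscurity slide warns about, because every alternate spelling of the path is a way around it.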

Insufficient Transport Layer Protection


Not using TLS (what the slides call SSL) when you should

If your data is sensitive, use TLS. Are your logins behind it? Is the session cookie marked Secure, so it is never sent in the clear?

There isn't really an excuse. Certificates were $9/year in 2011 and are free today from Let's Encrypt; serve everything over HTTPS and redirect plain HTTP to it.


Unvalidated Redirects and Forwards


What is it?

When an app takes the redirect or forward destination from a request parameter without validating it. A link on the trusted site then lands users on an attacker's page (phishing), or an internal forward reaches a page that skipped its access check.

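Validating a "next" parameter before redirecting to it, as an added example that is not from the original slides. Only a site-relative path is accepted by default, with an optional allowlist of external hosts; the hosts and sample inputs are constructed.

```php
<?php
// Added example, not from the original slides: validating a "next" parameter
// before redirecting to it. Only a site-relative path is accepted by default;
// an optional allowlist of external hosts covers the case where you really do
// send users off-site. The hosts and sample inputs are constructed.

function safeRedirectTarget(?string $next, string $fallback = '/', array $allowedHosts = []): string
{
    // Empty, or contains control characters: CR/LF in a Location header is
    // header injection, so refuse rather than strip.
    if ($next === null || $next === '' || preg_match('/[\x00-\x1f\x7f]/', $next)) {
        return $fallback;
    }
    $parts = parse_url($next);
    if ($parts === false) {
        return $fallback;
    }

    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        // Relative target: exactly one leading slash. "//evil.example" and
        // "/\evil.example" are protocol-relative URLs as far as browsers are concerned.
        return preg_match('#^/(?![/\\\\])#', $next) ? $next : $fallback;
    }

    // Absolute target: https only, host on the allowlist, and no user@ part
    // that could make "https://good.example@evil.example" look like the good host.
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if ($scheme === 'https' && $host !== '' && in_array($host, $allowedHosts, true)
        && !isset($parts['user']) && !isset($parts['pass'])) {
        return $next;
    }
    return $fallback;
}

function redirectAfterLogin(?string $next): void
{
    header('Location: ' . safeRedirectTarget($next, '/account', ['partner.example']), true, 302);
}

// Demo inputs (constructed): what each one is turned into.
foreach ([
    '/account/settings',
    '//evil.example/phish',
    '/\\evil.example',
    'https://evil.example/',
    'https://partner.example/landing',
    'https://partner.example@evil.example/',
    'javascript:alert(1)',
    "/account\r\nSet-Cookie: x=y",
    null,
] as $candidate) {
    printf("%-45s -> %s\n", var_export($candidate, true),
           safeRedirectTarget($candidate, '/account', ['partner.example']));
}
```

For internal forwards the same idea applies with the route table instead of a host list: resolve the target through the dispatcher so its own authorization check runs, rather than including a file named by the request.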

Putting it Together


Attacking from Multiple Fronts

Attackers will employ many different vectors in an attack

HTML injection can take advantage of a broken auth system: the injected markup or script (XSS) runs with the victim's session and can call URLs that should have been restricted, forcing users to do unintended actions

Script injection can lead to session hijacking if the session cookie is readable from script or the session ID is exposed in URLs


Remember…

1. Minimizing Attack Surface
2. Establishing Secure Defaults
3. Principle of Least Privilege
4. Defense in Depth
5. Fail Securely
6. Don't Trust Services or Users
7. Separation of Duties
8. Avoid Security through Obscurity
9. Keep Security Simple
10. Fix Security Issues Correctly


https://www.owasp.org/index.php/Secure_Coding_Principles

Questions?

