secure coding embedded
Post on 06-Apr-2018
8/3/2019 Secure Coding Embedded
1/32
Mohammed Irfan
2/32
A measurement, not a characteristic.
A growing problem that requires a continually evolving solution. (An application can only be called secure if it survives even future attacks.)
Security should be an essential part of application design (not an afterthought).
3/32
Lack of security in an application can lead to:
Loss of important data, money, time, etc.
Damage to reputation and trust; in extreme cases, lawsuits.
4/32
Input Validation
SQL Injection
Code Injection
XSS (Cross Site Scripting)
CSRF (Cross Site Request Forgery)
Session Security
5/32
Common development trends
- Lack of proper input validation
- Relying on client-side validation only
Problems
- Code injection
- SQL injection
- Command injection
Solution
- Always validate inputs using built-in PHP functions (is_int(), is_float(), is_bool(), is_finite(), intval(), floatval(), doubleval(), strlen(), strpos(), ctype_alpha(), ctype_alnum(), etc.)
6/32
One of the most common security problems.
SQL queries are injected as input.
Also closely related to input validation.
Possible problems can be:
- Data removal
- Modification of existing values
- Unwanted access grant
- Arbitrary data injection
- All of the above combined
http://www.youtube.com/watch?v=h2GEwiA-FEU
http://www.youtube.com/watch?v=AFeJ0cfeLpk
7/32
/* articles.php */
$id = $_GET['id'];                                   // untrusted input, used as-is
$sql = "select * from articles where id = '$id'";    // interpolated straight into SQL
$result = mysql_query($sql);
Now when we have a call like:
http://www.example.com/articles.php?id=1
it is perfectly valid, and we can expect the article with id 1 to be fetched from the database.
8/32
What if the URL is:
http://www.example.com/articles.php?id=1; delete from articles;
The query becomes
"select * from articles where id = '1'; delete from articles"
(deleting every row of the articles table).
9/32
Escaping inputs using addslashes() or the built-in PHP mechanism magic_quotes_gpc (not recommended).
Using dedicated escaping functions provided by the database interface:
MySQL: mysql_escape_string(), mysql_real_escape_string()
PostgreSQL: pg_escape_string(), pg_escape_bytea()
SQLite: sqlite_escape_string()
11/32
So our example will now look like this:
$id = mysql_real_escape_string($_GET['id']);
$sql = "select * from articles where id = '$id'";
$result = mysql_query($sql);
But sometimes even escaping can fail!
$id = "0; delete from articles";
$id = mysql_real_escape_string($id);
// still "0; delete from articles": there are no quotes to escape
mysql_query("SELECT * FROM articles WHERE id={$id}");   // value is not quoted in the query
To solve such a problem, use explicit casting:
$id = (int)$id;   // "0; delete from articles" becomes 0
12/32
Database-specific escaping is not available for all databases (MSSQL, Oracle, etc.).
Prepared statements: another approach.
Prepared queries are query templates: the structure of the query is pre-defined and fixed, with placeholders that stand in for real data. The placeholders are typically type-specific (e.g., int for integer data and text for strings), which allows the database to interpret the data strictly.
We can use PDO (PHP Data Objects) or PHP's mysqli extension for prepared statements.
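The articles.php example rewritten with prepared statements, combining the input validation of slide 5 with the PDO and mysqli approaches described here. This is an added example, not the deck's own code; it assumes a MySQL database named "app" with an "articles" table, and the connection credentials are constructed placeholders.

```php
<?php
/* articles.php with prepared statements (added example, not the deck's code).
   Assumes a MySQL database "app" containing an "articles" table; the
   connection details below are constructed placeholders. */

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// Step 1 (input validation): check the type before the value goes near SQL.
// filter_var() returns false for input such as "1; delete from articles".
$id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === false) {
    http_response_code(400);
    exit('Invalid article id');
}

// Step 2 (prepared statement): the query structure is fixed and ":id" is a
// typed placeholder, so the value is never parsed as SQL, whatever it contains.
$stmt = $pdo->prepare('SELECT * FROM articles WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$article = $stmt->fetch();

if ($article === false) {
    http_response_code(404);
    exit('No such article');
}

// The same query with the mysqli extension ("i" binds the value as an integer).
$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app');
$stmt = $mysqli->prepare('SELECT * FROM articles WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$article = $stmt->get_result()->fetch_assoc(); // null when no row matches
```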
14/32
Code injection occurs when we use parameters from the web directly as parameters for our code execution.
This is especially important for includes:
$module = $_REQUEST['module'];
include("lib/$module");
This is OK: http://example.com/cms?module=login.php
But what if I do this? http://example.com/cms?module=../passwords.ini
15/32
Make sure the value is the one you expected. Otherwise show an error message.
$requestedModule = $_REQUEST['module'];
// Map the request onto a fixed set of names; only these ever reach include().
switch ($requestedModule) {
    case "login":
        $module = "login"; break;
    case "logout":
        $module = "logout"; break;
    default:
        $module = "error";
}
16/32
Cross Site Scripting (XSS) is a situation where an attacker injects JavaScript code, which is then displayed on the page without further validation. Can lead to:
Embarrassment. Session take-over. Password theft.
User tracking by 3rd parties.
Common XSS examples: user-submitted content sites such as blogs, forums, wikis, etc.
User comments on different sites.
http://www.youtube.com/watch?v=ptf9ujBZ8GE
18/32
User (attacker) enters the following JavaScript code in a form field:
document.location = "http://www.mysite.com/"
As the input data is not filtered, when the page loads the user will be redirected to mysite.com. (Totally unexpected?)
19/32
Prevention of XSS is as simple as filtering input data using one of the following:
htmlspecialchars()
Encodes ', ", <, >, & etc.
htmlentities()
Converts anything that there is an HTML entity for.
strip_tags()
Strips anything that resembles HTML tags.
Allowing tags in strip_tags() can be dangerous, as tag attributes are not stripped, e.g.,
This is vulnerable!
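An added example (not the deck's own code) showing output encoding with htmlspecialchars() next to the strip_tags() allow-list caveat above; the comment string is a constructed sample input.

```php
<?php
/* Output encoding for user-submitted content (added example, not the deck's
   code). The sample comment is constructed to show the strip_tags() caveat
   from the slide: an allowed tag keeps its attributes. */

// Constructed sample input: an event-handler attribute on an allowed tag.
$comment = '<a href="#" onmouseover="alert(1)">click me</a>';

// Encode at output time with ENT_QUOTES and an explicit charset, so that
// ', ", <, > and & cannot break out of the surrounding HTML context.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Safe: the browser shows the markup as literal text, nothing executes.
echo '<p>' . e($comment) . "</p>\n";

// Dangerous: strip_tags() with an allow-list keeps every attribute on the
// allowed <a> tag, so the onmouseover handler is still live in the output.
echo strip_tags($comment, '<a>') . "\n";

// Safe but loses formatting: strip all tags, then encode what is left.
// Allowing some markup safely needs a real HTML sanitizer (not covered here).
echo e(strip_tags($comment)) . "\n";
```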
20/32
Much less widely understood than XSS...
... but almost certainly more common.
Cross-site request forgery attacks allow attackers to force your users to take actions on your site that they didn't mean to take.
Not just GET; hidden forms allow POST as well.
http://www.youtube.com/watch?v=uycmHQM_h64
21/32
UserA is a member of bank.com. He sends money to UserB and finds that the following URL is used:
http://bank.com/transfer.do?acct=UserB&amount=100
Now UserA constructs a URL like the above to victimize UserC (who is also a user of bank.com):
http://bank.com/transfer.do?acct=UserA&amount=100000
Now UserA sends an email to UserC containing the forged request as a link:
View my Pictures!
22/32
Now if UserC clicks the link, he is actually initiating the request, as he is already authenticated in the system.
But wait: when UserC clicks the link, he will definitely notice that a payment has been made. So in order to trick UserC without him noticing, UserA does this instead (a zero-byte image whose source is the forged URL).
So without any problem, UserA has got funds from UserC.
23/32
document.forms.csrf.submit();
24/32
Distinguish each and every request generated from your server.
Distinguish requests generated from your site from those coming from other sites.
Do not rely on HTTP Referer checking, as it is not fully reliable.
Include a form token in every form that you display. The form token must be unique and must ensure that the request came from your site.
Yahoo! uses a similar approach and calls it a Crumb.
26/32
Should be unique per user (or one user can use their crumb to attack another).
Hence should be tied to the user's session or login cookie.
Should be changed over time (even when the same form is requested multiple times).
Ajax requests must come from the same domain.
Limit the lifetime of authentication cookies.
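A per-session form token implementing the requirements of slides 24 and 26 (tied to the session, rotated after use, verified on every state-changing request). This is an added example; it is not the deck's own code and not Yahoo!'s Crumb implementation, and it assumes PHP sessions are enabled and that the transfer form is the one from the bank.com scenario.

```php
<?php
/* Per-session anti-CSRF form token, a "crumb" (added example; not the deck's
   code and not Yahoo!'s implementation). Assumes PHP sessions are enabled. */
session_start();

// Issue one random token per session; it is replaced after each successful use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Verify in constant time; a missing or mismatched token fails closed.
function csrf_check(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($submitted === null || $expected === '') {
        return false;
    }
    $ok = hash_equals($expected, $submitted);
    if ($ok) {
        unset($_SESSION['csrf_token']); // rotate: the next form gets a fresh token
    }
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request did not originate from this site');
    }
    // ... perform the state-changing action (the transfer) only here ...
}

// Render the form with the hidden token. The token lives in the server-side
// session, so a page on another site cannot read it to forge the POST, and a
// plain GET link like transfer.do?acct=...&amount=... carries no token at all.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="/transfer.do">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input name="acct"> <input name="amount">'
   . '<button>Transfer</button></form>';
```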
27/32
Sessions are a common tool for user tracking across an application.
For the duration of a visit, the session is effectively the user's identity. If an active session can be obtained by a 3rd party, it can assume the identity of the user whose session was compromised.
During standard HTTP transactions, all request and response information is transmitted as plain text. Anyone capable of intercepting these messages can steal the user's session.
28/32
To prevent session id theft, the id should be altered on every request, invalidating old values.
Because the session changes on every request, the back button in a browser will no longer work, as it will make a request with the old session id.
29/32
Use HTTPS to pass secure information.
Stop the session ID being passed via the URL: set session.use_only_cookies, so that session fixation is hard to carry out.
Another session security technique is to compare the browser signature headers.
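The session settings from slides 28 and 29 in one bootstrap: cookie-only ids, secure cookie flags, a browser-signature check and id regeneration. This is an added example, not the deck's own code; it assumes PHP 7.3 or later and that the site is served over HTTPS.

```php
<?php
/* Session hardening (added example, not the deck's code).
   Assumes PHP 7.3+ and that the application is served over HTTPS. */

// Cookie-only session ids: no id in the URL, so a crafted link cannot plant one.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue

session_set_cookie_params([
    'lifetime' => 0,        // limited lifetime: ends with the browser session
    'secure'   => true,     // sent only over HTTPS, never in plain text
    'httponly' => true,     // not readable by injected JavaScript (XSS)
    'samesite' => 'Lax',
]);
session_start();

// Browser-signature check: bind the session to the User-Agent seen when the
// session was created, and drop the session if it changes.
$signature = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
if (isset($_SESSION['sig']) && !hash_equals($_SESSION['sig'], $signature)) {
    session_unset();
    session_destroy();
    http_response_code(403);
    exit('Session rejected');
}
$_SESSION['sig'] = $signature;

// Rotate the id: on every request as the slide describes, or, to keep the
// back button usable, at least every few minutes and on every login.
$now = time();
if (!isset($_SESSION['rotated']) || $now - $_SESSION['rotated'] > 300) {
    session_regenerate_id(true);  // true = the old id is invalidated at once
    $_SESSION['rotated'] = $now;
}
```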
30/32
There are more security issues out there.
Always try to be proactive on security measures rather than reactive.
Keep updated with the latest security flaws and fixes.
Always try to avoid common pitfalls.
31/32
http://www.modsecurity.org/ (mod_security Apache module)
http://www.hardened-php.net/ (PHP Security Patches)
http://www.xssoops.com/ (Security Scanner)
http://www.cgisecurity.com/
http://www.owasp.org/
http://phpsec.org/
32/32
Q & A?