securing your web apps now

Posted on 09-Jun-2015


Category: Technology


DESCRIPTION

The importance of security in 2013, with more websites getting hacked daily and penetration tester being one of the most requested IT jobs. Developers need to know how secure their applications are against threats like SQL injection, cross-site scripting, weak passwords, and brute force or dictionary attacks.

TRANSCRIPT

SECURING YOUR WEB APPS NOW

TIPS TO MAKE YOUR SITE LESS HACKABLE

WHO?

• Stephan Steynfaardt

• Solutions Architect & Tech Lead

• CISSP certified

• White hat penetration testing

• @ssteynfaardt

WHAT?

• Validation

• SQL injection

• OS injection

• Code injection

• File upload

• Information leakage

• Broken Authentication & Session Management

• XSS

WHY?

IT NEEDS TO BE EASY ENOUGH FOR ANYBODY, EVEN MY MOTHER

IT’S NOT JUST OUR MOTHERS VISITING WEBSITES.

I don’t even trust the panda

ANY 4 YEAR OLD WITH AN INTERNET CONNECTION

Nothing to do with SSL

WEB APPLICATIONS TESTED BY OWASP

WORLD’S BIGGEST DATA BREACHES

2013

HOW?

• More than one security layer

• Validate

• Escape

• Bind SQL

• Least privileges

• Generic error exception messages

• Don't display error messages

VALIDATION

• Client-side validation is useless

• Whitelisting acceptance criteria

• Typecast your variables

• Never trust any data

• Respect\Validation

Top 10 OWASP list

SQL INJECTION

• Don't use quotes – you only need to miss one

• Always bind your parameters

BIND PARAMETER

// Named placeholders instead of quoted, concatenated values: the values are
// sent to the driver separately from the query text, so they can never
// change the structure of the statement.
$sql = "SELECT * FROM users WHERE name = :name AND age = :age";
$stmt = $db->prepare($sql);
$stmt->execute(array(":name" => $name, ":age" => $age));

SQL INJECTION

• Only allow the SQL privileges required

• sqlmap
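A worked example for the Validation and SQL injection slides, added here and not the talk's own code: whitelist and typecast the input first, then bind it, and run the slide's query against an in-memory SQLite table to show that a bound value is compared as data rather than parsed as SQL.

```php
<?php
// Added example (not from the talk). Requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, age INTEGER)');
$db->exec("INSERT INTO users VALUES ('alice', 30), ('bob', 41)");   // constructed rows

function findUser(PDO $db, $name, $age)
{
    // Whitelist acceptance criteria: reject anything that is not a short
    // alphanumeric name or an integer age in a sane range. Reject, don't "clean".
    if (!preg_match('/^[a-z0-9_]{1,32}$/i', $name)) {
        return false;
    }
    $age = filter_var($age, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 0, 'max_range' => 150)));
    if ($age === false) {
        return false;
    }
    // Bind with explicit types; the query text never contains user data.
    $stmt = $db->prepare('SELECT * FROM users WHERE name = :name AND age = :age');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':age', (int) $age, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

var_dump(findUser($db, 'alice', '30'));            // one row
var_dump(findUser($db, "alice' OR '1'='1", '30'));  // false: fails the whitelist

// Second layer: even without the whitelist, a bound value is just a string
// compared against the column. No row has that literal name, so count is 0.
$stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE name = :name');
$stmt->execute(array(':name' => "alice' OR '1'='1"));
var_dump((int) $stmt->fetchColumn());
```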

Cracking password hashes

SQL MAP

CODE INJECTION

• eval() === Evil

// From the talk: deliberately vulnerable. The request parameter is pasted
// straight into PHP source, so whatever follows ?id= is executed as code
// instead of being treated as a number.
$var = 1;
$newvalue = isset($_GET['id']) ? $_GET['id'] : 0;
eval('$var = ' . $newvalue . ';');
echo $var;

• The PHP manual warns you against using eval()

CODE INJECTION

• Don’t use preg_replace() with /e

• PHP 5.5 deprecated /e

• Dynamic function injection, don’t call it from the URL

• local.php?file=some_file.log
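Added example, not the talk's code: allowlists in place of each code-injection pattern on the slides (eval of a request value, preg_replace with /e, a function name taken from the URL, and the local.php?file= style file read). listUsers and showUser are hypothetical handler names.

```php
<?php
// Added example (not from the talk).

// 1. eval('$var = ' . $_GET['id'] . ';')  ->  typecast; no code path at all.
$var = isset($_GET['id']) ? (int) $_GET['id'] : 0;

// 2. preg_replace() with /e (deprecated in PHP 5.5) evaluated the replacement
//    string as PHP. preg_replace_callback() takes a closure instead, so the
//    matched text is only ever data passed to it.
$titled = preg_replace_callback(
    '/\b([a-z])([a-z]*)/',
    function (array $m) { return strtoupper($m[1]) . $m[2]; },
    'securing your web apps'
);

// 3. Dynamic function name from the URL -> fixed map of allowed actions.
$actions = array('list' => 'listUsers', 'show' => 'showUser');   // hypothetical
$action = isset($_GET['action']) ? $_GET['action'] : 'list';
if (!array_key_exists($action, $actions)) {
    http_response_code(400);
    exit('unknown action');
}
// call_user_func($actions[$action]);   // only ever one of the mapped names

// 4. local.php?file=some_file.log -> drop any path component, resolve inside
//    a fixed directory, and confirm the real path is still inside it.
function readLogFile($requested, $logDir)
{
    $base = realpath($logDir);
    $path = realpath($logDir . '/' . basename($requested));
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
        || substr($path, -4) !== '.log') {
        return null;   // missing, outside $logDir, or not a .log file
    }
    return file_get_contents($path);
}
```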

OS INJECTION

• Statements executed directly on the OS

• Don’t use system()

• system('nslookup ' . $_POST['host']);

• 'google.com; rm -RF /var/www'

• Download any script with wget

• Validate file_get_contents()
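Added example, not the talk's code: the slide's nslookup call rewritten so the host name must match an allowlist pattern and is then quoted with escapeshellarg(), plus a file_get_contents() wrapper that only accepts http(s) URLs on hosts you name.

```php
<?php
// Added example (not from the talk).
function lookupHost($host)
{
    // Whitelist: DNS labels of letters, digits and hyphens, joined by dots.
    // Input such as 'google.com; rm -RF /var/www' fails here, before any
    // shell is involved.
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    if (strlen($host) > 253 || !preg_match('/^' . $label . '(\.' . $label . ')*$/', $host)) {
        return false;
    }
    // Second layer: the value becomes a single quoted shell word regardless.
    $output = array();
    $status = 1;
    exec('nslookup ' . escapeshellarg($host), $output, $status);
    return $status === 0 ? implode("\n", $output) : false;
}

function fetchRemote($url, array $allowedHosts)
{
    // Restrict file_get_contents() to http(s) on known hosts; with
    // allow_url_fopen on, file://, php:// and internal addresses would
    // otherwise all be reachable through a user-supplied URL.
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])
        || !in_array(strtolower($p['scheme']), array('http', 'https'), true)
        || !in_array(strtolower($p['host']), $allowedHosts, true)) {
        return false;
    }
    return file_get_contents($url);
}

// Usage: $allowedHosts is your own list, e.g. array('api.example.org').
```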

bring your own exploit

FILE UPLOADS

Actually any PHP n00bs

WORDPRESS N00BS

FILE UPLOADS

• Upload files outside of the webroot

• Check the mime-type:

$ file -i logo.png
logo.png: image/png; charset=binary

$ file -i evil_file.png
evil_file.png: text/plain; charset=us-ascii

• Rename file

• Move to desired location
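Added example, not the talk's code: the upload steps from the slide in order. finfo uses the same libmagic database as `file -i`, so it gives the same verdicts as the two commands shown. $uploadDir is an assumed directory outside the webroot.

```php
<?php
// Added example (not from the talk).
function storeImageUpload(array $file, $uploadDir)
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    // Ignore $file['type'] (chosen by the browser) and the extension;
    // look at the bytes instead.
    $allowed = array('image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif');
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return false;   // evil_file.png comes back as text/plain and stops here
    }
    // Rename: random name, extension taken from the detected type, never
    // from the client.
    $name = bin2hex(openssl_random_pseudo_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    chmod($dest, 0640);   // data, not code: no execute bit, group read only
    return $name;         // store this; serve the file through a read-only script
}

// Usage (assumes a form field named "logo" and an assumed path):
// $stored = storeImageUpload($_FILES['logo'], '/var/uploads');
```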

INFORMATION LEAKAGE

• phpinfo()

• php.ini: display_errors = Off

• php.ini: display_startup_errors = Off

• php.ini: error_reporting = E_ALL & ~E_DEPRECATED

• php.ini: html_errors = Off

• php.ini: log_errors = On – always log your errors to a file

OVER SPECIFIC FEEDBACK

• Login form messages

• Forgotten debug statements

• Server headers

• php.ini: expose_php = Off

• httpd.conf: ServerTokens Full | OS | Minor | Major | Prod

• ModSecurity

SENSITIVE DATA EXPOSURE

All your data are belong to us - NSA

SENSITIVE DATA EXPOSURE

• OWASP Top 10 2013: simply not encrypting data

• Only store the data you need

• MD5 and SHA1 are not for passwords

• Passwords are easy to guess

• Bcrypt is for passwords: ircmaxwell/password-compat, zendframework/zend-crypt

• PHP 5.5: password_hash()

• cost: more rounds = better security, but more time/performance penalty
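Added example, not the talk's code: bcrypt through password_hash() / password_verify() (PHP 5.5+; ircmaxwell/password-compat supplies the same functions on 5.3 and 5.4), with the cost parameter tuned against a time budget and old hashes upgraded at login.

```php
<?php
// Added example (not from the talk).
function registerPassword($plain, $cost = 12)
{
    // bcrypt with a salt generated by PHP; $cost is the work factor (2^cost rounds).
    return password_hash($plain, PASSWORD_BCRYPT, array('cost' => $cost));
}

function loginCheck($plain, $storedHash, $currentCost = 12)
{
    if (!password_verify($plain, $storedHash)) {
        return array('ok' => false, 'rehash' => null);
    }
    // If the stored hash used a lower cost than policy now requires, hand
    // back a new hash so the caller can update the row while the plaintext
    // is still in hand.
    $rehash = password_needs_rehash($storedHash, PASSWORD_BCRYPT, array('cost' => $currentCost))
        ? registerPassword($plain, $currentCost)
        : null;
    return array('ok' => true, 'rehash' => $rehash);
}

function pickCost($budgetSeconds = 0.25)
{
    // Raise the cost until one hash takes longer than the budget on this
    // hardware, then use the last cost that fitted.
    for ($cost = 8; $cost <= 31; $cost++) {
        $start = microtime(true);
        password_hash('benchmark', PASSWORD_BCRYPT, array('cost' => $cost));
        if (microtime(true) - $start > $budgetSeconds) {
            return $cost - 1;
        }
    }
    return 31;
}

$hash = registerPassword('correct horse battery staple', 10);   // constructed sample
var_dump(loginCheck('correct horse battery staple', $hash, 12)); // ok, with a cost-12 rehash
var_dump(loginCheck('wrong', $hash, 12));                        // ok => false
```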

SENSITIVE DATA EXPOSURE

• Directories should be 750 or 755

• Files should be 644 or 640

• Locate directories that are 777 (world-writable) on your server:
$ sudo find /var/www/ -type d -perm -002

• Locate files that are 777 (world-writable) on your server:
$ sudo find /var/www/ -type f -perm -002

• User should own the web directory

• Group should be the apache user

BROKEN AUTHENTICATION & SESSION MANAGEMENT

• #2 on the OWASP Top 10 2013

• Allows attackers to impersonate other users who are currently logged in

• Don’t display the sessionID in the URL

• Hidden fields – isAdmin

• Remove the session cookie when done

• Regenerate sessionID's after login

BROKEN AUTHENTICATION & SESSION MANAGEMENT

• session_destroy(), session_unset()

• Remember me functions

• chrome://settings/passwords
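Added example, not the talk's code: session handling as the slides describe it, with the id only in a cookie (never in the URL), a fresh id after login, the admin flag held server-side instead of in a hidden isAdmin field, and a logout that unsets, destroys and expires the cookie.

```php
<?php
// Added example (not from the talk).
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid', 0);
// lifetime 0 (browser session), path /, Secure when on HTTPS, HttpOnly
session_set_cookie_params(0, '/', '', !empty($_SERVER['HTTPS']), true);
session_start();

function loginUser(array $userRow)
{
    // New id on privilege change: a session id fixed or observed before
    // login no longer maps to the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $userRow['id'];
    $_SESSION['is_admin'] = !empty($userRow['is_admin']);   // from the DB row
}

function isAdmin()
{
    // Authorisation comes from the server-side session only; a hidden form
    // field such as isAdmin=1 is just user input and is never consulted.
    return !empty($_SESSION['is_admin']);
}

function logoutUser()
{
    $_SESSION = array();
    session_unset();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage: loginUser($rowFromUsersTable); ... if (isAdmin()) { ... } ... logoutUser();
```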

Cross Site Scripting

XSS

• 65% of websites are vulnerable to XSS

• 2 types of XSS: stored, reflected

• Steal the sessionID from cookies

• Escape all form input – htmlspecialchars()

• ezyang/htmlpurifier, escape_html

• Cookies: HttpOnly

• document.write hidden iframe
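Added example, not the talk's code: escaping on output with htmlspecialchars() using ENT_QUOTES and an explicit charset, for both the stored and the reflected case, with the session cookie marked HttpOnly so script cannot read it. $comment is a constructed sample of the kind of stored value the slide describes.

```php
<?php
// Added example (not from the talk).
ini_set('session.cookie_httponly', 1);   // document.cookie no longer exposes the session id

function e($text)
{
    // ENT_QUOTES escapes ' as well as ", so the result is also safe inside
    // a single-quoted attribute; PHP < 5.4 defaulted to ISO-8859-1, so the
    // charset is named explicitly.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stored XSS: a comment saved earlier that contains markup (constructed).
$comment = '<script>document.write("<iframe src=\'//example.invalid/\' hidden>")</script>';

// Rendered raw, the browser would execute it; escaped, it is displayed as text.
echo '<p class="comment">' . e($comment) . '</p>' . "\n";

// Reflected XSS: anything echoed back from the request goes through e() too,
// including values placed inside attributes.
$q = isset($_GET['q']) ? $_GET['q'] : '';
echo '<input name="q" value="' . e($q) . '">' . "\n";
```

Escaping is per output context: e() covers HTML text and attribute values, while a value dropped into a script block or a URL needs a different encoder.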

GOING FORWARD

GOING FORWARD

• 57% of organizations provided some software security training

• 40% fewer vulnerabilities

• Resolved issues 59% faster

• owasp.org

• https://security.sensiolabs.org/

GOING FORWARD

• 19 Extensions to Turn Google Chrome into Penetration Testing Tool: http://resources.infosecinstitute.com/19-extensions-to-turn-google-chrome-into-penetration-testing-tool/

• PHP security manual: http://php.net/manual/en/security.php

• Code reviews

• Try it yourself
