2013 - Mark story - Avoiding the Owasp

AVOIDING THE OWASP
Top 10 security exploits

Saturday, 5 October, 13

ME

Illustrator turned developer
PHP developer for 8 years
Architect/Developer at FreshBooks
Lead developer of CakePHP


SECURITY


SECURITY CONTINUUM

(

unusable


)

unrestricted

OWASP
Open Web Application Security Project


OWASP TOP 10


1

INJECTION


‘ OR 1=1 ‘--

RISKS

Command - Permits arbitrary shell commands.
SQL - Permits query manipulation, and arbitrary SQL.
Bad guys can run arbitrary code/queries.


SQL INJECTION EXAMPLE
$username = $_POST[‘username’];
$password = $_POST[‘password’];
$query = “SELECT * FROM user
WHERE username = ‘$username’
AND password = ‘$password’”;
$user = $db->query($query);

USER INPUT
$username = “root”;
$password = “‘ OR 1 = 1 --”;


FINAL QUERY

WHERE username = ‘root’
AND password = ‘‘ OR 1 = 1 --”;


PREVENTION
Use an ORM or Database abstraction layer that
provides escaping. Doctrine, ZendTable, and
CakePHP all do this.
Use PDO and prepared statements.
Never interpolate user data into a query.
Never use regular expressions, magic quotes, or
addslashes()


EXAMPLE (PDO)
WHERE username = ?
AND password = ?”;
$stmt = $db->prepare($query);
$stmt->bindValue($username);
$stmt->bindValue($password);
$result = $db->execute();

COMMAND INJECTION

$file = $_POST[‘file’];
$res = file_get_contents($file);
echo $res;


USER INPUT
$f = “../../../../../../etc/passwd”;


PREVENTION

Escape and validate input.
Check for ..
Check for ;
Ensure the realpath resolves to a ﬁle that is allowed.


2

BROKEN AUTHENTICATION
& SESSION MANAGEMENT
/index.php?PHPSESSID=pwned


RISKS

Identity theft.
Firesheep was an excellent example.


SESSION FIXATION EXAMPLE
<?php
session_start();
if (isset($_GET[‘sessionid’]) {
session_id($_GET[‘sessionid’]);
}


PREVENTION

Rotate session identiﬁers upon login/logout
Set the HttpOnly ﬂag on session cookies.
Use well tested / mature libraries for authentication.
SSL is always a good idea.


3

XSS

<script>alert(‘cross site scripting’);</script>


RISKS

Allows bad guys to do things as the person viewing a
page.
Steal identities, passwords, credit cards, hijack pages
and more.


XSS EXAMPLE

<p>
<?php echo $user[‘bio’]; ?>
</p>


I know, I can use regular expressions!


PREVENTION

Regular expressions and strip_tags leave you
vulnerable.
The only robust solution is output encoding.


EXAMPLE
<p>
<?php echo htmlentities(
$user[‘bio’],
ENT_QUOTES,
‘UTF-8’
); ?>
</p>


DANGERS

Manually encoding is error prone, and you will make
a mistake.
Using a template library like Twig that provides autoescaping reduces the chances of screwing up.
Encoding is dependent on context.


4

INSECURE DIRECT OBJECT
REFERENCE


RISKS

Bad guys can access information they shouldn’t
Bad guys can modify data they shouldn’t.


BROKEN PASSWORD UPDATE
<form action=”/user/update” method=”post”>
<input type=”hidden” name=”userid” value=”4654” />
<input type=”text” name=”new_password” />
<button type=”submit”>Save</button>
</form>


PREVENTION
Remember hidden inputs are not really hidden, and
can be changed by users.
Validate access to all things, don’t depend on things
being hidden/invisible.
If you need to refer to the current user, use session
data not form inputs.
Whitelist properties any form can update.


5

SECURITY
MISCONFIGURATION


RISKS

Default settings can be insecure, and intended for
development not production.
Attackers can use misconﬁgured software to gain
knowledge and access.


PREVENTION

Know the tools you use, and conﬁgure them
correctly.
Keep up to date on vulnerabilities in the tools you
use.
Remove/disable any services/features you aren’t using.


6

SENSITIVE DATA EXPOSURE
4012 8888 8888 1881


RISKS

Bad guys get credit cards, personal identiﬁcation,
passwords or health records.
Your company could be ﬁned or worse.


ASSESSING RISK
Do you have sensitive data?
Is it in plaintext?
Any old/bad crypto in use?
Missing SSL?
Who can access sensitive data?


7

MISSING FUNCTION LEVEL
ACCESS CONTROL


RISKS

Anyone on the internet can request things.
Missing access control could mean bad guys can do
things they shouldn’t be able to.


PREVENTION

No simple solutions sadly.
Good automated tests help.


8

CROSS SITE REQUEST
FORGERY


(CSRF)

RISKS

Evil websites can perform actions for users logged
into your site.
Side effects on GET can be performed via images or
CSS ﬁles.
Remember the Gmail contact hack.


CSRF EXAMPLE

Your app
Evil site


CSRF EXAMPLE

Your app
Evil site

Login


CSRF EXAMPLE

Your app
Evil site

Login
Accidentally visit

CSRF EXAMPLE

Your app

Submit form for evil
Evil site

Login
Accidentally visit

PREVENTION

Add opaque expiring tokens to all forms.
Requests missing tokens or containing invalid tokens
should be rejected.


SAMPLE CSRF VALIDATION
<?php
if (!$this->validCsrfToken($data, ‘csrf’)) {
throw new ForbiddenException();
}


9

USING COMPONENTS WITH
KNOWN VULNERABILITIES


CVE bingo

RISK

Using old busted software can expose you to
documented issues.
CVE databases are ﬁlled with version numbers and
matching exploits.


PREVENTION

Do routine upgrades. Keep up to date with all your
software.
Read mailing lists and keep an eye out for security
releases.


PREVENTION

Several vulnerability databases around.
https://cve.mitre.org/cve/


10

UNVALIDATED REDIRECTS &
FORWARDS


RISKS

Trusting user input for redirects opens phishing
attacks.
Breach of trust with your users.


PREVENTION

Don’t trust user data when handling redirects.


THANK YOU


2013 - Mark story - Avoiding the Owasp

Recommended

Recommended

More Related Content

Similar to 2013 - Mark story - Avoiding the Owasp

Similar to 2013 - Mark story - Avoiding the Owasp (20)

More from PHP Conference Argentina

More from PHP Conference Argentina (6)

Recently uploaded

Recently uploaded (20)

2013 - Mark story - Avoiding the Owasp