Security 202 - And you thought you would be secure

And you thought you'd be secure Security 202 ZendCon 2010 Edition By Arne Blankerts, thePHP.cc

What is this talk about?  Myths in web security  Broken configurations  Typical implementation issues

Session data “I can always trust my session data since I know what I did store”

Sessions [theseer@rikka ~] $ grep "session.save_path" /etc/php.ini | grep -v ";" session.save_path = "/var/lib/php/session"  Identical for all php instances unless specifically overwritten  Read and write access from php code  May be crafted in shared hosting  Session-id takeover from vhost to vhost  Session-Content can be modified  Can even lead to code execution

CAPTCHA “I'm using a captcha to protect my forms from abuse – So I'm save.”

CAPTCHA  Conceptual Problems  Distortion often unreadable  Not the least bit accessible  Breaking can be “crowd sourced”  Implementation issues

CAPTCHA  captcha.php 01 <?php 02 session_start(); 03 require 'captchaHelper.php'; 04 05 $code = generateCaptchaCode(); 06 $_SESSION['CAPTCHA'] = $code; 07 08 header('Content-type: image/jpeg'); 09 echo createCaptchaImage($code);  validation.php 01 <?php 02 session_start(); 03 04 if ($_SESSION['CAPTCHA'] != $_REQUEST['code']) { 05 die('Captcha value wrong'); 06 } 07 echo 'Welcome!';

Prepared Statements “I'm using prepared statements so I'm protected from sql injections”

Prepared Statements 01 <?php 02 03 $db = new PDO(....); 04 $query = $db->prepare('SELECT ... WHERE NAME=:name'); 05 $query->bindParam(':name', $_GET['name']); 06 07 //...

Prepared Statements  What about fieldnames?  Variable table names?  Do you sort your results?  Any need for limits?  Still use ext/mysql?  Sprintf based implementations?

Drawbacks of sprintf  Manual escaping needed  mysql_escape_string vs. mysql_real_escape_string  PDO::quote() does not work with ODBC  No knowledge of fieldtype  String vs. Integer exploits  PDO::quote vs. mysql(i)_real_escape_string

Cross Site Request Forgery “I have an anti CSRF token in my forms – So I'm well protected”

CSRF  csrftoken.php 01 <?php 02 03 session_start(); 04 $_SESSION['CSRF']=md5(time()); 05 06 //...  validate.php 01 <?php 02 03 session_start(); 04 if ($_SESSION['CSRF']==$_GET['CSRF']) { 05 // ... 06 }

CSRF  Regenerate token for every form?  Do you keep a backlog of tokens?  Do you validate your session?  Session fixation may violate CSRF tokens  What do you base the token on?

Password storage “I know storing clear text passwords is a bad idea. That's why I'm only storing hashes of passwords to protect my users.”

Password storage 01 <?php 02 03 $db = new PDO(....); 04 $query = $db->prepare( 05 'UPDATE user SET PASSWD=:pwd WHERE UID=:uid' 06 ); 07 $query->bindParam(':uid', $_SESSION['uid']); 08 $query->bindParam(':pwd', sha1($_POST['pwd'])); 09 10 //...

Most favorite passwords  123456  Abc123  12345  Qwertz / Qwerty  123456789  Dragon  Password  Sexgod  iloveyou  Football  princess  1234  rockyou  Pussy  1234567  Letmein  12345678  admin

Password storage  Always salt hashes  Either prepend or append additional values  Do a quality check on user supplied codes

Validation “I know using blacklists is pointless. That's why I use regular expressions to check for valid chars in a string”

Validation 01 <?php 02 03 $name = isset($_GET['name']) ? $_GET['name'] : 'Anonymous User'; 04 05 if (ereg("^[a-zA-Z0-9 +-]*$", $name)) { 06 echo "Welcome, $name"; 07 } else { 08 echo "Sorry, that name contains invalid chars"; 09 } 10 11 ?>

Clickjacking “To make sure my site cannot be a victim of clickjacking, I have a Javascript to Break out from frames or iframes”

Clickjacking  Old style frame busting code 01 <script type=”text/javascript”> 02 if (top != self) { top.location.replace(self.location.href); } 03 </script>

Clickjacking  Old style frame busting code 01 <script type=”text/javascript”> 02 if (top != self) { top.location.replace(self.location.href); } 03 </script>  Frame buster busting code 01 <script type=”text/javascript”> 02 var prevent_bust = 0 03 window.onbeforeunload = function() { prevent_bust++ } 04 setInterval(function() { 05 if (prevent_bust > 0) { 06 prevent_bust -= 2 07 window.top.location = 'http://attacker/204.php'; 08 } 09 }, 1); 10 </script>

Clickjacking – what works  JavaScript & CSS  Hide content by use display:none  Switch to visible if frametest succeeds  Use X-FRAME-OPTIONS header  Set to DENY for no iframe embedded  Set to SAMEORIGIN to allow from same host

Lessons learned?  Tiny problems add up  Some attacks are only effective if various vectors get combined  Combinations of attack vectors may render your solution useless  Security requires a fully secure eco system

Congrats!

Contact  Slides will be available  http://talks.thephp.cc  Please rate this talk  http://joind.in/talk/view/2258  Contact options  Email: team@thePHP.cc / arne@thePHP.cc  Follow us on twitter:  @arneblankerts / @thePHPcc

Security 202 - And you thought you would be secure

by Arne Blankerts on Nov 03, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 42

Statistics

Security 202 - And you thought you would be secure — Presentation Transcript

http://www.berejeb.com	38
http://www.devetdesign.com	4