Dip Your Toes in the Sea of Security (PHP Dorset, 2nd June 2014)

2,468 views
2,314 views

Published on

Security is an enormous topic, and it’s really, really complicated. If you’re not careful, you’ll find yourself vulnerable to any number of attacks which you definitely don’t want to be on the receiving end of. This talk will give you just a taster of the vast array of things there is to know about security in modern web applications, such as writing secure PHP web applications and securing a Linux server. Whether you are writing anything beyond a basic brochure website, or even developing a complicated business web application, this talk will give you insights to some of the things you need to be aware of.

Published in: Software
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,468
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
2
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Dip Your Toes in the Sea of Security (PHP Dorset, 2nd June 2014)

  1. 1. Dip Your Toes in the Sea of Security James Titcumb PHP Dorset 2nd June 2014
  2. 2. James Titcumb www.jamestitcumb.com www.protected.co.uk www.phphants.co.uk @asgrim Who is this guy?
  3. 3. Who are you? https://www.flickr.com/photos/akrabat/10168019755/
  4. 4. Some simple code... <?php $a = (int)$_GET['a']; $b = (int)$_GET['b']; $result = $a + $b; printf('The answer is %d', $result);
  5. 5. The Golden Rules
  6. 6. The Golden Rules 1. Keep it simple
  7. 7. The Golden Rules 1. Keep it simple 2. Know the risks
  8. 8. The Golden Rules 1. Keep it simple 2. Know the risks 3. Fail securely
  9. 9. The Golden Rules 1. Keep it simple 2. Know the risks 3. Fail securely 4. Don’t reinvent the wheel
  10. 10. The Golden Rules 1. Keep it simple 2. Know the risks 3. Fail securely 4. Don’t reinvent the wheel 5. Never trust anything / anyone
  11. 11. OWASP & the OWASP Top 10 https://www.owasp.org/
  12. 12. Application Security (mainly PHP applications)
  13. 13. Always remember… Filter Input Escape Output
  14. 14. SQL Injection (#1) http://xkcd.com/327/
  15. 15. SQL Injection (#1) 1. Use PDO / mysqli 2. Use prepared / parameterized statements
  16. 16. SQL Injection (#1) <?php $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = {$user_id}"; $db->execute($sql); ✘
  17. 17. SQL Injection (#1) <?php $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = :userid"; $stmt = $db->prepare($sql); $stmt->bind('userid', $user_id); $stmt->execute(); ✔
  18. 18. Cross-Site Scripting / XSS (#3) ● Escape output
  19. 19. Cross-Site Scripting / XSS (#3) ● Escape output <?php $unfilteredInput = '<script type="text/javascript">...</script>'; // Unescaped - JS will run :'( echo $unfilteredInput; // Escaped - JS will not run :) echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
  20. 20. Cross-Site Request Forgery / CSRF (#8) ● HTTP request ● e.g. submit a POST request to login form
  21. 21. Errors, Exceptions & Logging (#6) Sensitive Information exposure custom Exception & Error handling - filter what the end user sees - Handle API responses in a unified way
  22. 22. curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); ✘
  23. 23. curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate"); ✔
  24. 24. exec($_GET) https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code
  25. 25. eval() https://github.com/search?q=eval%28%24_GET&type=Code&ref=searchresults
  26. 26. WordPress
  27. 27. WordPress Urgh.
  28. 28. We are not security experts! We CAN write secure code
  29. 29. We are not security experts! We CAN write secure code ● Learn more ● Keep it simple ● Think about attack vectors ● Prioritise vulnerabilities
  30. 30. ● Be the “threat” ● What do you want? ○ Personal data (name, address, DOB) ○ Sensitive data (credit cards, bank accounts) ○ Cause disruption (downtime) ● How would you do it? Think Differently
  31. 31. Threat Modelling ● Damage ● Reproducibility ● Exploitability ● Affected users ● Discoverability
  32. 32. Authentication & Authorization
  33. 33. Authentication == Verifying IDENTITY ● Password ● Delegated password (LDAP etc.) ● One-time code (SMS, Yubi, Google 2FA etc.) ● Biometrics (fingerprints, iris, DNA etc.) ● Keycards / USB sticks etc.
  34. 34. CRYPTOGRAPHY IS HARD
  35. 35. CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN”
  36. 36. CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN” EVER!!!
  37. 37. Case Study: Custom Authentication We thought about doing this…
  38. 38. Case Study: Custom Authentication We thought about doing this…
  39. 39. Case Study: Custom Authentication We thought about doing this… ...but the we realised we were overcomplicating things.
  40. 40. Password Hashing ● Never store plain text passwords ● Never encrypt passwords ● Always hash passwords ● Use password_hash / password_verify ○ >= PHP 5.5 ○ < PHP 5.5, use ircmaxell/password-compat
  41. 41. Authorization == Verifying ACCESS ● Access lists ● Role-based ● Attribute-based
  42. 42. Linux Server Security
  43. 43. SSH Fortress ● Passwordless ● Rootless ● Lock down IP ● Run on different port
  44. 44. Firewalls #!/bin/bash IPT="/sbin/iptables" $IPT --flush $IPT --delete-chain $IPT -P INPUT DROP $IPT -P FORWARD DROP $IPT -P OUTPUT DROP # Loopback $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT # Inbound traffic $IPT -A INPUT -p tcp --dport ssh -j ACCEPT $IPT -A INPUT -p tcp --dport 80 -j ACCEPT # Outbound traffic $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT $IPT -A OUTPUT -p udp --dport 53 -m state
  45. 45. Brute Force Attacks ● iptables (complex) ● fail2ban ● DenyHosts
  46. 46. Install Only What You Need ● Audit Regularly ● Use provisioning ● Don’t install cruft
  47. 47. Case Study: Be Minimal Internets Postfix Squid Proxy (badly configured) hacker spam
  48. 48. Resources ● http://securingphp.com/ ● https://www.owasp.org/ ● http://blog.ircmaxell.com/
  49. 49. The Golden Rules 1. Keep it simple 2. Know the risks 3. Fail securely 4. Don’t reinvent the wheel 5. Never trust anything / anyone
  50. 50. If you follow all this, you get...
  51. 51. If you follow all this, you get...
  52. 52. Questions?
  53. 53. James Titcumb www.jamestitcumb.com www.protected.co.uk www.phphants.co.uk @asgrim Thanks for watching!

×