Security 202 - Are you sure your site is secure?

Transcript

  • 1. Are You Sure Your Site Is Secure?
      Security 202, Confoo 2011 Edition
      By Arne Blankerts, thePHP.cc
  • 2. What is this talk about?
      - Myths in web security
      - Broken configurations
      - Typical implementation issues
  • 3. Session data
      “I can always trust my session data since I know what I did store”
  • 4. Session data
        [theseer@rikka ~] $ grep "session.save_path" /etc/php.ini | grep -v ";"
        session.save_path = "/var/lib/php/session"
      - Identical for all PHP instances unless specifically overwritten
      - Read and write access from PHP code
      - May be crafted in shared hosting
        - Session-id takeover from vhost to vhost
        - Session content can be modified
        - Can even lead to code execution
  • 5. Session hijacking
      “To protect my users from session hijacking, I did implement a validation check”
  • 6. Session hijacking
      session.php:
        <?php
        session_start();
        $success = true;
        if (($_SESSION['IP'] != $_SERVER['REMOTE_ADDR'])
            or ($_SESSION['VIA'] != $_SERVER['HTTP_VIA'])
            or ($_SESSION['FORWARD'] != $_SERVER['HTTP_X_FORWARDED_FOR'])
            or ($_SESSION['AGENT'] != $_SERVER['HTTP_USER_AGENT'])) {
            // ...
        }
  • 7. Session hijacking – what to do?
      - Determine if hijacking is a problem
      - Regenerate id on every request
        - Doesn't block it but makes it harder to exploit
      - Fully switch to https for transport
        - Alternatively use a separate id in ssl context
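As an added example (not code from the slides), the session setup that puts slides 4 and 7 into practice: a private save_path, cookie flags for https-only transport, and id regeneration. The directory path is hypothetical.

```php
<?php
// Added example, not from the talk: private session storage plus the id
// rotation and https-only transport from slide 7.
// Assumes $savePath is a directory outside the web root owned by this
// vhost's user only (hypothetical: /var/www/app/sessions, mode 0700).
declare(strict_types=1);

function startHardenedSession(string $savePath): void
{
    // Own save_path: other vhosts sharing the box cannot read, swap or
    // forge our session files (slide 4).
    ini_set('session.save_path', $savePath);
    // Refuse ids the server never issued (session fixation).
    ini_set('session.use_strict_mode', '1');
    // Never accept the id from the URL, only from the cookie.
    ini_set('session.use_only_cookies', '1');
    // Array form of session_set_cookie_params() needs PHP 7.3+.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // cookie only travels over https
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // Slide 7: rotate the id on every request. A sniffed id is only
    // good until the legitimate user's next request.
    session_regenerate_id(true);
}

// Rotate on privilege change as well, so an id handed out before login
// never carries an authenticated session.
function promoteSession(string $userId): void
{
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
}

startHardenedSession('/var/www/app/sessions');
```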
  • 8. Cross Site Request Forgery
      “I have an anti CSRF token in my forms – So I'm well protected”
  • 9. CSRF
      csrftoken.php:
        <?php

        session_start();
        $_SESSION['CSRF'] = md5(time());

        //...
      validate.php:
        <?php

        session_start();
        if ($_SESSION['CSRF'] == $_GET['CSRF']) {
            // ...
        }
  • 10. CSRF
      - Regenerate token for every form?
        - Do you keep a backlog of tokens?
      - Do you validate your session?
        - Session fixation may violate CSRF tokens
      - What do you base the token on?
  • 11. CAPTCHA
      “I'm using a captcha to protect my forms from abuse – So I'm safe.”
  • 12. CAPTCHA
      - Conceptual problems
        - Distortion often unreadable
        - Not the least bit accessible
      - Breaking can be “crowd sourced”
      - Implementation issues
  • 13. CAPTCHA
      captcha.php:
        <?php
        session_start();
        require 'captchaHelper.php';

        $code = generateCaptchaCode();
        $_SESSION['CAPTCHA'] = $code;

        header('Content-type: image/jpeg');
        echo createCaptchaImage($code);
      validation.php:
        <?php
        session_start();

        if ($_SESSION['CAPTCHA'] != $_REQUEST['code']) {
            die('Captcha value wrong');
        }
        echo 'Welcome!';
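One added example (not from the slides) covering both the CSRF code on slides 9 and 10 and the CAPTCHA check on slide 13, since both need the same pattern: a random secret that is single-use, compared in constant time, and never matches when it is missing. It assumes session_start() has already run.

```php
<?php
// Added example, not from the talk: the CSRF (slides 9 and 10) and CAPTCHA
// (slide 13) checks redone so each secret is random, single-use and never
// matches when absent. Assumes session_start() has already been called.
declare(strict_types=1);

const CSRF_BACKLOG = 10;   // tokens kept per form name, so several open tabs still submit

// Token from the CSPRNG instead of md5(time()), which is guessable to the second.
function issueCsrfToken(string $formName): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf'][$formName][] = $token;
    // Keep a backlog (slide 10) rather than overwriting: the oldest tab still validates once.
    $_SESSION['csrf'][$formName] = array_slice($_SESSION['csrf'][$formName], -CSRF_BACKLOG);
    return $token;
}

// Constant-time compare, token deleted on use, missing token never passes.
function consumeCsrfToken(string $formName, ?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf'][$formName])) {
        return false;
    }
    foreach ($_SESSION['csrf'][$formName] as $i => $stored) {
        if (hash_equals($stored, $submitted)) {
            unset($_SESSION['csrf'][$formName][$i]);
            return true;
        }
    }
    return false;
}

// Slide 13's "!=" passes when neither value exists (null != null is false)
// and lets one solved image be replayed. Here the code is consumed on the
// first attempt, success or not, and absence on either side fails.
function consumeCaptcha(?string $submitted): bool
{
    $expected = $_SESSION['CAPTCHA'] ?? null;
    unset($_SESSION['CAPTCHA']);
    return $expected !== null && $submitted !== null
        && hash_equals(strtolower((string) $expected), strtolower($submitted));
}

// In the form handler (constructed usage):
// if (!consumeCsrfToken('comment', $_POST['csrf'] ?? null)) { http_response_code(403); exit; }
// if (!consumeCaptcha($_POST['code'] ?? null)) { die('Captcha value wrong'); }
```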
  • 14. Prepared Statements
      “I'm using prepared statements so I'm protected from sql injections”
  • 15. Prepared Statements
        <?php

        $db = new PDO(....);
        $query = $db->prepare('SELECT ... WHERE NAME=:name');
        $query->bindParam(':name', $_GET['name']);

        //...
  • 16. Prepared Statements
      - What about fieldnames? Variable table names?
      - Do you sort your results? Any need for limits?
      - Still use ext/mysql?
        - Sprintf based implementations?
  • 17. Drawbacks of sprintf
      - Manual escaping needed
        - mysql_escape_string vs. mysql_real_escape_string
      - PDO::quote() does not work with ODBC
      - No knowledge of fieldtype
        - String vs. Integer exploits
        - PDO::quote vs. mysql(i)_real_escape_string
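An added example (not from the slides) for the questions on slide 16: placeholders cover values only, so table names, sort columns and sort direction go through allow-lists and LIMIT/OFFSET are bound as typed integers. Table and column names are hypothetical and $db is assumed to be an open PDO connection.

```php
<?php
// Added example, not from the talk: placeholders only ever cover values, so the
// table, sort column and direction asked about on slide 16 go through allow-lists
// and LIMIT/OFFSET are bound as integers. Table and column names are hypothetical;
// $db is an already opened PDO connection.
declare(strict_types=1);

const TABLES  = ['users' => 'user', 'orders' => 'orders'];
const COLUMNS = ['name' => 'NAME', 'created' => 'CREATED_AT'];

function buildListQuery(PDO $db, string $table, string $sort, string $dir, int $page): PDOStatement
{
    // Identifiers: translate the request word into a fixed name, never interpolate it.
    if (!array_key_exists($table, TABLES) || !array_key_exists($sort, COLUMNS)) {
        throw new InvalidArgumentException('unknown table or sort column');
    }
    $direction = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';

    // sprintf is safe here only because every %s comes from the constant arrays above;
    // the sprintf drawbacks on slide 17 apply as soon as user input reaches it.
    $sql = sprintf(
        'SELECT * FROM %s ORDER BY %s %s LIMIT :limit OFFSET :offset',
        TABLES[$table], COLUMNS[$sort], $direction
    );
    $stmt = $db->prepare($sql);

    // LIMIT needs a typed integer binding: with emulated prepares a string value
    // is sent as '20' and MySQL rejects a quoted LIMIT.
    $limit = 20;
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->bindValue(':offset', max(0, $page) * $limit, PDO::PARAM_INT);
    return $stmt;
}

// Constructed request, e.g. ?t=users&sort=created&dir=desc&page=2
// $stmt = buildListQuery($db, $_GET['t'] ?? '', $_GET['sort'] ?? '', $_GET['dir'] ?? '', (int) ($_GET['page'] ?? 0));
// $stmt->execute();
```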
  • 18. Password storage
      “I know storing clear text passwords is a bad idea. That's why I'm only storing hashes of passwords to protect my users.”
  • 19. Password storage
        <?php

        $db = new PDO(....);
        $query = $db->prepare(
            'UPDATE user SET PASSWD=:pwd WHERE UID=:uid'
        );
        $query->bindParam(':uid', $_SESSION['uid']);
        // bindValue: a function result cannot be bound by reference
        $query->bindValue(':pwd', sha1($_POST['pwd']));

        //...
  • 20. Most favorite passwords
      123456, 12345, 123456789, Password, iloveyou, princess, rockyou, 1234567, 12345678,
      Abc123, Qwertz / Qwerty, Dragon, Sexgod, Football, 1234, Pussy, Letmein, admin
  • 21. Password storage
      - Always salt hashes
        - Prepend and/or append additional values
      - Stretch your passwords
        - Re-apply and calculate the hash
        - 400.000 iterations take <1sec on my laptop
      - Do a quality check on user supplied codes
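An added example (not from the slides) that applies slide 21 to the code on slide 19: password_hash() with bcrypt salts and stretches in one call, the cost is tuned to a time budget on the machine at hand, and the user's choice is checked against an excerpt of slide 20. $db is assumed to be an open PDO connection.

```php
<?php
// Added example, not from the talk: slide 19's bare sha1() replaced by password_hash()
// (bcrypt), which salts and stretches in one call, with the cost tuned to a time budget
// in the spirit of slide 21's "< 1 sec on my laptop", plus a quality check on the choice.
// $db is an already opened PDO connection; table and column names come from slide 19.
declare(strict_types=1);

// Highest bcrypt cost whose single hash stays within the budget on this machine.
function tuneBcryptCost(float $budgetSeconds = 0.25): int
{
    $cost = 10;                                   // PHP's default; never go lower
    while ($cost < 31) {
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost + 1]);
        if (microtime(true) - $start > $budgetSeconds) {
            break;                                // the next step would exceed the budget
        }
        $cost++;
    }
    return $cost;
}

// Quality check: length plus a deny-list built from slide 20 (excerpt).
function passwordIsAcceptable(string $plain): bool
{
    $common = ['123456', '12345', '123456789', 'password', 'iloveyou', 'princess', 'rockyou',
               '1234567', '12345678', 'abc123', 'qwerty', 'qwertz', 'dragon', 'football',
               '1234', 'letmein', 'admin'];
    return strlen($plain) >= 12 && !in_array(strtolower($plain), $common, true);
}

// The salt is generated per password and stored inside the returned string.
function storePassword(PDO $db, string $uid, string $plain, int $cost): void
{
    if (!passwordIsAcceptable($plain)) {
        throw new InvalidArgumentException('password too weak');
    }
    $stmt = $db->prepare('UPDATE user SET PASSWD=:pwd WHERE UID=:uid');
    $stmt->bindValue(':uid', $uid);
    $stmt->bindValue(':pwd', password_hash($plain, PASSWORD_BCRYPT, ['cost' => $cost]));
    $stmt->execute();
}

// On login: verify, and report whether the hash should be rewritten at the current cost.
function checkPassword(string $plain, string $stored, int $cost): array
{
    $ok = password_verify($plain, $stored);
    return [$ok, $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost])];
}
```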
  • 22. Validation
      “I know using blacklists is pointless. That's why I use regular expressions to check for valid chars in a string”
  • 23. Validation
        <?php

        $name = isset($_GET['name']) ? $_GET['name'] : 'Anonymous User';

        if (ereg("^[a-zA-Z0-9 +-]*$", $name)) {
            echo "Welcome, $name";
        } else {
            echo "Sorry, that name contains invalid chars";
        }

        ?>
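An added example (not from the slides) that ports the slide 23 check to preg_match(), which is what PHP 7+ leaves you with once ereg() is gone, and shows the two details the port has to get right: absolute anchors and output escaping. The sample inputs are constructed.

```php
<?php
// Added example, not from the talk: the whitelist check from slide 23 rewritten
// for PHP 7+, where ereg() no longer exists. preg_match() is binary-safe, \A and
// \z anchor at the absolute ends of the string (a bare "$" still accepts a final
// newline), and the value is escaped on output no matter what the check said.
declare(strict_types=1);

function isValidName(string $name): bool
{
    // Same character set as the slide: letters, digits, space, '+' and '-'.
    return preg_match('/\A[a-zA-Z0-9 +-]*\z/', $name) === 1;
}

function greeting(?string $name): string
{
    $name = ($name === null || $name === '') ? 'Anonymous User' : $name;
    if (!isValidName($name)) {
        return 'Sorry, that name contains invalid chars';
    }
    // The whitelist limits the input; escaping still owns the HTML context.
    return 'Welcome, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs with the verdict each should get.
$samples = [
    'Arne B-1'        => true,
    "Arne\n"          => false,  // trailing newline: rejected by \z, passed by a bare $
    "Arne\0<b>x</b>"  => false,  // NUL byte: preg_match() checks the whole string
    'Arne<script>'    => false,
];
foreach ($samples as $input => $expected) {
    printf("%-20s %s\n", addcslashes($input, "\0..\37"),
        isValidName($input) === $expected ? 'ok' : 'MISMATCH');
}
echo greeting($_GET['name'] ?? null), "\n";
```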
  • 24. Clickjacking
      “To make sure my site cannot be a victim of clickjacking, I have a Javascript to break out from frames or iframes”
  • 25. Clickjacking
      Old style frame busting code:
        <script type="text/javascript">
        if (top != self) { top.location.replace(self.location.href); }
        </script>
  • 26. Clickjacking
      Old style frame busting code: as on slide 25
      Frame buster busting code:
        <script type="text/javascript">
        var prevent_bust = 0
        window.onbeforeunload = function() { prevent_bust++ }
        setInterval(function() {
          if (prevent_bust > 0) {
            prevent_bust -= 2
            window.top.location = 'http://attacker/204.php';
          }
        }, 1);
        </script>
  • 27. Clickjacking – what works
      - JavaScript & CSS
        - Hide content by use of display:none
        - Switch to visible if frametest succeeds
      - Use X-FRAME-OPTIONS header
        - Set to DENY for no iframe embedding
        - Set to SAMEORIGIN to allow from same host
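An added example (not from the slides) combining the two measures on slide 27 in one page: the header does the real work, and the hidden-by-default content makes the script fail closed instead of the slide 25 buster that fails open when its navigation is blocked. The CSP header is a modern equivalent added on top of what the slide lists.

```php
<?php
// Added example, not from the talk: slide 27's two defences together.
// The header is the real control; the JavaScript/CSS part only covers clients
// that ignore the header, and unlike slide 25's buster it fails closed because
// the content starts hidden. Assumes this file is the page being protected.
declare(strict_types=1);

// DENY: no framing at all; use SAMEORIGIN if the site frames its own pages.
header('X-Frame-Options: DENY');
// Same policy in CSP terms, for browsers that prefer frame-ancestors.
header("Content-Security-Policy: frame-ancestors 'none'");
?>
<!DOCTYPE html>
<html>
<head>
  <style>
    /* Hidden by default; only revealed when the frame test succeeds. */
    body { display: none; }
  </style>
</head>
<body>
  <p>Page content that must not be clickable inside a foreign frame.</p>
  <script>
    // Reveal only when we are the top window. If a framing page blocks the
    // navigation (as the slide 26 code does), nothing is shown rather than
    // the bare page.
    if (self === top) {
      document.body.style.display = 'block';
    } else {
      top.location = self.location;
    }
  </script>
</body>
</html>
```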
  • 28. Lessons learned?
      - Tiny problems add up
        - Some attacks are only effective if various vectors get combined
        - Combinations of attack vectors may render your solution useless
      - Security requires a fully secure eco system
  • 29. Q & A
  • 30. Congrats!
  • 31. Contact
      - Slides will be available: http://talks.thephp.cc
      - Please rate this talk: http://joind.in/talk/view/2785
      - Contact options: Email: team@thePHP.cc / arne@thePHP.cc
      - Follow us on twitter: @arneblankerts / @thePHPcc
