Security 202 - Are you sure your site is secure?
Transcript

  1. Are You Sure Your Site Is Secure? Security 202
     Confoo 2011 Edition
     By Arne Blankerts, thePHP.cc
  2. What is this talk about?
     - Myths in web security
     - Broken configurations
     - Typical implementation issues
  3. Session data “I can always trust my session data since I know what I did store”
  4. Session data

       [theseer@rikka ~] $ grep "session.save_path" /etc/php.ini | grep -v ";"
       session.save_path = "/var/lib/php/session"

     - Identical for all PHP instances unless specifically overwritten
     - Read and write access from PHP code
     - May be crafted in shared hosting
     - Session ID takeover from vhost to vhost
     - Session content can be modified
     - Can even lead to code execution
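As an added example (not code from the talk), a start-up check that gives the application its own session directory and refuses to run if that directory is readable by anyone else on the host. The directory path and cookie name are assumptions; the permission check uses ext/posix where available.

```php
<?php
declare(strict_types=1);

// Added example (not from the talk): isolate this vhost's session files from
// every other PHP instance on the box. Path and cookie name are assumptions.
const APP_SESSION_DIR  = '/var/lib/php/session-myapp';
const APP_COOKIE_NAME  = 'MYAPPSESSID';

function isolateSessionStorage(string $dir, string $cookieName): void
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create session directory $dir");
    }
    clearstatcache(true, $dir);

    // Another user on the host could read or forge session files in a
    // group- or world-accessible directory, so refuse to start in that case.
    $mode = fileperms($dir) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('%s is group/world accessible (%o)', $dir, $mode));
    }
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        throw new RuntimeException("$dir is not owned by the PHP worker user");
    }

    ini_set('session.save_handler', 'files');
    session_save_path($dir);
    session_name($cookieName);               // a PHPSESSID from another vhost is not ours
    ini_set('session.use_strict_mode', '1'); // IDs this handler did not create are rejected
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();
}

isolateSessionStorage(APP_SESSION_DIR, APP_COOKIE_NAME);
```

With the save path separated per vhost and strict mode on, a session ID obtained on one vhost has no file under this vhost's directory and is discarded on arrival instead of loading foreign session content.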
  5. Session hijacking “To protect my users from session hijacking, I did implement a validation check”
  6. Session hijacking

     session.php:

       <?php
       session_start();
       $success = true;
       // Every value below is either set by the client (Via, X-Forwarded-For,
       // User-Agent) or changes for legitimate users (REMOTE_ADDR behind
       // proxies or mobile networks). An attacker who copied the cookie can
       // copy the headers too.
       if (($_SESSION['IP'] != $_SERVER['REMOTE_ADDR'])
           or ($_SESSION['VIA'] != $_SERVER['HTTP_VIA'])
           or ($_SESSION['FORWARD'] != $_SERVER['HTTP_X_FORWARDED_FOR'])
           or ($_SESSION['AGENT'] != $_SERVER['HTTP_USER_AGENT'])) {
           // ...
       }
  7. Session hijacking - what to do?
     - Determine if hijacking is a problem
     - Regenerate the ID on every request: doesn't block it, but makes it harder to exploit
     - Fully switch to HTTPS for transport
     - Alternatively use a separate ID in the SSL context
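The two measures from slide 7 as an added example (not code from the talk): the session ID is regenerated on every request, and, for a site that still serves some pages over plain HTTP, sensitive pages additionally require a second secret that is set at login with the Secure flag and therefore never travels in clear. The cookie name and the session-key name are assumptions; the array form of session_set_cookie_params() and setcookie() needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Added example (not from the talk). Cookie name is an assumption.
const TLS_COOKIE = 'SSLID';

function startSession(bool $siteIsHttpsOnly): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $siteIsHttpsOnly, // all-HTTPS site: the ID itself never goes in clear
        'httponly' => true,             // not readable by injected script
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_only_cookies', '1'); // no IDs in URLs (Referer leaks, logs)
    ini_set('session.use_strict_mode', '1');  // no attacker-chosen IDs (fixation)
    session_start();

    // A copied ID stays valid only until the victim's next request. This
    // shrinks the attacker's window; it does not close it. Concurrent
    // requests from the same browser (AJAX) can race on the old ID.
    session_regenerate_id(true);
}

// Called from the login handler, which itself must be served over HTTPS, so
// the secret is created and bound before an attacker can race for it.
function bindTlsSecretAtLogin(): void
{
    $secret = bin2hex(random_bytes(32));
    $_SESSION['tls_secret'] = $secret;
    setcookie(TLS_COOKIE, $secret, [
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Called on every sensitive page. The session ID alone is not enough: the
// request must also carry the secret that only ever travelled over TLS, so an
// ID sniffed from an HTTP request cannot be replayed here.
function requireTlsBoundSession(): void
{
    $isTls     = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $presented = $_COOKIE[TLS_COOKIE] ?? null;
    if (!$isTls
        || !isset($_SESSION['tls_secret'])
        || !is_string($presented)
        || !hash_equals($_SESSION['tls_secret'], $presented)) {
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('session not valid here');
    }
}

// account.php on a mixed HTTP/HTTPS site; login.php calls bindTlsSecretAtLogin().
startSession(false);
requireTlsBoundSession();
```

On a site that is HTTPS everywhere, `startSession(true)` alone is enough and the second secret is redundant, which is the "fully switch to https" option on the slide.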
  8. Cross Site Request Forgery “I have an anti-CSRF token in my forms, so I'm well protected”
  9. CSRF

     csrftoken.php:

       <?php
       session_start();
       $_SESSION['CSRF'] = md5(time()); // guessable: derived from the clock, one per session
       // ...

     validate.php:

       <?php
       session_start();
       if ($_SESSION['CSRF'] == $_GET['CSRF']) {
           // ...
       }
  10. CSRF
      - Regenerate the token for every form? Do you keep a backlog of tokens?
      - Do you validate your session? Session fixation may defeat CSRF tokens
      - What do you base the token on?
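An answer to the three questions on slide 10, as an added example (not code from the talk): tokens come from the CSPRNG rather than the clock, each form gets its own bounded backlog so several open tabs keep working, comparison is constant-time and type-strict, and the session ID is regenerated at login so a fixated session cannot carry a token the attacker already knows. Form and session key names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the talk). Form id 'profile' and the session key
// 'csrf' are assumptions.
final class CsrfTokens
{
    private const MAX_TOKENS = 20; // outstanding tokens kept per form

    public static function issue(string $formId): string
    {
        $token = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG, not md5(time())
        $_SESSION['csrf'][$formId][] = $token;
        // Backlog: keep only the newest MAX_TOKENS so multiple open tabs still validate.
        if (count($_SESSION['csrf'][$formId]) > self::MAX_TOKENS) {
            array_shift($_SESSION['csrf'][$formId]);
        }
        return $token;
    }

    public static function consume(string $formId, mixed $presented): bool
    {
        if (!is_string($presented) || !isset($_SESSION['csrf'][$formId])) {
            return false;                         // csrf[]=x arrays and missing tokens fail closed
        }
        foreach ($_SESSION['csrf'][$formId] as $i => $stored) {
            if (hash_equals($stored, $presented)) { // no timing leak, no == type juggling
                unset($_SESSION['csrf'][$formId][$i]); // one-time use
                return true;
            }
        }
        return false;
    }
}

// At login: a fresh ID invalidates any ID the attacker fixated beforehand and
// drops every token issued under it.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    unset($_SESSION['csrf']);
    $_SESSION['uid'] = $userId;
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {      // state changes only via POST, never GET
    if (!CsrfTokens::consume('profile', $_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('CSRF token invalid');
    }
    // ... apply the change ...
} else {
    $token = htmlspecialchars(CsrfTokens::issue('profile'), ENT_QUOTES, 'UTF-8');
    echo '<form method="post"><input type="hidden" name="csrf" value="' . $token . '">'
       . '<button>Save</button></form>';
}
```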
  11. CAPTCHA “I'm using a captcha to protect my forms from abuse, so I'm safe.”
  12. CAPTCHA
      Conceptual problems
      - Distortion often unreadable
      - Not the least bit accessible
      - Breaking can be “crowd sourced”
      Implementation issues
  13. CAPTCHA

      captcha.php:

        <?php
        session_start();
        require 'captchaHelper.php';

        $code = generateCaptchaCode();
        $_SESSION['CAPTCHA'] = $code;

        header('Content-type: image/jpeg');
        echo createCaptchaImage($code);

      validation.php:

        <?php
        session_start();

        // The code is never removed from the session, so one solved image
        // validates every later submission; the loose comparison also treats
        // a missing code and a missing answer as equal.
        if ($_SESSION['CAPTCHA'] != $_REQUEST['code']) {
            die('Captcha value wrong');
        }
        echo 'Welcome!';
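Slide 13 with the implementation issues closed, as an added example (not code from the talk): the code is removed from the session before it is compared, so one solution cannot be replayed; a missing code and a missing answer never count as equal; the code expires; and the comparison is type-strict and constant-time. generateCaptchaCode() and createCaptchaImage() are the slide's helpers; stand-ins are defined here only if captchaHelper.php is absent, and the image stand-in needs ext/gd.

```php
<?php
declare(strict_types=1);

// Added example (not from the talk). TTL and the session key are assumptions.
const CAPTCHA_TTL = 300; // seconds a code stays valid

if (is_file(__DIR__ . '/captchaHelper.php')) {
    require __DIR__ . '/captchaHelper.php';
}
if (!function_exists('generateCaptchaCode')) {   // stand-in for the slide's helper
    function generateCaptchaCode(): string
    {
        return strtoupper(substr(bin2hex(random_bytes(4)), 0, 6));
    }
}
if (!function_exists('createCaptchaImage')) {    // stand-in, no distortion, needs ext/gd
    function createCaptchaImage(string $code): string
    {
        $img = imagecreatetruecolor(120, 40);
        imagefill($img, 0, 0, imagecolorallocate($img, 255, 255, 255));
        imagestring($img, 5, 10, 12, $code, imagecolorallocate($img, 0, 0, 0));
        ob_start();
        imagejpeg($img);
        return (string) ob_get_clean();
    }
}

function issueCaptcha(): string
{
    $code = generateCaptchaCode();
    $_SESSION['captcha'] = ['code' => $code, 'issued' => time()];
    return $code;
}

function validateCaptcha(mixed $answer): bool
{
    $entry = $_SESSION['captcha'] ?? null;
    unset($_SESSION['captcha']);          // one attempt per image, pass or fail
    if ($entry === null || !is_string($answer) || $answer === '') {
        return false;                      // nothing issued or nothing sent: never "equal"
    }
    if (time() - $entry['issued'] > CAPTCHA_TTL) {
        return false;                      // solved at leisure, submitted later
    }
    // Loose != would treat null and '' as equal and compare numeric strings by value.
    return hash_equals($entry['code'], $answer);
}

session_start();
if (isset($_GET['image'])) {              // the captcha.php half
    header('Content-Type: image/jpeg');
    header('Cache-Control: no-store');    // a cached image would outlive its code
    echo createCaptchaImage(issueCaptcha());
    exit;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') { // the validation.php half
    if (!validateCaptcha($_POST['code'] ?? null)) {
        http_response_code(400);
        exit('Captcha value wrong');
    }
    echo 'Welcome!';
}
```

If the captcha is meant to be case-insensitive, normalise both sides with strtoupper() before hash_equals(); comparing loosely to get that effect brings the type-juggling problem back.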
  14. Prepared Statements “I'm using prepared statements, so I'm protected from SQL injections”
  15. Prepared Statements

        <?php
        $db = new PDO(....);
        $query = $db->prepare('SELECT ... WHERE NAME=:name');
        $query->bindParam(':name', $_GET['name']);
        // ...
  16. Prepared Statements
      - What about field names? Variable table names?
      - Do you sort your results? Any need for limits?
      - Still use ext/mysql? sprintf-based implementations?
  17. Drawbacks of sprintf
      - Manual escaping needed: mysql_escape_string vs. mysql_real_escape_string
      - PDO::quote() does not work with ODBC
      - No knowledge of field type: string vs. integer exploits; PDO::quote vs. mysql(i)_real_escape_string
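The parts of a query a placeholder cannot carry, handled as an added example (not code from the talk): table and ORDER BY column are mapped through allow-lists, the direction is normalised, LIMIT/OFFSET are clamped integers bound with an explicit type, and only the search value goes through a placeholder. The schema and the in-memory SQLite rows are constructed for the example (pdo_sqlite and PHP 8 assumed).

```php
<?php
declare(strict_types=1);

// Added example (not from the talk). Table names, columns and data are
// constructed for the demonstration.
final class UserSearch
{
    private const TABLES   = ['active' => 'users', 'archive' => 'users_archive'];
    private const SORTABLE = ['name' => 'name', 'created' => 'created_at', 'id' => 'id'];

    public function __construct(private PDO $db)
    {
        // Real server-side prepares where the driver supports them; with
        // emulation on, PDO would interpolate the values client-side instead.
        $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    public function search(string $table, string $needle, string $sortBy, string $dir,
                           int $page, int $perPage): array
    {
        // Identifiers never come from the request verbatim: allow-list lookup only.
        $tbl = self::TABLES[$table]    ?? throw new InvalidArgumentException("unknown table $table");
        $col = self::SORTABLE[$sortBy] ?? throw new InvalidArgumentException("unknown sort column $sortBy");
        $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
        // LIMIT/OFFSET: integers, clamped, bound as integers (a quoted string here is
        // a syntax error on MySQL, which is the "string vs. integer" point of slide 17).
        $perPage = max(1, min(100, $perPage));
        $offset  = max(0, $page - 1) * $perPage;

        // Double-quoted identifiers are standard SQL (SQLite, PostgreSQL); on
        // MySQL use backticks unless ANSI_QUOTES is set.
        $sql = "SELECT id, name FROM \"$tbl\" WHERE name LIKE :needle ESCAPE '\\'"
             . " ORDER BY \"$col\" $dir LIMIT :lim OFFSET :off";
        $stmt = $this->db->prepare($sql);
        // LIKE metacharacters in the value are escaped so a user-supplied '%' stays literal.
        $stmt->bindValue(':needle', '%' . addcslashes($needle, '%_\\') . '%', PDO::PARAM_STR);
        $stmt->bindValue(':lim', $perPage, PDO::PARAM_INT);
        $stmt->bindValue(':off', $offset, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, created_at TEXT)');
$db->exec("INSERT INTO users (name, created_at) VALUES
           ('alice', '2011-01-01'), ('bob', '2011-02-01'), ('mallory', '2011-03-01')");
$search = new UserSearch($db);

print_r($search->search('active', 'l', 'name', 'desc', 1, 10));   // mallory, alice
try {
    // A hostile identifier is rejected instead of being spliced into the SQL.
    $search->search('active', 'a', 'name; DROP TABLE users', 'asc', 1, 10);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
// A '%' in the value is a literal percent sign, not a wildcard: no matches.
var_dump(count($search->search('active', '%', 'id', 'asc', 1, 10)));  // int(0)
```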
  18. Password storage “I know storing clear text passwords is a bad idea. That's why I'm only storing hashes of passwords to protect my users.”
  19. Password storage

        <?php
        $db = new PDO(....);
        $query = $db->prepare(
            'UPDATE user SET PASSWD=:pwd WHERE UID=:uid'
        );
        // bindValue instead of bindParam: bindParam takes a reference, which a
        // function result cannot provide. The hash itself is the slide's point:
        // a single unsalted SHA-1 of the bare password.
        $query->bindValue(':uid', $_SESSION['uid']);
        $query->bindValue(':pwd', sha1($_POST['pwd']));
        // ...
  20. Most favorite passwords
      123456, 12345, 123456789, Password, iloveyou, princess, rockyou, 1234567, 12345678,
      Abc123, Qwertz / Qwerty, Dragon, Sexgod, Football, 1234, Pussy, Letmein, admin
  21. Password storage
      - Always salt hashes: prepend and/or append additional values
      - Stretch your passwords: re-apply and calculate the hash; 400.000 iterations take <1 sec on my laptop
      - Do a quality check on user supplied codes
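Slide 21 put into code as an added example (not code from the talk): PHP's password_hash() does the salting (a random per-password salt) and the stretching (the bcrypt cost is the iteration count, 2^cost rounds) that the slide describes by hand, password_verify() reads both back out of the stored string, and the quality check uses the slide-20 list as a deny-list. Cost, minimum length, table layout and the SQLite rows are choices made for the example.

```php
<?php
declare(strict_types=1);

// Added example (not from the talk). Cost and length limits are example choices.
const BCRYPT_COST = 12;
const COMMON_PASSWORDS = [
    '123456', '12345', '123456789', 'password', 'iloveyou', 'princess', 'rockyou',
    '1234567', '12345678', 'abc123', 'qwertz', 'qwerty', 'dragon', 'sexgod',
    'football', '1234', 'pussy', 'letmein', 'admin',
];

// Returns null when the password is acceptable, otherwise the reason it is not.
function passwordProblem(string $pwd): ?string
{
    if (strlen($pwd) < 12) {
        return 'shorter than 12 characters';
    }
    if (strlen($pwd) > 72) {
        return 'longer than 72 bytes (bcrypt ignores the rest)';
    }
    if (in_array(strtolower($pwd), COMMON_PASSWORDS, true)) {
        return 'on the list of most common passwords';
    }
    return null;
}

function storePassword(PDO $db, int $uid, string $pwd): void
{
    if (($why = passwordProblem($pwd)) !== null) {
        throw new InvalidArgumentException("weak password: $why");
    }
    // The result embeds algorithm, cost and salt: "$2y$12$<22 salt chars><31 hash chars>".
    $hash = password_hash($pwd, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $db->prepare('UPDATE user SET PASSWD = :pwd WHERE UID = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->bindValue(':pwd', $hash, PDO::PARAM_STR);
    $stmt->execute();
}

function checkLogin(PDO $db, int $uid, string $pwd): bool
{
    $stmt = $db->prepare('SELECT PASSWD FROM user WHERE UID = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    $stored = $stmt->fetchColumn();
    if ($stored === false || $stored === null || !password_verify($pwd, (string) $stored)) {
        return false;
    }
    // Raise the work factor transparently when a stored hash is below the current cost.
    if (password_needs_rehash((string) $stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        storePassword($db, $uid, $pwd);
    }
    return true;
}

// Self-contained demo on an in-memory SQLite table (pdo_sqlite assumed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (UID INTEGER PRIMARY KEY, PASSWD TEXT)');
$db->exec('INSERT INTO user (UID, PASSWD) VALUES (1, NULL)');
storePassword($db, 1, 'correct horse battery staple');
var_dump(checkLogin($db, 1, 'correct horse battery staple')); // bool(true)
var_dump(checkLogin($db, 1, '123456'));                       // bool(false)
var_dump(passwordProblem('Letmein'));                         // "shorter than 12 characters"
```

Raising BCRYPT_COST later needs no migration: password_needs_rehash() flags old hashes at the next successful login, the one moment the plaintext is available to re-hash.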
  22. Validation “I know using blacklists is pointless. That's why I use regular expressions to check for valid chars in a string”
  23. Validation

        <?php
        $name = isset($_GET['name']) ? $_GET['name'] : 'Anonymous User';

        // ereg() is the POSIX regex API, deprecated in PHP 5.3 and removed in 7.0;
        // it is not binary safe, so a NUL byte ends the string it examines.
        if (ereg("^[a-zA-Z0-9 +-]*$", $name)) {
            echo "Welcome, $name";
        } else {
            echo "Sorry, that name contains invalid chars";
        }
        ?>
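The slide-23 check rewritten with PCRE as an added example (not code from the talk). Three details matter: the pattern is anchored with \A and \z (with ^ and $, "$" also matches before a trailing newline), preg_match() is binary safe so a NUL byte is just another rejected character, and the accepted value is still HTML-escaped on output, because validation is not output encoding. The length limit and the sample inputs are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not from the talk). The 64-character limit is an example choice.

function isValidName(string $name): bool
{
    // Allow-list of characters; "-" is last in the class so it is literal.
    return preg_match('/\A[a-zA-Z0-9 +-]{1,64}\z/', $name) === 1;
}

function greeting(?string $rawName): string
{
    $name = ($rawName === null || $rawName === '') ? 'Anonymous User' : $rawName;
    if (!isValidName($name)) {
        return 'Sorry, that name contains invalid chars';
    }
    // Validated is not the same as safe to print: encode for the HTML context.
    return 'Welcome, ' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs, with a note on what the original ^...$ / ereg() check does.
$cases = [
    'Arne Blankerts'  => true,
    "Arne\n"          => false, // /^[...]*$/ accepts this: "$" matches before the final "\n"
    "Arne\0<script>"  => false, // ereg() stops at the NUL, sees "Arne" and accepts it
    'Arne<script>'    => false,
];
foreach ($cases as $input => $expected) {
    $actual  = isValidName($input);
    $verdict = $actual === $expected ? 'as expected' : 'MISMATCH';
    printf("%-20s valid=%-5s %s\n", addcslashes($input, "\0..\37"), var_export($actual, true), $verdict);
}
echo greeting($_GET['name'] ?? null), PHP_EOL;   // "Welcome, Anonymous User" on the CLI
```

Had the original used preg_match('/^[a-zA-Z0-9 +-]*$/', ...), the newline case would still slip through; the D (dollar-end-only) modifier or \z is what closes it.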
  24. Clickjacking “To make sure my site cannot be a victim of clickjacking, I have a Javascript to Break out from frames or iframes”
  25. Clickjacking
      Old style frame busting code:

        <script type="text/javascript">
        if (top != self) { top.location.replace(self.location.href); }
        </script>
  26. Clickjacking
      Old style frame busting code (as on slide 25) and the attacker's frame buster busting code:

        <script type="text/javascript">
        var prevent_bust = 0;
        window.onbeforeunload = function() { prevent_bust++; };
        setInterval(function() {
          if (prevent_bust > 0) {
            prevent_bust -= 2;
            // Navigating the top window to a URL that answers 204 No Content
            // cancels the framed page's pending navigation while the attacker's
            // page stays where it is.
            window.top.location = 'http://attacker/204.php';
          }
        }, 1);
        </script>
  27. Clickjacking - what works
      - JavaScript & CSS: hide the content with display:none, switch to visible if the frame test succeeds
      - Use the X-Frame-Options header: set to DENY for no iframe embedding, SAMEORIGIN to allow embedding from the same host
  28. Lessons learned?
      - Tiny problems add up
      - Some attacks are only effective if various vectors get combined
      - Combinations of attack vectors may render your solution useless
      - Security requires a fully secure ecosystem
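Both measures from slide 27 in one page, as an added example (not code from the talk): the X-Frame-Options header, which the browser enforces before any script runs, plus the CSS/JS variant for browsers that ignore it, where the body is hidden by default and only shown once the page has verified it is the top window, so an attacker who blocks the navigation out of the frame (slide 26) is left with a blank, unclickable frame. The Content-Security-Policy frame-ancestors directive is added here as the current equivalent of X-Frame-Options; the page content is constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not from the talk).
function sendAntiFramingHeaders(bool $allowSameOrigin = false): void
{
    if (headers_sent($file, $line)) {
        throw new RuntimeException("output already started at $file:$line; header cannot be set");
    }
    // Enforced by the browser before the page is parsed: no script can be busted.
    header('X-Frame-Options: ' . ($allowSameOrigin ? 'SAMEORIGIN' : 'DENY'));
    header('Content-Security-Policy: frame-ancestors ' . ($allowSameOrigin ? "'self'" : "'none'"));
}

function renderUnframeablePage(string $bodyHtml): string
{
    // The <style> hides everything. The script is the first thing in <body> and
    // reveals the page only when self === top; when framed, or when script is
    // blocked, nothing is visible and nothing can receive a click.
    return <<<HTML
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Account</title>
<style>body { display: none; }</style>
</head>
<body>
<script>
  if (self === top) {
    document.body.style.display = 'block';
  } else {
    top.location = self.location;  // best effort only; see slide 26
  }
</script>
{$bodyHtml}
</body>
</html>
HTML;
}

sendAntiFramingHeaders();
echo renderUnframeablePage(
    '<h1>Account settings</h1><form method="post"><button>Delete account</button></form>'
);
```

The header does the real work; the hidden-body technique is the fallback for clients that do not honour it, and unlike the frame-busting script on slide 25 it fails closed.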
  29. Q & A
  30. Congrats!
  31. Contact
      Slides will be available: http://talks.thephp.cc
      Please rate this talk: http://joind.in/talk/view/2785
      Contact options: Email: team@thePHP.cc / arne@thePHP.cc
      Follow us on twitter: @arneblankerts / @thePHPcc