PHP Security Tips



  1. PHP Security
     E-mail:
     Twitter: @dragonmantank
     dragonmantank
     September 20, 2011
     NWO-PUG
  2. Who are you and why are you in my house?
     - Chris Tankersley
     - Doing PHP for 8 years
     - Lots of projects no one uses, and a few that some do
     - TL;DR
  3. The Parts of Security
     - It’s more than just a username/password
  4. What is Secure Programming?
     - Minimizing Attack Surface
     - Establishing Secure Defaults
     - Principle of Least Privilege
     - Defense in Depth
     - Fail Securely
     - Don’t Trust Services or Users
     - Separation of Duties
     - Avoid Security through Obscurity
     - Keep Security Simple
     - Fix Security Issues Correctly
  5. Most Common Attacks
     - And how to avoid them
  6. OWASP Top 10
     - Injection
     - Cross-Site Scripting
     - Broken Authentication and Session Management
     - Insecure Direct Object References
     - Cross-Site Request Forgery
     - Security Misconfiguration
     - Insecure Cryptographic Storage
     - Failure To Restrict URL Access
     - Insufficient Transport Layer Protection
     - Unvalidated Redirects and Forwards
  7. Injection
  8. What is Injection?
     - When a user or service corrupts a command due to improper validation of input
  9. Many Shapes and Sizes
     - SQL Injection
     - Command Injection
     - HTML Injection
  10. Protecting against Injection Attacks
     - Filter user input
     - Escape anything not hard-coded
     - Ignore $_REQUEST
  11. SQL Injection
  12. A Bit More Real Life
  13. Protecting against SQL Injection
     - Use PDO and prepared statements
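The code slides (11 and 12) did not survive extraction, so here is an added example, not from the talk, of the pattern slide 13 is warning about beside its PDO fix. The DSN, credentials and the `users` table are placeholders; the sort-column whitelist at the end covers the case prepared statements cannot, since identifiers cannot be bound as parameters.

```php
<?php
// Added example (not from the slides). DSN, credentials and the `users`
// table are placeholders for a hypothetical application.

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// VULNERABLE: user input becomes part of the SQL text, so a quote
// character in the input ends the string literal and the rest of
// the input is parsed as SQL.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SAFE: the SQL text is fixed and the value travels separately as a
// bound parameter, so it is never parsed as SQL whatever it contains.
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Identifiers (table/column names) cannot be bound as parameters; use a
// whitelist instead of escaping when the user chooses a sort column.
function listUsersSorted(PDO $pdo, string $sortBy): array
{
    $allowed = ['id', 'username', 'created_at'];
    if (!in_array($sortBy, $allowed, true)) {
        $sortBy = 'id';
    }
    $stmt = $pdo->query("SELECT id, username FROM users ORDER BY $sortBy");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```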
  14. Command Injection
     - When your script calls an external program, users can run code
  15. Protecting against Command Injection
     - If allowing the user to specify commands, use escapeshellcmd()
     - If allowing the user to specify arguments, use escapeshellarg()
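Added example, not from the slides, showing both cases from slide 15 on a hypothetical thumbnail endpoint that shells out to ImageMagick's `convert`: the user-supplied filename goes through escapeshellarg(), and the user-chosen program name goes through a whitelist plus escapeshellcmd().

```php
<?php
// Added example (not from the slides). The `uploads/` and `thumbs/`
// directories and the use of `convert` are assumptions.

// VULNERABLE: the raw filename is spliced into the command line, so
// shell metacharacters in it are interpreted by /bin/sh.
function thumbnailUnsafe(string $filename): string
{
    return (string) shell_exec("convert uploads/$filename -resize 100x100 thumbs/$filename");
}

// SAFE: each user-controlled value becomes one quoted argument. The
// program itself stays hard-coded, so escapeshellcmd() is not needed.
function thumbnailSafe(string $filename): string
{
    // Validation on top of escaping: a plain file name only, which also
    // keeps the path inside the uploads directory.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(png|jpg)$/', $filename)) {
        throw new InvalidArgumentException('Invalid file name');
    }
    $src = escapeshellarg('uploads/' . $filename);
    $dst = escapeshellarg('thumbs/' . $filename);
    return (string) shell_exec("convert $src -resize 100x100 $dst");
}

// If the *program* is user-chosen (the slide's first case), escapeshellcmd()
// neutralises metacharacters in the command string; a whitelist of permitted
// programs is still the stronger control, so use both.
function runToolSafe(string $tool, string $arg): string
{
    $allowedTools = ['identify', 'convert'];
    if (!in_array($tool, $allowedTools, true)) {
        throw new InvalidArgumentException('Unknown tool');
    }
    $cmd = escapeshellcmd($tool) . ' ' . escapeshellarg($arg);
    return (string) shell_exec($cmd);
}
```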
  16. HTML/Script Injection
     - HTML Injection: when user input is used to create new markup that the application did not expect
     - Script Injection: when user input is used to add new scripting to a page
  17. HTML/Script Injection
  18. Protecting against HTML/Script Injection
     - Decide if you really need to take HTML input
     - If you do:
       - Use an HTML cleaner like Tidy or htmLawed
       - Create a whitelist of allowed tags
     - If you don’t:
       - Use htmlentities()/htmlspecialchars()
  19. Cross Site Scripting
     - Or XSS
  20. What is it?
     - When a user injects a script into a page or extra JS into a command to send information to another site
  21. How to avoid XSS?
     - Since this is an injection attack, use the same steps as for HTML/Script injection
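Added example, not from the slides, covering slides 16 to 21 together since slide 21 prescribes the same steps for XSS: an escaping helper for the "no HTML needed" case, a tag whitelist for the "HTML needed" case, and the script context where HTML escaping alone is not enough. The comment-rendering functions are hypothetical.

```php
<?php
// Added example (not from the slides). The comment-rendering functions
// are hypothetical application code.

// Escape for an HTML text node or a quoted attribute value. ENT_QUOTES
// covers both ' and "; the charset must match the page's.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// VULNERABLE: user input is echoed straight into the markup.
function renderCommentUnsafe(string $comment): string
{
    return '<div class="comment">' . $comment . '</div>';
}

// SAFE for slide 18's "you don't need HTML input" case.
function renderCommentSafe(string $comment): string
{
    return '<div class="comment">' . e($comment) . '</div>';
}

// Slide 18's "you do need HTML" case, as a tag whitelist. strip_tags()
// keeps attributes on the tags it allows, so only allow tags whose
// attributes you do not care about, or use a real cleaner (htmLawed,
// HTML Purifier) that filters attributes too.
function renderRichCommentWhitelist(string $comment): string
{
    $allowed = '<b><i><em><strong><p><br>';
    return '<div class="comment">' . strip_tags($comment, $allowed) . '</div>';
}

// Escaping is context-specific: inside a <script> block, HTML escaping
// is the wrong tool. Emit data for scripts as JSON with the HEX flags so
// that "</script>" inside the value cannot close the block early.
function renderUserForScript(string $displayName): string
{
    $json = json_encode(
        $displayName,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return '<script>var displayName = ' . $json . ';</script>';
}
```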
  22. Broken Authentication and Session Management
  23. What is it?
     - Insecure storing of credentials
     - Session IDs exposed via URL
     - Session fixation attacks
  24. Storing Credentials
     - Hash with a salt using the hash() function
     - Do not use md5 or sha1; use at least sha256
     - md5 and sha1 are broken and not recommended for secure hashing
     - If you have to use the raw data, encrypt it using the mcrypt extension
     - Use AES256 (RIJNDAEL 256)
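Added example, not from the slides, implementing slide 24's advice (a per-user random salt with hash('sha256', ...)) and, beside it, the password_hash()/password_verify() API that PHP has shipped since 5.5, which a practitioner should prefer today because it salts automatically and uses a deliberately slow algorithm. Assumes PHP 7 or later for random_bytes().

```php
<?php
// Added example (not from the slides). Assumes PHP 7+ (random_bytes).

// Slide 24's approach: per-user random salt stored beside the hash.
function makeSaltedHash(string $password): array
{
    $salt = bin2hex(random_bytes(16));          // never share one salt
    $hash = hash('sha256', $salt . $password);
    return ['salt' => $salt, 'hash' => $hash];
}

function checkSaltedHash(string $password, string $salt, string $storedHash): bool
{
    $hash = hash('sha256', $salt . $password);
    // Constant-time comparison so the check doesn't leak how many
    // leading bytes of the hash matched.
    return hash_equals($storedHash, $hash);
}

// Preferred today: bcrypt via password_hash(). The salt, algorithm and
// cost are embedded in the returned string, so one column is enough.
function makePasswordHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function checkPasswordHash(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Upgrade path: rehash on successful login if the stored hash is the
// old salted-SHA-256 format (no "$2y$" prefix) or an outdated cost.
function needsUpgrade(string $storedHash): bool
{
    return strpos($storedHash, '$2y$') !== 0
        || password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12]);
}
```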
  25. Session IDs in URL
     - Commonly used when cookies can’t be enabled
     - Make sure the following is set in your php.ini:
       session.use_trans_sid = 0
       session.use_only_cookies = 1
  26. Session Fixation
     - What happens if your users don’t log out?
     - Use sessions to detect login status
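Added example, not from the slides, combining slides 25 and 26: the two php.ini directives set at runtime (plus the related cookie hardening flags), a login handler that regenerates the session ID so a fixated ID is discarded, and an idle timeout for users who never log out. The login/logout functions are hypothetical application code.

```php
<?php
// Added example (not from the slides). loginUser/currentUserId/logoutUser
// are hypothetical application code.

// Slide 25: keep session IDs out of URLs. ini_set() works when you
// cannot edit php.ini; the values are the same as on the slide.
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');    // reject IDs the server never issued
ini_set('session.cookie_httponly', '1');    // injected script cannot read the cookie
ini_set('session.cookie_secure', '1');      // cookie only travels over HTTPS

session_start();

const SESSION_IDLE_SECONDS = 1800;

// Slide 26: a fresh ID on every privilege change defeats fixation, because
// an ID planted in the victim's browser before login is thrown away.
function loginUser(int $userId): void
{
    session_regenerate_id(true);   // true: delete the old session data too
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// "What happens if your users don't log out?": expire idle sessions server-side.
function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > SESSION_IDLE_SECONDS) {
        logoutUser();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the cookie on the client, then destroy the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```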
  27. Insecure Direct Object References
  28. What is it?
     - Making sure that the user actually has access to what they are requesting
     - Should be handled by checking authorization at access time, or by mapping references
     - This is not an injection attack but a logic attack
  29. An Example
  30. How to Avoid
     - Always check to make sure the user has authorization to access the resource
     - Map variables/whitelist to make it harder
  31. Cross Site Request Forgery
     - Or CSRF Attacks
  32. What is it?
     - When unauthorized commands are sent to and from a trusted website
     - In days gone by, this would be done with Referer checking, but don’t trust referrer information
  33. An example – Bank Transfer
     - A bank transfer is done via $_GET variables
     - User is authenticated but not logged out
  34. How to avoid this
     - Include a hidden element in the form with a one-time value
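Added example, not from the slides, of slide 34's hidden one-time value applied to the bank-transfer scenario from slide 33. It assumes session_start() has already run and that the hypothetical transfer handler takes POST rather than the $_GET variables of slide 33, so a plain link or image tag cannot trigger it.

```php
<?php
// Added example (not from the slides). Assumes session_start() has run;
// the /transfer endpoint and form fields are hypothetical.

function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Embed the token as a hidden field in every state-changing form.
function transferForm(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="to"><input name="amount"><button>Transfer</button>'
         . '</form>';
}

// Verify before doing anything with side effects. hash_equals() avoids
// a timing side channel on the comparison.
function verifyCsrfToken(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

function handleTransfer(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !verifyCsrfToken($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid request');
    }
    // ... perform the transfer for the logged-in user here ...

    // Discard the token after use so the value is genuinely one-time;
    // the next form render issues a new one.
    unset($_SESSION['csrf_token']);
}
```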
  35. Security Misconfiguration
  36. Beyond the scope of programming
     - Check for server hardening guidelines for your OS
     - Password rotation practices
     - Understanding your settings
     - Keep your stack up to date!
  37. Insecure Cryptographic Storage
  38. More of a logic problem
     - Encrypting data in the database, but leaving it unencrypted during output
     - Using unsalted hashes
  39. How to avoid this
     - As when storing credentials, use a salt whenever hashing information
     - Only decrypt data when it is needed
  40. Failure to Restrict URL Access
  41. What is it?
     - When users can gain access to parts of the application just through URL manipulation
     - When the app doesn’t check authorization properly
  42. Security through Obscurity
     - Don’t trust that just because a user doesn’t know a URL, they can’t get to it
     - Fuzzers can find all kinds of things, especially if the app is common
  43. How to avoid this
     - ALWAYS check authorization. The extra CPU cycles are worth it.
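Added example, not from the slides, serving both the Insecure Direct Object References slides (28 to 30) and Failure to Restrict URL Access (41 to 43), since both come down to slide 43's rule: check authorization on every access. It assumes a hypothetical invoice download page, a PDO handle and a `role` entry in the session; the owner check lives in the query, and the indirect-reference map shows slide 30's "map variables" option.

```php
<?php
// Added example (not from the slides). The invoices table, session
// layout and role names are assumptions.

// VULNERABLE: /invoice.php?id=1234 returns whatever id is supplied.
function loadInvoiceUnsafe(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, owner_id, path FROM invoices WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Slides 30 and 43: authorize on every access, inside the query, so a
// record belonging to someone else is simply not found.
function loadInvoiceForUser(PDO $pdo, int $id, int $userId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, owner_id, path FROM invoices WHERE id = :id AND owner_id = :uid'
    );
    $stmt->execute([':id' => $id, ':uid' => $userId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Slide 30's "map variables/whitelist": hand out per-session random keys
// instead of database ids, so the real id never appears in a URL.
function mapInvoiceIds(array $invoiceIds): array
{
    $map = [];
    foreach ($invoiceIds as $realId) {
        $map[bin2hex(random_bytes(8))] = $realId;
    }
    $_SESSION['invoice_map'] = $map;
    return $map;  // key => real id; put the keys in links
}

function resolveInvoiceKey(string $key): ?int
{
    return $_SESSION['invoice_map'][$key] ?? null;
}

// Slides 41 to 43: an unlinked URL is not protection. Check the role
// before serving any admin page, however the request arrived.
function requireRole(string $role): void
{
    if (($_SESSION['role'] ?? null) !== $role) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```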
  44. Insufficient Transport Layer Protection
  45. Not using SSL when you should
     - If your data is sensitive, use SSL
     - Are your logins behind SSL?
     - There isn’t really an excuse. You can get an SSL cert for $9/year.
  46. Unvalidated Redirects and Forwards
  47. What is it?
     - When an app doesn’t properly validate that the redirect destination is valid
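Added example, not from the slides, for slide 47: a hypothetical login page that sends users back to a `?next=` parameter after authenticating. The safe version accepts only a local path (rejecting scheme-relative forms such as `//host`) and falls back to a fixed page; the key-to-URL map is the alternative when the set of destinations is known in advance.

```php
<?php
// Added example (not from the slides). The ?next= parameter and the
// destination map are assumptions.

// VULNERABLE: any value, including another site, becomes the target.
function redirectUnsafe(string $next): void
{
    header('Location: ' . $next);
    exit;
}

// SAFE: accept only a local path on this application, else fall back.
function safeRedirectTarget(?string $next, string $fallback = '/'): string
{
    if ($next === null || $next === '') {
        return $fallback;
    }
    // Must start with exactly one "/": "//host" and "/\host" are treated
    // by browsers as scheme-relative URLs pointing at another host.
    if (!preg_match('#^/(?![/\\\\])#', $next)) {
        return $fallback;
    }
    // Belt and braces: parse_url() must not see a scheme or host, and no
    // CR/LF may reach the header line.
    $parts = parse_url($next);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
        || preg_match('/[\r\n]/', $next)) {
        return $fallback;
    }
    return $next;
}

// Alternative for a fixed set of destinations: map a short key to a URL
// and never accept a URL from the client at all.
function redirectByKey(string $key): string
{
    $destinations = ['home' => '/', 'account' => '/account', 'orders' => '/orders'];
    return $destinations[$key] ?? '/';
}

function redirectSafe(?string $next): void
{
    header('Location: ' . safeRedirectTarget($next));
    exit;
}
```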
  48. Putting it Together
  49. Attacking from Multiple Fronts
     - Attackers will employ many different vectors in an attack
     - HTML injection can take advantage of a broken auth system and use XSS or URL restrictions to force users to do unintended actions
     - Script injection can lead to session hijacking
  50. Remember…
     - Minimizing Attack Surface
     - Establishing Secure Defaults
     - Principle of Least Privilege
     - Defense in Depth
     - Fail Securely
     - Don’t Trust Services or Users
     - Separation of Duties
     - Avoid Security through Obscurity
     - Keep Security Simple
     - Fix Security Issues Correctly
  51. Questions?