PHPUG Presentation
Presentation on securing PHP web applications given to Seattle PHP Users Group.

Published in: Technology
Slide 1: Securing PHP Web Applications
- Damon P. Cortesi, CISSP
- Director @ Alchemy Security
- Stats Nut | Security Geek | Builder of Tools

Slide 2: $ whoami
- Security Consultant
- Part-time Web Dev (PHP, Django, Rails)
- Destroyer of Web Apps and Dual-Cores

Slide 3: <?=presoinfo();?>
- Typical web application vulnerabilities
  - SQL Injection
  - Cross-Site Scripting
- What to watch out for
- How to secure your PHP apps

Slide 4: SQL Injection
- $sql = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "' AND password = '" . $_POST['password'] . "'";
- What if username is: dpc' or 'a'='a ?
- ... username = 'dpc' or 'a'='a' ...

Slide 5: (image) http://www.flickr.com/photos/tekalpha/94105897/

Slide 6: SQL Injection
- Username: dpc
- SELECT * FROM users WHERE username = 'dpc' AND password = 'apassword';
- Username: dpc' OR 'A'='A
- SELECT * FROM users WHERE username = 'dpc' OR 'A'='A' AND password = 'apassword';
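The query from slides 4 and 6 beside a PDO prepared statement, as an added example that is not part of the slides. It assumes the pdo_sqlite extension and builds its own one-row users table; the slide's plaintext password comparison is kept only to mirror the slide.

```php
<?php
// Added example, not from the slides: the concatenated query from slide 4
// beside a PDO prepared statement, run against a constructed SQLite table.
// Assumes the pdo_sqlite extension. Passwords are compared in plaintext
// only to mirror the slide; real code should use password_hash().

// Vulnerable: the input is spliced into the SQL text, so the username
// dpc' OR 'A'='A turns the WHERE clause into a tautology.
function loginVulnerable(PDO $pdo, string $username, string $password): bool
{
    $sql = "SELECT * FROM users WHERE username = '" . $username
         . "' AND password = '" . $password . "'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// Fixed: placeholders keep the data out of the SQL grammar; the quote in
// the username is just a character in the bound value and matches no row.
function loginSafe(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT * FROM users WHERE username = :u AND password = :p'
    );
    $stmt->execute([':u' => $username, ':p' => $password]);
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT, password TEXT)");
$pdo->exec("INSERT INTO users VALUES ('dpc', 'apassword')");

$injected = "dpc' OR 'A'='A";
// With a wrong password the vulnerable query still finds the dpc row
// (AND binds tighter than OR, so username = 'dpc' alone decides it);
// the prepared statement finds nothing.
var_dump(loginVulnerable($pdo, $injected, 'wrong'));
var_dump(loginSafe($pdo, $injected, 'wrong'));
```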
Slide 7: Cross-Site Scripting
- User input re-displayed in the browser and interpreted as HTML or ... JavaScript
- My name is Damon"><script>alert('hi')</script>
- Why is this bad?
  - Phishing
  - Cookie stealing
  - Arbitrary JavaScript execution...

Slide 8: XSS Example
- Ability to spoof an entire site by including JavaScript from elsewhere
- http://realsite.com/projects/search?q=test"><script src="http://badsite.com/evilphishingpage.js"></script>...
- JavaScript can rewrite any DOM element...

Slide 9: Real-world Dangers
- We live in an interactive web

Slide 10: So what?
- I run a blog ... XSS me all day long ...
- I DON'T CARE!
- Fair enough.
- Importance of security is directly proportional to level of risk.
- Blog != Payment Gateway.

Slide 11: Coder for Hire?
- Are you willing to put your company reputation at stake?
- What type of apps are you building?
- Where _might_ your code be used?
- Themes? Plugins? include('wp_story');

Slide 12: Common Mitigations
- "Increase your security by 80% by fixing 20% of the problems."
- Input Sanitization and Validation
- Data Encoding and Escaping

Slide 13: Sanitization/Encoding
- SQL: mysql_real_escape_string()
- HTML/XSS: htmlentities()
  - "<b>Damon</b> >> &quot;&lt;b&gt;Damon&lt;/b&gt;
  - Beware encoding

Slide 14: Input Sanitization Fail
- exec(mysql_escape_string($_GET['var']))
  - Problem #1: mysql_escape_string is deprecated.
  - Problem #2: MySQL escape does not make it safe for exec().
- ?? preg_match("/.jpe?g$/i", $var)

exec("convert '" . mysql_escape_string($path) . "' /tmp/'" . mysql_escape_string(basename($path)) . "'.png");
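Slides 13 and 14 together, as an added example that is not part of the slides: htmlentities() with the flags that "beware encoding" hints at, and the exec() line from slide 14 next to a hardened version that answers the "??" after the preg_match. It assumes ImageMagick's convert is on PATH and that the caller passes the upload directory as $uploadDir.

```php
<?php
// Added example, not from the slides. Shows the htmlentities() call from
// slide 13 with explicit flags, and the exec() line from slide 14 beside a
// hardened form. Assumes ImageMagick's convert on PATH and an upload
// directory passed in as $uploadDir.

// HTML context: pass the quote flag and the charset. Without ENT_QUOTES a
// value placed inside a single-quoted attribute can still break out, and
// without the charset a bad multi-byte sequence can be mis-decoded.
function e(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Slide 14 as written (defined here, not called): mysql_escape_string()
// escapes SQL metacharacters only, so a path containing ; or $( reaches
// the shell intact. The function itself was removed in PHP 7.
function convertVulnerable(string $path): void
{
    exec("convert '" . mysql_escape_string($path) . "' /tmp/'"
        . mysql_escape_string(basename($path)) . "'.png");
}

// Hardened: whitelist the file name, pin it to the upload directory, and
// quote every argument with escapeshellarg().
function convertSafe(string $uploadDir, string $path): ?string
{
    $name = basename($path);
    // The slide's /.jpe?g$/i, anchored at the start with the dot escaped,
    // so a name like "$(id).jpg" no longer matches.
    if (!preg_match('/^[A-Za-z0-9_-]+\.jpe?g$/i', $name)) {
        return null;
    }
    $base = realpath($uploadDir);
    $full = realpath($uploadDir . '/' . $name);
    if ($base === false || $full === false || strpos($full, $base . '/') !== 0) {
        return null; // missing, or resolved outside the upload directory
    }
    $out = '/tmp/' . pathinfo($name, PATHINFO_FILENAME) . '.png';
    exec('convert ' . escapeshellarg($full) . ' ' . escapeshellarg($out), $lines, $rc);
    return $rc === 0 ? $out : null;
}

echo e('"<b>Damon</b>'), "\n"; // the slide's example, now inert text
```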
Slide 15: Better?
- Instead of dynamically constructing SQL queries...use a framework.
  - CodeIgniter, CakePHP, Zend
- Or build a db.inc.php (but not a db.inc).
- Use an output library that automatically escapes.

Slide 16: Server-Side Checks
- Client-side code can be modified
  - HTTP Proxies
  - Toolbars
  - Super-hack "save to disk" & modify
- Validate all user input with server-side code

Slide 17: Bug Hunting
- Data Inputs
  - $_GET, $_POST, $_REQUEST
  - $_SERVER['QUERY_STRING']
  - $_SERVER['PHP_SELF']
  - $_COOKIE
- Shell commands: exec()

Slide 18: Cross-Site Request Forgery
- Let's Google for "javascript are you sure?"
- First result (circa 2006) is susceptible to CSRF (and probably SQL Injection).
- What is this CSRF?

Slide 19: GET CSRF
- delete.php?id=123
- An action that modifies data called via HTTP GET (against HTTP specs).
- <img src="http://x.com/delete.php?id=123" />

Slide 20: POST CSRF
- Only difference: JavaScript required to automate attack.

<form name="csrf" action="http://x.com/delete.php" method="POST">
  <input type="hidden" name="id" value="123">
</form>
<script>document.csrf.submit()</script>

Slide 21: CSRF in Action (demo)

Slide 22: Fixing CSRF
- Do not modify data using GET
- Use tokens on all form POSTs
  - per-session
  - per-form
  - Up to you - convenience vs. security
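Both token schemes from slide 22, as an added example that is not part of the slides. It assumes session_start() has already run (the demo at the bottom fakes $_SESSION instead) and replays the forged POST from slide 20 against the check.

```php
<?php
// Added example, not from the slides: the per-session and per-form token
// schemes of slide 22. Assumes session_start() has run so $_SESSION is
// live; the demo at the bottom fakes the session array instead.

// Per-session token: one random value, created once, reused on every form.
function csrfSessionToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Per-form token: fresh per form name and single use. Stricter, but the
// same form open in two tabs fails once (the convenience cost on slide 22).
function csrfFormToken(string $form): string
{
    $_SESSION['csrf_forms'][$form] = bin2hex(random_bytes(32));
    return $_SESSION['csrf_forms'][$form];
}

// Hidden field to drop into a POST form.
function csrfField(string $token): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlentities($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Run on every POST before any data changes. hash_equals() compares in
// constant time; a per-form token is discarded after a successful match.
function csrfCheck(array $post, ?string $form = null): bool
{
    $given    = $post['csrf'] ?? '';
    $expected = $form === null ? ($_SESSION['csrf'] ?? '') : ($_SESSION['csrf_forms'][$form] ?? '');
    $ok = is_string($given) && $expected !== '' && hash_equals($expected, $given);
    if ($ok && $form !== null) {
        unset($_SESSION['csrf_forms'][$form]);
    }
    return $ok;
}

// Demo: the forged POST from slide 20 carries id=123 but no token and is
// refused; the POST from the real form carries the token and passes.
$_SESSION = [];
$token   = csrfFormToken('delete');
echo csrfField($token), "\n";
$forged  = ['id' => '123'];
$genuine = ['id' => '123', 'csrf' => $token];
var_dump(csrfCheck($forged, 'delete'), csrfCheck($genuine, 'delete'));
```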
Slide 23: Other Protections
- Secure Cookie Flag
  - Cookie is only transmitted over HTTPS
- HTTPOnly Cookie Flag
  - Can't be accessed using <script>
- Use innerText, not innerHTML
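The two cookie flags from slide 23 with the weak default beside the hardened call, as an added example that is not part of the slides. It needs PHP 7.3+ for the options-array forms; the SameSite attribute is an addition not mentioned on the slide.

```php
<?php
// Added example, not from the slides: the Secure and HTTPOnly flags from
// slide 23 applied to the session cookie and to an application cookie.
// Needs PHP 7.3+ for the options-array forms used below.
$token = bin2hex(random_bytes(16)); // constructed value for the demo

// Weak: defaults. The cookie is also sent over plain HTTP, and any script
// injected through XSS can read it from document.cookie.
setcookie('remember', $token);

// Hardened. Secure: sent only over HTTPS. HttpOnly: invisible to
// document.cookie, so a reflected <script> cannot read it. SameSite=Lax
// (not on the slide) also keeps the cookie off cross-site POSTs, which
// blunts the auto-submitted form from slide 20.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

setcookie('remember', $token, [
    'expires'  => time() + 30 * 86400,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
```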
Slide 24: 3rd Party Plugins
- Need a plugin or specific function?
- Google. Download. Hackhack. It works!
- Is that code secure? (See prev. CSRF)

Slide 25: Server Config
- Not always some über-technical sploit...
- /phpMyAdmin unprotected?
- demo/demo password
- Email on confirmation page

Slide 26: Location: $references
- Chris Shiflett: http://shiflett.org/
  - Essential PHP Security
- PHP Manual: http://www.php.net/manual/en/security.php
- Disable register_globals
  - Disabled by default in PHP > 4.2.0
- http://www.owasp.org/index.php/PHP_Top_5
- http://startupsecurity.info

Slide 27: Thanks
- [email_address]
- http://xkcd.com/327/