Tulsa techfest2010 security

Slide 1: What is Security?
Jason Ragsdale
Sr. Technical Yahoo, Yahoo!
Help us thank our sponsors:
Friday, November 12, 2010

Slide 2: A good place to start...
php.ini
    display_errors = Off
    register_globals = Off
    open_basedir = ....
What about safe_mode??
Slide 3: Don't be stupid
Never require/include any file based on user input without checking it first.

    <?php
    if (isset($_GET['page'])) {
        require $_GET['page'];   // the path comes straight from the request
    }
    ?>

URL: script.php?page=/etc/passwd
....
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
Slide 4: Don't be stupid... 2
If your solution uses eval().... you are doing it wrong

    <?php
    if (isset($_GET['input'])) {
        eval($_GET['input']);   // request text is executed as PHP
    }
    ?>

URL: script.php?input=passthru("cat /etc/passwd");
....
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
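The safe counterpart to slides 3 and 4, added here as an example that is not part of the slides: the request still chooses a page and an action, but it only ever selects a key in a table the code owns, so no request string reaches require or eval. The pages/ directory, the file names, the action names and PHP 7.4+ are assumptions.

```php
<?php
// Added example (not from the slides): whitelist lookup instead of require/eval
// on request data. Files, directory and action names are illustrative.

// Map of allowed page keys to files. Only a key present here is ever required.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(?string $requested): ?string
{
    // The request picks among fixed keys, never a path: "../x", "/etc/passwd"
    // and "http://..." simply miss the table and yield null (respond 404).
    if ($requested === null || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return PAGES[$requested];
}

// Replacement for eval($_GET['input']): a dispatch table of named callables.
function dispatch_action(string $name, array $args = []): string
{
    static $actions = null;
    if ($actions === null) {
        $actions = [
            'greet' => fn(array $a): string => 'Hello, ' . ($a['name'] ?? 'guest'),
            'sum'   => fn(array $a): string => (string) ((int) ($a['x'] ?? 0) + (int) ($a['y'] ?? 0)),
        ];
    }
    if (!isset($actions[$name])) {
        throw new InvalidArgumentException('unknown action');
    }
    return $actions[$name]($args);
}

// Usage with constructed request values standing in for $_GET:
$file = resolve_page('about');            // ".../pages/about.php"
$bad  = resolve_page('../../etc/passwd'); // null: not in the table, nothing is included
if ($file !== null && is_file($file)) {
    require $file;
}
echo dispatch_action('sum', ['x' => '2', 'y' => '3']), "\n"; // 5
var_dump($bad);                                             // NULL
```

The point is that the lookup, not a filter on the string, is the control: there is no pattern to get wrong, and a new page or action is added by editing the table, which is also the list an auditor reviews.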
Slide 5: Input Filtering
What is input?
Anything the user or interacting system sends to your site, i.e. $_POST, $_GET, $_REQUEST, $_COOKIE...
What is a whitelist?
"A list of approved or favored items"
What is a blacklist?
"A list of persons who are disapproved of or are to be punished or boycotted"

Slide 6: Input Validation
Unfiltered code
Example

    <?php
    if (isset($_POST['username'])) {
        $username = $_POST['username'];   // used as-is, no check at all
    }

Slide 7: Input Validation
ctype
Example

    <?php
    $clean = array();
    // whitelist: only letters and digits are accepted into $clean
    if (isset($_POST['username']) && ctype_alnum($_POST['username'])) {
        $clean['username'] = $_POST['username'];
    }

Slide 8: Input Validation
Zend_Filter_Input
Example

    <?php
    // Zend Framework 1 filter chain: keep letters only, then lower-case
    if (isset($_POST['username'])) {
        $filterChain = new Zend_Filter();
        $filterChain->addFilter(new Zend_Filter_Alpha())
                    ->addFilter(new Zend_Filter_StringToLower());
        $username = $filterChain->filter($_POST['username']);
    }
Slide 9: Input Validation
php/filter
Example

    <?php
    if (isset($_POST['username'])) {
        // validate the submitted value (the slide passed the literal string 'username');
        // the pattern is anchored so the whole value, not just a substring, must match
        $username = filter_var($_POST['username'], FILTER_VALIDATE_REGEXP,
            array('options' => array('regexp' => '/^[a-zA-Z0-9]+$/')));
        // $username is false when validation fails
    }
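A whole-form validator in the style of slides 7 and 9, added as an example that is not from the slides. It builds on filter_var, collects a $clean array the way slide 7 does, and makes the anchoring point concrete: an unanchored /([a-zA-Z0-9]+)/ accepts "bob<script>" because it only needs to find one alphanumeric run somewhere in the value. Field names, rules and PHP 7.1+ are assumptions.

```php
<?php
// Added example (not from the slides): whitelist validation of several fields
// with filter_var. Field names and rules are illustrative.

function validate_input(array $raw): array
{
    $clean  = [];
    $errors = [];

    // username: 3-32 alphanumerics and nothing else (anchored with ^ and $)
    $username = filter_var($raw['username'] ?? '', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[a-zA-Z0-9]{3,32}$/']]);
    if ($username === false) {
        $errors['username'] = 'must be 3-32 letters or digits';
    } else {
        $clean['username'] = $username;
    }

    // email: let PHP's own validator decide
    $email = filter_var($raw['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'not a valid address';
    } else {
        $clean['email'] = $email;
    }

    // age: whole number in a sane range; "12abc" and "1e3" are rejected
    $age = filter_var($raw['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'must be a whole number between 13 and 120';
    } else {
        $clean['age'] = $age;   // now an int, not a string
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// The unanchored pattern from the slide, kept only to show what it lets through.
function unanchored_accepts(string $v): bool
{
    return filter_var($v, FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/([a-zA-Z0-9]+)/']]) !== false;
}

// Constructed request data standing in for $_POST:
$good = validate_input(['username' => 'alice42', 'email' => 'alice@example.com', 'age' => '30']);
$bad  = validate_input(['username' => 'bob<script>', 'email' => 'not-an-email', 'age' => '12abc']);

var_dump(count($good['errors']) === 0);        // true
var_dump(array_keys($bad['errors']));          // ["username", "email", "age"]
var_dump(count($bad['clean']) === 0);          // true: nothing from the bad form is usable
var_dump(unanchored_accepts('bob<script>'));   // true: the slide's pattern would have passed it
```

Only $clean is handed to the rest of the application; the raw array is never read again after validation, which is what keeps the whitelist from being bypassed by a later "just this once" access.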
Slide 10: Output Encoding
What is output?
Anything sent back to the user / sender of the request (RSS feed, form validation, user-created data...)
htmlentities
Example

    <?php
    $str = "A 'quote' is <b>bold</b>";
    // Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
    // (the single quote is left alone under the PHP 5 default, ENT_COMPAT)
    echo htmlentities($str);
    // Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
    echo htmlentities($str, ENT_QUOTES);

Slide 11: Tim Stiles
At this point mention XmlWriter and all its wonders.... ;)

Slide 12: Database Inputs
(or: How I Learned to Stop Worrying and Love the Users)
Slide 13: How do I deal with it?
An input filter (whitelist) combined with prepared statements... DONE

    $clean = array();
    if (ctype_alnum($_POST['username'])) {
        $clean['username'] = $_POST['username'];
        // the query runs only once the whitelist has passed; $dbh is an existing PDO connection
        $sql = "SELECT `username` FROM `users` WHERE `username` = :username";
        $sth = $dbh->prepare($sql);
        $sth->execute(array(':username' => $clean['username']));
        $username = $sth->fetchColumn();
    }
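Slide 13's pattern run end to end, added as an example that is not from the slides. It uses an in-memory SQLite database so it works offline; the schema, the rows and the hostile-looking username are constructed, and the pdo_sqlite extension is assumed. The second lookup skips the whitelist on purpose, to show that the placeholder alone still keeps the value from being read as SQL.

```php
<?php
// Added example (not from the slides): whitelist + prepared statement against
// an in-memory SQLite database. Schema and data are constructed.

function open_db(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    $ins = $dbh->prepare('INSERT INTO users (username) VALUES (:username)');
    foreach (['alice', 'bob'] as $u) {
        $ins->execute([':username' => $u]);
    }
    return $dbh;
}

// Placeholder, never concatenation: the value travels as data, not as SQL text.
function lookup(PDO $dbh, string $username): ?string
{
    $sth = $dbh->prepare('SELECT username FROM users WHERE username = :username');
    $sth->execute([':username' => $username]);
    $row = $sth->fetchColumn();
    return $row === false ? null : $row;
}

// Slide 13 as a function: whitelist first, then the prepared statement.
function find_user(PDO $dbh, string $username): ?string
{
    if (!ctype_alnum($username)) {
        return null;   // anything outside [A-Za-z0-9] never reaches the database
    }
    return lookup($dbh, $username);
}

$dbh = open_db();
var_dump(find_user($dbh, 'alice'));         // string "alice"
var_dump(find_user($dbh, 'nobody'));        // NULL: valid shape, no such row
var_dump(find_user($dbh, "' OR '1'='1"));   // NULL: rejected by the whitelist
// Even without the whitelist the bound value is compared literally,
// so no row has that username and nothing is returned:
var_dump(lookup($dbh, "' OR '1'='1"));      // NULL
```

On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so that the server, not the driver, binds the parameters; SQLite prepares natively. The two layers are deliberate: the whitelist keeps junk out of the application, the prepared statement keeps the database safe even when a future code path forgets the whitelist.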
Slide 14: XSS (Cross Site Scripting)
Example

    <?php
    echo "<p> Welcome back, {$_GET['username']}.</p>";
    ?>

------
Let's exploit this
------

    <p> Welcome back, <script> ....do something bad here... </script>. </p>

Slide 15: XSS (Cross Site Scripting)
If you do the two items we spoke about
    Input Filtering
    Output Encoding
You most likely are still vulnerable, but it'll be a lot harder to exploit.
Almost impossible to completely nullify all security / XSS stuff (new browsers and plugins all the time + bad guys keep getting smarter)
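The slide 14 welcome message with the output encoding of slide 10 applied, added as an example that is not from the slides. It uses htmlspecialchars rather than the slide's htmlentities (with UTF-8 declared, encoding the five significant characters is sufficient) and adds a second helper for attribute context, where the quotes around the value matter as much as the encoding. The e()/attr() names, the sample inputs and PHP 7.1+ are assumptions.

```php
<?php
// Added example (not from the slides): encode on output for the HTML text
// context and for the attribute context. Helper names are illustrative.

// HTML text context: encode & < > " and '. ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning "" and silently blanking the whole output.
function e(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Attribute context: same encoding, and the helper supplies the quotes so a
// caller cannot forget them (an unquoted attribute ends at the first space).
function attr(?string $s): string
{
    return '"' . e($s) . '"';
}

function welcome(?string $username): string
{
    // the slide's vulnerable form was: "<p> Welcome back, {$_GET['username']}.</p>"
    return '<p> Welcome back, ' . e($username) . '.</p>';
}

function link_to(string $href, string $text): string
{
    return '<a href=' . attr($href) . '>' . e($text) . '</a>';
}

// Constructed inputs standing in for $_GET['username']:
echo welcome('Jason'), "\n";
// <p> Welcome back, Jason.</p>
echo welcome('<script>x</script>'), "\n";
// <p> Welcome back, &lt;script&gt;x&lt;/script&gt;.</p>   (shown as text, never run)
echo welcome("O'Brien"), "\n";
// <p> Welcome back, O&#039;Brien.</p>
echo link_to('/profile?user=a"b', 'My profile'), "\n";
// <a href="/profile?user=a&quot;b">My profile</a>
```

Encode at the point of output, for the context being written into; data that was "filtered on input" still has to be encoded here, because a legitimate O'Brien or a stored value from another system reaches this echo too. JavaScript and URL contexts need their own encoders, which is what slide 15 means by "still vulnerable, but harder".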
Slide 16: CSRF (Cross Site Request Forgeries)
Somewhere on MyFavoriteForum.com:

    <img src="bank.com/transfermoney.php?to=me&amount=100.00">

...if users are logged in, invisible actions can be taken on their behalf, with their authority.

Slide 17: CSRF (Cross Site Request Forgeries)
Solutions
Sign your forms with a token (MD5 hash with a secret key)
Validate the token before processing the data
This can be done with Cookie and Session data as well
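Slide 17's signed form token written out, added as an example that is not from the slides. It uses hash_hmac with SHA-256 and a constant-time compare (hash_equals, PHP 5.6+) in place of the MD5 the slide names; the secret, the session id and the form name are constructed values.

```php
<?php
// Added example (not from the slides): per-session, per-form CSRF tokens.
// The secret would be read from a config file outside the document root
// (slide 24) and the session id taken from session_id(); both are constructed here.

// Token bound to this session and to one form, so a token taken from one
// form cannot be replayed against another.
function csrf_token(string $secret, string $sessionId, string $form): string
{
    return hash_hmac('sha256', $form . '|' . $sessionId, $secret);
}

function csrf_valid(string $secret, string $sessionId, string $form, ?string $submitted): bool
{
    if ($submitted === null) {
        return false;
    }
    $expected = csrf_token($secret, $sessionId, $form);
    // hash_equals compares in constant time, so the check leaks no timing signal
    return hash_equals($expected, $submitted);
}

function render_form(string $token): string
{
    return '<form method="post" action="/transfer">'
         . '<input type="hidden" name="csrf" value="' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
         . '<input name="amount"><button>Send</button></form>';
}

// Constructed stand-ins for the config secret and the current session:
$secret    = 'replace-with-a-long-random-value-from-config';
$sessionId = 'sess-3f9a1c';

$token = csrf_token($secret, $sessionId, 'transfer');
echo render_form($token), "\n";

// The forged <img> request from slide 16 carries no token at all:
var_dump(csrf_valid($secret, $sessionId, 'transfer', null));        // false
// A token minted for another session or another form does not verify:
var_dump(csrf_valid($secret, 'sess-other', 'transfer', $token));    // false
var_dump(csrf_valid($secret, $sessionId, 'login', $token));         // false
// The genuine one does:
var_dump(csrf_valid($secret, $sessionId, 'transfer', $token));      // true
```

Validate before doing anything with the rest of the form data, as the slide says, and only accept state-changing requests over POST: a GET like transfermoney.php?to=me can be triggered by an image tag no matter how the form is signed.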
Slide 18: Protecting Source Code
Make sure all code file extensions are blocked from viewing
You can remove them from the html root
Or block them in the apache config

    # the dot is escaped so only a literal ".inc" extension matches
    <FilesMatch "\.inc$">
        Order deny,allow
        Deny from all
    </FilesMatch>

Slide 19: Protecting Source Code
Watch for editor backup files too!
    .file.php.tmp
    file.php~
    etc...
Or don't edit code on production boxes.

Slide 20: Code Auditing
Set a standard for your team (and yes, a team can be a single person)
    Input Filtering Methods
    Output Encoding Methods
    Database Access Methods
Search code for security points (echo, print...)
Enforce these methods

Slide 21: Code Auditing
Default to Secure.
Make being unsecure obvious and auditable

    YAHOO_GET_RAW("blah")
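A small audit pass in the spirit of slides 20 and 21, added as an example that is not from the slides. It tokenizes PHP source and reports two things: an echo or print whose first operand is a raw superglobal, and every call to a raw accessor, assumed here to be named GET_RAW in the manner of the slide's YAHOO_GET_RAW, so that deliberately unfiltered access is greppable and counted. The sample source and PHP 7.1+ are assumptions.

```php
<?php
// Added example (not from the slides): token-based scan for raw output and
// raw-accessor calls. The accessor name and the sample source are constructed.

function audit_source(string $code, string $rawAccessor = 'GET_RAW'): array
{
    $findings = [];
    $tokens   = token_get_all($code);
    $n        = count($tokens);

    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue;   // single-character tokens such as ';' or '('
        }
        [$id, $text, $line] = $tok;

        // every call to the raw accessor is listed so a reviewer can justify each one
        if ($id === T_STRING && strcasecmp($text, $rawAccessor) === 0) {
            $findings[] = ['line' => $line, 'kind' => 'raw-accessor', 'text' => $text];
            continue;
        }

        // echo/print followed (ignoring whitespace) directly by a request superglobal
        if ($id === T_ECHO || $id === T_PRINT) {
            $j = $i + 1;
            while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_VARIABLE
                && in_array($tokens[$j][1], ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE'], true)) {
                $findings[] = ['line' => $line, 'kind' => 'raw-output', 'text' => $tokens[$j][1]];
            }
        }
    }
    return $findings;
}

// Constructed sample of the kind of code the audit would run over:
$sample = <<<'SRC'
<?php
echo $_GET['name'];                      // line 2: raw output
$u = GET_RAW('username');                // line 3: raw accessor, must be justified
echo htmlspecialchars($_GET['name']);    // line 4: fine, first token after echo is a call
print $_COOKIE['theme'];                 // line 5: raw output
SRC;

foreach (audit_source($sample) as $f) {
    printf("line %d: %s (%s)\n", $f['line'], $f['kind'], $f['text']);
}
// line 2: raw-output ($_GET)
// line 3: raw-accessor (GET_RAW)
// line 5: raw-output ($_COOKIE)
```

This only inspects the first operand after echo/print, so `echo 'Hi ' . $_GET['name']` is not caught; a fuller check walks the whole expression. The accessor rule is the one that scales: when the only way to read unfiltered input is a function with an ugly name, a count of its call sites is the audit.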
Slide 22: System Security
Your website is only as secure as the server/network it is hosted on
Perform regular package updates
Make sure you apply any updated PHP or Apache code as soon as you can; there are reasons for security releases

Slide 23: Firewalls & Access Control
Only allow access to the ports that you need to
    80 - Web
    443 - SSL
    22 - SSH

Slide 24: Misc...
Signed Data (MD5)
Encrypted passwords in the DB
Config Files outside DOCROOT
Secret keys outside code, in config files
If it's customer data, USE SSL
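Two items from slide 24 written out, added as an example that is not from the slides. Passwords are stored as salted one-way hashes with password_hash (PHP 5.5+), which is what "encrypted passwords in the DB" comes down to in practice, since the application never needs the plaintext back; and a value handed to the client is signed with hash_hmac/SHA-256 rather than the MD5 the slide names. The secret and all sample values are constructed.

```php
<?php
// Added example (not from the slides): password storage with password_hash and
// tamper-evident signed data with hash_hmac. Secret and samples are constructed.

// --- passwords: store the hash, compare with password_verify ----------------
function store_password(string $plain): string
{
    // bcrypt with a fresh random salt; the result embeds algorithm, cost and salt
    return password_hash($plain, PASSWORD_DEFAULT);
}

function check_password(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// --- signed data: the client may read the value but cannot change it ---------
function sign_value(string $secret, string $value): string
{
    // "<value>.<hex mac>": the value stays readable, the mac proves it is unmodified
    return $value . '.' . hash_hmac('sha256', $value, $secret);
}

function verify_signed(string $secret, string $signed): ?string
{
    $pos = strrpos($signed, '.');
    if ($pos === false) {
        return null;
    }
    $value = substr($signed, 0, $pos);
    $mac   = substr($signed, $pos + 1);
    // constant-time compare; returns the value only when the mac matches
    return hash_equals(hash_hmac('sha256', $value, $secret), $mac) ? $value : null;
}

$stored = store_password('correct horse battery staple');
var_dump(check_password('correct horse battery staple', $stored));    // true
var_dump(check_password('Tr0ub4dor&3', $stored));                    // false
var_dump($stored !== store_password('correct horse battery staple')); // true: new salt every time

$secret = 'loaded-from-a-config-file-outside-docroot';
$cookie = sign_value($secret, 'user=42;role=member');
var_dump(verify_signed($secret, $cookie));                            // "user=42;role=member"
$edited = 'user=42;role=admin.' . substr($cookie, -64);               // value changed, old mac kept
var_dump(verify_signed($secret, $edited));                            // NULL: mac no longer matches
```

Signing proves integrity, not secrecy: anything inside the signed value is still readable by the client, so anything that must stay private belongs server-side in the session, not in a signed cookie.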
Slide 25: Q&A

Slide 26: Please Complete An Evaluation Form
http://joind.in/talk/view/2356
