What is Security?
DPUG - September 9th 2008
Jason Ragsdale
  1. What is Security?
     DPUG - September 9th 2008
     Jason Ragsdale
     Wednesday, September 10, 2008
  2. A good place to start... php.ini
        display_errors = Off
        register_globals = Off
        open_basedir = ....
     What about safe_mode??
  3. Don't be stupid
     Never require/include any file based on user input without checking it first.
        <?php
        // Deliberately vulnerable: the file name comes straight from the query string.
        if (isset($_GET['page'])) {
            require $_GET['page'];
        }
        ?>
     URL: script.php?page=/etc/passwd
     ....
        nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
        root:*:0:0:System Administrator:/var/root:/bin/sh
  4. Don't be stupid... 2
     If your solution uses eval().... you are doing it wrong
        <?php
        // Deliberately vulnerable: arbitrary PHP from the query string is executed.
        if (isset($_GET['input'])) {
            eval($_GET['input']);
        }
        ?>
     URL: script.php?input=passthru("cat /etc/passwd");
     ....
        nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
        root:*:0:0:System Administrator:/var/root:/bin/sh
  5. Input Filtering
     What is input?
        Anything the user or interacting system sends to your site, i.e. $_POST, $_GET, $_REQUEST, $_COOKIE...
     What is a whitelist?
        "A list of approved or favored items"
     What is a blacklist?
        "A list of persons who are disapproved of or are to be punished or boycotted"
  6. Input Validation - Unfiltered code
     Example
        <?php
        // The value is copied out of $_POST without any check on its contents.
        if (isset($_POST['username'])) {
            $username = $_POST['username'];
        }
  7. Input Validation - ctype
     Example
        <?php
        $clean = array();
        // Whitelist: only a value made entirely of letters and digits is kept.
        if (isset($_POST['username']) && ctype_alnum($_POST['username'])) {
            $clean['username'] = $_POST['username'];
        }
  8. Input Validation - Zend_Filter_Input
     Example
        <?php
        if (isset($_POST['username'])) {
            // Filter chain: strip everything but letters, then lower-case the result.
            $filterChain = new Zend_Filter();
            $filterChain->addFilter(new Zend_Filter_Alpha())
                        ->addFilter(new Zend_Filter_StringToLower());
            $username = $filterChain->filter($_POST['username']);
        }
  9. Input Validation - php/filter
     Example
        <?php
        if (isset($_POST['username'])) {
            // The pattern is anchored so the whole value must be alphanumeric;
            // filter_var returns the value on a match and false otherwise.
            $username = filter_var($_POST['username'], FILTER_VALIDATE_REGEXP, array(
                'options' => array('regexp' => '/^[a-zA-Z0-9]+$/')
            ));
        }
  10. Output Encoding
      What is output?
        Anything sent back to the user / sender of the request (RSS Feed, Form Validate, User created data...)
      htmlentities Example
        <?php
        $str = "A 'quote' is <b>bold</b>";
        // Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
        // (the default flags encode double quotes but leave single quotes alone)
        echo htmlentities($str);
        // Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
        // (ENT_QUOTES encodes single quotes too)
        echo htmlentities($str, ENT_QUOTES);
  11. Tim Stiles
      At this point mention XmlWriter and all its wonders.... ;)
  12. Database Inputs
      (or: How I Learned to Stop Worrying and Love the Users)
  13. How do I deal with it?
      An input filter (whitelist) combined with prepared statements... DONE
        <?php
        $clean = array();
        // Whitelist the input first.
        if (isset($_POST['username']) && ctype_alnum($_POST['username'])) {
            $clean['username'] = $_POST['username'];
        }
        if (isset($clean['username'])) {
            // $dbh is an existing PDO connection; the value is bound as a
            // parameter, never interpolated into the SQL string.
            $sql = "SELECT `username` FROM `users` WHERE `username` = :username";
            $sth = $dbh->prepare($sql);
            $sth->execute(array(':username' => $clean['username']));
            $username = $sth->fetchColumn();
        }
  14. XSS (Cross Site Scripting)
      Example
        <?php
        // Deliberately vulnerable: the query string is echoed into the HTML unencoded.
        echo "<p> Welcome back, {$_GET['username']}.</p>";
        ?>
      ------ Let's exploit this ------
        <p> Welcome back, <script> ....do something bad here... </script>. </p>
  15. XSS (Cross Site Scripting)
      If you do the two items we spoke about:
        Input Filtering
        Output Encoding
      You most likely are still vulnerable, but it'll be a lot harder to exploit.
      Almost impossible to completely nullify all security / XSS stuff (new browsers and plugins all the time + bad guys keep getting smarter)
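The two items applied to the slide 14 greeting, as an added example that is not from the slides: a whitelist filter on the input (via php/filter, as on slide 9) and htmlspecialchars on the output. The function names and the sample request array are assumptions for the demo.

```php
<?php
// Added example: the slide 14 greeting, once with the raw query string
// (vulnerable) and once with whitelist filtering plus output encoding.

// Vulnerable: the untrusted value is written straight into the HTML document.
function greet_raw(array $get)
{
    return "<p> Welcome back, {$get['username']}.</p>";
}

// Input filtering: accept only a username that matches a strict whitelist.
// The pattern is anchored (and the D modifier stops $ matching before a
// trailing newline) so the whole value must match, not just a substring.
function clean_username(array $get)
{
    if (!isset($get['username']) || !is_string($get['username'])) {
        return null;
    }
    $ok = filter_var($get['username'], FILTER_VALIDATE_REGEXP, array(
        'options' => array('regexp' => '/^[a-zA-Z0-9]{1,32}$/D'),
    ));
    return $ok === false ? null : $ok;
}

// Output encoding: every value echoed into HTML goes through htmlspecialchars
// with ENT_QUOTES and an explicit charset, so quotes and angle brackets are inert.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function greet_safe(array $get)
{
    $username = clean_username($get);
    if ($username === null) {
        return '<p> Welcome back, guest.</p>';
    }
    // Encode on output even though the whitelist already rejected markup:
    // the two layers are independent, which is the point of slide 15.
    return '<p> Welcome back, ' . h($username) . '.</p>';
}

// Constructed sample input (not a real request): the slide 14 payload.
$attack = array('username' => '<script>alert(1)</script>');
echo greet_raw($attack), "\n";    // the script tag lands in the page unchanged
echo greet_safe($attack), "\n";   // rejected by the whitelist, falls back to guest

// A value the whitelist rejects for a different reason: the apostrophe.
echo greet_safe(array('username' => "O'Neil")), "\n";
```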
  16. CSRF (Cross Site Request Forgeries)
      Somewhere on MyFavoriteForum.com:
        <img src="bank.com/transfermoney.php?to=me&amount=100.00">
      ...if users are logged in, invisible actions can be taken on their behalf, with their authority.
  17. CSRF (Cross Site Request Forgeries)
      Solutions
        Sign your forms with a token (MD5 hash with a secret key)
        Validate the token before processing the data
        This can be done with Cookie and Session data as well
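The form-signing solution above, as an added example that is not from the slides: the slide names an MD5 hash with a secret key, and this uses hash_hmac with SHA-256 plus hash_equals for the comparison, which is the current idiomatic form of the same idea. The secret is assumed to come from a config file outside DOCROOT (slide 24); the function names, session id and form name are demo assumptions.

```php
<?php
// Added example: sign a form with a token bound to the session and the form,
// and validate the token before processing the submitted data.

function csrf_token($secret, $session_id, $form_name)
{
    // Binding to the session and the form name means a token cannot be replayed
    // from another user's session or against a different action.
    return hash_hmac('sha256', $session_id . '|' . $form_name, $secret);
}

function csrf_hidden_field($secret, $session_id, $form_name)
{
    $token = csrf_token($secret, $session_id, $form_name);
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_valid($secret, $session_id, $form_name, array $post)
{
    if (!isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    $expected = csrf_token($secret, $session_id, $form_name);
    // Constant-time comparison; a plain == would leak timing information.
    return hash_equals($expected, $post['csrf_token']);
}

// Constructed demo values: in a real page $secret is loaded from the config
// file and $session_id comes from session_id() after session_start().
$secret     = 'replace-with-a-long-random-secret-from-config';
$session_id = 'demo-session-123';

// Emit the signed field inside the transfer form.
echo csrf_hidden_field($secret, $session_id, 'transfermoney'), "\n";

// The forged <img> request from slide 16 carries no token, so it is refused
// before any money moves.
$forged = array('to' => 'me', 'amount' => '100.00');
var_dump(csrf_valid($secret, $session_id, 'transfermoney', $forged));

// A genuine submission echoes back the token the form was given and passes.
$genuine = array('csrf_token' => csrf_token($secret, $session_id, 'transfermoney'),
                 'to' => 'alice', 'amount' => '100.00');
var_dump(csrf_valid($secret, $session_id, 'transfermoney', $genuine));
```

The same signing function can be applied to cookie or session values, as the slide notes, by signing the value and rejecting any cookie whose signature no longer matches.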
  18. Protecting Source Code
      Make sure all code file extensions are blocked from viewing
        You can remove them from the html root
        Or block them in the apache config:
          # The dot is escaped so only names ending in ".inc" match
          <FilesMatch "\.inc$">
              Order deny,allow
              Deny from all
          </FilesMatch>
  19. Protecting Source Code
      Watch for editor backup files too!
        .file.php.tmp
        file.php~
        etc...
      Or don't edit code on production boxes.
  20. Code Auditing
      Set a standard for your team (and yes, a team can be a single person):
        Input Filtering Methods
        Output Encoding Methods
        Database Access Methods
      Search code security points (echo, print...)
      Enforce these methods
  21. Code Auditing
      Default to Secure.
      Make being unsecure obvious and auditable:
        YAHOO_GET_RAW( "blah" )
  22. System Security
      Your website is only as secure as the server/network it is hosted on.
      Perform regular package updates.
      Make sure you apply any updated PHP or Apache code as soon as you can; there are reasons for security releases.
  23. Firewalls & Access Control
      Only allow access to ports that you need to:
        80 - Web
        443 - SSL
        22 - SSH
  24. Misc...
      Signed Data (MD5)
      Encrypted passwords in the DB
      Config Files outside DOCROOT
      Secret keys outside code, in config files
      If it's customer data USE SSL
  25. Q&A