PHP Security 101

PHP SECURITY101michael stowe AUGUST 12, 2012

MIKESTOWE .com• 10+ years experience hacking PHP• Published Author, Speaker, and Consultant• Developed applications used by the medical field and law enforcement• Software Engineer at CaringBridge.org (half a million visitors every day)• Zend Certified PHP 5.3 Software Engineer@mikegstowe

WHAT DOES IT MEANTO BE SECURE?

PRISON THEORY OFWEB DEVELOPMENT SECURITY

PRISON THEORY OF WEBDEVELOPMENT SECURITY • Control User Access and Mobility • Have a Emergency Response Plan • Provide Proper Training • Restrict Potential for Negligence by Staff • Scan Incoming Traffic • Validate and Sanitize Everything • Use Obfuscation • Log and Monitor Everything • Proactively Scan and Monitor Code

CONTROL USER ACCESSOne of the most basic layers of security is to simplycontrol what pages the user has access to. This, in it’ssimplest form means providing work flows to direct usersto only the pages you want them to visit, and in morecomplex forms: restricting script directives and validatinguser roles and privileges on each page.

Remember, it’s YOUR application. You builtit with a purpose. The way your applicationis built should GUIDE users to do the thingsyou want them to, and PREVENT them fromdoing the things you don’t.

INI DIRECTIVES register_globals = off; < PHP 5.4, Extremely Dangerous session.use_only_cookies = 1; Ignores querystring session ID session.cookie_httponly = 1; Limits access to cookies* allow_url_fopen = 0; Disallows using fopen with external URLs allow_url_include = 0; Disallows including external URLs zend.script_encoding = UTF8; PHP 5.4+, sets encoding* not supported by all browsers

USER AUTHENTICATION <?php <?php class restrictedController { public function restrictedAction() { // Load User Class $user = new User(); // Validate User if (!$user->loggedIn() || !$user->role(Author)) { $this->redirect(/notAuthorized); } /** ... **/ } }

HAVE A EMERGENCY RESPONSE PLANSecurity breaches can occur night or day, you need tohave a plan for responding when they do. Your planshould include different scenarios, and the properprotocols to follow. You should also have an escalationplan, in case the security breach is beyond your control orexpertise. Your plan should also include a debriefing toreview how effective the response was, and how toimprove and prevent future security breaches.

SAMPLE PLAN• Take database containing personal data offline• Place maintenance page online• Review logs to identify breach• Notify on-call experienced employee• Patch and review for other obvious threats• Restore database and site• Proactively scan and identify any other threats• Report issue and cause• Debriefing with team

THE DEBRIEFINGVersion control, backups, logging, and proactive scanscan help reduce the damage caused by some breaches.However, team debriefings can prevent this breach fromoccurring again by explaining to team members whatcaused the vulnerability to begin with.Debriefings should not be blame sessions, but ratherteaching moments.

PROVIDE TRAININGIt is vital that developers are trained on the propersecurity techniques and stay up to date on newvulnerabilities/ security techniques.Training helps reduce the risk of security breaches byteaching the BEST methods while identifying incorrectpractices (ie add_slashes()).

You can INVEST in your DEVELOPER’S EDUCATION or you can PAY for theirMISTAKES. Guess which one costs more…

RESTRICT POTENTIAL FOR NEGLIGENCE Some of the most dangerous hackers are on the payroll. More often than not developers are rushed to complete part of a project that is dependent on code that they are not familiar with (ex: services, models, etc). Without the proper steps this rush code has the potential to be a welcoming mat for pernicious* visitors.* Yes, I pulled out the dictionary…

RESTRICT POTENTIAL FOR NEGLIGENCEMethods to prevent negligent code include:• Restricted Access (only the code they need)• Version Control (Git, SVN, CVS, etc)• Code Reviews and Audits• End-Point Validation (ex: type-hinting)• Using Magic (getters and setters)

VERSION CONTROL Version control allows you to quickly see WHAT code is being modified, and determine whether or not it should be merged into your master branch or trunk. And when something breaks, version control makes it fairly painless to identify issues and revert back to previous code.Git and SVN are two of the more popular version control methods

VERSION CONTROL BASH Get the latest from Master Branch in Git git pull master Create a new branch for a project git checkout –b mybranch Make Edits to index.php, and see differences git diff index.php Add to be committed git add index.php Commit file with message to local repository git commit –m “Added check to redirect Mobile Users” Push to Master Repository git push origin masterGitHub.com provides a nice online code management interface

END-POINT VALIDATIONSimply put End-Point Validation validates the data at it’send, instead of relying on previous validations. Thisprevents the use of invalid or malformed code that is notproperly vetted prior to injection.This also prevents developers from passing the wrongtype of information to a service, model, class, or function.

END-POINT VALIDATION <?php <?php class User { public function editPhone(PhoneNumber $phoneNumber) { if (!$phoneNumber->isValid()) { throw new Exception(Invalid Phone Number); } $this->phoneNumber = $phoneNumber->get(number); /** ... **/ } }

USING MAGIC PHP provides magic methods that can be used to validate or restrict data based on value or type. By using the magic __get() and __set() methods you are not only able to restrict class properties, but ensure the data passed is correct or manipulate it as necessary. One such pre-existing code base for this is the smrtClass() which allows you to set rules, restrict, and even lock property values.There are more useful magic methods such as __clone() and __invoke()

USING MAGIC <?php class User { private $data = array(name, phone); public function __set($name, $value) { if (!isset($this->data[$name])) { throw new Exception(Invalid Property Name); } $this->data[$name] = $value; } public function __get($name) { if (isset($this->data[$name])) { return $this->data[$name]; } throw new Exception(Property Does not Exists); } }Learn more at: http://php.net/manual/en/language.oop5.magic.php

USING SMRTCLASS <?php <?php $data = new smrtClass(); // Add an Integer $data->add(number, int); $data->number = 10; // Add a String $data->add(string); $data->string = Hello World; // Add an Email String $data->add(emailAddress, email); $data->emailAddress = test@test.com; // Lock Data (No Changes) $data->lockData();Download at: http://www.phpclasses.org/smrtClass

SCAN INCOMING TRAFFICThe first step to defending your site against hackers is toprevent malicious incoming traffic. By checking the useragainst a known database of hackers, checking thebrowser, checking incoming data, and the use of Cross-site Request Forgery tokens we can eliminate severalpotential threats.

IP BLACKLISTINGIP Blacklisting allows you to prevent IPs identified asbelonging to, or being used by spammers and hackersfrom preventing your web application.

IP BLACKLISTING <?php <?php $blacklisted = array( 123.123.123.120, 123.123.123.121, 123.123.123.122, 123.123.123.123, ); if (isset($_SERVER[REMOTE_ADDR]) && in_array($_SERVER[REMOTE_ADDR], $blacklisted)) { header(Location: banned.html); exit(); }

BROWSER SNIFFINGBy checking the HTTP_USER_AGENT we can learn moreabout our user, including what browser they CLAIM to beusing. Keep in mind that this, like all variables set clientside can be spoofed.However, if a potential hacker has not gone the extra stepto set this variable in their attack, they will be easilyidentified.

BROWSER SNIFFING <?php <?php $allowedBrowsersRegex = / Safari | Chrome | IE | Firefox | Opera /; if (isset($_SERVER[HTTP_USER_AGENT])) { if (!preg_match($allowedBrowsersRegex, $_SERVER[HTTP_USER_AGENT])) { // Unsupported HTTP_USER_AGENT $this->redirect(/browserupgrade); exit(); } } elseif (PHP_SAPI == cli) { // Accessed through Command Line - Unit Test? } else { // No HTTP_USER_AGENT! Curl attack? $this->redirect(/browserupgrade); }Remember, HTTP_USER_AGENT CAN be spoofed, do not rely on this

CROSS-SITE REQUEST FORGERYSimply put End-Point Validation validates the data at it’send, instead of relying on previous validations. Thisprevents the use of invalid or malformed code that is notproperly vetted prior to injection.This also prevents developers from passing the wrongtype of information to a service, model, class, or function.

CSRF TOKENS <?php<?phpsession_start();if (!isset($_SESSION[token])) { $_SESSION[token] = sha1(uniqid(mt_rand(), TRUE)); $_SESSION[token_time] = time();}if ($_POST) { if (isset($_POST[token]) && $_POST[token] == $_SESSION[token] && (time() - $_SESSION[token_time]) <= 600) { // Valid Token Submitted within 10 minutes } else { echo <span class="error">Invalid Submission. Please try again!</span>; }}?><form action="..." method="post"> <input type="hidden" name="token" value="<?php echo $_SESSION[token]; ?>" /> ...</form>

REQUEST SNIFFINGRequest Sniffing is similar to Browser Sniffing with theexception that we are testing the incoming GET/POSTdata to ensure we are receiving ONLY the data we shouldbe. Zend Framework 2 allows you to setup form filters that will remove any undefined form elements

REQUEST SNIFFING <?php<?php$formFields = array( name, address, city, state, zip, token, // dont forget to add any tokens!);// Validating Postforeach ($_POST as $k=>$v) { if (!in_array($k, $formFields)) { // Delete it unset($_POST[$k]); // Or Just Redirect Them (Especially if Register_Globals enabled) $this->redirect(/invalidRequest); exit(); }}

VALIDATE EVERYTHINGThe biggest mistake any developer can make is trustingusers to send them the correct data. Not only can usersmake mistakes, but hackers are keen at taking advantageof scripts that lack the proper vetting of incoming data.Failure to validate and sanitize incoming data will openyour application to numerous attacks and vulnerabilities.

SESSION VALIDATIONIn order to prevent Session Fixation and Session Hijacking it isimportant to validate that the Session ID being used belongs to thecorrect user, and is not being used multiple times.This can be done by storing and validating the user’s IP (problem forAOL users), the HTTP_USER_AGENT, or using a Cookie based token(recommended).Also be sure to utilize session_regenerate_id() when performingsensitive tasks (logins, credit cards, password updates, etc).

SESSION VALIDATION <?php<?phpsession_start();if (!isset($_SESSION[token]) || !isset($_COOKIE[token]) || $_SESSION[token] != $_COOKIE[token]) { session_regenerate_id(true); // note the delete_old_session parameter is set to true $token = md5(rand(11111111111, 99999999999)); // you can create a much more secure token // by utilizing alphabetic $_SESSION[token] = $token; setcookie(token, $token);}?>

VALIDATE POST/ GETWhenever possible, try to avoid using $_REQUEST to getincoming data, instead ensuring the data is being sent toyour script through the proper (and expected) channels.Especially since $_REQUEST will utilize Post, Get, andCookie data unless otherwise set in your INI.Be sure to check that the data exists using isset()before trying to validate to avoid index errors.

VALIDATE GET/POST <?php<?php// For a Specific Patternif (!isset($_POST[year]) || !preg_match(/[0-9]{4}/, $_POST[year])) { die(This is not a valid 4-Digit Year);}// For Specific Choices$array = array(male, female);if (!isset($_POST[gender]) || !in_array($_POST[gender], $array)) { die(This is not a valid gender);}// For Specific Typesif (!isset($_POST[year]) || !is_int($_POST[year])) { die(This is not a valid integer);}

PHP FILTER_VAR()PHP 5.2+ includes the filter_var() function, whichallows you to both validate and sanitize data dependingon the flag used.You can learn more about filter_var() at:http://php.net/manual/en/filter.filters.validate.php

PHP FILTER_VAR() <?php<?php// VALIDATE DATAif (!isset($_POST[email]) || !filter_var($_POST[email], FILTER_VALIDATE_EMAIL)) { die(This is an invalid email);}if (!isset($_POST[genurlder]) || !filter_var($_POST[url], FILTER_VALIDATE_URL)) { die(This is an invalid url);}

SANITIZE EVERYTHINGValidation helps reduce the risk of malicious data being passedthrough, however, like any security measure it is not completelyfool proof. It is essential to sanitize the data once it has beenvalidated in order to help prevent malicious data from sneakingthrough.Three helpful functions for sanitizing incoming data include:• filter_var()• strip_tags()• htmlentities()

SANITIZE EVERYTHING <?php <?php // Sanitize using filter_var() (PHP 5.2+) $safeEmail = filter_var($_POST[email], FILTER_SANITIZE_EMAIL); $safeUrl = filter_var($_POST[url], FILTER_SANITIZE_URL); //------------------------------------- // Using strip_tags() $unsafeData = <script>location.href=mysite;</script>; $new = strip_tags($unsafeData); echo $new; // echos out "location.href=mysite;" //------------------------------------- // Using htmlentities() $new = htmlentities($unsafeData, ENT_COMPAT | ENT_HTML401, UTF-8); echo $new; // echos out // <script>location.href=mysite;</script>For PHP versions prior to 5.4 be sure to set the Encoding parameter

DATABASE SANITIZATIONIt is important to sanitize your data prior to submitting itto the SQL Query Engine. When using MySQL you canutilize the mysql_real_escape_string() function,but it is highly recommended to take advantage ofMySQLi or PDO.MySQLi and PDO allow you to build highly efficientprepared statements, or parameterized statements thatutilize a single query template.

USING PHP DATA OBJECTS <?php<?php// Setup PDO Object and Connection Information$db = new PDO(mysql:host=localhost;dbname=testdb;charset=UTF-8, username, password);// Build Query Template$stmt = $db->prepare("SELECT * FROM myTable WHERE username = :username AND password = :password");// Bind and Sanitize Values// You can bind PHP Variables using the bindParam() method instead$stmt->bindValue(:username, $_POST[username], PDO::PARAM_STR);$stmt->bindValue(:password, $_POST[password], PDO::PARAM_STR);// Execute and Fetch$stmt->execute();$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

USE OBFUSCATIONOften times, the simplest forms of protection are also some of thebest. Obfuscation allows us to prevent users from having easyaccess to our data and the architectural structure of ourapplication.Methods of obfuscation include:• Using harder to guess variable names• Not using variable names in URLs or forms• Encrypting personal information (password, credit cards, etc)• Providing generic error messages

LOG AND MONITORIt is extremely important to log system access, system errors,PHP errors, and user activities. These logs not only provide usvaluable insight into WHO the user is, and WHAT they are tryingto do, but also help us identify problems within our serverenvironments or PHP scripts.Whenever testing an application, be sure to check the PHP Errorslog to ensure you are not creating new errors or warnings.

LOGGING BAD ACTIONS <?php <?php class restrictedController { public function restrictedAction() { // Load User Class $user = new User(); if (!$user->loggedIn()) { $this->redirect(/login); } // Validate User if (!$user->role(Author)) { $this->logAttempt(restrictedAction, $user); $this->redirect(/notAuthorized); exit(); } /** ... **/ } }Multiple logs for the same user may identify a potential hacker

PROACTIVELY SCAN AND MONITORIt is also important to be proactive in scanning and monitoringyour code for bugs, unexpected behaviors, and maliciouslyuploaded code.Tools to Monitor and Scan Code Include:• PHPUnit – behavior audit (phpunit.de)• Selenium – front-end audit (seleniumhq.org)• PHP Security Audit - code (sourceforge.net/projects/phpsecaudit/)• Eval Scanner – code audit (mikestowe.com)• PHP Scanner – front-end audit (mikestowe.com)

TO REVIEW

PRISON THEORY OF WEBDEVELOPMENT SECURITY • Control User Access and Mobility • Have a Emergency Response Plan • Provide Proper Training • Restrict Potential for Negligence by Staff • Scan Incoming Traffic • Validate and Sanitize Everything • Use Obfuscation • Log and Monitor Everything • Proactively Scan and Monitor Code

THANK YOU. @mikegstowevisit mikestowe.com/slides for more on Security and PHP

http://knowledge	32
http://www.mikestowe.com	19
https://si0.twimg.com	4
http://www.brijj.com	2
http://www.dominus.dk	2
http://sandbox-tobias-krogh.env.xing.com	1
http://www.onlydoo.com	1
http://www.php-talks.com	1
http://tubemote.com	1
https://sandbox-tobias-krogh.env.xing.com	1

PHP Security 101

by Michael Stowe on Aug 12, 2012

Accessibility

Categories

Upload Details

Usage Rights

10 Embeds 64

Statistics

PHP Security 101 Presentation Transcript