Web security best practices for PHP

© 2019 Rogue Wave Software, Inc. All rights reserved
Webinar series: PHP security best practices
Part 1: Web security best practices for PHP

PHPsecuritybestpracticesPHPsecuritybestpractices
by Daryl Wood
Senior Technical Trainer
Webinar, March 25, 2019
Rogue Wave Software, Inc.

PHPapplicationsecurityPHPapplicationsecurity
BestpracticefundamentalsBestpracticefundamentals
Security attack types
Log monitoring
Attack injection
Attack severities and impacts
PHP version end of life

AttackseveritiesandimpactsAttackseveritiesandimpacts

AttackseveritiesAttackseverities

AttackimpactsAttackimpacts
Impacts of injection success include:
Data loss, corruption, access denial, or complete host takeover
Lack of accountability
Bad public relations
Litigation expense
Web site front-facing impacts
Account(s) compromise

Injectionandattacktypes(limited)Injectionandattacktypes(limited)
Some of the most common attacks or vulnerabilities include:
Cross-site scripting (XSS)
SQL injection
Broken session management
Brute force

InjectionInjection
Injection is an attempt to insert something nefarious into an
application. It can:
Allow malicious code pass through
Include system calls
Include whole scripts
Cause an interpreter to execute unauthorized code

Cross-sitescripting(XSS)Cross-sitescripting(XSS)
An injection of script code, typically JavaScript, into an application from
an outside client.
This vulnerability occurs when input data is used without proper
ltering, validation, and escaping.
Two types of XSS (can occur on a server or client):
Stored
Re ected

Cross-sitescripting(XSS)Cross-sitescripting(XSS)
AstoredvulnerableexampleAstoredvulnerableexample
$_POST['username'] = 'pablo';
$_POST['comment'] = '<script>alert("document.cookie")</script>';
if($_POST) {
$result = null;
try {
$pdo = new PDO('mysql:unix_socket=/var/run/mysqld/mysqld.sock;dbname=blog',
'vagrant', 'vagrant');
$stmt = $pdo->query("INSERT INTO blog (username, comment) VALUES ({$_POST['username']},
{$_POST['comment']})");
if($stmt) $stmt->execute();
// Then subsequently
$result = $pdo->exec("SELECT * FROM blog WHERE username='{$_POST['username']}'");
} catch (Throwable $e){
// Handle ...
}
if($result){
echo $result['comment'];
}
}

SQLinjectionSQLinjection
SQL injection de nes an attempt to inject some amount of SQL, or any
database interface language, in input data from a client.
It attempts to execute unauthorized database actions on a database
server.

SQLinjectionSQLinjection
AvulnerabledodeexampleAvulnerabledodeexample
But, what if the Id parameter looks like this:
if ($_GET && isset($_GET['Submit'])) {
1.
//Employ ACL to determine access
try {
$pdo = new PDO('mysql:unix_socket=/var/run/mysqld/mysqld.sock;dbname=blog',
'vagrant', 'vagrant');
$stmt = $pdo->query("SELECT first_name, last_name FROM blog
WHERE user_id = '{$_GET['id']}'");
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
// Handle ...
}
}
;update blog set username = attacker where user_id = 1;

BrokensessionmanagementBrokensessionmanagement
Broken session management can allow unauthorized attackers access
to privileged account data. When this happens:
Account(s) are compromised
Can allow further exploitation

BrokensessionmanagementBrokensessionmanagement
AvulnerablecodeexampleAvulnerablecodeexample
class LoginController {
// ...
public function logoutAction() {
$this->view->setTemplate('login');
$this->view->render();
}
// ...
}

BruteforceBruteforce
A brute force attack is an attempt to break authentication.
The brute force attacker tries every character/special
character/symbol/number mutation possible until successful.
Robotic
Attempts to identify authentication mechanism
Good at covering tracks
Success is a not a matter of if, but when?
Extremely dangerous on success

BruteforceBruteforce
AvulnerablecodeexampleAvulnerablecodeexample
if($_POST && isset( $_POST['Login'] ) ) {
$username = $_POST['username'];
$password = md5($_POST['password']);
try{
$stmt = $this->getPdo()->query("SELECT * FROM users
WHERE username='$username' AND password='$password'");
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
}catch(PDOException $e){
// Handle ...
}
if( $result && count($result) ) {
// Login Successful
echo "<p>Welcome to the password protected area " . $user . "</p>";
} else {
//Login failed
echo "<pre><br>Username and/or password incorrect.</pre>";
}
}

LogmonitoringLogmonitoring

Log monitoring is all about keeping an eye on what's being attacked,
from where, and sometimes by whom.
This section includes:
Log location
Enabling
Monitoring tools

LoglocationLoglocation
Where are the logs? This is dependant on your server's OS. Here are
locations for a Debian-based Linux server using the Apache web server:
Syslog: /var/log/syslog
Apache access: /var/log/apache2/access.log
Apache error: /var/log/apache2/error.log
PHP error When enabled, and by default, is the syslog.

LogEntryExamplesLogEntryExamples
A cut from a Debian-based Linux syslog:
A cut from an Apache access log:
A cut from an Apache error log:
Mar 15 09:58:40 linux systemd[1]: Timed out waiting for device
dev-disk-byx2did-usbx2dWDC_WD10_02FAEXx2d00Z3A0_152D00539000x2d0:0x2dpart1.device.
127.0.0.1 - - [14/Mar/2019:08:10:14 -0700] "GET / HTTP/1.1" 200 1330 "-"
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"
[Fri Mar 15 08:11:41.867281 2019] [mpm_prefork:notice] [pid 1473]
AH00169: caught SIGTERM, shutting down

EnablingPHPerrorloggingEnablingPHPerrorlogging
PHP application error logging is not enabled by default. Enabeling in a
Debian-based Linux PHP installation for apache looks like this:
The le location: /etc/php/<version>/<parser type>/php.ini.
...
; Besides displaying errors, PHP can also log errors to locations such as a
; server-specific log, STDERR, or a location specified by the error_log
; directive found below. While errors should not be displayed on productions
; servers they should still be monitored and logging is a great way to do that.
; Default Value: Off
; Development Value: On
; Production Value: On
; http://php.net/log-errors
log_errors = On
...

MonitoringtoolsMonitoringtools
Include:
Framework tools
Third party library (https://packagist.org)
Third party service

PHPversionend-of-lifePHPversionend-of-life

PHPversionend-of-lifePHPversionend-of-life
PHP servers must be kept up to date, and a formal process established
to a ect that update.
Version end of life means that support for:
Bug xes will cease
Security xes will cease
System optimizations will cease
System monitoring might be impacted and fail to function correctly, if
at all.
Being proactive with version updates will help prevent problems!

RecapRecap

RecapRecap
Let's recap:
Attack severities and their technical and business impacts.
A limited set of injection and attack types.
Logging importance and some monitoring information.
The risks of PHP version end of life.

Whatelse?Whatelse?
Oh, and, we never mentioned:
Cross site request forgery
Remote code injection
Command injection
Man-in-the-middle attacks
How to target log for severities
And more...

What'snext?What'snext?

StaytunedStaytuned
Additional resources:
PHP Security, support and migration: zend.com/phpsecurity
Training, PHP security and more: zend.com/en/services/training
Don't forget to join this webinar where we’ll dive a little deeper into the
PHP security best practices with code xes!
April25th:PHPsecuritybestpracticescontinuesApril25th:PHPsecuritybestpracticescontinues

Q&AQ&A

Thankyou!Thankyou!
Contact Ryan: ryan.krszjzaniek@roguewave.com
Contact Daryl: daryl.wood@roguewave.com
Follow me on Twitter: @datashuttle

Web security best practices for PHP

Recommended

Recommended

More Related Content

More from Zend by Rogue Wave Software

More from Zend by Rogue Wave Software (20)

Recently uploaded

Recently uploaded (20)

Web security best practices for PHP