Part 1 of a two-part webinar series discussing the best practices every development team should follow to ensure the security of their web applications.
You'll learn a few best practices to help ward off incessant attacks on your web application, including:
The different attack types
What role log monitoring plays
What injection is and where it comes from
Understanding the importance of developing a severity matrix
How PHP version end-of-life impacts web security
© 2019 Rogue Wave Software, Inc. All rights reserved
Webinar series: PHP security best practices
Part 1: Web security best practices for PHP
PHP security best practices
by Daryl Wood
Senior Technical Trainer
Webinar, March 25, 2019
Rogue Wave Software, Inc.
PHP application security
Best practice fundamentals
Security attack types
Log monitoring
Attack injection
Attack severities and impacts
PHP version end of life
Attack severities and impacts
Attack severities
Attack impacts
Impacts of injection success include:
Data loss, corruption, access denial, or complete host takeover
Lack of accountability
Bad public relations
Litigation expense
Web site front-facing impacts
Account(s) compromise
Injection and attack types (limited)
Some of the most common attacks or vulnerabilities include:
Cross-site scripting (XSS)
SQL injection
Broken session management
Brute force
Injection
Injection is an attempt to insert something nefarious into an
application. It can:
Allow malicious code to pass through
Include system calls
Include whole scripts
Cause an interpreter to execute unauthorized code
Cross-site scripting (XSS)
An injection of script code, typically JavaScript, into an application from
an outside client.
This vulnerability occurs when input data is used without proper
filtering, validation, and escaping.
Two types of XSS (can occur on a server or client):
Stored
Reflected
Cross-site scripting (XSS)
A stored vulnerable example
$_POST['username'] = 'pablo';
$_POST['comment'] = '<script>alert("document.cookie")</script>';
if($_POST) {
    $result = null;
    try {
        $pdo = new PDO('mysql:unix_socket=/var/run/mysqld/mysqld.sock;dbname=blog',
            'vagrant', 'vagrant');
        // Request values are interpolated straight into the SQL and stored unescaped
        $pdo->exec("INSERT INTO blog (username, comment) VALUES ('{$_POST['username']}',
            '{$_POST['comment']}')");
        // Then subsequently
        $stmt = $pdo->query("SELECT * FROM blog WHERE username='{$_POST['username']}'");
        $result = $stmt ? $stmt->fetch(PDO::FETCH_ASSOC) : null;
    } catch (Throwable $e){
        // Handle ...
    }
    if($result){
        // The stored comment is echoed without escaping, so the script runs in every viewer's browser
        echo $result['comment'];
    }
}
SQL injection
SQL injection defines an attempt to inject some amount of SQL, or any
database interface language, in input data from a client.
It attempts to execute unauthorized database actions on a database
server.
SQL injection
A vulnerable code example
if ($_GET && isset($_GET['Submit'])) {
    //Employ ACL to determine access
    $result = null;
    try {
        $pdo = new PDO('mysql:unix_socket=/var/run/mysqld/mysqld.sock;dbname=blog',
            'vagrant', 'vagrant');
        // The id parameter is interpolated straight into the SQL string
        $stmt = $pdo->query("SELECT first_name, last_name FROM blog
            WHERE user_id = '{$_GET['id']}'");
        $result = $stmt ? $stmt->fetch(PDO::FETCH_ASSOC) : null;
    } catch (PDOException $e) {
        // Handle ...
    }
}
But, what if the id parameter looks like this:
;update blog set username = attacker where user_id = 1;
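The two vulnerable slides above (the stored comment that is echoed unescaped, and the user lookup that interpolates the id parameter) share one fix: every query goes through a prepared statement so request data stays data, and every value is escaped for HTML at the moment it is output. The following is an added example written for this page, not code from the webinar deck; it assumes the same blog database and credentials as the slides, a PHP 7.1+ runtime, and that the connection is created with exceptions enabled.

```php
<?php
// Added example (not from the webinar deck): the stored-comment flow and the
// user lookup from the two vulnerable slides, rewritten with prepared
// statements for every query and output escaping before anything reaches HTML.
// Assumption: same 'blog' database, socket and credentials as on the slides.

declare(strict_types=1);

function connectBlog(): PDO
{
    // Native prepared statements, exceptions on every error, associative rows.
    return new PDO(
        'mysql:unix_socket=/var/run/mysqld/mysqld.sock;dbname=blog;charset=utf8mb4',
        'vagrant',
        'vagrant',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Escape for an HTML text or attribute context. Applied at output time, not at
// storage time, so the database keeps the original text and every view escapes it.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Store a comment: the placeholders keep the comment text out of the SQL grammar.
function storeComment(PDO $pdo, string $username, string $comment): void
{
    $stmt = $pdo->prepare('INSERT INTO blog (username, comment) VALUES (:username, :comment)');
    $stmt->execute([':username' => $username, ':comment' => $comment]);
}

// Render one user's comments. The <script> payload from the slide is stored
// unchanged but rendered as inert text because the value is escaped on output.
function renderComments(PDO $pdo, string $username): string
{
    $stmt = $pdo->prepare('SELECT comment FROM blog WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $html = '';
    foreach ($stmt as $row) {
        $html .= '<p>' . e($row['comment']) . "</p>\n";
    }
    return $html;
}

// Look up a user by id. Validating the id as a positive integer rejects the
// ";update blog set username = ..." string before it reaches the database, and
// the typed placeholder would keep it as data even if validation were skipped.
function findUserById(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT first_name, last_name FROM blog WHERE user_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Usage with the values from the slides:
//   $pdo = connectBlog();
//   storeComment($pdo, 'pablo', '<script>alert("document.cookie")</script>');
//   echo renderComments($pdo, 'pablo');          // the tag is shown as text, not executed
//   var_dump(findUserById($pdo, ';update blog set username = attacker where user_id = 1;'));
```

Two design choices are worth noting: PDO::ATTR_EMULATE_PREPARES is turned off so the MySQL server, not the PHP driver, separates the statement from its parameters, and escaping lives in a single e() helper called in the view rather than being applied when data is stored, which is what lets the same comment be safely reused in a JSON API or e-mail with a different encoder.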
Broken session management
Broken session management can allow unauthorized attackers access
to privileged account data. When this happens:
Account(s) are compromised
Can allow further exploitation
Broken session management
A vulnerable code example
class LoginController {
    // ...
    public function logoutAction() {
        // Only the template changes: the session is never destroyed, its cookie is
        // never expired and its id is never regenerated, so it stays valid after "logout"
        $this->view->setTemplate('login');
        $this->view->render();
    }
    // ...
}
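The logoutAction above never touches the session, so a copied session cookie keeps working after the user believes they have logged out. The following is an added example written for this page, not the deck's code: a login that regenerates the session id after authentication (so a session id planted before login is worthless) and a logout that clears, expires and destroys the session. It assumes PHP 7.3 or later for the array form of session_set_cookie_params() and setcookie(), and a hypothetical verifyCredentials callback supplied by the application.

```php
<?php
// Added example (not from the webinar deck): session handling for login and
// logout. Assumes PHP >= 7.3 and a caller-supplied credential check.

declare(strict_types=1);

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie flags: unreadable from JavaScript, HTTPS only, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');   // refuse ids the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
    session_start();
}

class LoginController
{
    // $verifyCredentials is hypothetical: fn(string $user, string $pass): bool
    public function loginAction(string $username, string $password, callable $verifyCredentials): bool
    {
        startSecureSession();
        if (!$verifyCredentials($username, $password)) {
            return false;
        }
        // A fresh id after authentication defeats session fixation; the old
        // session file is deleted rather than left behind.
        session_regenerate_id(true);
        $_SESSION['user']     = $username;
        $_SESSION['login_at'] = time();
        return true;
    }

    // Invalidate the session on the server and expire the cookie in the browser,
    // then render the login template as the original did.
    public function logoutAction(): void
    {
        startSecureSession();
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', [
                'expires'  => time() - 42000,
                'path'     => $p['path'],
                'domain'   => $p['domain'],
                'secure'   => $p['secure'],
                'httponly' => $p['httponly'],
                'samesite' => $p['samesite'],
            ]);
        }
        session_destroy();
        // $this->view->setTemplate('login'); $this->view->render();
    }
}
```

session.use_strict_mode is the setting most often missed: without it PHP will happily create a session under whatever id the client presents, which is exactly what a fixation attempt relies on.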
Brute force
A brute force attack is an attempt to break authentication.
The brute force attacker tries every character/special
character/symbol/number mutation possible until successful.
Robotic
Attempts to identify authentication mechanism
Good at covering tracks
Success is not a matter of if, but when.
Extremely dangerous on success
Brute force
A vulnerable code example
if($_POST && isset( $_POST['Login'] ) ) {
    $username = $_POST['username'];
    $password = md5($_POST['password']);   // unsalted, fast hash
    $result = null;
    try{
        // Values are interpolated straight into the SQL; nothing counts or slows failed attempts
        $stmt = $this->getPdo()->query("SELECT * FROM users
            WHERE username='$username' AND password='$password'");
        $result = $stmt ? $stmt->fetch(PDO::FETCH_ASSOC) : null;
    }catch(PDOException $e){
        // Handle ...
    }
    if( $result && count($result) ) {
        // Login Successful
        echo "<p>Welcome to the password protected area " . $username . "</p>";
    } else {
        //Login failed
        echo "<pre><br>Username and/or password incorrect.</pre>";
    }
}
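Nothing in the login above makes the "when" any later: md5 is fast and unsalted, the query is built by string interpolation, and a thousand wrong passwords cost the attacker nothing. The following is an added example written for this page, not the deck's code. It uses password_hash()/password_verify(), a prepared statement, a per-account failed-attempt counter with a temporary lockout, and writes one error_log() line per failure so the log monitoring section has something to watch. The users table columns password_hash, failed_attempts and locked_until are a hypothetical schema assumed for the example.

```php
<?php
// Added example (not from the webinar deck): a login resistant to password
// guessing. Assumed schema: users(username, password_hash, failed_attempts,
// locked_until DATETIME NULL). $pdo is expected to throw on errors.

declare(strict_types=1);

const MAX_FAILED_ATTEMPTS = 5;
const LOCKOUT_SECONDS     = 15 * 60;

function registerUser(PDO $pdo, string $username, string $password): void
{
    // bcrypt with a random per-user salt; md5 is unsalted and far too fast for passwords.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash, failed_attempts, locked_until)
         VALUES (:u, :h, 0, NULL)'
    );
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Returns 'ok', 'locked' or 'invalid'. Unknown users get the same answer and
// roughly the same amount of work as a wrong password, so neither the response
// nor its timing reveals which usernames exist.
function attemptLogin(PDO $pdo, string $username, string $password): string
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare(
        'SELECT password_hash, failed_attempts, locked_until FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false) {
        password_verify($password, $dummyHash);   // burn a verification anyway
        logFailure($username, 0);
        return 'invalid';
    }
    if ($user['locked_until'] !== null && strtotime($user['locked_until']) > time()) {
        logFailure($username, (int) $user['failed_attempts']);
        return 'locked';
    }
    if (!password_verify($password, $user['password_hash'])) {
        $failed      = (int) $user['failed_attempts'] + 1;
        $lockedUntil = $failed >= MAX_FAILED_ATTEMPTS
            ? date('Y-m-d H:i:s', time() + LOCKOUT_SECONDS)
            : null;
        $upd = $pdo->prepare(
            'UPDATE users SET failed_attempts = :f, locked_until = :l WHERE username = :u'
        );
        $upd->execute([':f' => $failed, ':l' => $lockedUntil, ':u' => $username]);
        logFailure($username, $failed);
        return $lockedUntil === null ? 'invalid' : 'locked';
    }

    // Correct password: clear the counter and give the session a fresh id.
    $pdo->prepare('UPDATE users SET failed_attempts = 0, locked_until = NULL WHERE username = :u')
        ->execute([':u' => $username]);
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    return 'ok';
}

// One line per failure in the PHP error log (syslog by default once log_errors
// is on), with the username reduced to a safe character set so a crafted
// username cannot forge extra log lines.
function logFailure(string $username, int $failedCount): void
{
    $safeUser = preg_replace('/[^\w.@-]/', '_', $username);
    error_log(sprintf(
        'login failure user=%s failed_attempts=%d ip=%s',
        $safeUser,
        $failedCount,
        $_SERVER['REMOTE_ADDR'] ?? 'cli'
    ));
}

// Usage:
//   registerUser($pdo, 'pablo', 'correct horse battery staple');
//   $state = attemptLogin($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
//   echo $state === 'ok' ? 'Welcome' : 'Username and/or password incorrect.';
```

The lockout is per account rather than per source address because distributed guessing spreads across many addresses; a per-address rate limit at the web server or a proxy is the usual complement, and the error_log lines are what such a limit would be tuned from.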
Log monitoring
Log monitoring
Log monitoring is all about keeping an eye on what's being attacked,
from where, and sometimes by whom.
This section includes:
Log location
Enabling
Monitoring tools
Log location
Where are the logs? This is dependent on your server's OS. Here are
locations for a Debian-based Linux server using the Apache web server:
Syslog: /var/log/syslog
Apache access: /var/log/apache2/access.log
Apache error: /var/log/apache2/error.log
PHP error: when enabled, the syslog by default.
Log monitoring
Log entry examples
A cut from a Debian-based Linux syslog:
Mar 15 09:58:40 linux systemd[1]: Timed out waiting for device
dev-disk-byx2did-usbx2dWDC_WD10_02FAEXx2d00Z3A0_152D00539000x2d0:0x2dpart1.device.
A cut from an Apache access log:
127.0.0.1 - - [14/Mar/2019:08:10:14 -0700] "GET / HTTP/1.1" 200 1330 "-"
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"
A cut from an Apache error log:
[Fri Mar 15 08:11:41.867281 2019] [mpm_prefork:notice] [pid 1473]
AH00169: caught SIGTERM, shutting down
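Reading a log cut by eye tells you what one request did; monitoring means turning the stream of lines into a signal. The following is an added example written for this page, not a tool from the deck: it parses Apache access log lines in the combined format shown above, groups 401/403/404 responses by client address, and flags any address that produces more than a threshold of them inside a sliding window. The log lines in $sample are constructed for the example (203.0.113.0/24 is a documentation address range), and the thresholds are assumptions to be tuned against your own traffic.

```php
<?php
// Added example (not from the webinar deck): a small monitor over Apache access
// log lines. Flags client addresses whose error responses exceed MAX_ERRORS
// within WINDOW_SECONDS, a crude indicator of credential guessing or path
// scanning. Sample lines below are constructed for this example.

declare(strict_types=1);

const WINDOW_SECONDS = 60;
const MAX_ERRORS     = 5;
const ERROR_STATUSES = [401, 403, 404];

// Combined format: ip ident user [time] "request" status bytes "referer" "agent"
const ACCESS_LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)/';

function parseAccessLine(string $line): ?array
{
    if (!preg_match(ACCESS_LINE_RE, $line, $m)) {
        return null;   // not a combined-format line; skip rather than guess
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $ts->getTimestamp(),
        'request' => $m[3],
        'status'  => (int) $m[4],
    ];
}

// Returns [ip => peak error count] for every address that exceeds MAX_ERRORS
// error responses within any WINDOW_SECONDS span. Lines are assumed to be in
// time order, which is how the web server writes them.
function findNoisyClients(array $lines): array
{
    $recent  = [];   // ip => timestamps of error responses still inside the window
    $flagged = [];
    foreach ($lines as $line) {
        $entry = parseAccessLine($line);
        if ($entry === null || !in_array($entry['status'], ERROR_STATUSES, true)) {
            continue;
        }
        $ip  = $entry['ip'];
        $now = $entry['time'];
        $recent[$ip][] = $now;
        // Drop timestamps that have fallen out of the window.
        $recent[$ip] = array_values(array_filter(
            $recent[$ip],
            function (int $t) use ($now): bool { return $t > $now - WINDOW_SECONDS; }
        ));
        $count = count($recent[$ip]);
        if ($count > MAX_ERRORS) {
            $flagged[$ip] = max($flagged[$ip] ?? 0, $count);
        }
    }
    return $flagged;
}

// Constructed sample: one normal request, a burst of failed logins from one
// address, and a single 404 from another address that stays under the threshold.
$sample = [
    '127.0.0.1 - - [14/Mar/2019:08:10:14 -0700] "GET / HTTP/1.1" 200 1330 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Mar/2019:08:10:20 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.64.0"',
    '203.0.113.5 - - [14/Mar/2019:08:10:22 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.64.0"',
    '198.51.100.7 - - [14/Mar/2019:08:10:23 -0700] "GET /old-page HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Mar/2019:08:10:25 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.64.0"',
    '203.0.113.5 - - [14/Mar/2019:08:10:28 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.64.0"',
    '203.0.113.5 - - [14/Mar/2019:08:10:31 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.64.0"',
    '203.0.113.5 - - [14/Mar/2019:08:10:35 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.64.0"',
    '203.0.113.5 - - [14/Mar/2019:08:10:40 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.64.0"',
];

foreach (findNoisyClients($sample) as $ip => $peak) {
    printf("ALERT %s: %d error responses within %d seconds\n", $ip, $peak, WINDOW_SECONDS);
}
```

To run it against a live file, replace $sample with file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES) or feed lines from a tail process; the same sliding-window logic applies, and the error_log() lines from a hardened login can be watched the same way for repeated failures against one account.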
Enabling PHP error logging
PHP application error logging is not enabled by default. Enabling it in a
Debian-based Linux PHP installation for Apache looks like this:
The file location: /etc/php/<version>/<parser type>/php.ini.
...
; Besides displaying errors, PHP can also log errors to locations such as a
; server-specific log, STDERR, or a location specified by the error_log
; directive found below. While errors should not be displayed on productions
; servers they should still be monitored and logging is a great way to do that.
; Default Value: Off
; Development Value: On
; Production Value: On
; http://php.net/log-errors
log_errors = On
...
Monitoring tools
Include:
Framework tools
Third party library (https://packagist.org)
Third party service
PHP version end-of-life
PHP version end-of-life
PHP servers must be kept up to date, and a formal process established
to affect that update.
Version end of life means that support for:
Bug fixes will cease
Security fixes will cease
System optimizations will cease
System monitoring might be impacted and fail to function correctly, if
at all.
Being proactive with version updates will help prevent problems!
Recap
Recap
Let's recap:
Attack severities and their technical and business impacts.
A limited set of injection and attack types.
Logging importance and some monitoring information.
The risks of PHP version end of life.
What else?
Oh, and, we never mentioned:
Cross site request forgery
Remote code injection
Command injection
Man-in-the-middle attacks
How to target logging at severities
And more...
What's next?
Stay tuned
Additional resources:
PHP Security, support and migration: zend.com/phpsecurity
Training, PHP security and more: zend.com/en/services/training
Don't forget to join this webinar where we'll dive a little deeper into the
PHP security best practices with code fixes!
April 25th: PHP security best practices continues
Q&A
Thank you!
Contact Ryan: ryan.krszjzaniek@roguewave.com
Contact Daryl: daryl.wood@roguewave.com
Follow me on Twitter: @datashuttle