Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Dip Your Toes in the Sea of Security

236 views

Published on

Security is an enormous topic, and it’s really, really complicated. If you’re not careful, you’ll find yourself vulnerable to any number of attacks which you definitely don’t want to be on the receiving end of. This talk will give you just a taster of the vast array of things there is to know about security in modern web applications, such as writing secure PHP web applications and securing a Linux server. Whether you are writing anything beyond a basic brochure website, or even developing a complicated business web application, this talk will give you insights to some of the things you need to be aware of.

Published in: Software
  • Be the first to comment

  • Be the first to like this

Dip Your Toes in the Sea of Security

  1. 1. @asgrim Dip Your Toes in the Sea of Security James Titcumb PHP Benelux 2017
  2. 2. James Titcumb www.jamestitcumb.com www.roave.com www.phphants.co.uk www.phpsouthcoast.co.uk Who is this guy?
  3. 3. @asgrim
  4. 4. @asgrim Some simple code... <?php $a = (int)filter_var($_GET['a'], FILTER_SANITIZE_NUMBER_INT); $b = (int)filter_var($_GET['b'], FILTER_SANITIZE_NUMBER_INT); $result = $a + $b; printf('The answer is %d', $result);
  5. 5. @asgrim
  6. 6. @asgrim The Golden Rules
  7. 7. @asgrim The Golden Rules (my made up golden rules)
  8. 8. @asgrim 1. Keep it simple
  9. 9. @asgrim 2. Know the risks
  10. 10. @asgrim 3. Fail securely
  11. 11. @asgrim 4. Don’t reinvent the wheel
  12. 12. @asgrim 5. Never trust anything
  13. 13. @asgrim OWASP & the OWASP Top 10 https://www.owasp.org/
  14. 14. @asgrim Application Security (mainly PHP applications)
  15. 15. @asgrim Always remember… Filter Input Escape Output
  16. 16. @asgrim © 2003 Disney/Pixar. All Rights Reserved. SQL Injection (#1)
  17. 17. @asgrim SQL Injection (#1) http://xkcd.com/327/
  18. 18. @asgrim SQL Injection (#1)
  19. 19. @asgrim SQL Injection (#1) <?php // user_id=1; DROP TABLE users; -- $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = {$user_id}"; $db->execute($sql); ✘
  20. 20. @asgrim SQL Injection (#1) <?php $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = :userid"; $stmt = $db->prepare($sql); $stmt->bind('userid', $user_id); $stmt->execute(); ✓
  21. 21. @asgrim © 2003 Disney/Pixar. All Rights Reserved.
  22. 22. @asgrim exec($_GET) https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code
  23. 23. @asgrim eval() https://github.com/search?q=eval%28%24_GET&type=Code&ref=searchresults
  24. 24. @asgrim Cross-Site Scripting / XSS (#3) © 2003 Disney/Pixar. All Rights Reserved.
  25. 25. @asgrim Cross-Site Scripting / XSS (#3) <?php $unfilteredInput = '<script type="text/javascript">...</script>'; // Unescaped - JS will run :'( echo $unfilteredInput; // Escaped - JS will not run :) echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
  26. 26. @asgrim Cross-Site Request Forgery / CSRF (#8) http://www.factzoo.com/invertebrates/cuttlefish-chameleon-of-the-sea.html
  27. 27. @asgrim Cross-Site Request Forgery / CSRF (#8) <?php if (!$isPost) { $csrfToken = base64_encode(random_bytes(32))); $_SESSION['csrf_token'] = $csrfToken; // ... output the form ... echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />'; } else if ($isPost) { if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) { die("Token invalid..."); } // ... handle the form ... }
  28. 28. @asgrim <?php if (!$isPost) { $csrfToken = base64_encode(random_bytes(32))); $_SESSION['csrf_token'] = $csrfToken; // ... output the form ... echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />'; } else if ($isPost) { if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) { die("Token invalid..."); } // ... handle the form ... } Cross-Site Request Forgery / CSRF (#8)
  29. 29. @asgrim Cross-Site Request Forgery / CSRF (#8) <?php if (!$isPost) { $csrfToken = base64_encode(random_bytes(32))); $_SESSION['csrf_token'] = $csrfToken; // ... output the form ... echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />'; } else if ($isPost) { if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) { die("Token invalid..."); } // ... handle the form ... }
  30. 30. @asgrim Timing attacks // From zend_is_identical: return (Z_STR_P(op1) == Z_STR_P(op2) || (Z_STRLEN_P(op1) == Z_STRLEN_P(op2) && memcmp(Z_STRVAL_P(op1), Z_STRVAL_P(op2), Z_STRLEN_P(op1)) == 0));
  31. 31. @asgrim Timing attacks Actual string: “foobar” ● a (0.00001) ● aa (0.00001) ● aaa (0.00001) ● aaaa (0.00001) ● aaaaa (0.00001) ● aaaaaa (0.00002) ← success! ● aaaaaaa (0.00001) ● aaaaaaaa (0.00001) ● aaaaaaaaa (0.00001)
  32. 32. @asgrim Timing attacks 1 int memcmp(const void* s1, const void* s2,size_t n) 2 { 3 const unsigned char *p1 = s1, *p2 = s2; 4 while(n--) 5 if( *p1 != *p2 ) 6 return *p1 - *p2; 7 else 8 p1++,p2++; 9 return 0; 10 } http://clc-wiki.net/wiki/C_standard_library:string.h:memcmp#Implementation
  33. 33. @asgrim Timing attacks Actual string: “foobar” ● “aaaaaa” (0.00001) ● “baaaaa” (0.00001) ● … ● “faaaaa” (0.00002) ← success! ● “fbaaaa” (0.00002) ● “fcaaaa” (0.00002) ● … ● “foaaaa” (0.00003) ← success!
  34. 34. @asgrim Sensitive Data Exposure (#6) © 2003 Disney/Pixar. All Rights Reserved.
  35. 35. @asgrim Sensitive Data Exposure (#6)
  36. 36. @asgrim © 2003 Disney/Pixar. All Rights Reserved.
  37. 37. @asgrim curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); ✘
  38. 38. @asgrim curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate"); ✓
  39. 39. @asgrim © 2003 Disney/Pixar. All Rights Reserved.
  40. 40. @asgrim Third Party Code
  41. 41. @asgrim Third Party Code !!! WARNING !!!
  42. 42. @asgrim Third Party Code github.com/ /SecurityAdvisories !!! WARNING !!!
  43. 43. @asgrim Dependencies Disappearing
  44. 44. @asgrim
  45. 45. @asgrim We are not all security experts!
  46. 46. @asgrim We are not all security experts! … but we CAN write secure code
  47. 47. @asgrim Hack your own system! © 2003 Disney/Pixar. All Rights Reserved.
  48. 48. @asgrim What do you want? Think like a hacker
  49. 49. @asgrim How do you get it? Think Differently
  50. 50. @asgrim Threat Modelling D.R.E.A.D. © Buena Vista Pictures
  51. 51. @asgrim Threat Modelling Damage R E A D © Buena Vista Pictures
  52. 52. @asgrim Threat Modelling Damage Reproducibility E A D © Buena Vista Pictures
  53. 53. @asgrim Threat Modelling Damage Reproducibility Exploitability A D © Buena Vista Pictures
  54. 54. @asgrim Threat Modelling Damage Reproducibility Exploitability Affected users D © Buena Vista Pictures
  55. 55. @asgrim Threat Modelling Damage Reproducibility Exploitability Affected users Discoverability © Buena Vista Pictures
  56. 56. @asgrim Rank them in order And fix them! © Buena Vista Pictures
  57. 57. @asgrim Authentication & Authorization
  58. 58. @asgrim Authentication Verifying Identity
  59. 59. @asgrim Case Study: Custom Authentication We thought about doing this…
  60. 60. @asgrim Case Study: Custom Authentication We thought about doing this…
  61. 61. @asgrim Case Study: Custom Authentication We thought about doing this… ✘
  62. 62. @asgrim Password Hashing password_hash()
  63. 63. @asgrim Two Factor Authentication
  64. 64. @asgrim
  65. 65. @asgrim Authorization Verifying Access
  66. 66. @asgrim CRYPTOGRAPHY IS HARD
  67. 67. @asgrim
  68. 68. @asgrim CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN”
  69. 69. @asgrim CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN” EVER!!!
  70. 70. @asgrim How to encrypt then?
  71. 71. @asgrim I’ve got some great ideas for encryption... Image: IBTimes (http://goo.gl/zPVeo0)
  72. 72. @asgrim How to encrypt then? libsodium PECL package
  73. 73. @asgrim Linux Server Security
  74. 74. @asgrim Create an SSH Fortress
  75. 75. @asgrim Firewalls
  76. 76. @asgrim iptables #!/bin/bash IPT="/sbin/iptables" $IPT --flush $IPT --delete-chain $IPT -P INPUT DROP $IPT -P FORWARD DROP $IPT -P OUTPUT DROP # Loopback $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT # Inbound traffic $IPT -A INPUT -p tcp --dport ssh -j ACCEPT $IPT -A INPUT -p tcp --dport 80 -j ACCEPT $IPT -A INPUT -p tcp --dport 443 -j ACCEPT # Outbound traffic $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT $IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
  77. 77. @asgrim iptables https://twitter.com/sadserver/status/615988393198026752
  78. 78. @asgrim ufw sudo ufw enable sudo ufw allow 22 sudo ufw allow 80
  79. 79. @asgrim Mitigate Brute Force Attacks
  80. 80. @asgrim Install Only What You Need
  81. 81. @asgrim © 2003 Disney/Pixar. All Rights Reserved.
  82. 82. @asgrim +
  83. 83. @asgrim Case Study: Be Minimal Internets Postfix Squid Proxy (badly configured) hacker spam
  84. 84. @asgrim Resources ● http://securingphp.com/ ● https://www.owasp.org/ ● http://blog.ircmaxell.com/ ● https://github.com/paragonie/random_compat ● https://github.com/ircmaxell/password_compat ● https://paragonie.com/blog ● https://websec.io/resources.php ● https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04 ● https://www.kali.org/
  85. 85. @asgrim The Golden Rules 1. Keep it simple 2. Know the risks 3. Fail securely 4. Don’t reinvent the wheel 5. Never trust anything / anyone
  86. 86. @asgrim If you follow all this, you get...
  87. 87. @asgrim If you follow all this, you get...
  88. 88. Any questions? :) https://joind.in/talk/3d299 James Titcumb

×