Advertisement
Check these out next
Dip Your Toes in the Sea of Security (DPC 2015)
Jun. 26, 2015•0 likes•584 views
0 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Technology
Security is an enormous topic, and it’s really, really complicated. If you’re not careful, you’ll find yourself vulnerable to any number of attacks which you definitely don’t want to be on the receiving end of. This talk will give you just a taster of the vast array of things there is to know about security in modern web applications, such as writing secure PHP web applications and securing a Linux server. Whether you are writing anything beyond a basic brochure website, or even developing a complicated business web application, this talk will give you insights to some of the things you need to be aware of.
James TitcumbFollow
Freelance at Roave, LLCAdvertisement
Advertisement
Advertisement
Recommended
Dip Your Toes in the Sea of Security (PHP Cambridge)James Titcumb
Dip Your Toes in the Sea of Security (PHP UK 2016)James Titcumb
Dip Your Toes in the Sea of Security (PHP Berkshire Nov 2015)James Titcumb
Dip Your Toes in the Sea of Security (PHP MiNDS January Meetup 2016)James Titcumb
Dip Your Toes in the Sea of Security (PHP Dorset, 2nd June 2014)James Titcumb
Rsa OverviewKevin Chen
Dip Your Toes in the Sea of Security (DPC 2015)
- Dip Your Toes in the Sea of Security James Titcumb Dutch PHP Conference 2015
- James Titcumb www.jamestitcumb.com www.roave.com www.phphants.co.uk www.phpsouthcoast.co.uk @asgrim Who is this guy?
- Some simple code... <?php $a = (int)filter_var($_GET['a'], FILTER_SANITIZE_NUMBER_INT); $b = (int)filter_var($_GET['b'], FILTER_SANITIZE_NUMBER_INT); $result = $a + $b; printf('The answer is %d', $result);
- The Golden Rules
- The Golden Rules (my made up golden rules)
- 1. Keep it simple
- 2. Know the risks
- 3. Fail securely
- 4. Don’t reinvent the wheel
- 5. Never trust anything
- OWASP & the OWASP Top 10 https://www.owasp.org/
- Application Security (mainly PHP applications)
- Always remember… Filter Input Escape Output
- SQL Injection (#1) http://xkcd.com/327/
- SQL Injection (#1) 1. Use PDO / mysqli 2. Use prepared / parameterized statements
- SQL Injection (#1) <?php // user_id=1; DROP TABLE users; -- $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = {$user_id}"; $db->execute($sql); ✘
- SQL Injection (#1) <?php $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = :userid"; $stmt = $db->prepare($sql); $stmt->bind('userid', $user_id); $stmt->execute(); ✓
- exec($_GET) https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code
- eval() https://github.com/search?q=eval%28%24_GET&type=Code&ref=searchresults
- Cross-Site Scripting / XSS (#3)
- Cross-Site Scripting / XSS (#3) ● Escape output <?php $unfilteredInput = '<script type="text/javascript">...</script>'; // Unescaped - JS will run :'( echo $unfilteredInput; // Escaped - JS will not run :) echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
- Cross-Site Request Forgery / CSRF (#8)
- <?php if (!$isPost) { $csrfToken = hash("sha512",mt_rand(0,mt_getrandmax())); $_SESSION['csrf_token'] = $csrfToken; // ... output the form ... echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />'; } else if ($isPost) { if ($_SESSION['csrf_token'] != $_POST['csrf_token']) { die("Token invalid..."); } // ... handle the form ... } Cross-Site Request Forgery / CSRF (#8)
- Errors, Exceptions & Logging (#6)
- curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); ✘
- curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate"); ✓
- WordPress Plugins
- WordPress Plugins Urgh.
- We are not security experts!
- We are not security experts! … but we CAN write secure code
- Be the threat Think Differently
- What do you want? Think Differently
- How do you get it? Think Differently
- Threat Modelling D.R.E.A.D.
- Authentication & Authorization
- Authentication Verifying Identity
- CRYPTOGRAPHY IS HARD
- CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN”
- CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN” EVER!!!
- Case Study: Custom Authentication We thought about doing this…
- Case Study: Custom Authentication We thought about doing this…
- Case Study: Custom Authentication We thought about doing this… ✘
- Password Hashing password_hash()
- Authorization Verifying Access
- Linux Server Security
- Create an SSH Fortress
- Firewalls
- IPTABLES #!/bin/bash IPT="/sbin/iptables" $IPT --flush $IPT --delete-chain $IPT -P INPUT DROP $IPT -P FORWARD DROP $IPT -P OUTPUT DROP # Loopback $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT # Inbound traffic $IPT -A INPUT -p tcp --dport ssh -j ACCEPT $IPT -A INPUT -p tcp --dport 80 -j ACCEPT # Outbound traffic $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
- Mitigate Brute Force Attacks
- Install Only What You Need
- Case Study: Be Minimal Internets Postfix Squid Proxy (badly configured) hacker spam
- Resources ● http://securingphp.com/ ● https://www.owasp.org/ ● http://blog.ircmaxell.com/
- The Golden Rules 1. Keep it simple 2. Know the risks 3. Fail securely 4. Don’t reinvent the wheel 5. Never trust anything / anyone
- If you follow all this, you get...
- If you follow all this, you get...
- Any questions? :) https://joind.in/14227 James Titcumb @asgrim
Advertisement