Successfully reported this slideshow.

Dip Your Toes in the Sea of Security (DPC 2015)

0

Share

Loading in …3
×
1 of 56
1 of 56

Dip Your Toes in the Sea of Security (DPC 2015)

0

Share

Download to read offline

Security is an enormous topic, and it’s really, really complicated. If you’re not careful, you’ll find yourself vulnerable to any number of attacks which you definitely don’t want to be on the receiving end of. This talk will give you just a taster of the vast array of things there is to know about security in modern web applications, such as writing secure PHP web applications and securing a Linux server. Whether you are writing anything beyond a basic brochure website, or even developing a complicated business web application, this talk will give you insights to some of the things you need to be aware of.

Security is an enormous topic, and it’s really, really complicated. If you’re not careful, you’ll find yourself vulnerable to any number of attacks which you definitely don’t want to be on the receiving end of. This talk will give you just a taster of the vast array of things there is to know about security in modern web applications, such as writing secure PHP web applications and securing a Linux server. Whether you are writing anything beyond a basic brochure website, or even developing a complicated business web application, this talk will give you insights to some of the things you need to be aware of.

More Related Content

More from James Titcumb

Related Books

Free with a 14 day trial from Scribd

See all

Dip Your Toes in the Sea of Security (DPC 2015)

  1. 1. Dip Your Toes in the Sea of Security James Titcumb Dutch PHP Conference 2015
  2. 2. James Titcumb www.jamestitcumb.com www.roave.com www.phphants.co.uk www.phpsouthcoast.co.uk @asgrim Who is this guy?
  3. 3. Some simple code... <?php $a = (int)filter_var($_GET['a'], FILTER_SANITIZE_NUMBER_INT); $b = (int)filter_var($_GET['b'], FILTER_SANITIZE_NUMBER_INT); $result = $a + $b; printf('The answer is %d', $result);
  4. 4. The Golden Rules
  5. 5. The Golden Rules (my made up golden rules)
  6. 6. 1. Keep it simple
  7. 7. 2. Know the risks
  8. 8. 3. Fail securely
  9. 9. 4. Don’t reinvent the wheel
  10. 10. 5. Never trust anything
  11. 11. OWASP & the OWASP Top 10 https://www.owasp.org/
  12. 12. Application Security (mainly PHP applications)
  13. 13. Always remember… Filter Input Escape Output
  14. 14. SQL Injection (#1) http://xkcd.com/327/
  15. 15. SQL Injection (#1) 1. Use PDO / mysqli 2. Use prepared / parameterized statements
  16. 16. SQL Injection (#1) <?php // user_id=1; DROP TABLE users; -- $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = {$user_id}"; $db->execute($sql); ✘
  17. 17. SQL Injection (#1) <?php $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = :userid"; $stmt = $db->prepare($sql); $stmt->bind('userid', $user_id); $stmt->execute(); ✓
  18. 18. exec($_GET) https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code
  19. 19. eval() https://github.com/search?q=eval%28%24_GET&type=Code&ref=searchresults
  20. 20. Cross-Site Scripting / XSS (#3)
  21. 21. Cross-Site Scripting / XSS (#3) ● Escape output <?php $unfilteredInput = '<script type="text/javascript">...</script>'; // Unescaped - JS will run :'( echo $unfilteredInput; // Escaped - JS will not run :) echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
  22. 22. Cross-Site Request Forgery / CSRF (#8)
  23. 23. <?php if (!$isPost) { $csrfToken = hash("sha512",mt_rand(0,mt_getrandmax())); $_SESSION['csrf_token'] = $csrfToken; // ... output the form ... echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />'; } else if ($isPost) { if ($_SESSION['csrf_token'] != $_POST['csrf_token']) { die("Token invalid..."); } // ... handle the form ... } Cross-Site Request Forgery / CSRF (#8)
  24. 24. Errors, Exceptions & Logging (#6)
  25. 25. curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); ✘
  26. 26. curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate"); ✓
  27. 27. WordPress Plugins
  28. 28. WordPress Plugins Urgh.
  29. 29. We are not security experts!
  30. 30. We are not security experts! … but we CAN write secure code
  31. 31. Be the threat Think Differently
  32. 32. What do you want? Think Differently
  33. 33. How do you get it? Think Differently
  34. 34. Threat Modelling D.R.E.A.D.
  35. 35. Authentication & Authorization
  36. 36. Authentication Verifying Identity
  37. 37. CRYPTOGRAPHY IS HARD
  38. 38. CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN”
  39. 39. CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN” EVER!!!
  40. 40. Case Study: Custom Authentication We thought about doing this…
  41. 41. Case Study: Custom Authentication We thought about doing this…
  42. 42. Case Study: Custom Authentication We thought about doing this… ✘
  43. 43. Password Hashing password_hash()
  44. 44. Authorization Verifying Access
  45. 45. Linux Server Security
  46. 46. Create an SSH Fortress
  47. 47. Firewalls
  48. 48. IPTABLES #!/bin/bash IPT="/sbin/iptables" $IPT --flush $IPT --delete-chain $IPT -P INPUT DROP $IPT -P FORWARD DROP $IPT -P OUTPUT DROP # Loopback $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT # Inbound traffic $IPT -A INPUT -p tcp --dport ssh -j ACCEPT $IPT -A INPUT -p tcp --dport 80 -j ACCEPT # Outbound traffic $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
  49. 49. Mitigate Brute Force Attacks
  50. 50. Install Only What You Need
  51. 51. Case Study: Be Minimal Internets Postfix Squid Proxy (badly configured) hacker spam
  52. 52. Resources ● http://securingphp.com/ ● https://www.owasp.org/ ● http://blog.ircmaxell.com/
  53. 53. The Golden Rules 1. Keep it simple 2. Know the risks 3. Fail securely 4. Don’t reinvent the wheel 5. Never trust anything / anyone
  54. 54. If you follow all this, you get...
  55. 55. If you follow all this, you get...
  56. 56. Any questions? :) https://joind.in/14227 James Titcumb @asgrim

×