Security is an enormous topic, and it’s really, really complicated. If you’re not careful, you’ll find yourself vulnerable to any number of attacks which you definitely don’t want to be on the receiving end of. This talk will give you just a taster of the vast array of things there is to know about security in modern web applications, such as writing secure PHP web applications and securing a Linux server. Whether you are writing anything beyond a basic brochure website, or even developing a complicated business web application, this talk will give you insights to some of the things you need to be aware of.

1. Dip Your Toes
in the Sea of Security
James Titcumb
Dutch PHP Conference 2015

2. James Titcumb
www.jamestitcumb.com
www.roave.com
www.phphants.co.uk
www.phpsouthcoast.co.uk
@asgrim
Who is this guy?

3. Some simple code...
<?php
$a = (int)filter_var($_GET['a'], FILTER_SANITIZE_NUMBER_INT);
$b = (int)filter_var($_GET['b'], FILTER_SANITIZE_NUMBER_INT);
$result = $a + $b;
printf('The answer is %d', $result);

4. The Golden Rules

5. The Golden Rules
(my made up golden rules)

6. 1. Keep it simple

7. 2. Know the risks

8. 3. Fail securely

9. 4. Don’t reinvent the wheel

10. 5. Never trust anything

11. OWASP
& the OWASP Top 10
https://www.owasp.org/

12. Application Security
(mainly PHP applications)

13. Always remember…
Filter Input
Escape Output

14. SQL Injection (#1)
http://xkcd.com/327/

15. SQL Injection (#1)
1. Use PDO / mysqli
2. Use prepared / parameterized statements

16. SQL Injection (#1)
<?php
// user_id=1; DROP TABLE users; --
$user_id = $_GET['user_id'];
$sql = "
SELECT * FROM users
WHERE user_id = {$user_id}";
$db->execute($sql);
✘

17. SQL Injection (#1)
<?php
$user_id = $_GET['user_id'];
$sql = "
SELECT * FROM users
WHERE user_id = :userid";
$stmt = $db->prepare($sql);
$stmt->bind('userid', $user_id);
$stmt->execute();
✓

18. exec($_GET)
https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code

19. eval()
https://github.com/search?q=eval%28%24_GET&type=Code&ref=searchresults

20. Cross-Site Scripting / XSS
(#3)

21. Cross-Site Scripting / XSS (#3)
● Escape output
<?php
$unfilteredInput = '<script type="text/javascript">...</script>';
// Unescaped - JS will run :'(
echo $unfilteredInput;
// Escaped - JS will not run :)
echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

22. Cross-Site Request
Forgery / CSRF (#8)

23. <?php
if (!$isPost) {
$csrfToken = hash("sha512",mt_rand(0,mt_getrandmax()));
$_SESSION['csrf_token'] = $csrfToken;
// ... output the form ...
echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />';
} else if ($isPost) {
if ($_SESSION['csrf_token'] != $_POST['csrf_token']) {
die("Token invalid...");
}
// ... handle the form ...
}
Cross-Site Request Forgery / CSRF (#8)

24. Errors, Exceptions &
Logging (#6)

25. curl + https
<?php
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
✘

26. curl + https
<?php
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate");
✓

27. WordPress Plugins

28. WordPress Plugins
Urgh.

29. We are not security
experts!

30. We are not security
experts!
… but we CAN write secure code

31. Be the threat
Think Differently

32. What do you want?
Think Differently

33. How do you get it?
Think Differently

34. Threat Modelling
D.R.E.A.D.

35. Authentication
& Authorization

36. Authentication
Verifying Identity

37. CRYPTOGRAPHY
IS
HARD

38. CRYPTOGRAPHY
IS
HARD
NEVER EVER “ROLL YOUR OWN”

39. CRYPTOGRAPHY
IS
HARD
NEVER EVER “ROLL YOUR OWN”
EVER!!!

40. Case Study: Custom Authentication
We thought about doing this…

41. Case Study: Custom Authentication
We thought about doing this…

42. Case Study: Custom Authentication
We thought about doing this…
✘

43. Password Hashing
password_hash()

44. Authorization
Verifying Access

45. Linux Server Security

46. Create an SSH Fortress

47. Firewalls

48. IPTABLES
#!/bin/bash
IPT="/sbin/iptables"
$IPT --flush
$IPT --delete-chain
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# Loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Inbound traffic
$IPT -A INPUT -p tcp --dport ssh -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
# Outbound traffic
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state
--state NEW -j ACCEPT

49. Mitigate Brute Force
Attacks

50. Install Only
What You Need

51. Case Study: Be Minimal
Internets
Postfix
Squid Proxy
(badly configured)
hacker
spam

52. Resources
● http://securingphp.com/
● https://www.owasp.org/
● http://blog.ircmaxell.com/

53. The Golden Rules
1. Keep it simple
2. Know the risks
3. Fail securely
4. Don’t reinvent the wheel
5. Never trust anything / anyone

54. If you follow all this, you get...

55. If you follow all this, you get...

56. Any questions? :)
https://joind.in/14227
James Titcumb @asgrim