Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Dip Your Toes in the Sea of Security (PHP Cambridge)

557 views

Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Dip Your Toes in the Sea of Security (PHP Cambridge)

  1. 1. Dip Your Toes in the Sea of Security James Titcumb PHP Cambridge 28th January 2015
  2. 2. James Titcumb www.jamestitcumb.com www.protected.co.uk www.phphants.co.uk www.phpsouthcoast.co.uk @asgrim Who is this guy?
  3. 3. Some simple code... <?php $a = (int)$_GET['a']; $b = (int)$_GET['b']; $result = $a + $b; printf('The answer is %d', $result);
  4. 4. The Golden Rules
  5. 5. The Golden Rules (my made up golden rules)
  6. 6. 1. Keep it simple
  7. 7. 2. Know the risks
  8. 8. 3. Fail securely
  9. 9. 4. Don’t reinvent the wheel
  10. 10. 5. Never trust anything
  11. 11. OWASP & the OWASP Top 10 https://www.owasp.org/
  12. 12. Application Security (mainly PHP applications)
  13. 13. Always remember… Filter Input Escape Output
  14. 14. SQL Injection (#1) http://xkcd.com/327/
  15. 15. SQL Injection (#1) 1. Use PDO / mysqli 2. Use prepared / parameterized statements
  16. 16. SQL Injection (#1) <?php // user_id=1; DROP TABLE users; -- $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = {$user_id}"; $db->execute($sql); ✘
  17. 17. SQL Injection (#1) <?php $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = :userid"; $stmt = $db->prepare($sql); $stmt->bind('userid', $user_id); $stmt->execute(); ✓
  18. 18. exec($_GET) https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code
  19. 19. eval() https://github.com/search?q=eval%28%24_GET&type=Code&ref=searchresults
  20. 20. Cross-Site Scripting / XSS (#3)
  21. 21. Cross-Site Scripting / XSS (#3) ● Escape output <?php $unfilteredInput = '<script type="text/javascript">...</script>'; // Unescaped - JS will run :'( echo $unfilteredInput; // Escaped - JS will not run :) echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
  22. 22. Cross-Site Request Forgery / CSRF (#8)
  23. 23. <?php if (!$isPost) { $csrfToken = hash("sha512",mt_rand(0,mt_getrandmax())); $_SESSION['csrf_token'] = $csrfToken; // ... output the form ... echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />'; } else if ($isPost) { if ($_SESSION['csrf_token'] != $_POST['csrf_token']) { die("Token invalid..."); } // ... handle the form ... } Cross-Site Request Forgery / CSRF (#8)
  24. 24. Errors, Exceptions & Logging (#6)
  25. 25. curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); ✘
  26. 26. curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate"); ✓
  27. 27. WordPress
  28. 28. WordPress Urgh.
  29. 29. We are not security experts!
  30. 30. We are not security experts! … but we CAN write secure code
  31. 31. Be the threat Think Differently
  32. 32. What do you want? Think Differently
  33. 33. How do you get it? Think Differently
  34. 34. Threat Modelling D.R.E.A.D.
  35. 35. Authentication & Authorization
  36. 36. Authentication Verifying Identity
  37. 37. CRYPTOGRAPHY IS HARD
  38. 38. CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN”
  39. 39. CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN” EVER!!!
  40. 40. Case Study: Custom Authentication We thought about doing this…
  41. 41. Case Study: Custom Authentication We thought about doing this…
  42. 42. Case Study: Custom Authentication We thought about doing this… ✘
  43. 43. Password Hashing password_hash()
  44. 44. Authorization Verifying Access
  45. 45. Linux Server Security
  46. 46. Create an SSH Fortress
  47. 47. Firewalls
  48. 48. IPTABLES #!/bin/bash IPT="/sbin/iptables" $IPT --flush $IPT --delete-chain $IPT -P INPUT DROP $IPT -P FORWARD DROP $IPT -P OUTPUT DROP # Loopback $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT # Inbound traffic $IPT -A INPUT -p tcp --dport ssh -j ACCEPT $IPT -A INPUT -p tcp --dport 80 -j ACCEPT # Outbound traffic $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT $IPT -A OUTPUT -p udp --dport 53 -m state
  49. 49. Mitigate Brute Force Attacks
  50. 50. Install Only What You Need
  51. 51. Case Study: Be Minimal Internets Postfix Squid Proxy (badly configured) hacker spam
  52. 52. Resources ● http://securingphp.com/ ● https://www.owasp.org/ ● http://blog.ircmaxell.com/
  53. 53. The Golden Rules 1. Keep it simple 2. Know the risks 3. Fail securely 4. Don’t reinvent the wheel 5. Never trust anything / anyone
  54. 54. If you follow all this, you get...
  55. 55. If you follow all this, you get...
  56. 56. Questions?
  57. 57. James Titcumb @asgrim Thanks for watching!

×