Dip Your Toes in the Sea of Security (PHP MiNDS January Meetup 2016)
Report
Share
•0 likes•629 views
![Dip Your Toes
in the Sea of Security
James Titcumb
php[MiNDS] Meetup - January 2016](https://image.slidesharecdn.com/160121-dipyourtoesintheseaofsecurityphpmindsjanuarymeetup2016-160121200705/75/dip-your-toes-in-the-sea-of-security-php-minds-january-meetup-2016-1-2048.jpg?cb=1670058776)
![Some simple code...
<?php
$a = (int)filter_var($_GET['a'], FILTER_SANITIZE_NUMBER_INT);
$b = (int)filter_var($_GET['b'], FILTER_SANITIZE_NUMBER_INT);
$result = $a + $b;
printf('The answer is %d', $result);](https://image.slidesharecdn.com/160121-dipyourtoesintheseaofsecurityphpmindsjanuarymeetup2016-160121200705/75/dip-your-toes-in-the-sea-of-security-php-minds-january-meetup-2016-3-2048.jpg?cb=1670058776)
![SQL Injection (#1)
<?php
// user_id=1; DROP TABLE users; --
$user_id = $_GET['user_id'];
$sql = "
SELECT * FROM users
WHERE user_id = {$user_id}";
$db->execute($sql);
✘](https://image.slidesharecdn.com/160121-dipyourtoesintheseaofsecurityphpmindsjanuarymeetup2016-160121200705/75/dip-your-toes-in-the-sea-of-security-php-minds-january-meetup-2016-18-2048.jpg?cb=1670058776)
![SQL Injection (#1)
<?php
$user_id = $_GET['user_id'];
$sql = "
SELECT * FROM users
WHERE user_id = :userid";
$stmt = $db->prepare($sql);
$stmt->bind('userid', $user_id);
$stmt->execute();
✓](https://image.slidesharecdn.com/160121-dipyourtoesintheseaofsecurityphpmindsjanuarymeetup2016-160121200705/75/dip-your-toes-in-the-sea-of-security-php-minds-january-meetup-2016-19-2048.jpg?cb=1670058776)
![<?php
if (!$isPost) {
$csrfToken = base64_encode(random_bytes(32)));
$_SESSION['csrf_token'] = $csrfToken;
// ... output the form ...
echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />';
} else if ($isPost) {
if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
die("Token invalid...");
}
// ... handle the form ...
}
Cross-Site Request Forgery / CSRF (#8)](https://image.slidesharecdn.com/160121-dipyourtoesintheseaofsecurityphpmindsjanuarymeetup2016-160121200705/75/dip-your-toes-in-the-sea-of-security-php-minds-january-meetup-2016-26-2048.jpg?cb=1670058776)
![<?php
if (!$isPost) {
$csrfToken = base64_encode(random_bytes(32)));
$_SESSION['csrf_token'] = $csrfToken;
// ... output the form ...
echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />';
} else if ($isPost) {
if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
die("Token invalid...");
}
// ... handle the form ...
}
Cross-Site Request Forgery / CSRF (#8)](https://image.slidesharecdn.com/160121-dipyourtoesintheseaofsecurityphpmindsjanuarymeetup2016-160121200705/75/dip-your-toes-in-the-sea-of-security-php-minds-january-meetup-2016-27-2048.jpg?cb=1670058776)
Dip Your Toes in the Sea of Security (PHP MiNDS January Meetup 2016)
•0 likes•629 views
Report
Share
Download to read offline
Security is an enormous topic, and it’s really, really complicated. If you’re not careful, you’ll find yourself vulnerable to any number of attacks which you definitely don’t want to be on the receiving end of. This talk will give you just a taster of the vast array of things there is to know about security in modern web applications, such as writing secure PHP web applications and securing a Linux server. Whether you are writing anything beyond a basic brochure website, or even developing a complicated business web application, this talk will give you insights to some of the things you need to be aware of.
Recommended
More Related Content
What's hot
![C99[2]](https://cdn.slidesharecdn.com/ss_thumbnails/c992-100302130206-phpapp01-thumbnail.jpg?width=384&fit=bounds)
What's hot(20)
![C99[2]](https://cdn.slidesharecdn.com/ss_thumbnails/c992-100302130206-phpapp01-thumbnail.jpg?width=768&fit=bounds)
Viewers also liked
Viewers also liked(10)
Similar to Dip Your Toes in the Sea of Security (PHP MiNDS January Meetup 2016)
Similar to Dip Your Toes in the Sea of Security (PHP MiNDS January Meetup 2016)(20)
![[PL] Jak nie zostać "programistą" PHP?](https://cdn.slidesharecdn.com/ss_thumbnails/phpgoodandbadpractices-111012153806-phpapp01-thumbnail.jpg?width=768&fit=bounds)
More from James Titcumb
![Climbing the Abstract Syntax Tree (php[world] 2019)](https://cdn.slidesharecdn.com/ss_thumbnails/191024-climbingtheabstractsyntaxtreephpworld2019-191020175622-thumbnail.jpg?width=384&fit=bounds)
![Best practices for crafting high quality PHP apps (php[world] 2019)](https://cdn.slidesharecdn.com/ss_thumbnails/191022-qualitytutorialphpworld2019-191020175612-thumbnail.jpg?width=384&fit=bounds)
More from James Titcumb(20)
![Climbing the Abstract Syntax Tree (php[world] 2019)](https://cdn.slidesharecdn.com/ss_thumbnails/191024-climbingtheabstractsyntaxtreephpworld2019-191020175622-thumbnail.jpg?width=768&fit=bounds)
![Best practices for crafting high quality PHP apps (php[world] 2019)](https://cdn.slidesharecdn.com/ss_thumbnails/191022-qualitytutorialphpworld2019-191020175612-thumbnail.jpg?width=768&fit=bounds)
Recently uploaded
Recently uploaded(20)
Dip Your Toes in the Sea of Security (PHP MiNDS January Meetup 2016)
- 1. Dip Your Toes in the Sea of Security James Titcumb php[MiNDS] Meetup - January 2016
- 2. James Titcumb www.jamestitcumb.com www.roave.com www.phphants.co.uk www.phpsouthcoast.co.uk @asgrim Who is this guy?
- 3. Some simple code... <?php $a = (int)filter_var($_GET['a'], FILTER_SANITIZE_NUMBER_INT); $b = (int)filter_var($_GET['b'], FILTER_SANITIZE_NUMBER_INT); $result = $a + $b; printf('The answer is %d', $result);
- 6. The Golden Rules (my made up golden rules)
- 7. 1. Keep it simple
- 8. 2. Know the risks
- 10. 4. Don’t reinvent the wheel
- 11. 5. Never trust anything
- 12. OWASP & the OWASP Top 10 https://www.owasp.org/
- 13. Application Security (mainly PHP applications)
- 14. Always remember… Filter Input Escape Output
- 15. © 2003 Disney/Pixar. All Rights Reserved. SQL Injection (#1)
- 17. SQL Injection (#1) 1. Use PDO / mysqli 2. Use prepared / parameterized statements
- 18. SQL Injection (#1) <?php // user_id=1; DROP TABLE users; -- $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = {$user_id}"; $db->execute($sql); ✘
- 19. SQL Injection (#1) <?php $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = :userid"; $stmt = $db->prepare($sql); $stmt->bind('userid', $user_id); $stmt->execute(); ✓
- 20. © 2003 Disney/Pixar. All Rights Reserved.
- 23. Cross-Site Scripting / XSS (#3) © 2003 Disney/Pixar. All Rights Reserved.
- 24. Cross-Site Scripting / XSS (#3) ● Escape output <?php $unfilteredInput = '<script type="text/javascript">...</script>'; // Unescaped - JS will run :'( echo $unfilteredInput; // Escaped - JS will not run :) echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
- 25. Cross-Site Request Forgery / CSRF (#8) http://www.factzoo.com/invertebrates/cuttlefish-chameleon-of-the-sea.html
- 26. <?php if (!$isPost) { $csrfToken = base64_encode(random_bytes(32))); $_SESSION['csrf_token'] = $csrfToken; // ... output the form ... echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />'; } else if ($isPost) { if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) { die("Token invalid..."); } // ... handle the form ... } Cross-Site Request Forgery / CSRF (#8)
- 27. <?php if (!$isPost) { $csrfToken = base64_encode(random_bytes(32))); $_SESSION['csrf_token'] = $csrfToken; // ... output the form ... echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />'; } else if ($isPost) { if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) { die("Token invalid..."); } // ... handle the form ... } Cross-Site Request Forgery / CSRF (#8)
- 28. Errors, Exceptions & Logging (#6) © 2003 Disney/Pixar. All Rights Reserved.
- 29. Errors, Exceptions & Logging (#6)
- 30. © 2003 Disney/Pixar. All Rights Reserved.
- 31. curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); ✘
- 32. curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate"); ✓
- 33. © 2003 Disney/Pixar. All Rights Reserved.
- 34. WordPress Plugins Audit third party plugins carefully.
- 35. WordPress Plugins Audit third party plugins carefully. ANY THIRD PARTY CODE
- 36. WordPress Plugins Audit third party plugins carefully. ANY THIRD PARTY CODE github.com/ /SecurityAdvisories
- 38. We are not all security experts!
- 39. We are not all security experts! … but we CAN write secure code
- 40. Be the threat Think Differently
- 41. What do you want? Think Differently
- 42. How do you get it? Think Differently
- 43. Threat Modelling D.R.E.A.D. © Buena Vista Pictures
- 44. Threat Modelling Damage R E A D © Buena Vista Pictures
- 45. Threat Modelling Damage Reproducibility E A D © Buena Vista Pictures
- 46. Threat Modelling Damage Reproducibility Exploitability A D © Buena Vista Pictures
- 47. Threat Modelling Damage Reproducibility Exploitability Affected users D © Buena Vista Pictures
- 48. Threat Modelling Damage Reproducibility Exploitability Affected users Discoverability © Buena Vista Pictures
- 51. Case Study: Custom Authentication We thought about doing this…
- 52. Case Study: Custom Authentication We thought about doing this…
- 53. Case Study: Custom Authentication We thought about doing this… ✘
- 58. CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN”
- 59. CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN” EVER!!!
- 60. How to encrypt then?
- 61. I’ve got some great ideas for encryption... Image: The Guardian (http://goo.gl/pUkyvO)
- 62. How to encrypt then? libsodium PECL package
- 64. Create an SSH Fortress
- 65. Firewalls
- 66. iptables #!/bin/bash IPT="/sbin/iptables" $IPT --flush $IPT --delete-chain $IPT -P INPUT DROP $IPT -P FORWARD DROP $IPT -P OUTPUT DROP # Loopback $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT # Inbound traffic $IPT -A INPUT -p tcp --dport ssh -j ACCEPT $IPT -A INPUT -p tcp --dport 80 -j ACCEPT $IPT -A INPUT -p tcp --dport 443 -j ACCEPT # Outbound traffic $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT $IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
- 67. ufw sudo ufw enable sudo ufw allow 22 sudo ufw allow 80
- 69. Install Only What You Need
- 70. © 2003 Disney/Pixar. All Rights Reserved.
- 71. +
- 72. Case Study: Be Minimal Internets Postfix Squid Proxy (badly configured) hacker spam
- 73. Resources ● http://securingphp.com/ ● https://www.owasp.org/ ● http://blog.ircmaxell.com/ ● https://github.com/paragonie/random_compat ● https://github.com/ircmaxell/password_compat
- 74. The Golden Rules 1. Keep it simple 2. Know the risks 3. Fail securely 4. Don’t reinvent the wheel 5. Never trust anything / anyone
- 75. If you follow all this, you get...
- 76. If you follow all this, you get...
- 77. Any questions? :) https://joind.in/talk/0ad74 James Titcumb @asgrim