
Dip Your Toes In The Sea Of Security (PHPNW16)

Security is an enormous topic, and it’s really, really complicated. If you’re not careful, you’ll find yourself vulnerable to any number of attacks which you definitely don’t want to be on the receiving end of. This talk gives you just a taster of the vast array of things there is to know about security in modern web applications, such as writing secure PHP web applications and securing a Linux server. Whether you are writing anything beyond a basic brochure website or developing a complicated business web application, this talk will give you insights into some of the things you need to be aware of.


  1. Dip Your Toes in the Sea of Security, James Titcumb (@asgrim), PHPNW16
  2. Who is this guy? James Titcumb: www.jamestitcumb.com, www.roave.com, www.phphants.co.uk, www.phpsouthcoast.co.uk
  3. Some simple code...
     <?php
     $a = (int)filter_var($_GET['a'], FILTER_SANITIZE_NUMBER_INT);
     $b = (int)filter_var($_GET['b'], FILTER_SANITIZE_NUMBER_INT);
     $result = $a + $b;
     printf('The answer is %d', $result);
  5. The Golden Rules (my made up golden rules)
  7. Golden rule 1: Keep it simple
  8. Golden rule 2: Know the risks
  9. Golden rule 3: Fail securely
  10. Golden rule 4: Don’t reinvent the wheel
  11. Golden rule 5: Never trust anything
  12. OWASP & the OWASP Top 10: https://www.owasp.org/
  13. Application Security (mainly PHP applications)
  14. Always remember… Filter Input, Escape Output
  15. SQL Injection (#1) (image © 2003 Disney/Pixar. All Rights Reserved.)
  16. SQL Injection (#1): http://xkcd.com/327/
  18. SQL Injection (#1)
      <?php
      // user_id=1; DROP TABLE users; --
      $user_id = $_GET['user_id'];
      $sql = "SELECT * FROM users WHERE user_id = {$user_id}";
      $db->execute($sql);
      ✘
  19. SQL Injection (#1)
      <?php
      $user_id = $_GET['user_id'];
      $sql = "SELECT * FROM users WHERE user_id = :userid";
      $stmt = $db->prepare($sql);
      // PDO binds by placeholder name (including the colon) and takes a type;
      // the value travels as data and can never become part of the SQL
      $stmt->bindValue(':userid', (int) $user_id, PDO::PARAM_INT);
      $stmt->execute();
      ✓
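The two slides above, run end to end as an added example (this is not the talk's code): an in-memory SQLite database through PDO stands in for the real users table, and the attacker input `1 OR 1=1` is constructed here. The slide's stacked `; DROP TABLE` payload only fires where the driver executes several statements per call; a tautology is honoured by every driver, so it makes the clearer demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: in-memory SQLite via PDO so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (user_id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Constructed attacker input, as it would arrive in $_GET['user_id'].
$userId = '1 OR 1=1';

// Vulnerable: string interpolation makes the input part of the SQL grammar,
// so "1 OR 1=1" turns a lookup of one user into a dump of every user.
function findUserVulnerable(PDO $db, string $userId): array
{
    $sql = "SELECT name FROM users WHERE user_id = {$userId}";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: filter the input (it must be an integer), then bind it as a typed
// parameter of a prepared statement. The value is sent separately from the
// query text and cannot change its structure.
function findUserSafe(PDO $db, string $userId): array
{
    $id = filter_var($userId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return []; // fail securely: reject rather than guess what was meant
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE user_id = :userid');
    $stmt->bindValue(':userid', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(findUserVulnerable($db, $userId));
var_dump(findUserSafe($db, $userId));
var_dump(findUserSafe($db, '1'));
```

Run it with `php` on the command line: the first call returns every name in the table, the second returns nothing because the input fails validation, and the third returns just the requested user.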
  21. exec($_GET): https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code
  22. eval(): https://github.com/search?q=eval%28%24_GET&type=Code&ref=searchresults
  23. Cross-Site Scripting / XSS (#3)
  24. Cross-Site Scripting / XSS (#3)
      <?php
      $unfilteredInput = '<script type="text/javascript">...</script>';
      // Unescaped - JS will run :'(
      echo $unfilteredInput;
      // Escaped - JS will not run :)  (ENT_QUOTES also escapes ', so the same call is safe inside attribute values)
      echo htmlspecialchars($unfilteredInput, ENT_QUOTES, 'UTF-8');
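`htmlspecialchars()` is the right tool for HTML text and attribute values, but output lands in other contexts too, and each needs its own escaping. The following added example (not from the talk) shows one function per context; the payloads and the helper names `escHtml()`, `escJs()`, `escUrlParam()` and `safeHref()` are constructed here.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. The escaping must match the output
// context; one htmlspecialchars() call is only right for HTML text and
// quoted attribute values.

function escHtml(string $s): string
{
    // HTML text and attribute values. ENT_QUOTES covers both ' and ",
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escJs(string $s): string
{
    // Data placed inside a <script> block: emit a JSON string literal with
    // <, >, &, ' and " written as \uXXXX so "</script>" cannot close the tag.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function escUrlParam(string $s): string
{
    // A single query-string value; rawurlencode() uses %20 rather than +.
    return rawurlencode($s);
}

function safeHref(string $url): string
{
    // A whole URL in href. "javascript:" survives htmlspecialchars() untouched,
    // so the scheme has to be allow-listed before escaping.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return '#';
    }
    return escHtml($url);
}

// Constructed attacker input.
$name = '<script>alert(1)</script>';
$link = 'javascript:alert(document.cookie)';

$html = '<p>Hello ' . escHtml($name) . '</p>' . "\n"
      . '<input value="' . escHtml($name) . '">' . "\n"
      . '<a href="' . safeHref($link) . '">profile</a>' . "\n"
      . '<a href="/search?q=' . escUrlParam($name) . '">search</a>' . "\n"
      . '<script>var user = ' . escJs($name) . ';</script>' . "\n";

echo $html;
```

The `<script>` case is the one developers most often get wrong: `htmlspecialchars()` output inside a JavaScript string is still a live string for the JavaScript parser, while the `\u003C`-style escapes from `json_encode()` with the `JSON_HEX_*` flags are inert in both the HTML and the JavaScript grammar.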
  25. Cross-Site Request Forgery / CSRF (#8): http://www.factzoo.com/invertebrates/cuttlefish-chameleon-of-the-sea.html
  26. Cross-Site Request Forgery / CSRF (#8)
      <?php
      if (!$isPost) {
          $csrfToken = base64_encode(random_bytes(32));
          $_SESSION['csrf_token'] = $csrfToken;
          // ... output the form ...
          echo '<input type="hidden" name="csrf_token" value="' . $csrfToken . '" />';
      } else {
          // Reject when either token is missing, and compare in constant time with
          // hash_equals(); the request must be refused when the tokens do NOT match
          if (!isset($_SESSION['csrf_token'], $_POST['csrf_token'])
              || !hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token'])) {
              die("Token invalid...");
          }
          // ... handle the form ...
      }
  29. Timing attacks
      // From zend_is_identical:
      return (Z_STR_P(op1) == Z_STR_P(op2) ||
              (Z_STRLEN_P(op1) == Z_STRLEN_P(op2) &&
               memcmp(Z_STRVAL_P(op1), Z_STRVAL_P(op2), Z_STRLEN_P(op1)) == 0));
  30. Timing attacks. Actual string: “foobar”
      ● a (0.00001)
      ● aa (0.00001)
      ● aaa (0.00001)
      ● aaaa (0.00001)
      ● aaaaa (0.00001)
      ● aaaaaa (0.00002) ← success!
      ● aaaaaaa (0.00001)
      ● aaaaaaaa (0.00001)
      ● aaaaaaaaa (0.00001)
  31. Timing attacks
      int memcmp(const void* s1, const void* s2, size_t n)
      {
          const unsigned char *p1 = s1, *p2 = s2;
          while (n--)
              if (*p1 != *p2)
                  return *p1 - *p2;
              else
                  p1++, p2++;
          return 0;
      }
      http://clc-wiki.net/wiki/C_standard_library:string.h:memcmp#Implementation
  32. Timing attacks. Actual string: “foobar”
      ● “aaaaaa” (0.00001)
      ● “baaaaa” (0.00001)
      ● …
      ● “faaaaa” (0.00002) ← success!
      ● “fbaaaa” (0.00002)
      ● “fcaaaa” (0.00002)
      ● …
      ● “foaaaa” (0.00003) ← success!
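Slides 29 to 32 describe the attack with timings; the added example below (not from the talk) turns it into code. Instead of measuring wall-clock time it counts how many bytes each comparison reads, which is what those timings leak, and runs the same attacker against an early-exit compare and a constant-time one. The secret `foobar`, the alphabet and the function names are constructed here; in real code use `hash_equals()` as slide 26 does, not the hand-written constant-time loop.

```php
<?php
declare(strict_types=1);

// Added example, not from the talk. A real attack measures time; here the
// "oracle" reports how many bytes the comparison touched, which is exactly
// the quantity the timings on the slides are leaking.

/** Early-exit compare in the style of memcmp(): returns [equal, bytesTouched]. */
function leakyEquals(string $known, string $user): array
{
    if (strlen($known) !== strlen($user)) {
        return [false, 0]; // length mismatch: no byte is ever read (slide 30)
    }
    $touched = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $touched++;
        if ($known[$i] !== $user[$i]) {
            return [false, $touched]; // stops at the first differing byte (slide 32)
        }
    }
    return [true, $touched];
}

/** Constant-time compare: the work done does not depend on where the strings differ. */
function constantTimeEquals(string $known, string $user): array
{
    // Use hash_equals() in real code; this copy exists only so the example can
    // count work the same way as leakyEquals() does.
    $diff = strlen($known) ^ strlen($user);
    $n = min(strlen($known), strlen($user));
    $touched = 0;
    for ($i = 0; $i < $n; $i++) {
        $touched++;
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return [$diff === 0, $touched];
}

/** Attacker step 1: find the length at which the oracle starts doing any work. */
function recoverLength(callable $oracle, int $maxLength): int
{
    for ($len = 1; $len <= $maxLength; $len++) {
        [, $touched] = $oracle(str_repeat('a', $len));
        if ($touched > 0) {
            return $len;
        }
    }
    return 0;
}

/** Attacker step 2: per position, keep the byte that makes the oracle work longest. */
function recoverSecret(callable $oracle, int $length, string $alphabet): string
{
    $guess = str_repeat($alphabet[0], $length);
    for ($pos = 0; $pos < $length; $pos++) {
        $best = $alphabet[0];
        $bestTouched = -1;
        foreach (str_split($alphabet) as $ch) {
            $guess[$pos] = $ch;
            [$equal, $touched] = $oracle($guess);
            if ($equal) {
                return $guess; // final byte found: the comparison succeeded outright
            }
            if ($touched > $bestTouched) {
                $bestTouched = $touched;
                $best = $ch;
            }
        }
        $guess[$pos] = $best;
    }
    return $guess;
}

$secret   = 'foobar'; // constructed secret, as on the slides
$alphabet = 'abcdefghijklmnopqrstuvwxyz';

foreach (['early-exit' => 'leakyEquals', 'constant-time' => 'constantTimeEquals'] as $label => $fn) {
    $oracle = fn(string $guess): array => $fn($secret, $guess);
    $length = recoverLength($oracle, 16);
    printf("%-14s length=%d recovered=%s\n", $label, $length, recoverSecret($oracle, $length, $alphabet));
}
```

Against the early-exit compare the attacker recovers first the length and then the whole secret with at most 26 guesses per byte instead of 26^6; against the constant-time compare every guess costs the same, so the same attacker learns nothing and comes back with a wrong length and a wrong string.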
  33. Sensitive Data Exposure (#6)
  36. curl + https
      <?php
      curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
      curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
      ✘
  37. curl + https
      <?php
      // 2 is the only value that verifies the certificate's name against the host; 0/false disables the check
      curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
      curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
      curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate");
      ✓
  39. Third Party Code !!! WARNING !!!
  41. Third Party Code: github.com/ /SecurityAdvisories
  43. We are not all security experts! … but we CAN write secure code
  45. Hack your own system!
  46. What do you want? Think like a hacker
  47. How do you get it? Think Differently
  48. Threat Modelling: D.R.E.A.D. (image © Buena Vista Pictures)
      ● Damage
      ● Reproducibility
      ● Exploitability
      ● Affected users
      ● Discoverability
  54. Rank them in order. And fix them!
  55. Authentication & Authorization
  56. Authentication: Verifying Identity
  57. Case Study: Custom Authentication. We thought about doing this… ✘
  60. Password Hashing: password_hash()
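The slide names the function; the added example below (not from the talk) shows the lifecycle around it: hashing on registration, verifying on login, verifying against a dummy hash for unknown users so that response time does not reveal which accounts exist, and upgrading a weaker legacy hash with `password_needs_rehash()`. The in-memory `$users` array and the user names and passwords are constructed stand-ins for a users table.

```php
<?php
declare(strict_types=1);

// Added example, not from the talk: the full password_hash() lifecycle.
// An in-memory array stands in for the users table.

const HASH_ALGO    = PASSWORD_DEFAULT; // bcrypt today; PHP may move this to a stronger algorithm later
const HASH_OPTIONS = ['cost' => 12];   // tune so that one hash takes roughly 100 ms on your hardware

function register(array &$users, string $username, string $password): void
{
    // password_hash() draws a random salt and stores algorithm, cost and salt
    // inside the returned string, so nothing else needs to be kept.
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

function login(array &$users, string $username, string $password): bool
{
    // Unknown user: still run password_verify() against a dummy hash so the
    // request takes as long as a real one (no username enumeration by timing).
    static $dummy = null;
    $dummy ??= password_hash('dummy-password', HASH_ALGO, HASH_OPTIONS);
    $stored = $users[$username] ?? $dummy;

    if (!password_verify($password, $stored) || !isset($users[$username])) {
        return false;
    }

    // Hashes made with an older algorithm or a lower cost are upgraded
    // transparently, because right now we hold the plaintext password.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

$users = [];
register($users, 'alice', 'correct horse battery staple');

// A legacy hash at cost 10, constructed here; it is upgraded on bob's next successful login.
$users['bob'] = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]);

var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong'));
var_dump(login($users, 'nobody', 'anything'));
var_dump(login($users, 'bob', 'hunter2'));
var_dump(password_get_info($users['bob'])['options']['cost']);
```

The cost is the knob to revisit every year or two: raise it, and `password_needs_rehash()` takes care of migrating existing users as they log in, with no bulk migration and no plaintext passwords stored anywhere.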
  61. Authorization: Verifying Access
  62. CRYPTOGRAPHY IS HARD. NEVER EVER “ROLL YOUR OWN”. EVER!!!
  66. How to encrypt then?
  67. I’ve got some great ideas for encryption... (image: IBTimes, http://goo.gl/zPVeo0)
  68. How to encrypt then? libsodium PECL package
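As an added example (not from the talk) of the library the slide recommends: authenticated encryption with `sodium_crypto_secretbox()`, which pairs a cipher with a MAC so that tampered ciphertext is rejected rather than decrypted to garbage. The sodium extension has shipped with PHP itself since 7.2; the PECL package the slide mentions is for earlier versions. The `encrypt()`/`decrypt()` wrappers, the nonce-prefix storage format and the sample plaintext are choices made here.

```php
<?php
declare(strict_types=1);

// Added example, not from the talk. Secret-key authenticated encryption with
// the sodium extension (bundled with PHP 7.2+; the PECL package is for older PHP).

function encrypt(string $plaintext, string $key): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('key must be exactly ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes');
    }
    // A fresh random nonce for every message; reusing one with the same key breaks confidentiality.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);
    sodium_memzero($plaintext);
    // The nonce is not secret; it is stored with the ciphertext (here: as a prefix).
    return $nonce . $ciphertext;
}

function decrypt(string $blob, string $key): string
{
    if (strlen($blob) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('ciphertext too short');
    }
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plaintext === false) {
        // Fail securely: wrong key and tampered data give the same generic error and no partial output.
        throw new RuntimeException('decryption failed');
    }
    return $plaintext;
}

// Generate the key once and keep it outside the web root or in a secrets store;
// it is created in memory here only so the example runs stand-alone.
$key = sodium_crypto_secretbox_keygen();
$blob = encrypt('card number 4111 1111 1111 1111', $key);

var_dump(decrypt($blob, $key));

// Flip one bit of the ciphertext: the MAC check fails and nothing is returned.
$tampered = $blob;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
try {
    decrypt($tampered, $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

This is what "don't roll your own" looks like in practice: the only decisions left to the application are key storage and nonce handling, and the API makes the nonce size and the failure mode explicit instead of leaving them to be got wrong.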
  69. Linux Server Security
  70. Create an SSH Fortress
  71. Firewalls
  72. iptables
      #!/bin/bash
      IPT="/sbin/iptables"

      $IPT --flush
      $IPT --delete-chain
      $IPT -P INPUT DROP
      $IPT -P FORWARD DROP
      $IPT -P OUTPUT DROP

      # Loopback
      $IPT -A INPUT -i lo -j ACCEPT
      $IPT -A OUTPUT -o lo -j ACCEPT

      # Replies for connections already accepted in either direction. Without these
      # two rules the OUTPUT DROP policy discards the server's own responses to the
      # inbound SSH/HTTP connections allowed below, and the INPUT DROP policy
      # discards the answers to its outbound HTTP/DNS requests.
      $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

      # Inbound traffic
      $IPT -A INPUT -p tcp --dport ssh -j ACCEPT
      $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
      $IPT -A INPUT -p tcp --dport 443 -j ACCEPT

      # Outbound traffic
      $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
      $IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT
      $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
  73. ufw
      sudo ufw enable
      sudo ufw allow 22
      sudo ufw allow 80
  74. Mitigate Brute Force Attacks
  75. Install Only What You Need
  78. Case Study: Be Minimal (diagram labels: Internets, hacker, Squid Proxy (badly configured), Postfix, spam)
  79. Resources
      ● http://securingphp.com/
      ● https://www.owasp.org/
      ● http://blog.ircmaxell.com/
      ● https://github.com/paragonie/random_compat
      ● https://github.com/ircmaxell/password_compat
      ● https://paragonie.com/blog
      ● https://websec.io/resources.php
  80. The Golden Rules
      1. Keep it simple
      2. Know the risks
      3. Fail securely
      4. Don’t reinvent the wheel
      5. Never trust anything / anyone
  81. If you follow all this, you get...
  83. Any questions? :) https://joind.in/talk/a1a05 James Titcumb
