Security 202 - Are you sure your site is secure?


  1. Are You Sure Your Site Is Secure? Security 202, Confoo 2011 Edition. By Arne Blankerts, thePHP.cc
  2. What is this talk about?
     - Myths in web security
     - Broken configurations
     - Typical implementation issues
  3. Session data
     “I can always trust my session data since I know what I did store”
  4. Session data
         [theseer@rikka ~] $ grep "session.save_path" /etc/php.ini | grep -v ";"
         session.save_path = "/var/lib/php/session"
     - Identical for all php instances unless specifically overwritten
     - Read and write access from php code
     - May be crafted in shared hosting
       - Session-id takeover from vhost to vhost
       - Session content can be modified
       - Can even lead to code execution
  5. Session hijacking
     “To protect my users from session hijacking, I did implement a validation check”
  6. Session hijacking (session.php)
         <?php
         session_start();
         $success = true;
         if (($_SESSION['IP'] != $_SERVER['REMOTE_ADDR'])
             or ($_SESSION['VIA'] != $_SERVER['HTTP_VIA'])
             or ($_SESSION['FORWARD'] != $_SERVER['HTTP_X_FORWARDED_FOR'])
             or ($_SESSION['AGENT'] != $_SERVER['HTTP_USER_AGENT'])) {
             // ...
         }
  7. Session hijacking – what to do?
     - Determine if hijacking is a problem
     - Regenerate id on every request
       - Doesn't block it but makes it harder to exploit
     - Fully switch to https for transport
       - Alternatively use a separate id in ssl context
  8. Cross Site Request Forgery
     “I have an anti CSRF token in my forms – So I'm well protected”
  9. CSRF
     csrftoken.php
         <?php

         session_start();
         $_SESSION['CSRF'] = md5(time());

         //...
     validate.php
         <?php

         session_start();
         if ($_SESSION['CSRF'] == $_GET['CSRF']) {
             // ...
         }
  10. CSRF
      - Regenerate token for every form?
        - Do you keep a backlog of tokens?
      - Do you validate your session?
        - Session fixation may violate CSRF tokens
      - What do you base the token on?
  11. CAPTCHA
      “I'm using a captcha to protect my forms from abuse – So I'm safe.”
  12. CAPTCHA
      - Conceptual problems
        - Distortion often unreadable
        - Not the least bit accessible
        - Breaking can be “crowd sourced”
      - Implementation issues
  13. CAPTCHA
      captcha.php
          <?php
          session_start();
          require 'captchaHelper.php';

          $code = generateCaptchaCode();
          $_SESSION['CAPTCHA'] = $code;

          header('Content-type: image/jpeg');
          echo createCaptchaImage($code);
      validation.php
          <?php
          session_start();

          if ($_SESSION['CAPTCHA'] != $_REQUEST['code']) {
              die('Captcha value wrong');
          }
          echo 'Welcome!';
  14. Prepared Statements
      “I'm using prepared statements so I'm protected from SQL injections”
  15. Prepared Statements
          <?php

          $db = new PDO(....);
          $query = $db->prepare('SELECT ... WHERE NAME=:name');
          $query->bindParam(':name', $_GET['name']);

          //...
  16. Prepared Statements
      - What about fieldnames?
      - Variable table names?
      - Do you sort your results?
      - Any need for limits?
      - Still use ext/mysql?
        - Sprintf based implementations?
  17. Drawbacks of sprintf
      - Manual escaping needed
        - mysql_escape_string vs. mysql_real_escape_string
      - PDO::quote() does not work with ODBC
      - No knowledge of fieldtype
        - String vs. Integer exploits
        - PDO::quote vs. mysql(i)_real_escape_string
  18. Password storage
      “I know storing clear text passwords is a bad idea. That's why I'm only storing hashes of passwords to protect my users.”
  19. Password storage
          <?php

          $db = new PDO(....);
          $query = $db->prepare(
              'UPDATE user SET PASSWD=:pwd WHERE UID=:uid'
          );
          $query->bindParam(':uid', $_SESSION['uid']);
          $query->bindParam(':pwd', sha1($_POST['pwd']));

          //...
  20. Most favorite passwords
      - 123456, 12345, 123456789, Password, iloveyou, princess, rockyou, 1234567, 12345678
      - Abc123, Qwertz / Qwerty, Dragon, Sexgod, Football, 1234, Pussy, Letmein, admin
  21. Password storage
      - Always salt hashes
        - Prepend and/or append additional values
      - Stretch your passwords
        - Re-apply and calculate the hash
        - 400.000 iterations take <1sec on my laptop
      - Do a quality check on user supplied codes
  22. Validation
      “I know using blacklists is pointless. That's why I use regular expressions to check for valid chars in a string”
  23. Validation
          <?php

          $name = isset($_GET['name']) ? $_GET['name'] : 'Anonymous User';

          if (ereg("^[a-zA-Z0-9 +-]*$", $name)) {
              echo "Welcome, $name";
          } else {
              echo "Sorry, that name contains invalid chars";
          }

          ?>
  24. Clickjacking
      “To make sure my site cannot be a victim of clickjacking, I have a JavaScript to break out from frames or iframes”
  25. Clickjacking
      Old style frame busting code
          <script type="text/javascript">
          if (top != self) { top.location.replace(self.location.href); }
          </script>
  26. Clickjacking
      Frame buster busting code (shown on the same slide beneath the frame busting code from slide 25)
          <script type="text/javascript">
          var prevent_bust = 0;
          window.onbeforeunload = function() { prevent_bust++; };
          setInterval(function() {
              if (prevent_bust > 0) {
                  prevent_bust -= 2;
                  window.top.location = 'http://attacker/204.php';
              }
          }, 1);
          </script>
  27. Clickjacking – what works
      - JavaScript & CSS
        - Hide content by use of display:none
        - Switch to visible if frame test succeeds
      - Use X-FRAME-OPTIONS header
        - Set to DENY for no iframe embedding
        - Set to SAMEORIGIN to allow from same host
  28. Lessons learned?
      - Tiny problems add up
        - Some attacks are only effective if various vectors get combined
        - Combinations of attack vectors may render your solution useless
      - Security requires a fully secure ecosystem
  29. Q & A
  30. Congrats!
  31. Contact
      - Slides will be available: http://talks.thephp.cc
      - Please rate this talk: http://joind.in/talk/view/2785
      - Contact options: Email: team@thePHP.cc / arne@thePHP.cc
      - Follow us on twitter: @arneblankerts / @thePHPcc
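Added example for slides 5 to 7 (session hijacking), written for this page and not part of the talk: it puts slide 7's advice into code instead of the header comparison from slide 6. It assumes PHP 7.3 or later and that `$_SERVER['HTTPS']` reflects the real transport; the function name startHardenedSession() is my own.

```php
<?php
// Slide 7's advice: rotate the id on every request and bind the session to the
// transport. The IP / User-Agent comparison from slide 6 is deliberately absent:
// both change legitimately behind proxies and both are client-controlled.
declare(strict_types=1);

function startHardenedSession(bool $isHttps): void
{
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, dies with the browser
        'path'     => '/',
        'secure'   => $isHttps,   // only ever sent over https
        'httponly' => true,       // not readable from script
        'samesite' => 'Lax',
    ]);
    session_start();

    // A captured id stops working as soon as the victim makes the next request.
    session_regenerate_id(true);   // true = discard the old session storage

    // "Separate id in ssl context": a session that was created over plain http is
    // never accepted over https (and vice versa), so each context has its own.
    if (!isset($_SESSION['ctx_https'])) {
        $_SESSION['ctx_https'] = $isHttps;
    } elseif ($_SESSION['ctx_https'] !== $isHttps) {
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('session does not belong to this transport context');
    }
}

// Assumption: $_SERVER['HTTPS'] reflects the real transport (no TLS-terminating proxy).
startHardenedSession(!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
```

Regenerating on every request can race with concurrent requests from the same browser (several AJAX calls in flight): the first to finish invalidates the id the others still carry, which is why the "determine if hijacking is a problem" step comes first and many sites regenerate only on login and privilege changes.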
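Added example for slides 8 to 10 (CSRF), written for this page and not part of the talk: a token scheme that answers the three questions on slide 10. It assumes PHP 7.3 or later; the constant CSRF_BACKLOG and the csrf*() function names are my own.

```php
<?php
// Per-form tokens from random_bytes() instead of md5(time()), single use, a bounded
// backlog for open tabs, and a session id rotation at login so a fixated session
// carries no token the attacker could have learned beforehand.
declare(strict_types=1);

const CSRF_BACKLOG = 20;   // forms / tabs a user may have open at once

function csrfOnLogin(): void
{
    session_regenerate_id(true);   // closes session fixation
    $_SESSION['csrf'] = [];        // tokens issued before login are void
}

function csrfIssueToken(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf'][$token] = time();
    while (count($_SESSION['csrf']) > CSRF_BACKLOG) {
        array_shift($_SESSION['csrf']);   // forget the oldest token
    }
    return $token;
}

function csrfValidateToken(?string $token, int $maxAge = 3600): bool
{
    if ($token === null || empty($_SESSION['csrf'])) {
        return false;   // nothing sent or nothing issued: fail closed
    }
    foreach ($_SESSION['csrf'] as $stored => $issued) {
        // constant-time comparison; == as on slide 9 is loose and timing dependent
        if (hash_equals((string) $stored, $token)) {
            unset($_SESSION['csrf'][$stored]);   // single use
            return (time() - $issued) <= $maxAge;
        }
    }
    return false;
}

// The token travels in the POST body, never in the URL (slide 9 reads $_GET).
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent = isset($_POST['csrf']) && is_string($_POST['csrf']) ? $_POST['csrf'] : null;
    if (!csrfValidateToken($sent)) {
        http_response_code(403);
        exit('invalid or expired CSRF token');
    }
}
$token = htmlspecialchars(csrfIssueToken(), ENT_QUOTES, 'UTF-8');
echo '<form method="post"><input type="hidden" name="csrf" value="' . $token . '"></form>';
```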
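Added example for slides 11 to 13 (CAPTCHA), written for this page and not part of the talk: a validation that closes the implementation gaps in slide 13's validation.php. It assumes PHP 7.3 or later; generateCaptchaCode() is a constructed stand-in for the slide's helper, and captchaIssue()/captchaValidate() are my own names.

```php
<?php
// Closes the gaps in slide 13's validation.php: a code that was never issued no
// longer passes (null != null is false there), a solved code cannot be replayed,
// and the comparison is strict. generateCaptchaCode() is a constructed stand-in.
declare(strict_types=1);

function generateCaptchaCode(int $length = 6): string
{
    $alphabet = 'abcdefghjkmnpqrstuvwxyz23456789';   // no 0/o, 1/l/i lookalikes
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $code;
}

function captchaIssue(): string
{
    $code = generateCaptchaCode();
    $_SESSION['captcha'] = ['code' => $code, 'issued' => time(), 'tries' => 0];
    return $code;   // captcha.php renders the image from this
}

function captchaValidate(?string $submitted, int $maxAge = 300, int $maxTries = 3): bool
{
    $entry = $_SESSION['captcha'] ?? null;
    if (!is_array($entry) || $submitted === null) {
        return false;   // nothing issued or nothing sent: fail closed
    }
    $entry['tries']++;
    $fresh = (time() - $entry['issued']) <= $maxAge;
    $match = $fresh && hash_equals(strtolower($entry['code']), strtolower($submitted));
    if ($match || !$fresh || $entry['tries'] >= $maxTries) {
        unset($_SESSION['captcha']);   // consumed: solve once, use once
    } else {
        $_SESSION['captcha'] = $entry; // same image, one attempt fewer
    }
    return $match;
}

// validation.php side: only a string is accepted, and the code is discarded afterwards
session_start();
$code = isset($_POST['code']) && is_string($_POST['code']) ? $_POST['code'] : null;
if (!captchaValidate($code)) {
    http_response_code(400);
    exit('Captcha value wrong');
}
echo 'Welcome!';
```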
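Added example for slides 14 to 17 (prepared statements), written for this page and not part of the talk: it handles the cases slide 16 asks about, where a placeholder cannot be used. It assumes PHP 7.3 or later with PDO on MySQL; the constants TABLES and SORTABLE, the function listRows(), the DSN and the schema (table "user" with name, email, created_at) are constructed.

```php
<?php
// Table and column names, ORDER BY direction and LIMIT cannot be bound parameters,
// so they are mapped through whitelists; only values are bound, each with an
// explicit type.
declare(strict_types=1);

const TABLES   = ['users' => 'user', 'staff' => 'staff_user'];
const SORTABLE = ['name' => 'name', 'email' => 'email', 'created' => 'created_at'];

function listRows(PDO $db, string $table, string $name, string $sort, string $dir, int $limit): array
{
    // identifiers: the caller's key selects a known SQL name; the input itself is never interpolated
    if (!isset(TABLES[$table]) || !isset(SORTABLE[$sort])) {
        throw new InvalidArgumentException('unknown table or sort column');
    }
    $direction = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    $limit = max(1, min($limit, 100));

    $sql = sprintf(
        'SELECT name, email FROM `%s` WHERE name = :name ORDER BY `%s` %s LIMIT :limit',
        TABLES[$table], SORTABLE[$sort], $direction
    );
    $stmt = $db->prepare($sql);
    // bindValue, not bindParam: bindParam binds by reference (slide 19's sha1() pitfall)
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    // LIMIT needs an integer: with emulated prepares a string would be sent as '10'
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed usage: each user-supplied piece is whitelisted, clamped or bound.
$db = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
$rows = listRows(
    $db,
    $_GET['table'] ?? 'users',
    $_GET['name']  ?? '',
    $_GET['sort']  ?? 'name',
    $_GET['dir']   ?? 'asc',
    (int) ($_GET['limit'] ?? 20)
);
```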
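Added example for slides 18 to 21 (password storage), written for this page and not part of the talk: slide 21's three points (salt, stretch, quality check) against the table from slide 19. It assumes PHP 7.3 or later and PDO; PW_COST, PW_DENYLIST and the function names are my own, and the denylist is a constructed sample from slide 20.

```php
<?php
// password_hash() with bcrypt salts randomly and stretches (2^cost rounds) by
// itself, storing salt and cost inside the hash string, so the table from
// slide 19 needs no extra column.
declare(strict_types=1);

const PW_COST = 12;   // raise over time; one hash should still take well under a second
const PW_DENYLIST = ['123456', '12345', '123456789', 'password', 'iloveyou', 'princess',
    'rockyou', '1234567', '12345678', 'abc123', 'qwertz', 'qwerty', 'dragon', 'football',
    '1234', 'letmein', 'admin'];

function passwordIsAcceptable(string $pw): bool
{
    return strlen($pw) >= 10 && !in_array(strtolower($pw), PW_DENYLIST, true);
}

function writeHash(PDO $db, int $uid, string $hash): void
{
    $stmt = $db->prepare('UPDATE user SET PASSWD = :pwd WHERE UID = :uid');
    // bindValue copies; bindParam() takes a reference, so slide 19's bindParam(':pwd', sha1(...)) binds a temporary
    $stmt->bindValue(':pwd', $hash, PDO::PARAM_STR);
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
}

function setPassword(PDO $db, int $uid, string $pw): void
{
    if (!passwordIsAcceptable($pw)) {
        throw new InvalidArgumentException('password too weak');
    }
    writeHash($db, $uid, password_hash($pw, PASSWORD_BCRYPT, ['cost' => PW_COST]));
}

function checkPassword(PDO $db, int $uid, string $pw): bool
{
    $stmt = $db->prepare('SELECT PASSWD FROM user WHERE UID = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($pw, (string) $hash)) {
        return false;
    }
    // stretch harder as hardware improves: re-hash at login once PW_COST was raised
    if (password_needs_rehash((string) $hash, PASSWORD_BCRYPT, ['cost' => PW_COST])) {
        writeHash($db, $uid, password_hash($pw, PASSWORD_BCRYPT, ['cost' => PW_COST]));
    }
    return true;
}
```

bcrypt only uses the first 72 bytes of the input, so very long passphrases are silently truncated; PASSWORD_ARGON2ID (where the PHP build has it) does not have that limit.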
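Added example for slides 22 and 23 (validation), written for this page and not part of the talk: the same whitelist rule done with preg_match(), plus constructed probe inputs for the three ways slide 23's ereg() check can be passed. It assumes PHP 7.3 or later; isValidName(), greet() and runProbes() are my own names.

```php
<?php
// ereg() was removed in PHP 7 and is not binary safe (it stops at a NUL byte), and
// ^...$ lets a trailing newline through; \A...\z anchor at the real ends of the string.
declare(strict_types=1);

function isValidName(string $name): bool
{
    // same characters as the slide, but 1..40 of them; the slide's * accepted ""
    return preg_match('/\A[a-zA-Z0-9 +\-]{1,40}\z/', $name) === 1;
}

function greet(?string $rawName): string
{
    $name = $rawName ?? 'Anonymous User';
    if (!isValidName($name)) {
        return 'Sorry, that name contains invalid chars';
    }
    // the whitelist excludes HTML metacharacters already; escape at output anyway so
    // the greeting stays safe if the rule is ever widened
    return 'Welcome, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed probes: returns every input whose verdict differs from the expectation.
function runProbes(): array
{
    $probes = [
        'Arne Blankerts'    => true,
        'Arne+2-3'          => true,
        "Arne\n"            => false,   // $ alone would match before the final newline
        "Arne\0<script>"    => false,   // ereg() would only ever see "Arne"
        ''                  => false,   // * accepted the empty name
        '<b>Arne</b>'       => false,
        str_repeat('a', 41) => false,
    ];
    $failed = [];
    foreach ($probes as $input => $expected) {
        if (isValidName((string) $input) !== $expected) {
            $failed[] = $input;
        }
    }
    return $failed;   // [] when the regex behaves
}

echo greet(isset($_GET['name']) && is_string($_GET['name']) ? $_GET['name'] : null);
```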
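Added example for slides 24 to 27 (clickjacking), written for this page and not part of the talk: both of slide 27's defences emitted from PHP, the header and the hidden-until-verified markup. It assumes PHP 7.3 or later; sendFramingHeaders() and framingGuardMarkup() are my own names, and the Content-Security-Policy line is the newer equivalent of X-Frame-Options, not something the slides mention.

```php
<?php
// The X-Frame-Options header decides whether the page may be framed at all, and
// the page itself stays hidden until script confirms it is the top-level window.
// The frame-buster buster from slide 26 can block the navigation away, but it
// cannot make hidden content clickable.
declare(strict_types=1);

function sendFramingHeaders(string $policy = 'DENY'): void
{
    if (!in_array($policy, ['DENY', 'SAMEORIGIN'], true)) {
        throw new InvalidArgumentException('unsupported X-Frame-Options value');
    }
    header('X-Frame-Options: ' . $policy);
    // the CSP equivalent, which newer browsers prefer; harmless for older ones
    header('Content-Security-Policy: frame-ancestors ' . ($policy === 'DENY' ? "'none'" : "'self'"));
}

// Emitted in <head>: body is display:none from the first byte, and only the
// top-level window removes that rule. Inside a frame nothing is ever visible.
function framingGuardMarkup(): string
{
    return <<<'HTML'
<style id="framing-guard">body { display: none !important; }</style>
<script>
  if (self === top) {
    var guard = document.getElementById('framing-guard');
    guard.parentNode.removeChild(guard);
  } else {
    top.location = self.location;   // best effort; the header is the real protection
  }
</script>
HTML;
}

sendFramingHeaders('DENY');
echo '<!doctype html><html><head><meta charset="utf-8">', framingGuardMarkup(),
     '</head><body><h1>Protected page</h1></body></html>';
```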
