PHP Security Basics
A short webinar I gave with Zend on basic security practices when developing PHP applications

Published in: Technology

    1. PHP Security Basics
       John Coggeshall
    2. Welcome!
       • Welcome to PHP Security Basics
       • Who am I:
         • John Coggeshall
         • Lead, North American Professional Services
         • PHP 5 Core Contributor
         • Author: PHP 5 Unleashed
         • Member of Zend’s Education Advisory Board
       May 28, 2009
    3. What We’ll Cover Today:
       • An Introduction to the World of Security
       • How To Think about Security
       • Attack Vectors 101
       • Open Forum for Questions
    4. (Computerworld Security / WASC) In summer 2006, according to Mitre’s Common Vulnerabilities and Exposures report, the SQL injection vulnerability had become a web application flaw second only to cross-site scripting. Furthermore, some experts argue that this vulnerability is even more significant due to its prevalence in custom web applications created by inexperienced programmers and its direct effect on the database, which is often the most sensitive part of a web application, more critical than the server systems, which are typically more exposed.
       Copyright © 2007, Zend Technologies Inc. Winter, 2007
    5. Scope
       • Security is too large a topic to fully discuss in a 45 minute webinar
       • In fact, Web Application Security could be one’s life work
         • The Operating System
           • The Web Server
             • The Database Server
               • The Application
       • The Protocol
         • The Browser
           • The Client Side Language
       • We are going to stay focused on understanding the Principles of security, with a brief discussion of some common attacks
    6. Lingo
       • In my discussions I’ll be using a few terms - some are common, some are my own:
         • Attacker: The bad guy trying to acquire the Principal
         • Principal: The target of the attacker, be it data or functional change to your application
         • Attack Vector: An approach used to achieve the compromise of the Principal
         • Strategic Data: Information used by an attacker to formulate his attack vectors
    7. Let’s Get Started
       • Can you describe security?
         • Security is information
         • Keeping private information away from others who want it
         • Getting information from others who want your private information
       • Information IS power
         • The power to steal your data
         • The power to change the behavior of your application
         • The power to prevent
    8. The Principal
       • The Principal is the ultimate goal of the Attacker, and it takes many forms
       • Examples:
         • Acquisition of your private data
           • Credit Card numbers, passwords
         • Introduction of unintended function
           • Acquisition of someone else’s data
           • Further infection of other systems
       • The Principal is what you must protect
       • Attackers are interested in a vast array of Principals
    9. Understand your Principal
       • Before you can hope to defend anything, you have to understand what you’re defending
         • What about your application would be appealing to an attacker?
           • I don’t see many Attackers trying to steal other people’s online dating accounts
           • I do see a lot of online dating sites concerned about their customers’ financial data being compromised
         • Not to say that security everywhere isn’t important, but it is a never-ending struggle
           • Focus on what you think the Principal is
           • Make sure you can identify other Principals as they become apparent
    10. Common Principals
        • Everyone has these in common:
          • Your Visitors
          • Your Database
          • Your Server
        • Every application has its own unique Principals as well
        • The first step in securing your application is identifying the Principals
        • The second step is identifying your attack vectors
    11. Understand the Attack Vectors
        • Once you’ve identified as many Principals as you can, you now have to defend them
          • Again, you can’t defend against what you don’t know
        • Often there are common Attack Vectors useful in attacking many principals
          • Injection Attacks (SQL, HTTP, HTML, JS, etc., etc., etc.)
          • Prediction Attacks (Session Fixation, Algorithm Compromising)
        • Every web application should defend against the usual suspects, and thus the common Principals
        • But what about your application?
          • Don’t forget about specific principals and attacks against them
    12. Defense In Depth
        • It is critical to realize that no one step will ensure security… In fact, no combination can ensure it either
        • There is a best strategy – defense in depth – which means employing a broad range of overlapping security tactics to present a defense to all attack vectors
        • The concept is to make it so difficult for an attacker to break through all the security measures in place that they are likely to give up and attack a site that is easier to assault
    13. SQL Injection Attacks
        • SQL (Structured Query Language) injection: attacks on a database, carried out by injecting SQL code into a user form that is then submitted
        • The attack provides the attacker with access to data within the database, according to the database user’s rights, where they could:
          • Download the entire database contents
          • Wipe out the entire contents
          • Corrupt the database structure
          • Change the data itself
          • Cause DOS (Denial of Service)
    14. SQL Injection Attacks (continued)
        • Examples:
          $query = "SELECT * FROM table WHERE id = {$_GET['id']}";
          http://host/file.php?id=1%20AND%201=1 (returns entire table)
          http://host/file.php?id=1;%20DELETE%20FROM%20table (deletes entire table)
          1; ALTER TABLE table CHANGE col1 col1 CHAR(12) (corrupts table)
          Corrupt as above; then change data type back (truncates string values)
          1; SELECT BENCHMARK(10000000, SHA1(REPEAT(CURDATE(), 10))) (DOS)
          $query = "UPDATE users SET password='{$_GET['newpass']}' WHERE user_id = {$userid}";
          $_GET['newpass'] = "foo' WHERE user_id='admin' --"; (controls password)
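The slide shows the interpolated query but not the fix. The following is an added example, not code from the webinar or from Zend: it runs the slide's pattern against a constructed in-memory SQLite table through PDO, beside a version that validates the type and binds the value as a parameter. It assumes the pdo_sqlite extension is available; the table, rows and the function names are constructed for illustration.

```php
<?php
// Added example (not from the slides): the slide's vulnerable query beside a
// parameterized version, run against a constructed in-memory SQLite table
// via PDO so it works offline. Assumes the pdo_sqlite extension is loaded.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// The slide's pattern: request data interpolated straight into the SQL text.
function vulnerableLookup(PDO $pdo, string $id): array {
    $query = "SELECT * FROM users WHERE id = {$id}";   // do not do this
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: check the assumption ("it's an integer") first, then bind the
// value as a parameter so the database never parses it as SQL.
function safeLookup(PDO $pdo, string $id): array {
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input standing in for a tautology appended to ?id= in the URL.
$tainted = '1 OR 1=1';

echo "vulnerable: " . count(vulnerableLookup($pdo, $tainted)) . " rows\n";
try {
    safeLookup($pdo, $tainted);
} catch (InvalidArgumentException $e) {
    echo "safe: rejected (" . $e->getMessage() . ")\n";
}
echo "safe: " . count(safeLookup($pdo, '1')) . " row(s)\n";
```

Run from the command line: the interpolated query hands back every row of the table, while the bound version rejects the tainted string outright and returns only the requested row for a genuine integer. The same two-step pattern (validate the type, then bind) applies to the UPDATE example on the slide; a parameterized `password = :newpass` can never terminate the string and rewrite the WHERE clause.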
    15. Cross-Site Scripting (XSS)
        • XSS: Cross-Site Scripting attacks are an injection of HTML, CSS, or script code into a page
          • JavaScript is especially a threat
          • Displaying data mis-interpreted by the browser is the primary cause
        • Example of an attack: Form input
          • User input details are gathered by probing vulnerable dynamically generated form error messages on a web site
          • The attacker alters the site’s HTML and inserts malicious code into a link on what looks like the original web site… when the link is clicked by the user, the attacker’s web site handles the request instead of the intended web site
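The defense against "data mis-interpreted by the browser" is to encode every untrusted value for the exact context it lands in. The following is an added example, not from the webinar or from Zend: it renders one constructed value into an HTML body, an attribute and a JavaScript string literal, each with the encoding that context needs. The helper names and the template are assumptions; the functions used are PHP's own.

```php
<?php
// Added example (not from the slides): context-aware output encoding, which is
// the core XSS defense. Helper names and the template are constructed.

// Encode for HTML text content and for double-quoted attribute values.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode for a JavaScript string literal inside a <script> block. The HEX
// flags make sure "<", ">", "&" and quotes cannot terminate the script element.
function eJs(string $value): string {
    return (string) json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function renderGreeting(string $name): string {
    // Every interpolation is encoded for the context it is written into.
    return '<p>Hello, ' . e($name) . '</p>' . "\n"
         . '<input type="text" name="name" value="' . e($name) . '">' . "\n"
         . '<script>var who = ' . eJs($name) . ';</script>' . "\n";
}

// Constructed input: echoed raw it would close the attribute and add a tag;
// encoded, the browser shows it as literal text.
$tainted = '"><b>injected</b>';

// Declare the charset so the browser cannot guess a different one and
// reinterpret the bytes (a no-op on the command line).
header('Content-Type: text/html; charset=UTF-8');
echo renderGreeting($tainted);
```

The point the slide makes is that the browser, not the server, decides what the bytes mean; the encoder therefore has to match the destination. `htmlspecialchars` is correct for text and attributes but not for a script block or a URL, which need their own encoders, and no encoder is appropriate before the value is stored, only at the moment it is output.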
    16. XSS/XST Injection Attacks
        [Diagram: Evil Doer, Victim User, Trusted Site. (1) Injection, (2) User Request, (3) Evil HTML, (4) User’s Private Data]
    17. Session Fixation
        • User gets a "fixed" session ID
          • Usually via a specially crafted URL made to look like a real site
        • Unless specified, PHP will use an assigned session ID as the ID being used
          • i.e., from cookie or URL
        • Basically, you have made an unpredictable value used in secure transactions predictable
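The slide's "unless specified" is the key: PHP has to be told not to adopt an ID it did not issue and to replace the ID once the user authenticates. The following is an added example, not from the webinar or from Zend, showing those settings and the regeneration step. The function names are assumptions for illustration; the ini directives and session functions are PHP's own (the array form of `session_set_cookie_params` needs PHP 7.3 or later).

```php
<?php
// Added example (not from the slides): hardening PHP session handling against
// the fixation scenario above. Function names are constructed; settings are PHP's.

function startHardenedSession(): void {
    // Refuse to adopt a session ID the server did not generate itself.
    ini_set('session.use_strict_mode', '1');
    // Never read or write the ID from the URL; cookies only.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable by script (limits XSS theft)
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once credentials have been verified: swap the pre-authentication ID
// for a fresh one, so any ID planted before login never becomes an
// authenticated session.
function loginUser(int $userId): void {
    session_regenerate_id(true); // true: discard the old session data as well
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();
}

function logoutUser(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Constructed usage: a user with id 42 logs in.
startHardenedSession();
$before = session_id();
loginUser(42);
echo "session id changed: " . ($before !== session_id() ? 'yes' : 'no') . "\n";
```

With `use_strict_mode` on, an unknown ID presented by the client is discarded and a new one issued, which defeats the crafted-URL scenario on the slide even before login; regenerating at login closes the remaining window where an attacker-supplied ID could have been accepted by a cookie set on a related domain.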
    18. Remember It’s about Information
        • If you’re not designing applications that help you identify your Principals and how they are attacked, you will fail
          • Take the extra time to validate your assumptions
            • You think it’s an integer? Check that
            • You think that environment variable is A or B? Make sure it’s not C before you use it
          • LOG LOG LOG LOG LOG LOG LOG LOG ….
            • And analyze them
          • Be ready to respond to new threats
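The two checks on this slide, and the instruction to log, fit in a pair of small helpers. The following is an added example, not from the webinar or from Zend: an integer validator with a range, an allow-list check for a value that should be A or B and nothing else, and a log line for every rejection so the logs are worth analyzing later. Helper names and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);
// Added example (not from the slides): validating the assumptions the slide
// lists and logging each rejection. Helper names and inputs are constructed.

function requireInt(string $name, mixed $value, int $min = PHP_INT_MIN, int $max = PHP_INT_MAX): int {
    // FILTER_VALIDATE_INT accepts "12" but rejects "12abc", "1e3", floats and arrays.
    $ok = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => $min, 'max_range' => $max]]);
    if ($ok === false) {
        error_log(sprintf('rejected %s: expected int in [%d,%d], got %s',
            $name, $min, $max, var_export($value, true)));
        throw new InvalidArgumentException("invalid $name");
    }
    return $ok;
}

function requireOneOf(string $name, mixed $value, array $allowed): string {
    // Strict comparison against an allow-list: "A" or "B", never a surprise "C".
    if (!is_string($value) || !in_array($value, $allowed, true)) {
        error_log(sprintf('rejected %s: not in [%s], got %s',
            $name, implode(',', $allowed), var_export($value, true)));
        throw new InvalidArgumentException("invalid $name");
    }
    return $value;
}

// Constructed request and environment values standing in for $_GET / getenv().
$samples = [
    ['page',    '7',     fn($v) => requireInt('page', $v, 1, 1000)],
    ['page',    '7abc',  fn($v) => requireInt('page', $v, 1, 1000)],
    ['page',    ['7'],   fn($v) => requireInt('page', $v, 1, 1000)],
    ['APP_ENV', 'prod',  fn($v) => requireOneOf('APP_ENV', $v, ['dev', 'prod'])],
    ['APP_ENV', 'debug', fn($v) => requireOneOf('APP_ENV', $v, ['dev', 'prod'])],
];
foreach ($samples as [$name, $value, $check]) {
    try {
        $check($value);
        echo "$name accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$name rejected (see error log)\n";
    }
}
```

Note that the array case is rejected too: a query string like `page[]=7` turns `$_GET['page']` into an array, which is exactly the kind of wrong-type assumption the slide warns about, and a plain `(int)` cast would not catch it.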
    19. Remember, It’s About Information
        • Every piece of information you give the attacker will help him formulate his attack vector
        • If you were an attacker, what could you derive from the following error message?
          Notice: Undefined index: passwd in /usr/local/Zend/apache2/htdocs/includes/
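The notice on the slide leaks a field name and an install path because PHP is rendering errors into the response. The following is an added example, not from the webinar or from Zend: it keeps the full detail in the server log and sends the client only a generic message with a correlation reference. The ini directives and handler functions are PHP's own; the handler bodies, log path and the constructed empty form are assumptions.

```php
<?php
// Added example (not from the slides): log the detail, never display it.
// Settings are PHP's own; handler bodies and the log path are constructed.

// Production baseline (php.ini is the better place; ini_set keeps this self-contained).
ini_set('display_errors', '0');          // never render notices or paths to the client
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');              // but do record them
ini_set('error_log', sys_get_temp_dir() . '/app-errors.log'); // constructed path
error_reporting(E_ALL);                  // keep reporting everything so it gets logged

// Route every PHP error through one handler that logs with request context.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    error_log(sprintf('[%d] %s in %s:%d (uri=%s)',
        $no, $msg, $file, $line, $_SERVER['REQUEST_URI'] ?? 'cli'));
    return true; // handled: suppress PHP's own output
});

// Uncaught exceptions: log the specifics, show the client a reference only.
set_exception_handler(function (Throwable $t): void {
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[ref %s] uncaught %s: %s in %s:%d',
        $ref, get_class($t), $t->getMessage(), $t->getFile(), $t->getLine()));
    http_response_code(500);
    echo "Something went wrong. Reference: $ref\n";
});

// The slide's scenario: reading a form field that was never submitted.
$form = [];                        // constructed: an empty POST
$passwd = $form['passwd'];         // undefined key: logged by the handler, not displayed
$passwd = $form['passwd'] ?? null; // the code-level fix: do not assume the index exists

echo "Request handled; details are in " . ini_get('error_log') . "\n";
```

The reference string is the practical compromise between the two halves of the slide: it gives support staff a handle to find the full log entry, while the attacker learns nothing about field names, paths or the PHP version from the response.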
    20. Thank you! Questions?
        For additional info on our PHP security classes, please visit:
        Don’t forget: Our next 6-hour online seminar – “Building Security into your PHP Applications” - is being offered on June 26-28, but seats are filling fast!