Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

PHP Security Tips


Published on

Published in: Technology

PHP Security Tips

  1. 1. PHP Security<br />E-mail:<br />Twitter: @dragonmantank<br /> dragonmantank<br />September 20, 2011<br />NWO-PUG <br />1<br />
  2. 2. Who are you and why are you in my house?<br />Chris Tankersley<br />Doing PHP for 8 Years<br />Lots of projects no one uses, and a few that some do<br />TL;DR<br />NWO-PUG <br />2<br />September 20, 2011<br />
  3. 3. The Parts of Security<br />It’s more than just a username/password<br />NWO-PUG <br />3<br />September 20, 2011<br />
  4. 4. What is Secure Programming?<br />Minimizing Attack Surface<br />Establishing Secure Defaults<br />Principle of Least Privilege<br />Defense in Depth<br />Fail Securely<br />Don’t Trust Services or Users<br />Separation of Duties<br />Avoid Security through Obscurity<br />Keep Security Simple<br />Fix Security Issues Correctly<br />September 20, 2011<br />NWO-PUG <br />4<br /><br />
  5. 5. Most Common Attacks<br />And how to avoid them<br />NWO-PUG <br />5<br />September 20, 2011<br />
  6. 6. OWASP Top 10<br />Injection<br />Cross-Site Scripting<br />Broken Authentication and Session Management<br />Insecure Direct Object References<br />Cross-Site Request Forgery<br />Security Misconfiguration<br />Insecure Cryptographic Storage<br />Failure To Restrict URL Access<br />Insufficient Transport Layer Protection<br />Unvalidated Redirects and Forwards<br />NWO-PUG <br />6<br /><br />September 20, 2011<br />
  7. 7. Injection<br />NWO-PUG <br />7<br />September 20, 2011<br />
  8. 8. What is Injection?<br />When a user or service corrupts a command due to improper validation of input<br />September 20, 2011<br />NWO-PUG <br />8<br />
  9. 9. Many Shapes and Sizes<br />SQL Injection<br />Command Injection<br />HTML Injection<br />September 20, 2011<br />NWO-PUG <br />9<br />
  10. 10. Protecting against Injections Attacks<br />Filter user input<br />Escape anything not hard-coded<br />Ignore $_REQUEST<br />NWO-PUG <br />10<br />September 20, 2011<br />
  11. 11. SQL Injection<br />NWO-PUG <br />11<br />September 20, 2011<br />
  12. 12. A Bit More Real Life<br />NWO-PUG <br />12<br />September 20, 2011<br />
  13. 13. Protecting against SQL Injection<br />Use PDO and prepared statements<br />NWO-PUG <br />13<br />September 20, 2011<br />
  14. 14. Command Injection<br />When your script calls an external program, users can run code<br />NWO-PUG <br />14<br />September 20, 2011<br />
  15. 15. Protecting against Command Injection<br />If allowing the user to specify commands, use escapeshellcmd()<br />If allowing the user to specify arguments, use escapeshellarg()<br />NWO-PUG <br />15<br />September 20, 2011<br />
  16. 16. HTML/Script Injection<br />HTML Injection: When user input is used to create new markup that the application did not expect<br />Script Injection: When user input is used to add new scripting to a page<br />NWO-PUG <br />16<br />September 20, 2011<br />
  17. 17. HTML/Script Injection<br />NWO-PUG <br />17<br />September 20, 2011<br />
  18. 18. Protecting against HTML/Script Injection<br />Decide if you really need to take HTML input<br />If you do:<br />Use an HTML cleaner like Tidy or htmLawed<br />Create a whitelist of allowed tags<br />If you don’t:<br />Use htmlentities()/htmlspecialchars()<br />NWO-PUG <br />18<br />September 20, 2011<br />
  19. 19. Cross Site Scripting<br />Or XSS<br />NWO-PUG <br />19<br />September 20, 2011<br />
  20. 20. What is it?<br />When a user injects a script into a page or extra JS into a command to send information to another site<br />September 20, 2011<br />NWO-PUG <br />20<br />
  21. 21. How to avoid XSS?<br />Since this is an injection attack, use the same steps as a HTML/Script injection<br />NWO-PUG <br />21<br />September 20, 2011<br />
  22. 22. Broken Authentication and Session Management<br />NWO-PUG <br />22<br />September 20, 2011<br />
  23. 23. What is it?<br />Insecure storing of credentials<br />Session IDs exposed via URL<br />Session fixation attacks<br />September 20, 2011<br />NWO-PUG <br />23<br />
  24. 24. Storing Credentials<br />Hash with a salt using the hash() command<br />Do not use md5 or sha1, use at least sha256<br />md5 and sha1 are broken and not recommended for secure hashing<br />If you have to use the raw data, encrypt using mcrypt() <br />Use AES256 (RIJNDAEL 256)<br />NWO-PUG <br />24<br />September 20, 2011<br />
  25. 25. Session IDs in URL<br />Commonly used when cookies can’t be enabled<br />Make sure the following is set in your php.ini:<br />session.use_trans_id = 0<br />session.use_only_cookies = 1<br />NWO-PUG <br />25<br />September 20, 2011<br />
  26. 26. Session Fixation<br />What happens if your users don’t log out?<br />Use sessions to detect login status<br />NWO-PUG <br />26<br />September 20, 2011<br />
  27. 27. Insecure Direct Object References<br />NWO-PUG <br />27<br />September 20, 2011<br />
  28. 28. What is it?<br />Making sure that what the user is accessing they have access to.<br />Should be handled by checking authorization when accessed, or mapping<br />This is not an injection attack, but a logic attack<br />September 20, 2011<br />NWO-PUG <br />28<br />
  29. 29. An Example<br />NWO-PUG <br />29<br />September 20, 2011<br />
  30. 30. How to Avoid<br />Always check to make sure the user has authorization to access the resource<br />Map variables/whitelist to make it harder<br />NWO-PUG <br />30<br />September 20, 2011<br />
  31. 31. Cross Site Request Forgery<br />Or CSRF Attacks<br />NWO-PUG <br />31<br />September 20, 2011<br />
  32. 32. What is it?<br />When unauthorized commands are sent to and from a trusted website<br />In days gone by, this would be done with Referral checking, but don’t trust referrer information<br />September 20, 2011<br />NWO-PUG <br />32<br />
  33. 33. An example – Bank Transfer<br />A bank transfer is done via $_GET variables<br />User is authenticated but not logged out<br />NWO-PUG <br />33<br />September 20, 2011<br />
  34. 34. How to avoid this<br />Include a hidden element in the form with a one-time value<br />NWO-PUG <br />34<br />September 20, 2011<br />
  35. 35. Security Misconfiguration<br />NWO-PUG <br />35<br />September 20, 2011<br />
  36. 36. Beyond the scope of programming<br />Check for server hardening guidelines for your OS<br />Password rotation practices<br />Understanding your settings<br />Keep your stack up to date!<br />September 20, 2011<br />NWO-PUG <br />36<br />
  37. 37. Insecure Cryptographic Storage<br />NWO-PUG <br />37<br />September 20, 2011<br />
  38. 38. More of a logic problem<br />Encrypting data in the database, but leaving it unencrypted during output<br />Using unsalted hashes<br />September 20, 2011<br />NWO-PUG <br />38<br />
  39. 39. How to avoid this<br />Like when storing credentials, use a salt whenever hashing information<br />Only decrypt data when it is needed<br />NWO-PUG <br />39<br />September 20, 2011<br />
  40. 40. Failure to Restrict URL Access<br />NWO-PUG <br />40<br />September 20, 2011<br />
  41. 41. What is it?<br />When users can gain access to parts of the application just through URL manipulation<br />When the app doesn’t check authorization properly<br />September 20, 2011<br />NWO-PUG <br />41<br />
  42. 42. Security through Obscurity<br />Don’t trust that just because a user doesn’t know a URL, they can’t get to it<br />Fuzzers can find all kinds of things, especially if the app is common<br />NWO-PUG <br />42<br />September 20, 2011<br />
  43. 43. How to avoid this<br />ALWAYS check authorization. The extra CPU cycles are worth it.<br />NWO-PUG <br />43<br />September 20, 2011<br />
  44. 44. Insufficient Transport Layer Protection<br />NWO-PUG <br />44<br />September 20, 2011<br />
  45. 45. Not using SSL when you should<br />If your data is sensitive, use SSL<br />Are your logins behind SSL?<br />There isn’t really an excuse. You can get an SSL cert for $9/year. <br />September 20, 2011<br />NWO-PUG <br />45<br />
  46. 46. Unvalidated Redirects and Forwards<br />NWO-PUG <br />46<br />September 20, 2011<br />
  47. 47. What is it?<br />When an app doesn’t properly validate that the redirect destination is valid<br />September 20, 2011<br />NWO-PUG <br />47<br />
  48. 48. Putting it Together<br />NWO-PUG <br />48<br />September 20, 2011<br />
  49. 49. Attacking from Multiple Fronts<br />Attackers will employ many different vectors in an attack<br />HTML injection can take advantage of a Broken Auth system and use XSS or URL restrictions to force users to do unintended actions<br />Script injection can lead to Session hijacking <br />September 20, 2011<br />NWO-PUG <br />49<br />
  50. 50. Remember…<br />Minimizing Attack Surface<br />Establishing Secure Defaults<br />Principle of Least Privilege<br />Defense in Depth<br />Fail Securely<br />Don’t Trust Services or Users<br />Separation of Duties<br />Avoid Security through Obscurity<br />Keep Security Simple<br />Fix Security Issues Correctly<br />September 20, 2011<br />NWO-PUG <br />50<br /><br />
  51. 51. Questions?<br />September 20, 2011<br />NWO-PUG <br />51<br />