Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Web application security


Published on

Web application security in PHP

Published in: Software
  • Be the first to comment

Web application security

  1. 1. Web Application Security PHP REBOOT Kapil Sharma PHP REBOOT 1
  2. 2. Introduction Kapil Sharma Technical Architect, Eastern Enterprise (DBA Ansh Systems) Working in Web Application development since last 10 years Twitter: @KapilSharmaInfo Personal Website: Blog: Kapil Sharma PHP REBOOT 2
  3. 3. Web Application Important factors for Web Application Performance Maintainability Scalability Reliability Security (Probably most important, still most ignored by developers) Kapil Sharma PHP REBOOT 3
  4. 4. Why me? My web application is small. I have few users. There is no money transaction on my app. I do not store any confidential information of users. Then why the hell someone hack my site. Kapil Sharma PHP REBOOT 4
  5. 5. Kapil Sharma PHP REBOOT 5
  6. 6. Web Application Security Web Application security is not language specific but a common topic for all programming language. This session, in general, is applicable to any web application programming language, but our examples are in PHP. Kapil Sharma PHP REBOOT 6
  7. 7. PHP Features To make development easier, PHP provide many features. One of the feature that attracted more attention, from security point of view, is ‘register_globals’ Kapil Sharma PHP REBOOT 7
  8. 8. register_globals: What is it? Supposed to make PHP application development easy. By default, it is ‘off’ since PHP 4.2 (We will shortly see why?) It convert all incoming data into global variables. For example If register_globals is ‘on’, PHP will create following variable $abc = “xyz”; Kapil Sharma PHP REBOOT 8
  9. 9. Register globals: Disadvantages Having all incoming data converted into variables. It might make development easy but it is not free. Biggest disadvantage, we never know from where variable data is coming. In previous example, we can say if data came from GET/POST, cookie, or HTML Form etc. Kapil Sharma PHP REBOOT 9 Cont..
  10. 10. Register globals: Disadvantages Along with that, for ignorant programmers, it is a security threat (We will see it shortly) It is not recommended to use ‘register_globals’ and it was turned-off by default in php.ini since PHP version 4.2 As replacement, use another more specific global variables like $_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV, $_REQUEST Kapil Sharma PHP REBOOT 10
  11. 11. Register globals: security issue ‘register_globals’ was a feature enhancement in PHP, aimed to make PHP easier for programmers. It is not a security threat in itself. A programmer must make a mistake before it become security threat. Lets check with an example. Kapil Sharma PHP REBOOT 11
  12. 12. Register globals: security issue Is there any problem in this code? If (isAdminUser()) { $admin = true; } if ($admin) { //load admin panel. } Kapil Sharma PHP REBOOT 12 $admin = true; $admin = false; NEVER TAKE A DECISION BASED ON A VARIABLE WHICH MIGHT NOT BE INITIALIZED. Register globals will generate following variable for this code $admin = 1; Which, after PHP’s internal type casting, will be: $admin = true;
  13. 13. OWAPS Open Web Application Security Project. OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software. Kapil Sharma PHP REBOOT 13
  14. 14. OWAPS: Recommendation U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. U.S. Defense Information Systems Agency lists OWASP Top Ten as part of the Defense Information Technology Security Certification and Accreditation (C & A) Process (DITSCAP) The Payment Card Industry (PCI) standards has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. Kapil Sharma PHP REBOOT 14
  15. 15. OWASP Top Ten The OWASP Top Ten is a powerful awareness document for web application security. It is list of the ten Most Critical Web Application Security Risks And for each Risk it provides: A description Example vulnerabilities Example attacks Guidance on how to avoid References to OWASP and other related resources Kapil Sharma PHP REBOOT 15
  16. 16. OWASP Top 10 (in 2013) A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Unvalidated Redirects and Forwards Kapil Sharma PHP REBOOT 16
  17. 17. A1: Injection SQL Injection is one of most common injection but there are more injection possible. Kapil Sharma PHP REBOOT 17 LDAP Injection NoSQL Injection File Injection (OS) Command Injection
  18. 18. SQL Injection In data driven web application, it is common to allow user to set filter on data. Such application use dynamic SQL queries, driven by user input. SQL Injection need two mistakes from developer: A failure to filter data (Filter Input) and Failure to escape data Kapil Sharma PHP REBOOT 18
  19. 19. SQL Injection example (Basic) $sql = "SELECT * FROM Users WHERE user_id = " . $userID; userId = 10 OR 1=1 SELECT * FROM Users WHERE user_id = 10 OR 1=1 Kapil Sharma PHP REBOOT 19
  20. 20. SQL Injection example <?PHP $password_hash = md5($_POST['password']); $sql = "SELECT count(*) FROM users WHERE username = '{$_POST['username']}' AND password = '$password_hash' "; Kapil Sharma PHP REBOOT 20
  21. 21. SQL Injection example <?PHP $password_hash = md5($_POST['password']); $sql = "SELECT count(*) FROM users WHERE username = '{$_POST['username']}' AND password = '$password_hash' "; mysql_query($sql) or exit(mysql_error) Username = ' SELECT count(*) FROM users WHERE username = ''' AND password = '<md5 hash>' Kapil Sharma PHP REBOOT 21
  22. 22. SQL Injection example You have an error in your SQL syntax. Check the manual that corresponds to your MySQL version for the right syntax to use near 'WHERE username = ''' AND password = 'a0b339d7c… Kapil Sharma PHP REBOOT 22
  23. 23. SQL Injection example <?PHP $password_hash = md5($_POST['password']); $sql = "SELECT count(*) FROM users WHERE username = '{$_POST['username']}' AND password = '$password_hash' "; mysql_query($sql) or exit(mysql_error) Username = kapil' or 'a' = 'a' -- Kapil Sharma PHP REBOOT 23
  24. 24. SQL Injection protection Filter data Escape data mysqli_real_escape_string Prepared statements (prefer PDO) ORM Doctrine Propel Eloquent Kapil Sharma PHP REBOOT 24
  25. 25. A2: Broken Authentication and Session Management What is Authentication? Session? Cookie? Kapil Sharma PHP REBOOT 25
  26. 26. A2: Broken Authentication and Session Management You are vulnerable to Broken Authentication and Session Management if: Password not hashed/encrypted in database. No wrong password limit (Brute Force attack) Session id exposed in URL No session timeout. Session id vulnerable to session fixation. Kapil Sharma PHP REBOOT 26
  27. 27. Session Hijecking http://website.kom/ <script>document.c ookie=”sessionid=ab cd”;</script> http://website.kon/ <meta http- equiv=Set-Cookie content=”sessionid= abcd”> Kapil Sharma PHP REBOOT 27
  28. 28. Securing Session with PHP Kapil Sharma PHP REBOOT 28
  29. 29. Securing Session with PHP static protected function preventHijacking() { if(!isset($_SESSION['IpAddress']) || !isset($_SESSION['userAgent'])) return false; if ($_SESSION['IPaddress'] != $_SERVER['REMOTE_ADDR']) return false; if( $_SESSION['userAgent'] != $_SERVER['HTTP_USER_AGENT']) return false; return true; } Kapil Sharma PHP REBOOT 29
  30. 30. Authentication Use proven and opensource component/bundle/module/library Zend Framework: Zend_Auth & Zend_Acl Synfony: Security Component Laravel: IlluminateAuth (Security) Aura: Aura.Auth Cake PHP: AuthComponent Code Igniter: TankAuth (3rd party) Kapil Sharma PHP REBOOT 30
  31. 31. A3: Cross Site Scripting (XSS) Kapil Sharma PHP REBOOT 31
  32. 32. XSS Types Persistent Non-Persistent Kapil Sharma PHP REBOOT 32
  33. 33. Non-Persistent XSS attack example $name = $_GET['name']; echo "Welcome $name<br>"; echo "<a href="">Click to Download</a>"; Kapil Sharma PHP REBOOT 33
  34. 34. Non-Persistent XSS attack example $name = $_GET['name']; echo "Welcome $name<br>"; echo "<a href="">Click to Download</a>"; index.php?name=<script>windo w.onload = function() {var link=document.getElementsByT agName("a");link[0].href="http: //";}</script> Kapil Sharma PHP REBOOT 34 Escape output
  35. 35. Cross Site Request Forgery (CSRF) In XSS, hacker trick user playing is real server. In CSRF, hacker trick server playing as real end user. Kapil Sharma PHP REBOOT 35
  36. 36. Cross Site Request Forgery (CSRF) Example User login to his back at User login to another site at Code <h1>Hi innocent user</h1> Check image below <img src=" 0&remark=hacked"> Kapil Sharma PHP REBOOT 36
  37. 37. Preventing CSRF Always use post for forms. Always check referrer. Synchronize Token Secret and unique token <input type="hidden" name="csrftoken" value=“Random unique value"> Validate that token at server side. Kapil Sharma PHP REBOOT 37
  38. 38. Security best practices If we remember few best practices, we could be safe against most of the security threats. Lets go through these best practices. Kapil Sharma PHP REBOOT 38
  39. 39. Error reporting Property Development Production error_reporting E_ALL | E_STRICT E_ALL | E_STRICT display_errors On Off log_errors Off/On On error_log Error log path Error log path Kapil Sharma PHP REBOOT 39
  40. 40. KISS (Keep It Simple, Stupid) Flashy, hard to read code = Mistake Mistake = Security vulnerability The KISS principle states that most systems work best if they are kept simple rather than made complicated. (source: wikipedia) Keep It Short and Simple. Keep It Simple and Straightforward. Kapil Sharma PHP REBOOT 40
  41. 41. DRY (Don’t Repeat Yourself) Major refactoring principle: Don’t Repeat Yourself. Kapil Sharma PHP REBOOT 41
  42. 42. Defense in depth Well known principle among security professionals. Always have a backup plan. Kapil Sharma PHP REBOOT 42
  43. 43. Least Privileges Identify what privileges a user will need to perform his task. Never give more then needed privileges. Kapil Sharma PHP REBOOT 43
  44. 44. Minimal Data Exposure Data exposure to remotes must be minimal. Remote = Browser, Database, Web Services. Getting CC info -> SSL Display again for verification -> SSL, Strip1234-XXXX-XXXX-4321 Always know and keep track of sensitive data. Kapil Sharma PHP REBOOT 44
  45. 45. Track Data Keep track of Data: What the data is? Where the Data is? From where the Data is coming? Where the Data is going? Kapil Sharma PHP REBOOT 45
  46. 46. Filter Input Save CSRF, Injection, Session Hijacking etc. Consider data from Session and database as input. Never correct invalid data. Consider data is invalid until you proved it is valid. Kapil Sharma PHP REBOOT 46
  47. 47. Filter Input (Core PHP) filter_input($type, $variable_name[,$filter[,$options]]) ZF: Zend_Filter_Input, Zend_Filter Symfony: Allow YAML, Annotation, XML and PHP filters. Kapil Sharma PHP REBOOT 47
  48. 48. Escape Output Identify output, is it entered by user? Escape if yes. Escape it Htmlentities Zend Framework. Zend_View’s escape $this->escape($userInput) Symfony/twig escape all the data by default. Laravel 4/blade {{{ raw }}}, {{escaped}} Yii CHtml::encode(strip_tags()) Kapil Sharma PHP REBOOT 48
  49. 49. Conclusion: Never forget about Proper error reporting Proper php.ini settings KISS DRY Defense in Depth Least priviledges Minimal Data Exposure Track Data Filter Input Escape Output Kapil Sharma PHP REBOOT 49
  50. 50. Kapil Sharma PHP REBOOT 50