James Titcomb's presentation at the PHP Berkshire meetup discusses security best practices for PHP applications, highlighting the OWASP top 10 vulnerabilities, such as SQL injection and cross-site scripting. He emphasizes the importance of simple, secure coding, input filtering, output escaping, and using cryptography correctly. The talk also covers various security measures like proper authentication, authorization, and server security configurations.

1. Dip Your Toes
in the Sea of Security
James Titcumb
PHP Berkshire Meetup - November 2015

2. James Titcumb
www.jamestitcumb.com
www.roave.com
www.phphants.co.uk
www.phpsouthcoast.co.uk
@asgrim
Who is this guy?

3. Some simple code...
<?php
$a = (int)filter_var($_GET['a'], FILTER_SANITIZE_NUMBER_INT);
$b = (int)filter_var($_GET['b'], FILTER_SANITIZE_NUMBER_INT);
$result = $a + $b;
printf('The answer is %d', $result);

5. The Golden Rules

6. The Golden Rules
(my made up golden rules)

7. 1. Keep it simple

8. 2. Know the risks

9. 3. Fail securely

10. 4. Don’t reinvent the wheel

11. 5. Never trust anything

12. OWASP
& the OWASP Top 10
https://www.owasp.org/

13. Application Security
(mainly PHP applications)

14. Always remember…
Filter Input
Escape Output

15. © 2003 Disney/Pixar. All Rights Reserved.
SQL Injection (#1)

16. SQL Injection (#1)
http://xkcd.com/327/

17. SQL Injection (#1)
1. Use PDO / mysqli
2. Use prepared / parameterized statements

18. SQL Injection (#1)
<?php
// user_id=1; DROP TABLE users; --
$user_id = $_GET['user_id'];
$sql = "
SELECT * FROM users
WHERE user_id = {$user_id}";
$db->execute($sql);
✘

19. SQL Injection (#1)
<?php
$user_id = $_GET['user_id'];
$sql = "
SELECT * FROM users
WHERE user_id = :userid";
$stmt = $db->prepare($sql);
$stmt->bind('userid', $user_id);
$stmt->execute();
✓

20. © 2003 Disney/Pixar. All Rights Reserved.

21. exec($_GET)
https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code

22. eval()
https://github.com/search?q=eval%28%24_GET&type=Code&ref=searchresults

23. Cross-Site Scripting / XSS (#3)
© 2003 Disney/Pixar. All Rights Reserved.

24. Cross-Site Scripting / XSS (#3)
● Escape output
<?php
$unfilteredInput = '<script type="text/javascript">...</script>';
// Unescaped - JS will run :'(
echo $unfilteredInput;
// Escaped - JS will not run :)
echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

25. Cross-Site Request
Forgery / CSRF (#8)
http://www.factzoo.com/invertebrates/cuttlefish-chameleon-of-the-sea.html

26. <?php
if (!$isPost) {
$csrfToken = base64_encode(random_bytes(32)));
$_SESSION['csrf_token'] = $csrfToken;
// ... output the form ...
echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />';
} else if ($isPost) {
if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
die("Token invalid...");
}
// ... handle the form ...
}
Cross-Site Request Forgery / CSRF (#8)

27. <?php
if (!$isPost) {
$csrfToken = base64_encode(random_bytes(32)));
$_SESSION['csrf_token'] = $csrfToken;
// ... output the form ...
echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />';
} else if ($isPost) {
if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
die("Token invalid...");
}
// ... handle the form ...
}
Cross-Site Request Forgery / CSRF (#8)

28. Errors, Exceptions &
Logging (#6)
© 2003 Disney/Pixar. All Rights Reserved.

29. Errors, Exceptions & Logging (#6)

30. © 2003 Disney/Pixar. All Rights Reserved.

31. curl + https
<?php
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
✘

32. curl + https
<?php
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate");
✓

33. © 2003 Disney/Pixar. All Rights Reserved.

34. WordPress Plugins

35. WordPress Plugins
Urgh.

37. We are not all
security experts!

38. We are not all
security experts!
… but we CAN write secure code

39. Be the threat
Think Differently

40. What do you want?
Think Differently

41. How do you get it?
Think Differently

42. Threat Modelling
D.R.E.A.D.
© Buena Vista Pictures

43. Threat Modelling
Damage
R
E
A
D
© Buena Vista Pictures

44. Threat Modelling
Damage
Reproducibility
E
A
D
© Buena Vista Pictures

45. Threat Modelling
Damage
Reproducibility
Exploitability
A
D
© Buena Vista Pictures

46. Threat Modelling
Damage
Reproducibility
Exploitability
Affected users
D
© Buena Vista Pictures

47. Threat Modelling
Damage
Reproducibility
Exploitability
Affected users
Discoverability
© Buena Vista Pictures

48. Authentication
& Authorization

49. Authentication
Verifying Identity

50. Case Study: Custom Authentication
We thought about doing this…

51. Case Study: Custom Authentication
We thought about doing this…

52. Case Study: Custom Authentication
We thought about doing this…
✘

53. Password Hashing
password_hash()

54. Authorization
Verifying Access

55. CRYPTOGRAPHY
IS
HARD

57. CRYPTOGRAPHY
IS
HARD
NEVER EVER “ROLL YOUR OWN”

58. CRYPTOGRAPHY
IS
HARD
NEVER EVER “ROLL YOUR OWN”
EVER!!!

59. How to encrypt then?

60. I’ve got some
great ideas for
encryption...
Image: The Guardian (http://goo.gl/pUkyvO)

61. How to encrypt then?
libsodium PECL package

62. Linux Server Security

63. Create an SSH Fortress

64. Firewalls

65. iptables
#!/bin/bash
IPT="/sbin/iptables"
$IPT --flush
$IPT --delete-chain
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# Loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Inbound traffic
$IPT -A INPUT -p tcp --dport ssh -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT
# Outbound traffic
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

66. ufw
sudo ufw enable
sudo ufw allow 22
sudo ufw allow 80

67. Mitigate Brute Force
Attacks

68. Install Only
What You Need

69. © 2003 Disney/Pixar. All Rights Reserved.

70. +

71. Case Study: Be Minimal
Internets
Postfix
Squid Proxy
(badly configured)
hacker
spam

72. Resources
● http://securingphp.com/
● https://www.owasp.org/
● http://blog.ircmaxell.com/
● https://github.com/paragonie/random_compat
● https://github.com/ircmaxell/password_compat

73. The Golden Rules
1. Keep it simple
2. Know the risks
3. Fail securely
4. Don’t reinvent the wheel
5. Never trust anything / anyone

74. If you follow all this, you get...

75. If you follow all this, you get...

76. Any questions? :)
...
James Titcumb @asgrim