The document is a presentation by James Titcumb on security practices for PHP applications at the PHP UK Conference 2016. It emphasizes key principles like simplicity, risk awareness, secure failures, and the importance of established guidelines from OWASP, while providing examples of SQL Injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). Additionally, it discusses the significance of secure coding, third-party code caution, and maintaining server security.

1. Dip Your Toes in the
Sea of Security
James Titcumb
PHP UK Conference 2016

2. James Titcumb
www.jamestitcumb.com
www.roave.com
www.phphants.co.uk
www.phpsouthcoast.co.uk
@asgrim
Who is this guy?

3. Use “phpuk16” discount code!

4. Some simple code...
<?php
$a = (int)filter_var($_GET['a'], FILTER_SANITIZE_NUMBER_INT);
$b = (int)filter_var($_GET['b'], FILTER_SANITIZE_NUMBER_INT);
$result = $a + $b;
printf('The answer is %d', $result);

6. The Golden Rules

7. The Golden Rules
(my made up golden rules)

8. 1. Keep it simple

9. 2. Know the risks

10. 3. Fail securely

11. 4. Don’t reinvent the wheel

12. 5. Never trust anything

13. OWASP
& the OWASP Top 10
https://www.owasp.org/

14. Application Security
(mainly PHP applications)

15. Always remember…
Filter Input
Escape Output

16. © 2003 Disney/Pixar. All Rights Reserved.
SQL Injection (#1)

17. SQL Injection (#1)
http://xkcd.com/327/

18. SQL Injection (#1)
1. Use PDO / mysqli
2. Use prepared / parameterized statements

19. SQL Injection (#1)
<?php
// user_id=1; DROP TABLE users; --
$user_id = $_GET['user_id'];
$sql = "
SELECT * FROM users
WHERE user_id = {$user_id}";
$db->execute($sql);
✘

20. SQL Injection (#1)
<?php
$user_id = $_GET['user_id'];
$sql = "
SELECT * FROM users
WHERE user_id = :userid";
$stmt = $db->prepare($sql);
$stmt->bind('userid', $user_id);
$stmt->execute();
✓

21. © 2003 Disney/Pixar. All Rights Reserved.

22. exec($_GET)
https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code

23. eval()
https://github.com/search?q=eval%28%24_GET&type=Code&ref=searchresults

24. Cross-Site Scripting / XSS (#3)
© 2003 Disney/Pixar. All Rights Reserved.

25. Cross-Site Scripting / XSS (#3)
● Escape output
<?php
$unfilteredInput = '<script type="text/javascript">...</script>';
// Unescaped - JS will run :'(
echo $unfilteredInput;
// Escaped - JS will not run :)
echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

26. Cross-Site Request Forgery
or CSRF (#8)
http://www.factzoo.com/invertebrates/cuttlefish-chameleon-of-the-sea.html

27. <?php
if (!$isPost) {
$csrfToken = base64_encode(random_bytes(32)));
$_SESSION['csrf_token'] = $csrfToken;
// ... output the form ...
echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />';
} else if ($isPost) {
if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
die("Token invalid...");
}
// ... handle the form ...
}
Cross-Site Request Forgery / CSRF (#8)

28. <?php
if (!$isPost) {
$csrfToken = base64_encode(random_bytes(32)));
$_SESSION['csrf_token'] = $csrfToken;
// ... output the form ...
echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />';
} else if ($isPost) {
if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
die("Token invalid...");
}
// ... handle the form ...
}
Cross-Site Request Forgery / CSRF (#8)

29. <?php
if (!$isPost) {
$csrfToken = base64_encode(random_bytes(32)));
$_SESSION['csrf_token'] = $csrfToken;
// ... output the form ...
echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />';
} else if ($isPost) {
if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
die("Token invalid...");
}
// ... handle the form ...
}
Cross-Site Request Forgery / CSRF (#8)

30. Timing attacks
From zend_is_identical:
return (Z_STR_P(op1) == Z_STR_P(op2) ||
(Z_STRLEN_P(op1) == Z_STRLEN_P(op2) &&
memcmp(Z_STRVAL_P(op1), Z_STRVAL_P(op2), Z_STRLEN_P(op1)) == 0));

31. Timing attacks
Actual string: “foobar”
● a (0.00001)
● aa (0.00001)
● aaa (0.00001)
● aaaa (0.00001)
● aaaaa (0.00001)
● aaaaaa (0.00002) ← success!
● aaaaaaa (0.00001)
● aaaaaaaa (0.00001)
● aaaaaaaaa (0.00001)

32. Timing attacks
1 int memcmp(const void* s1, const void* s2,size_t n)
2 {
3 const unsigned char *p1 = s1, *p2 = s2;
4 while(n--)
5 if( *p1 != *p2 )
6 return *p1 - *p2;
7 else
8 p1++,p2++;
9 return 0;
10 }
http://clc-wiki.net/wiki/C_standard_library:string.h:memcmp#Implementation

33. Timing attacks
Actual string: “foobar”
● “aaaaaa” (0.00001)
● “baaaaa” (0.00001)
● …
● “faaaaa” (0.00002) ← success!
● “fbaaaa” (0.00002)
● “fcaaaa” (0.00002)
● …
● “foaaaa” (0.00003) ← success!

34. Sensitive Data Exposure (#6)
© 2003 Disney/Pixar. All Rights Reserved.

35. Sensitive Data Exposure (#6)

36. © 2003 Disney/Pixar. All Rights Reserved.

37. curl + https
<?php
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

38. curl + https
<?php
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate");

39. © 2003 Disney/Pixar. All Rights Reserved.

40. Third Party Code

41. Third Party Code
!!! WARNING !!!

42. Third Party Code
github.com/ /SecurityAdvisories
!!! WARNING !!!

44. We are not all
security experts!

45. We are not all
security experts!
… but we CAN write secure code

46. Hack your own system!
© 2003 Disney/Pixar. All Rights Reserved.

47. What do you want?
Think like a hacker

48. How do you get it?
Think Differently

49. Threat Modelling
D.R.E.A.D.
© Buena Vista Pictures

50. Threat Modelling
Damage
R
E
A
D
© Buena Vista Pictures

51. Threat Modelling
Damage
Reproducibility
E
A
D
© Buena Vista Pictures

52. Threat Modelling
Damage
Reproducibility
Exploitability
A
D
© Buena Vista Pictures

53. Threat Modelling
Damage
Reproducibility
Exploitability
Affected users
D
© Buena Vista Pictures

54. Threat Modelling
Damage
Reproducibility
Exploitability
Affected users
Discoverability
© Buena Vista Pictures

55. Put them in order
And fix them!
© Buena Vista Pictures

56. Authentication
& Authorization

57. Authentication
Verifying Identity

58. Case Study: Custom Authentication
We thought about doing this…

59. Case Study: Custom Authentication
We thought about doing this…

60. Case Study: Custom Authentication
We thought about doing this…

61. Password Hashing
password_hash()

62. Authorization
Verifying Access

63. CRYPTOGRAPHY
IS
HARD

65. CRYPTOGRAPHY
IS
HARD
NEVER EVER “ROLL YOUR OWN”

66. CRYPTOGRAPHY
IS
HARD
NEVER EVER “ROLL YOUR OWN”
EVER!!!

67. How to encrypt then?

68. I’ve got some
great ideas for
encryption...
Image: The Guardian (http://goo.gl/pUkyvO)

69. How to encrypt then?
libsodium PECL package

70. Linux Server Security

71. Create an SSH Fortress

72. Firewalls

73. iptables
#!/bin/bash
IPT="/sbin/iptables"
$IPT --flush
$IPT --delete-chain
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# Loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Inbound traffic
$IPT -A INPUT -p tcp --dport ssh -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT
# Outbound traffic
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

74. ufw
sudo ufw enable
sudo ufw allow 22
sudo ufw allow 80

75. Mitigate Brute Force
Attacks

76. Install Only
What You Need

77. © 2003 Disney/Pixar. All Rights Reserved.

78. +

79. Case Study: Be Minimal
Internets
Postfix
Squid Proxy
(badly configured)
hacker
spam

80. Resources
● http://securingphp.com/
● https://www.owasp.org/
● http://blog.ircmaxell.com/
● https://github.com/paragonie/random_compat
● https://github.com/ircmaxell/password_compat
● https://paragonie.com/blog
● https://websec.io/resources.php

81. The Golden Rules
1. Keep it simple
2. Know the risks
3. Fail securely
4. Don’t reinvent the wheel
5. Never trust anything / anyone

82. If you follow all this, you get...

83. If you follow all this, you get...

84. Any questions? :)
https://joind.in/talk/c2bb0
James Titcumb @asgrim