The document highlights key principles of application security, particularly in PHP, emphasizing the need for input filtering, output escaping, and understanding the OWASP Top 10 vulnerabilities. It outlines various security best practices, including the importance of simple coding, knowing risks, and failing securely. Additionally, it discusses authentication, authorization, cryptography, and server security measures while providing examples and links to relevant resources.

1. @asgrim
Dip Your Toes
in the Sea of Security
James Titcumb
PHPNW16

2. James Titcumb
www.jamestitcumb.com
www.roave.com
www.phphants.co.uk
www.phpsouthcoast.co.uk
Who is this guy?

3. @asgrim
Some simple code...
<?php
$a = (int)filter_var($_GET['a'],
FILTER_SANITIZE_NUMBER_INT);
$b = (int)filter_var($_GET['b'],
FILTER_SANITIZE_NUMBER_INT);
$result = $a + $b;
printf('The answer is %d', $result);

4. @asgrim

5. @asgrim
The Golden Rules

6. @asgrim
The Golden Rules
(my made up golden rules)

7. @asgrim
1. Keep it simple

8. @asgrim
2. Know the risks

9. @asgrim
3. Fail securely

10. @asgrim
4. Don’t reinvent the wheel

11. @asgrim
5. Never trust anything

12. @asgrim
OWASP
& the OWASP Top 10
https://www.owasp.org/

13. @asgrim
Application Security
(mainly PHP applications)

14. @asgrim
Always remember…
Filter Input
Escape Output

15. @asgrim
© 2003 Disney/Pixar. All Rights Reserved.
SQL Injection (#1)

16. @asgrim
SQL Injection (#1)
http://xkcd.com/327/

17. @asgrim
SQL Injection (#1)

18. @asgrim
SQL Injection (#1)
<?php
// user_id=1; DROP TABLE users; --
$user_id = $_GET['user_id'];
$sql = "
SELECT * FROM users
WHERE user_id = {$user_id}";
$db->execute($sql);
✘

19. @asgrim
SQL Injection (#1)
<?php
$user_id = $_GET['user_id'];
$sql = "
SELECT * FROM users
WHERE user_id = :userid";
$stmt = $db->prepare($sql);
$stmt->bind('userid', $user_id);
$stmt->execute();
✓

20. @asgrim
© 2003 Disney/Pixar. All Rights Reserved.

21. @asgrim
exec($_GET)
https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code

22. @asgrim
eval()
https://github.com/search?q=eval%28%24_GET&type=Code&ref=searchresults

23. @asgrim
Cross-Site Scripting / XSS (#3)
© 2003 Disney/Pixar. All Rights Reserved.

24. @asgrim
Cross-Site Scripting / XSS (#3)
<?php
$unfilteredInput = '<script type="text/javascript">...</script>';
// Unescaped - JS will run :'(
echo $unfilteredInput;
// Escaped - JS will not run :)
echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

25. @asgrim
Cross-Site Request
Forgery / CSRF (#8)
http://www.factzoo.com/invertebrates/cuttlefish-chameleon-of-the-sea.html

26. @asgrim
Cross-Site Request Forgery / CSRF (#8)
<?php
if (!$isPost) {
$csrfToken = base64_encode(random_bytes(32)));
$_SESSION['csrf_token'] = $csrfToken;
// ... output the form ...
echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />';
} else if ($isPost) {
if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
die("Token invalid...");
}
// ... handle the form ...
}

27. @asgrim
<?php
if (!$isPost) {
$csrfToken = base64_encode(random_bytes(32)));
$_SESSION['csrf_token'] = $csrfToken;
// ... output the form ...
echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />';
} else if ($isPost) {
if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
die("Token invalid...");
}
// ... handle the form ...
}
Cross-Site Request Forgery / CSRF (#8)

28. @asgrim
Cross-Site Request Forgery / CSRF (#8)
<?php
if (!$isPost) {
$csrfToken = base64_encode(random_bytes(32)));
$_SESSION['csrf_token'] = $csrfToken;
// ... output the form ...
echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />';
} else if ($isPost) {
if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
die("Token invalid...");
}
// ... handle the form ...
}

29. @asgrim
Timing attacks
// From zend_is_identical:
return (Z_STR_P(op1) == Z_STR_P(op2) ||
(Z_STRLEN_P(op1) == Z_STRLEN_P(op2) &&
memcmp(Z_STRVAL_P(op1), Z_STRVAL_P(op2), Z_STRLEN_P(op1)) == 0));

30. @asgrim
Timing attacks
Actual string: “foobar”
● a (0.00001)
● aa (0.00001)
● aaa (0.00001)
● aaaa (0.00001)
● aaaaa (0.00001)
● aaaaaa (0.00002) ← success!
● aaaaaaa (0.00001)
● aaaaaaaa (0.00001)
● aaaaaaaaa (0.00001)

31. @asgrim
Timing attacks
1 int memcmp(const void* s1, const void* s2,size_t n)
2 {
3 const unsigned char *p1 = s1, *p2 = s2;
4 while(n--)
5 if( *p1 != *p2 )
6 return *p1 - *p2;
7 else
8 p1++,p2++;
9 return 0;
10 }
http://clc-wiki.net/wiki/C_standard_library:string.h:memcmp#Implementation

32. @asgrim
Timing attacks
Actual string: “foobar”
● “aaaaaa” (0.00001)
● “baaaaa” (0.00001)
● …
● “faaaaa” (0.00002) ← success!
● “fbaaaa” (0.00002)
● “fcaaaa” (0.00002)
● …
● “foaaaa” (0.00003) ← success!

33. @asgrim
Sensitive Data Exposure (#6)
© 2003 Disney/Pixar. All Rights Reserved.

34. @asgrim
Sensitive Data Exposure (#6)

35. @asgrim
© 2003 Disney/Pixar. All Rights Reserved.

36. @asgrim
curl + https
<?php
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
✘

37. @asgrim
curl + https
<?php
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate");
✓

38. @asgrim
© 2003 Disney/Pixar. All Rights Reserved.

39. @asgrim
Third Party Code

40. @asgrim
Third Party Code
!!! WARNING !!!

41. @asgrim
Third Party Code
github.com/ /SecurityAdvisories
!!! WARNING !!!

42. @asgrim

43. @asgrim
We are not all
security experts!

44. @asgrim
We are not all
security experts!
… but we CAN write secure code

45. @asgrim
Hack your own system!
© 2003 Disney/Pixar. All Rights Reserved.

46. @asgrim
What do you want?
Think like a hacker

47. @asgrim
How do you get it?
Think Differently

48. @asgrim
Threat Modelling
D.R.E.A.D.
© Buena Vista Pictures

49. @asgrim
Threat Modelling
Damage
R
E
A
D
© Buena Vista Pictures

50. @asgrim
Threat Modelling
Damage
Reproducibility
E
A
D
© Buena Vista Pictures

51. @asgrim
Threat Modelling
Damage
Reproducibility
Exploitability
A
D
© Buena Vista Pictures

52. @asgrim
Threat Modelling
Damage
Reproducibility
Exploitability
Affected users
D
© Buena Vista Pictures

53. @asgrim
Threat Modelling
Damage
Reproducibility
Exploitability
Affected users
Discoverability
© Buena Vista Pictures

54. @asgrim
Rank them in order
And fix them!
© Buena Vista Pictures

55. @asgrim
Authentication
& Authorization

56. @asgrim
Authentication
Verifying Identity

57. @asgrim
Case Study: Custom Authentication
We thought about doing this…

58. @asgrim
Case Study: Custom Authentication
We thought about doing this…

59. @asgrim
Case Study: Custom Authentication
We thought about doing this…
✘

60. @asgrim
Password Hashing
password_hash()

61. @asgrim
Authorization
Verifying Access

62. @asgrim
CRYPTOGRAPHY
IS
HARD

63. @asgrim

64. @asgrim
CRYPTOGRAPHY
IS
HARD
NEVER EVER “ROLL YOUR OWN”

65. @asgrim
CRYPTOGRAPHY
IS
HARD
NEVER EVER “ROLL YOUR OWN”
EVER!!!

66. @asgrim
How to encrypt then?

67. @asgrim
I’ve got some
great ideas for
encryption...
Image: IBTimes (http://goo.gl/zPVeo0)

68. @asgrim
How to encrypt then?
libsodium PECL package

69. @asgrim
Linux Server Security

70. @asgrim
Create an SSH Fortress

71. @asgrim
Firewalls

72. @asgrim
iptables
#!/bin/bash
IPT="/sbin/iptables"
$IPT --flush
$IPT --delete-chain
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# Loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Inbound traffic
$IPT -A INPUT -p tcp --dport ssh -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT
# Outbound traffic
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

73. @asgrim
ufw
sudo ufw enable
sudo ufw allow 22
sudo ufw allow 80

74. @asgrim
Mitigate Brute Force Attacks

75. @asgrim
Install Only What You Need

76. @asgrim
© 2003 Disney/Pixar. All Rights Reserved.

77. @asgrim
+

78. @asgrim
Case Study: Be Minimal
Internets
Postfix
Squid Proxy
(badly configured)
hacker
spam

79. @asgrim
Resources
● http://securingphp.com/
● https://www.owasp.org/
● http://blog.ircmaxell.com/
● https://github.com/paragonie/random_compat
● https://github.com/ircmaxell/password_compat
● https://paragonie.com/blog
● https://websec.io/resources.php

80. @asgrim
The Golden Rules
1. Keep it simple
2. Know the risks
3. Fail securely
4. Don’t reinvent the wheel
5. Never trust anything / anyone

81. @asgrim
If you follow all this, you get...

82. @asgrim
If you follow all this, you get...

83. Any questions? :)
https://joind.in/talk/a1a05
James Titcumb