Introduction To Web Application Security in PHP
Transcript of Introduction To Web Application Security in PHP

Security is Big And Often Difficult
PHP doesn’t make it any easier.

What we’ll cover
• What do we mean by security?
• Application Security
  • Code
  • Configuration
• OWASP
  • OWASP Top Ten
    • SQL Injection
    • XSS
• Configuration

Application Security
Security in the SDLC, as opposed to network security, data security or physical security.

For our purposes we’ll just stick to this:
Security in Code and in Deployment

OWASP
An authority in Web Application Security

Open Web Application Security Project
• Really, many projects are “under” OWASP
  • OWASP Top Ten
  • ESAPI
  • Development Guide
  • Cheat Sheets
    • Do not bring to exam
  • Testing Guide
  • More
OWASP Top Ten – Top Web Application Security Issues
Based on the statistics of a number of scanning tools

OWASP Top 10-2013 – A1 Injection
SQL Injection is the variant of this that we’ll cover here.

SQL Injection
Confusing the DBMS between logic (written by the developer) and data (provided by the user).

A common query:

```php
$query = "SELECT * FROM user WHERE username = '" . $_POST["username"] . "' AND password = '" . $_POST["password"] . "';";
```

The intention

```php
$query = "SELECT * FROM user WHERE username = 'sue' AND password = 'secret';";
```

The vulnerability:
What if $_POST["username"] is actually SQL code?

Let’s try this:

```text
' OR 1 = 1 #
```

An SQL Injection

```php
$query = "SELECT * FROM user WHERE username = '' OR 1 = 1 #' AND password = '';";
```

How to protect our code?
Use Prepared Statements (available in all modern languages)

Prepared Statements

```php
$stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?");
$stmt->execute(array($_POST["username"], $_POST["password"]));
```

The Intention

```php
$stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?");
$stmt->execute(array("sue", "secret"));
```

The Exploit Foiled

```php
$stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?");
$stmt->execute(array("' OR 1 = 1 #", ""));
// the logic is clearly separated
// in our code and in transmission
// to our database
```
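To see the two approaches side by side, here is an added example (not code from the slides) that runs the deck's concatenated query and its prepared-statement replacement against an in-memory SQLite database, so it needs no server. The deck's payload ends with `#`, which is MySQL's line comment; SQLite's line comment is `--`, so the payload below uses that (the mechanism is identical). The function names and the sample row are this example's own.

```php
<?php
declare(strict_types=1);
// Added example, not code from the slides: the concatenated query from the
// deck next to its prepared-statement replacement, run against an in-memory
// SQLite database. The deck's "#" is MySQL's line comment; SQLite's is "--",
// so the payload here ends with "--" instead. Function names are this
// example's own.

function buildDb(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE user (username TEXT NOT NULL, password TEXT NOT NULL)');
    // Constructed sample row. The deck compares plaintext passwords, so this
    // does too; a real table holds password_hash() output instead.
    $dbh->exec("INSERT INTO user (username, password) VALUES ('sue', 'secret')");
    return $dbh;
}

// Vulnerable, as on the slide: user input becomes part of the SQL text, so the
// DBMS cannot tell the developer's logic from the user's data.
function matchingUsersConcatenated(PDO $dbh, string $username, string $password): array
{
    $query = "SELECT * FROM user WHERE username = '" . $username
           . "' AND password = '" . $password . "';";
    return $dbh->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed at prepare() time and the values are bound
// separately, so they can never change the statement's structure.
function matchingUsersPrepared(PDO $dbh, string $username, string $password): array
{
    $stmt = $dbh->prepare('SELECT * FROM user WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$dbh = buildDb();
$payload = "' OR 1 = 1 --";   // the deck's injection, with SQLite's comment token

$cases = [
    ['sue', 'secret'],   // legitimate login
    [$payload, ''],      // injected username, empty password
];

foreach ($cases as [$username, $password]) {
    // With concatenation the injected case matches every user, because the
    // comment token removes the password check; with the prepared statement
    // it matches nobody, because the payload is only ever compared as a string.
    printf("username=%-18s concatenated: %d row(s), prepared: %d row(s)\n",
        var_export($username, true),
        count(matchingUsersConcatenated($dbh, $username, $password)),
        count(matchingUsersPrepared($dbh, $username, $password)));
}
```

Run it with `php sqli_demo.php` (any file name will do) on a PHP build with the pdo_sqlite extension, which is enabled by default in most distributions. The point to take from the output is not the row counts themselves but that the prepared statement's text never changes between the two cases.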
OWASP Top 10-2013 – A3 XSS
Cross Site Scripting

Three Variants of XSS
1. Reflected XSS
2. Stored XSS
3. DOM based XSS

Cross Site Scripting
Confusing the browser between the application’s HTML (structure) and data.

Commonly Used Display Code

```php
<div><?php print $_GET["username"] ?></div>
```

The Intended Result

```html
<div>sue</div>
```

The vulnerability:
What if $_GET["username"] is actually HTML and JavaScript?

Let’s try this:

```html
<script>alert("Hello World")</script>
```

Display Code With Injection

```php
<div><?php print "<script>alert('hello world')</script>" ?></div>
```

Display Code With Injection

```html
<div><script>alert('hello world')</script></div>
```

Reflected XSS
The vulnerability is exploited only in response to a specific request.
Example:
http://vulnerable.example.org/index.php?data=%3Cscript%3Ealert(%22hello%20world%22)%3Cscript%3E

Stored XSS
1. Submit a request with an XSS payload (ex. a blog comment with XSS in the body)
2. Web app stores the comment in the database (with unencoded XSS code)
3. Victim views the stored data (ex. views a blog post which shows comments)
4. XSS code is executed by the victim’s browser.

DOM Based XSS
• Also known as Type 0 XSS
• Out of the scope of this course
• Basically, tricking JavaScript to write out code

Protecting from XSS
Encode user inputs

htmlentities()

```php
$foo = "<script>";
$foo = htmlentities($foo, ENT_QUOTES | ENT_HTML5);
print $foo; # &lt;script&gt;
```

html_entity_decode()

```php
$foo = "&lt;script&gt;";
$foo = html_entity_decode($foo, ENT_QUOTES | ENT_HTML5);
print $foo; # <script>
```

When to encode?
• Before reflecting
• Before displaying information you just received
• Choose either before you persist or after, then be consistent.
• Better yet, do both, but watch out for double encoding.
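The following added example (not code from the slides) puts the deck's display code, the htmlentities() call and the double-encoding warning together: it renders the intended value and the deck's script payload through one output-time encoder, then shows what the page displays when data is encoded both before persisting and again before display. Function names are this example's own.

```php
<?php
declare(strict_types=1);
// Added example, not code from the slides: the deck's display code with its
// output encoded once, and what "double encoding" looks like in practice.
// Function names are this example's own.

// Encode exactly once, at output time, for an HTML text context.
function escapeForHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The deck's display code (print $_GET["username"] inside a div), with the
// value encoded before it is placed in the markup.
function renderUsernameDiv(string $username): string
{
    return '<div>' . escapeForHtml($username) . '</div>';
}

// Constructed inputs: the intended value and the deck's script payload.
// The payload now reaches the browser as text inside the div, not as an
// element, so the browser never sees a <script> tag to execute.
foreach (['sue', "<script>alert('hello world')</script>"] as $username) {
    echo renderUsernameDiv($username), "\n";
}

// Double encoding: encoding before persisting AND again before display turns
// "&lt;" into "&amp;lt;", so the page shows the literal text "&lt;script&gt;"
// instead of "<script>". Harmless, but wrong, and a sign the rule "pick a
// point and be consistent" was not followed.
$storedEncoded = escapeForHtml('<script>');   // encoded when persisted
$encodedTwice  = escapeForHtml($storedEncoded); // encoded again when displayed
echo "stored once:   ", $storedEncoded, "\n";
echo "encoded twice: ", $encodedTwice, "\n";

// html_entity_decode() removes exactly one layer, which is why a column that
// mixes encoded and unencoded rows cannot be displayed correctly by any single
// rule: whichever you choose is wrong for half the rows.
echo "decoded once:  ", html_entity_decode($encodedTwice, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
```

Run it with `php xss_demo.php` and view the first two lines in a browser or a terminal: with encoding in place the markup for the payload contains no `<` or `>` characters at all, only `&lt;` and `&gt;`, which is exactly the separation between structure and data the deck asks for.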

Configuration
Your app is not secure if it’s running on a vulnerable server or is otherwise deployed insecurely.

This is a topic in itself
• Sources to look at:
  • http://php.net/manual/en/security.php
  • http://www.phptherightway.com/
  • Google et al.
Simple Good Things To Do
Use PHP as Module not CGI

Patch!
Your software is only as secure as your latest security patch.

Hide your fingerprints
• http://www.php.net/manual/en/security.hiding.php
• http://httpd.apache.org/docs/current/mod/core.html#servertokens
Disable dangerous functions (eval())
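The deployment items above can be checked from inside PHP itself. The following added example (not code from the slides) reports which of them are in place on the server it runs on; run it through the web server rather than the CLI so that php_sapi_name() reports the SAPI the application really uses. The function name and the list of functions to disable are this example's choices, not PHP defaults. One caveat worth knowing: eval() is a language construct rather than a function, so php.ini's disable_functions cannot switch it off, and keeping it out of the code base is a code-review job.

```php
<?php
declare(strict_types=1);
// Added example, not code from the slides: a self-check for the deployment
// items in this section. The function name and the list of functions to
// disable are this example's choices.

function deploymentFindings(): array
{
    $findings = [];

    // "Use PHP as Module not CGI": CGI SAPIs identify themselves here
    // (e.g. 'cgi', 'cgi-fcgi'); module and FPM builds report 'apache2handler'
    // or 'fpm-fcgi'.
    $sapi = php_sapi_name();
    if (in_array($sapi, ['cgi', 'cgi-fcgi'], true)) {
        $findings[] = "running under the '{$sapi}' SAPI; use a server module or php-fpm instead";
    }

    // "Hide your fingerprints": expose_php adds an X-Powered-By header carrying
    // the PHP version to every response.
    if (filter_var(ini_get('expose_php'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'expose_php is On; set "expose_php = Off" in php.ini';
    }

    // "Disable dangerous functions": disable_functions is a comma-separated
    // list in php.ini. eval() is a language construct, not a function, so it
    // cannot appear in this list; grep the code base for it instead.
    $wanted   = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen'];
    $disabled = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));
    $missing  = array_diff($wanted, $disabled);
    if ($missing !== []) {
        $findings[] = 'disable_functions does not cover: ' . implode(', ', $missing);
    }

    // "Patch!": the running version is reported so it can be compared with the
    // supported-versions page on php.net; this script cannot know what is current.
    $findings[] = 'PHP ' . PHP_VERSION . ' (confirm it still receives security fixes)';

    return $findings;
}

header('Content-Type: text/plain');
foreach (deploymentFindings() as $finding) {
    echo '- ', $finding, "\n";
}
```

The Apache half of "hide your fingerprints" (ServerTokens and ServerSignature in httpd.conf) is not visible from PHP; check it on the server, or by looking at the Server header of a response.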