Phpnw security-20111009

Paul Lemon PHPNW 11 – Notes from the trenches

are

you

feelin

g s

ecu

re?

Paul Lemon PHPNW 11 – Notes from the trenchesPaul Lemon PHPNW 11 – Notes from the trenchesPaul Lemon PHPNW 11 – Notes from the trenches

Are you feeling secure – notes from the trenches

Paul Lemon @anthonylime

http://joind.in/3603


are

you

feelin

g s

ecu

re?


Introduction

- I am a web developer and have been for 13 years- Former sound engineer to the obscure and poor- Technical Director at MadeByPi- I love what I do - PHP / Java / Actionscript / Javascript / C#- Wear a mean hairnet

About me


are

you

feelin

g s

ecu

re?


“The problem of insecure software is perhaps the most important technical challenge of our time.” – OWASP Testing Guide Introduction.

Photo courtesy http://www.flickr.com/photos/katescars/


are

you

feelin

g s

ecu

re?


Introduction

- Notes based on personal professional experience- Over 20+ third party tests on our applications- Development orientated- Simple code examples – not production code.

This presentation


are

you

feelin

g s

ecu

re?


Introduction

Open Web Application Security Project

Best resource for developers / analysts / testers

https://www.owasp.org/

OWASP


are

you

feelin

g s

ecu

re?


Introduction

SQL Injection

Cross-Site Scripting (XSS)

Broken Authentication and Session Management

Insecure Direct Object References

Cross-Site Request Forgery (CSRF)

Security Misconfiguration

Insecure Cryptographic Storage

Failure to Restrict URL Access

Insufficient Transport Layer Protection

Unvalidated Redirects and Forwards

OWASP Top 10


are

you

feelin

g s

ecu

re?


SQL Injection

http://www.flickr.com/photos/andresrueda/2983149263/


are

you

feelin

g s

ecu

re?


Injection

http://xkcd.com/327/


are

you

feelin

g s

ecu

re?


Injection

http://someserver/script.php?id=1;INSERT INTO members ('email','passwd','login_id','full_name')VALUES ('[email protected]','hello',‘paul',’Paul Lemon');

Sample Code


are

you

feelin

g s

ecu

re?


Injection

- Confidential data can be disclosed

- -

The results of the query may not visible in the HTML

- Trial and error to iterate data in tables

- Execute long running queries

- Test for errors in page execution

- Vulnerable to inserts / updates / defacement

How is it exploited


are

you

feelin

g s

ecu

re?


Injection

Validation and Parameterised Query


are

you

feelin

g s

ecu

re?


Injection

- Validate all input. - Use PDO to create parameterised queries or- Use a ORM or Database Library (not your own!)- Set up your database permissions.- Don’t expose your queries (logging etc)- Code review- Don’t be complacent

How to prevent


are

you

feelin

g s

ecu

re?


Injection

- Validation is not just for the user’s benefit- Cast to correct type i.e. intval / floatval / boolean- Whitelist Input ranges - Reasonable minimums and maximums- Whitelist with regular expression- Blacklist with regular expression- Validate Email / Urls - Don’t rely on your model layer

A quick note about validation


are

you

feelin

g s

ecu

re?


XSS

http://www.flickr.com/photos/andresrueda/2983149263/


are

you

feelin

g s

ecu

re?


XSS

http://someserver/script.php?name=<script>alert();</script>orhttp://bit.ly/lYMcHjkj

Sample XSS


are

you

feelin

g s

ecu

re?


XSS

http://host/script.php?name=<script src='http://hacker/script.js' />

Sample XSS


are

you

feelin

g s

ecu

re?


XSS

Potential Exploits

- Theft of session cookies- Insertion of content / forms etc- Redirection to malicious sites- Insertion of trojan downloads / keyloggers etc.


are

you

feelin

g s

ecu

re?


XSS

Varieties of XSS

• Persistent - data is stored in the database• Nonpersistent - injected code is present in the URL/Request• DOM Based - javascript executed in the page reads the request


are

you

feelin

g s

ecu

re?


XSS

Web application

Trusted Not Trusted

Browser

• Posted Form• Querystring• Url• Cookies• HTTP Headers


are

you

feelin

g s

ecu

re?


XSS – Trust zones

Web application

Trusted Not Trusted

APIAPI

• Use HTTPS•Treat as user input


are

you

feelin

g s

ecu

re?


XSS – Trust zones

Web application

Trusted Not Trusted

Database

• Database may have been compromised• Validation may have failed• Escape all output


are

you

feelin

g s

ecu

re?


XSS – Trust zones

Web application

Trusted Not Trusted

Browser

APIAPI

Database


are

you

feelin

g s

ecu

re?


XSS – Trust zones

Web application

Trusted Not Trusted

Browser

APIAPI

Database

Your application should be modular too


are

you

feelin

g s

ecu

re?


XSS

Escape all output

- ENT_QUOTES option is important – double and single quotes- Page encoding is important- If you need HTML output use HTML Purifier


are

you

feelin

g s

ecu

re?


XSS

Escape all output – context is important


are

you

feelin

g s

ecu

re?


XSS

?name=<script>alert("hello");</script>&link=javascript:alert('hello')

Escape all output – context is important


are

you

feelin

g s

ecu

re?


XSS


are

you

feelin

g s

ecu

re?


XSS

- Check your templating engine for XSS protection (options in Symfony 1/ Twig for escaping by default)

- Context is important to the escaping used - Image and Hyperlinks- Javascript blocks- CSS

- There is not a definitive solution for PHP- https://www.owasp.org/index.php/ESAPI#tab=PHP

Preventing XSS


are

you

feelin

g s

ecu

re?


XSS

Session cookie to use HTTPOnly in php.ini

- Or use PHP function session_set_cookie_params

Cookies set as HTTPOnly


are

you

feelin

g s

ecu

re?


Session Exploits


are

you

feelin

g s

ecu

re?


Session Exploits

- Session Fixation

- Man in the middle attacks

Overview


are

you

feelin

g s

ecu

re?


Session Exploits

Allowing the session id to be passed on the querystring

Url is sent via email to potential victim

visit this url to the site http://localhost/?sessionid=1234

Victim logs in and this is attached to the session id

Sender uses the original session id and gains access

http://localhost/viewprofile?sessionid=1234

Session Fixation


are

you

feelin

g s

ecu

re?


Session Exploits

Do not allow session id to be passed on the querystring

Session Fixation – How to prevent


are

you

feelin

g s

ecu

re?


Session Exploits

Where the attacker has access to the machine

- First user notes down the session id on the computer

- Second user logs in and this is attached to the session id

- First user uses the original session id and gains access

Session Fixation


are

you

feelin

g s

ecu

re?


Session Exploits

- Roll the session id when a user logs in

-

You can change the session id more frequently…

Session Fixation – How to prevent


are

you

feelin

g s

ecu

re?


Session Exploits

Man in the middle attacks

Web applicationUsername / Password

User logs in…

Session Id - Cookie

HTTP POST


are

you

feelin

g s

ecu

re?


Session Exploits



User logs in…

Session Id - Cookie

HTTP POST

Ahoy!


are

you

feelin

g s

ecu

re?


Session Exploits



User logs in…

Session Id - Cookie

HTTPS POST


are

you

feelin

g s

ecu

re?


Session Exploits

- Login and authentication must always be over HTTPS- Passwords are personal and confidential- Users are not disciplined- (Store your passwords securely SHA1 / Salt )



are

you

feelin

g s

ecu

re?


Session Exploits



User logs in…

Session Id - Cookie

HTTPS POST

Web application

User visits a non-secure page

Resource downloaded

HTTP GET

Session Id - Cookie


are

you

feelin

g s

ecu

re?


Session Exploits

- Authenticated session cookies should be delivered over SSL- Use HTTPS only option on session cookie- Use a separate domain if you can e.g. https://admin.yoursite/- Use a separate path for your session cookie



are

you

feelin

g s

ecu

re?


Session Exploits



are

you

feelin

g s

ecu

re?


Session Exploits



User logs in…

Session Id - Cookie

HTTPS POST

Web application


Resource downloaded

HTTP GET


are

you

feelin

g s

ecu

re?


Session Exploits



User logs in…

Session Id - Cookie

HTTPS POST

Web application


Resource downloaded

HTTP GET

Curses!


are

you

feelin

g s

ecu

re?


Session Exploits


- Sometimes you cannot limit session to HTTPS- Users can log in and see non-secure data in public pages- There are still secure areas of the site- Use two cookies- Or make the user login again


are

you

feelin

g s

ecu

re?


Session Exploits

Web application

Username / PasswordUser logs in…

Session Id – Cookie SECURE

HTTPS POST

Open Zone ofWeb application


Resource downloaded

HTTP GET

Session Id

Extra Auth – Cookie SECURE


are

you

feelin

g s

ecu

re?


Session Exploits

Web application

Username / PasswordUser logs in…

Session Id – Cookie SECURE

HTTPS POST

Secure Zone ofWeb application


Response

HTTPS GET/POST/PUT

Session Id

Extra Auth – Cookie SECURE

Extra Auth – Cookie


are

you

feelin

g s

ecu

re?


XSRF


are

you

feelin

g s

ecu

re?


XSRF – Sorry no time


are

you

feelin

g s

ecu

re?


Conclusions


are

you

feelin

g s

ecu

re?


Conclusions

Get someone else to do the work


are

you

feelin

g s

ecu

re?


Conclusions

- Use a framework. I like symfony.- Use a well supported platform / CMS - Check their response to security issues- If there is no solution – check again (and again)

Get someone else to do the work


are

you

feelin

g s

ecu

re?


Conclusions

- Expect there to be faults – test as much as you can.- Expect there to be attacks – monitor your site- Stay on top of your versions – PHP / MySQL etc- Input validation is critical- Code for quality / Unit tests / regression- Code review- Operate with least privilege- Establish a build and deployment script- Read OWASP

Recommendations


are

you

feelin

g s

ecu

re?


• XSS cheatlist: http://ha.ckers.org/xss.html• OWASP:

https://www.owasp.org/index.php/Main_Page • HTML Purifier: http://htmlpurifier.org/• Context aware templates:

http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html

• MadeByPi: http://www.madebypi.co.uk

Conclusions

Resources


are

you

feelin

g s

ecu

re?


Are you feeling secure – notes from the trenches

Paul Lemon @anthonylime – [email protected]

http://joind.in/3603

Phpnw security-20111009

Technology

Transcript of Phpnw security-20111009