Dip Your Toes in the Sea of Security (DPC 2015)

Dip Your Toes in the Sea of Security James Titcumb Dutch PHP Conference 2015


Transcript of Dip Your Toes in the Sea of Security (DPC 2015)

Dip Your Toes in the Sea of Security

James Titcumb, Dutch PHP Conference 2015

Some simple code...

<?php

// Take two numbers from the query string, add them, print the result.
$a = (int)filter_var($_GET['a'], FILTER_SANITIZE_NUMBER_INT);
$b = (int)filter_var($_GET['b'], FILTER_SANITIZE_NUMBER_INT);

$result = $a + $b;

printf('The answer is %d', $result);

The Golden Rules (my made-up golden rules)

1. Keep it simple
2. Know the risks
3. Fail securely
4. Don't reinvent the wheel
5. Never trust anything

OWASP & the OWASP Top 10

https://www.owasp.org/

Application Security (mainly PHP applications)

Always remember…

Filter Input, Escape Output

SQL Injection (#1)

http://xkcd.com/327/

1. Use PDO / mysqli
2. Use prepared / parameterized statements

SQL Injection (#1)

<?php

// Request input is interpolated straight into the SQL string, so
// user_id=1; DROP TABLE users; -- becomes part of the statement.
$user_id = $_GET['user_id'];

$sql = "
    SELECT * FROM users
    WHERE user_id = {$user_id}";

$db->execute($sql); ✘

SQL Injection (#1)

<?php

$user_id = $_GET['user_id'];

// Placeholder instead of interpolation; the value is bound separately
// and is never parsed as SQL. (PDO API: bindValue with the ':userid' name.)
$sql = "
    SELECT * FROM users
    WHERE user_id = :userid";

$stmt = $db->prepare($sql);
$stmt->bindValue(':userid', $user_id, PDO::PARAM_INT);
$stmt->execute(); ✓
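The two slides above contrast interpolation with a bound parameter. The following is an added example, not code from the talk: it wraps the prepared-statement pattern in a function and runs it against the slide's own payload on an in-memory SQLite database (constructed sample data), so it executes stand-alone. It also goes one step beyond the slides: identifiers such as a sort column cannot be bound as parameters, so the function checks them against a fixed whitelist instead. The function name, the table and the rows are all assumptions made for this example.

```php
<?php
// Added example (not from the talk): PDO prepared statements for values,
// a whitelist for identifiers. Runs against an in-memory SQLite database.
declare(strict_types=1);

function findUsers(PDO $db, string $userId, string $orderBy = 'user_id'): array
{
    // Identifiers cannot be parameterised, so they are checked against a
    // fixed list rather than interpolated from user input.
    $allowedColumns = ['user_id', 'username'];
    if (!in_array($orderBy, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unknown sort column');
    }

    $stmt = $db->prepare(
        "SELECT user_id, username FROM users WHERE user_id = :userid ORDER BY {$orderBy}"
    );
    // The bound value travels as data; the database never parses it as SQL.
    $stmt->bindValue(':userid', $userId, PDO::PARAM_STR);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (user_id, username) VALUES (1, 'alice'), (2, 'bob')");

// Normal request: one row.
var_dump(findUsers($db, '1'));

// The payload from the slide, supplied as data: it matches no user_id,
// and the users table is still there afterwards.
var_dump(findUsers($db, '1; DROP TABLE users; --'));
var_dump($db->query('SELECT COUNT(*) FROM users')->fetchColumn());

// An untrusted identifier is rejected instead of interpolated.
try {
    findUsers($db, '1', 'username; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Binding with PDO::PARAM_STR is deliberate here: SQLite's column affinity converts a numeric-looking string for the comparison, while a non-numeric one simply fails to match, which is the behaviour a lookup wants. With MySQL the same function works unchanged; only the DSN differs.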

Cross-Site Scripting / XSS (#3)

● Escape output

<?php

$unfilteredInput = '<script type="text/javascript">...</script>';

// Unescaped - JS will run :'(
echo $unfilteredInput;

// Escaped - JS will not run :)
echo htmlspecialchars($unfilteredInput, ENT_QUOTES, 'UTF-8');
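htmlspecialchars() is the right tool for HTML body and attribute content, but the same untrusted value often also lands inside a script block or a URL, where HTML escaping alone is not sufficient. The following is an added example, not code from the talk, showing one escaping function per output context; the helper names are assumptions made for this example, the input string is constructed, and JSON_THROW_ON_ERROR assumes PHP 7.3 or later.

```php
<?php
// Added example (not from the talk): escape the same untrusted value for
// each context it is written into. The input string is constructed sample data.
declare(strict_types=1);

// HTML body and attribute context: ENT_QUOTES neutralises both quote styles,
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript context: json_encode with the JSON_HEX_* flags so <, >, &, and
// quotes are emitted as \uXXXX and cannot close the surrounding <script>.
function escapeJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// URL query-parameter context.
function escapeUrlParam(string $value): string
{
    return rawurlencode($value);
}

$unfilteredInput = '<script type="text/javascript">alert(1)</script>';

// One line per context; the raw value is never echoed.
echo '<p>', escapeHtml($unfilteredInput), '</p>', PHP_EOL;
echo '<input value="', escapeHtml($unfilteredInput), '">', PHP_EOL;
echo '<script>var q = ', escapeJs($unfilteredInput), ';</script>', PHP_EOL;
// A URL inside an attribute gets both layers: URL-encode the parameter,
// then HTML-escape the attribute value it sits in.
echo '<a href="/search?q=', escapeHtml(escapeUrlParam($unfilteredInput)), '">search</a>', PHP_EOL;
```

The order in the last line matters: encode for the innermost context first (the URL), then for the one that wraps it (the HTML attribute). A template engine with auto-escaping does the HTML layer for you, but the script and URL contexts still need the explicit calls.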

Cross-Site Request Forgery / CSRF (#8)

<?php

session_start();

$isPost = ($_SERVER['REQUEST_METHOD'] === 'POST');

if (!$isPost) {
    // Token from the CSPRNG (random_bytes, PHP 7+); mt_rand() is not
    // suitable for security tokens.
    $csrfToken = bin2hex(random_bytes(32));
    $_SESSION['csrf_token'] = $csrfToken;

    // ... output the form ...
    echo '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($csrfToken, ENT_QUOTES, 'UTF-8') . '" />';
} else {
    // hash_equals() compares in constant time; also handles a missing field.
    $submitted = $_POST['csrf_token'] ?? '';
    if (!is_string($submitted) || !isset($_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], $submitted)) {
        die("Token invalid...");
    }

    // ... handle the form ...
}

Errors, Exceptions & Logging (#6)

curl + https

<?php

// Turns off certificate and hostname checks: any server presenting any
// certificate is accepted, so TLS no longer protects the connection. ✘
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

curl + https

<?php

// Verify the hostname (2 = check that the certificate matches the host),
// verify the peer's certificate chain, and say which CA bundle to trust. ✓
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate");
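Setting the three options is only half of golden rule 3 ("fail securely"): the request also has to stop, rather than continue with an empty result, when verification fails. The following is an added example, not code from the talk, of an HTTPS fetch helper that keeps verification on, pins the request to HTTPS through redirects, and raises an exception on any TLS or transport error. The function name, the URL and the CA bundle path are placeholders; the bundle path must point at a real PEM file on the machine it runs on.

```php
<?php
// Added example (not from the talk): an HTTPS fetch that keeps peer and host
// verification on and fails closed. URL and CA bundle path are placeholders.
declare(strict_types=1);

function fetchHttps(string $url, string $caBundle, int $timeoutSeconds = 10): string
{
    if (strncmp($url, 'https://', 8) !== 0) {
        throw new InvalidArgumentException('Only https:// URLs are fetched');
    }
    if (!is_readable($caBundle)) {
        // Refuse to continue rather than silently disabling verification.
        throw new RuntimeException("CA bundle not readable: {$caBundle}");
    }

    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }

    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,            // chain must validate
        CURLOPT_SSL_VERIFYHOST  => 2,               // hostname must match
        CURLOPT_CAINFO          => $caBundle,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // no plain-http downgrade
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // ...not even via redirect
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_TIMEOUT         => $timeoutSeconds,
    ]);

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    // A certificate or hostname failure surfaces as a non-zero errno; the
    // caller gets an exception, not an empty string it might treat as data.
    if ($body === false || $errno !== 0) {
        throw new RuntimeException("HTTPS request failed ({$errno}): {$error}");
    }
    if ($status < 200 || $status >= 300) {
        throw new RuntimeException("Unexpected HTTP status {$status}");
    }

    return $body;
}

// Placeholder values: replace with a real URL and CA bundle path.
try {
    echo fetchHttps('https://example.com/', '/etc/ssl/certs/ca-certificates.crt');
} catch (RuntimeException $e) {
    error_log($e->getMessage());   // detail goes to the log ...
    echo 'Request failed';         // ... not to the user
}
```

The catch block is where "Errors, Exceptions & Logging" meets this slide: the verification error is logged where an operator will see it, while the response to the user says nothing about certificates or internal hostnames.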

WordPress Plugins

Urgh.

We are not security experts!

… but we CAN write secure code

Be the threat

Think Differently

What do you want?

How do you get it?

Threat Modelling: D.R.E.A.D.

Authentication & Authorization

Authentication: Verifying Identity

CRYPTOGRAPHY IS HARD

NEVER EVER "ROLL YOUR OWN"

EVER!!!

Case Study: Custom Authentication

We thought about doing this…

Password Hashing: password_hash()
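password_hash() is the "don't roll your own" answer for the custom-authentication case study: it picks the algorithm, generates the salt and encodes everything into one string. The following is an added example, not code from the talk, showing registration, login and transparent rehashing with password_hash(), password_verify() and password_needs_rehash(). The in-memory user store, the function names and the sample passwords are constructed for this example, and the `??=` operator assumes PHP 7.4 or later.

```php
<?php
// Added example (not from the talk): the password_* API end to end.
// The user store is an in-memory array constructed for the example.
declare(strict_types=1);

const HASH_ALGO = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];   // tune so one hash takes ~100 ms on your hardware

function registerUser(array &$users, string $username, string $password): void
{
    // The salt is generated and stored inside the returned string;
    // no separate salt column is needed.
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

function loginUser(array &$users, string $username, string $password): bool
{
    // Verify against a dummy hash for unknown users so that a failed login
    // takes the same time whether or not the username exists.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy', HASH_ALGO, HASH_OPTIONS);

    $stored = $users[$username] ?? $dummyHash;
    if (!password_verify($password, $stored) || !isset($users[$username])) {
        return false;
    }

    // On a successful login, upgrade hashes made with older parameters.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }

    return true;
}

$users = [];
registerUser($users, 'alice', 'correct horse battery staple');

var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'nobody', 'anything'));

// A legacy hash made with a lower cost is accepted once, then replaced.
$users['bob'] = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 4]);
$before = $users['bob'];
loginUser($users, 'bob', 'hunter2');
var_dump($users['bob'] !== $before);
```

The rehash step is what lets the cost be raised later without forcing a password reset: the next successful login for each user silently replaces the old hash. Note that password_needs_rehash() alone never verifies anything; it is only meaningful after password_verify() has succeeded.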

Authorization: Verifying Access

Linux Server Security

Create an SSH Fortress

Firewalls

IPTABLES

#!/bin/bash

IPT="/sbin/iptables"

$IPT --flush
$IPT --delete-chain

# Default deny in every direction
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

# Loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Replies to accepted connections (added: with OUTPUT set to DROP and no
# ESTABLISHED rule, the server's own SSH and HTTP responses never leave)
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Inbound traffic
$IPT -A INPUT -p tcp --dport ssh -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT

# Outbound traffic
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state \
    --state NEW -j ACCEPT

Mitigate Brute Force Attacks

Install Only What You Need

Case Study: Be Minimal

(diagram; labels: Internets, Postfix, Squid Proxy (badly configured), hacker, spam)

Resources

● http://securingphp.com/
● https://www.owasp.org/
● http://blog.ircmaxell.com/

The Golden Rules

1. Keep it simple
2. Know the risks
3. Fail securely
4. Don't reinvent the wheel
5. Never trust anything / anyone

If you follow all this, you get...


Any questions? :)

https://joind.in/14227

James Titcumb @asgrim