PHP Security Tips
Transcript of the slide deck (uploaded by chris-tankersley)
![Page 1: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/1.jpg)
PHP Security
NWO-PUG, September 20, 2011
E-mail: [email protected]
@dragonmantank
Identi.ca: dragonmantank
![Page 2: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/2.jpg)
Who are you and why are you in my house?
Chris Tankersley
Doing PHP for 8 years
Lots of projects no one uses, and a few that some do
TL;DR: https://github.com/dragonmantank
![Page 3: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/3.jpg)
The Parts of Security
It’s more than just a username/password
![Page 4: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/4.jpg)
What is Secure Programming?
1. Minimizing Attack Surface
2. Establishing Secure Defaults
3. Principle of Least Privilege
4. Defense in Depth
5. Fail Securely
6. Don’t Trust Services or Users
7. Separation of Duties
8. Avoid Security through Obscurity
9. Keep Security Simple
10. Fix Security Issues Correctly
https://www.owasp.org/index.php/Secure_Coding_Principles
![Page 5: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/5.jpg)
Most Common Attacks
And how to avoid them
![Page 6: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/6.jpg)
OWASP Top 10 (2010 edition)
1. Injection
2. Cross-Site Scripting
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure To Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
![Page 7: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/7.jpg)
Injection
![Page 8: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/8.jpg)
What is Injection?
When untrusted input from a user or another service is placed into a command, query or document and the interpreter parses part of it as instructions, because the input was not validated or escaped for that destination
![Page 9: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/9.jpg)
Many Shapes and Sizes
SQL Injection
Command Injection
HTML Injection
![Page 10: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/10.jpg)
Protecting against Injections Attacks
Filter user input
Escape anything not hard-coded, using the escaping function for the destination (SQL, shell, HTML)
Ignore $_REQUEST: it can merge GET, POST and cookie values, so you cannot tell where a value came from
![Page 11: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/11.jpg)
SQL Injection
![Page 12: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/12.jpg)
A Bit More Real Life
![Page 13: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/13.jpg)
Protecting against SQL Injection
Use PDO and prepared statements: the SQL text is sent with placeholders and the values are bound separately, so input is never parsed as SQL. With MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the server, not the driver, does the binding.
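The slides' own SQL example was not captured in this transcript. The following is an added example, not code from the deck: the string-concatenated query beside its prepared-statement replacement, run against an in-memory SQLite database (the `users` table and rows are constructed here) so it executes stand-alone with PDO and the pdo_sqlite extension.

```php
<?php
// Added example, not from the slides: the vulnerable query beside the prepared
// statement, against an in-memory SQLite database so it runs stand-alone.
// The "users" table and its rows are constructed for this demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL also set PDO::ATTR_EMULATE_PREPARES => false so binding is done server-side.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Vulnerable: the user-supplied name becomes part of the SQL text.
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the SQL text is constant; the value is bound as data and never parsed as SQL.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$payload = "x' OR '1'='1";               // closes the literal and adds an always-true clause
print_r(findUserVulnerable($db, $payload)); // Array ( [0] => alice [1] => bob ): whole table leaked
print_r(findUserSafe($db, $payload));       // Array ( ): no user is literally named "x' OR '1'='1"
```

Note that binding only protects values. Table or column names and ORDER BY directions cannot be bound; for those, map the user's choice onto a hard-coded whitelist before building the query.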
![Page 14: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/14.jpg)
Command Injection
When your script calls an external program (exec(), shell_exec(), system(), backticks) with user input in the command string, users can run their own commands on the server as the web server user
![Page 15: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/15.jpg)
Protecting against Command Injection
If allowing the user to specify commands, use escapeshellcmd(); better still, accept only names from a whitelist and map them to fixed command lines, because escapeshellcmd() neutralises shell metacharacters but still lets the user append extra arguments and options
If allowing the user to specify arguments, use escapeshellarg() on each one, or pass an argument array to proc_open() (PHP 7.4+) so no shell is involved at all
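An added example (not from the slides) of the three approaches side by side: the unescaped call, escapeshellarg() on the argument, and the shell-free array form of proc_open() that needs PHP 7.4 or later. The directory listing command and the injected input are constructed; the whitelist command paths are illustrative assumptions for a Linux host.

```php
<?php
// Added example, not from the slides. Shows why concatenating user input into
// a shell command is dangerous, how escapeshellarg() neutralises it, and how
// to avoid the shell entirely with proc_open()'s array form (PHP 7.4+).
// The inputs are constructed; "ls" stands in for any external tool.

function listDirVulnerable(string $dir): string
{
    // "; id" or "$(whoami)" inside $dir runs as the web server user.
    return (string) shell_exec('ls -l ' . $dir);
}

function listDirEscaped(string $dir): string
{
    // escapeshellarg() single-quotes the value, so ";", "$(...)" and "|" are literal.
    return (string) shell_exec('ls -l ' . escapeshellarg($dir));
}

function listDirNoShell(string $dir): string
{
    // Array form: argv goes straight to the process, no /bin/sh -c parses it.
    // "--" stops ls from treating a leading-dash value as an option.
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ls', '-l', '--', $dir], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start process');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// When the user picks the command, do not escape a free-form string at all:
// map a name onto a fixed command line. escapeshellcmd() alone would still let
// "uptime --help" or similar extra options through.
function whitelistedCommand(string $name): string
{
    $allowed = ['uptime' => '/usr/bin/uptime', 'date' => '/bin/date']; // assumed paths
    if (!isset($allowed[$name])) {
        throw new InvalidArgumentException('command not allowed');
    }
    return (string) shell_exec($allowed[$name]);
}

$userInput = '/tmp; echo INJECTED';
echo listDirVulnerable($userInput);   // lists /tmp, then prints "INJECTED"
echo listDirEscaped($userInput);      // nothing on stdout: ls reports no such directory on stderr
echo listDirNoShell($userInput);      // same: the whole string is a single argv entry
echo whitelistedCommand('uptime');
```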
![Page 16: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/16.jpg)
HTML/Script Injection
HTML Injection: When user input is used to create new markup that the application did not expect
Script Injection: When user input is used to add new scripting to a page
![Page 17: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/17.jpg)
HTML/Script Injection
![Page 18: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/18.jpg)
Protecting against HTML/Script Injection
Decide if you really need to take HTML input
If you do: use an HTML cleaner like Tidy or htmLawed, and create a whitelist of allowed tags and attributes
If you don’t: escape on output with htmlentities()/htmlspecialchars(), passing ENT_QUOTES and an explicit charset, and use the escaping that fits the context (HTML body, attribute, JavaScript, URL)
![Page 19: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/19.jpg)
Cross Site ScriptingOr XSS
![Page 20: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/20.jpg)
What is it?
When attacker-supplied script ends up running in another user's browser in the context of your site, for example to send that user's session cookie or form data to a site the attacker controls
![Page 21: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/21.jpg)
How to avoid XSS?
Since this is an injection attack, use the same steps as a HTML/Script injection
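For both the HTML/Script Injection and the XSS sections above, here is an added example (not from the slides) of output escaping for the "you don't need HTML input" case, one helper per output context. The payload strings are constructed. It assumes PHP 7 or later; the flag and charset arguments to htmlspecialchars() are passed explicitly because the defaults only started including ENT_QUOTES in PHP 8.1.

```php
<?php
// Added example, not from the slides: context-aware escaping of untrusted output.
// Inputs are constructed attack strings.

// HTML body and attribute context. ENT_QUOTES also escapes single quotes,
// which matters inside single-quoted attributes; before PHP 8.1 the default
// flags leave them alone. ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string. Always pass the charset explicitly.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string context: HTML escaping is not enough inside <script>,
// because "</script>" or a quote ends the string. JSON-encode with the HEX
// flags so <, >, &, ' and " become \uXXXX escapes.
function ejs(string $s): string
{
    return (string) json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// URL query-string context.
function eurl(string $s): string
{
    return rawurlencode($s);
}

$payload = "<script>alert('xss')</script>";
$attr    = "' onmouseover='alert(1)";
$search  = 'foo&bar=baz';

echo '<p>' . e($payload) . "</p>\n";
// <p>&lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;</p>

echo "<input value='" . e($attr) . "'>\n";
// <input value='&#039; onmouseover=&#039;alert(1)'>   (stays inside the attribute)

echo '<script>var name = ' . ejs($payload) . ";</script>\n";
// <script>var name = "\u003Cscript\u003Ealert(\u0027xss\u0027)\u003C\/script\u003E";</script>

echo '<a href="/search?q=' . eurl($search) . "\">search</a>\n";
// <a href="/search?q=foo%26bar%3Dbaz">search</a>
```

Escaping belongs at the output, not at the input: the same stored comment may be rendered in a page body, an attribute and a JSON response, and each needs its own treatment. If you do accept HTML, run it through the whitelist cleaner the slide names and still escape it wherever it lands in an attribute or script.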
![Page 22: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/22.jpg)
Broken Authentication and Session Management
![Page 23: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/23.jpg)
What is it?
Insecure storing of credentials
Session IDs exposed via URL
Session fixation attacks
![Page 24: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/24.jpg)
Storing Credentials
Never store a password in the clear: store a salted hash and compare hashes at login
Do not use md5 or sha1; both are broken and not recommended for secure hashing. A salted hash() with at least sha256 is the minimum, but a general-purpose hash is fast enough that a leaked table can still be brute-forced; for passwords use a deliberately slow, salted hash: password_hash()/password_verify() (bcrypt, PHP 5.5+), or crypt() with a bcrypt salt on older releases
If you have to use the raw data (it is not a password), encrypt it. Be careful with the mcrypt naming: MCRYPT_RIJNDAEL_256 is Rijndael with a 256-bit block, which is not AES (AES is the 128-bit-block variant, MCRYPT_RIJNDAEL_128, with a 32-byte key), and mcrypt was deprecated in PHP 7.1 and removed from core in 7.2. Use openssl_encrypt() with an authenticated mode such as aes-256-gcm, or the sodium extension (PHP 7.2+)
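An added example (not from the slides) of both halves of that advice on current PHP: password_hash()/password_verify() for credentials, and AES-256-GCM through openssl_encrypt() for data that has to be read back. It assumes PHP 7.1 or later (for the GCM tag parameter); the key is generated at runtime only so the script runs stand-alone, and the sample card number is a constructed test value.

```php
<?php
// Added example, not from the slides. Password storage with PHP's built-in
// slow hash, and authenticated encryption for data that must be recovered.
// The key is generated here for illustration; in production it lives outside
// the database (environment, KMS, HSM), never beside the ciphertext.

// --- Passwords: hash, never encrypt. password_hash() picks a random salt and
// uses bcrypt for PASSWORD_DEFAULT (the default may change in future releases,
// which is why the stored string records the algorithm and cost).
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => 12]);
}

function checkPassword(string $plain, string $stored): bool
{
    // password_verify() does the constant-time comparison.
    if (!password_verify($plain, $stored)) {
        return false;
    }
    // Hashes made with older parameters can be upgraded at login,
    // the only moment the plaintext is available.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => 12])) {
        // persist storePassword($plain) for this user
    }
    return true;
}

// --- Secrets you must read back (API tokens, card data): AES-256-GCM gives
// confidentiality and integrity; a tampered ciphertext fails to decrypt.
function encryptSecret(string $plain, string $key): string
{
    $iv  = random_bytes(12);                      // fresh nonce for every message
    $tag = '';
    $ct  = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);       // nonce(12) | tag(16) | ciphertext
}

function decryptSecret(string $blob, string $key): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;            // false: wrong key or tampering
}

$hash = storePassword('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $hash)); // bool(true)
var_dump(checkPassword('Tr0ub4dor&3', $hash));                  // bool(false)

$key  = random_bytes(32);                         // 256-bit key
$blob = encryptSecret('4111 1111 1111 1111', $key);
var_dump(decryptSecret($blob, $key));             // string(19) "4111 1111 1111 1111"

// Flip one ciphertext bit: the GCM tag no longer matches, so nothing is returned.
$raw = base64_decode($blob);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 1);
var_dump(decryptSecret(base64_encode($raw), $key)); // NULL
```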
![Page 25: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/25.jpg)
Session IDs in URL
Commonly used when cookies can’t be enabled, but an ID in the URL leaks through Referer headers, proxy and server logs, bookmarks and copied links
Make sure the following is set in your php.ini:
session.use_trans_sid = 0
session.use_only_cookies = 1
![Page 26: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/26.jpg)
Session Fixation
The attacker plants a session ID they already know (in a link, or in a cookie they can set) and waits for the victim to log in under it; the attacker then holds an authenticated session without ever stealing anything
Regenerate the session ID whenever the privilege level changes (session_regenerate_id(true) at login) and track login status in the session, so a planted ID that was never authenticated is worth nothing. Users who never log out make this worse, so expire idle sessions
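An added example (not from the slides) that pulls the last two slides together: the runtime equivalent of the php.ini settings, the cookie flags, and the ID regeneration that defeats fixation. It assumes PHP 7.3 or later for the array form of session_set_cookie_params() and the samesite option; the user ID 42 is a placeholder.

```php
<?php
// Added example, not from the slides: session hardening at runtime, the
// equivalent of the php.ini directives plus cookie flags, and the session-ID
// regeneration that defeats fixation. Must run before any output.

function secureSessionStart(): void
{
    ini_set('session.use_only_cookies', '1');   // never read the ID from the URL
    ini_set('session.use_trans_sid', '0');      // never rewrite the ID into links
    ini_set('session.use_strict_mode', '1');    // reject IDs the server did not issue (PHP 5.5.2+)
    session_set_cookie_params([                 // array form: PHP 7.3+
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by injected script
        'samesite' => 'Lax',    // not sent on most cross-site requests (CSRF defence in depth)
    ]);
    session_start();
}

// Fixation: the attacker plants a session ID and waits for the victim to log
// in under it. Issuing a fresh ID at the privilege change means the planted
// ID never becomes an authenticated session.
function loginUser(int $userId): void
{
    session_regenerate_id(true);            // true: discard the old session data
    $_SESSION['user_id']   = $userId;
    $_SESSION['logged_in'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

secureSessionStart();
$before = session_id();
loginUser(42);                               // 42 is a placeholder user ID
var_dump($before !== session_id());          // bool(true): the pre-login ID is no longer valid
```

If the application runs behind PHP versions without use_strict_mode, the same effect needs a marker in the session data (set at login) and a check that rejects sessions lacking it.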
![Page 27: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/27.jpg)
Insecure Direct Object References
![Page 28: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/28.jpg)
What is it?
The application exposes a direct reference to an internal object (a database key, a file name) and does not check that the current user is allowed to access that object, so changing the value in the request reaches someone else’s data
Should be handled by checking authorization when the object is accessed, or by mapping the exposed references to internal ones
This is not an injection attack, but a logic (access control) attack
![Page 29: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/29.jpg)
An Example
![Page 30: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/30.jpg)
How to Avoid
Always check to make sure the user has authorization to access the resource, on every request that touches it
Map variables/whitelist: hand out per-session indirect references instead of raw keys to make guessing harder; this complements the authorization check, it does not replace it
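The deck's own example slide was not captured in the transcript. The following is an added example (not from the slides) of both defences for a request like ?invoice=1023: an ownership check at the point of access, and an indirect reference map kept in the session. The invoice records, user IDs and the array standing in for $_SESSION are constructed.

```php
<?php
// Added example, not from the slides. Two defences for a direct object
// reference: (1) check that the record belongs to the current user on every
// access; (2) give the client an opaque per-session reference instead of the
// database key. Records and user IDs are constructed.

$invoices = [
    1023 => ['owner' => 7, 'total' => 120.00],
    1024 => ['owner' => 9, 'total' =>  80.50],
];

// (1) Authorization at the point of access. The lookup is scoped to the owner,
// so a guessed ID that belongs to someone else returns nothing; in SQL this
// is "WHERE id = :id AND owner_id = :me" as a bound, prepared query.
function loadInvoice(array $invoices, int $id, int $currentUser): ?array
{
    $inv = $invoices[$id] ?? null;
    if ($inv === null || $inv['owner'] !== $currentUser) {
        return null;                             // treat "not yours" the same as "not found"
    }
    return $inv;
}

// (2) Indirect reference map. The client only ever sees random tokens that
// the session maps back to real IDs; a token outside the map resolves to nothing,
// and the real key never appears in a URL. Still call loadInvoice() afterwards.
function indirectRef(array &$session, int $realId): string
{
    $token = bin2hex(random_bytes(16));
    $session['refmap'][$token] = $realId;
    return $token;
}

function resolveRef(array $session, string $token): ?int
{
    return $session['refmap'][$token] ?? null;
}

$currentUser = 7;
var_dump(loadInvoice($invoices, 1023, $currentUser)['total']); // float(120)
var_dump(loadInvoice($invoices, 1024, $currentUser));          // NULL: belongs to user 9

$session = [];                                                 // stands in for $_SESSION
$token = indirectRef($session, 1023);                          // 32 hex chars, sent to the client
var_dump(resolveRef($session, $token) === 1023);               // bool(true)
var_dump(resolveRef($session, '1024'));                        // NULL: raw keys are not accepted
```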
![Page 31: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/31.jpg)
Cross Site Request ForgeryOr CSRF Attacks
![Page 32: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/32.jpg)
What is it?
When an attacker makes the victim’s browser send a request to a site where the victim is already authenticated; the site trusts the request because it carries the victim’s session cookie
In days gone by this would be done with Referer checking, but don’t trust referrer information: browsers and proxies often strip it, so it cannot be relied on
![Page 33: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/33.jpg)
An example – Bank Transfer
A bank transfer is done via $_GET variables (destination account and amount in the query string)
The user is authenticated but not logged out, so an image tag or link on any other site that points at that URL completes the transfer with the victim’s cookie
![Page 34: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/34.jpg)
How to avoid this
Include a hidden element in the form with a one-time value: a random token stored in the session and verified on submit, and perform state changes only on POST
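An added example (not from the slides) of a synchronizer token for the bank transfer form. A plain array stands in for $_SESSION and $_POST so it runs stand-alone; the account names and amounts are constructed. It assumes PHP 7 for random_bytes() and hash_equals().

```php
<?php
// Added example, not from the slides: CSRF synchronizer token for the transfer
// form. The token is random, bound to the session, compared in constant time,
// and the state-changing action only accepts POST. Arrays stand in for
// $_SESSION and $_POST; account names and amounts are constructed.

function csrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));  // per session; rotate at login
    }
    return $session['csrf'];
}

function csrfHiddenField(array &$session): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfValid(array $session, array $post): bool
{
    $expected = $session['csrf'] ?? '';
    $given    = $post['csrf'] ?? '';
    // hash_equals() avoids leaking the token byte by byte through timing.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

function transfer(string $method, array $session, array $post): string
{
    if ($method !== 'POST') {
        return '405: transfers are never done via GET links or images';
    }
    if (!csrfValid($session, $post)) {
        return '403: missing or wrong CSRF token';
    }
    return "OK: moved {$post['amount']} to {$post['to']}";
}

$session = [];
echo csrfHiddenField($session), "\n";       // rendered into the real form

// Forged requests from another origin carry the victim's cookie (the session)
// but cannot read the token out of the victim's page.
echo transfer('GET',  $session, ['to' => 'attacker', 'amount' => '1000']), "\n";
echo transfer('POST', $session, ['to' => 'attacker', 'amount' => '1000', 'csrf' => 'guess']), "\n";

// Legitimate submission from the rendered form.
echo transfer('POST', $session, ['to' => 'savings', 'amount' => '100', 'csrf' => $session['csrf']]), "\n";
```

A strictly one-time token (new value per rendered form, consumed on use) is the slide's wording and is the strongest form; one token per session, rotated at login, is the usual compromise because it survives multiple open tabs. Either way the token must never appear in a URL, or it leaks through the same Referer channel the slide warns about.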
![Page 35: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/35.jpg)
Security Misconfiguration
![Page 36: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/36.jpg)
Beyond the scope of programming
Check for server hardening guidelines for your OS
Password rotation practices
Understanding your settings
Keep your stack up to date!
![Page 37: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/37.jpg)
Insecure Cryptographic Storage
![Page 38: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/38.jpg)
More of a logic problem
Encrypting data in the database, but leaving it unencrypted during output
Using unsalted hashes
![Page 39: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/39.jpg)
How to avoid this
Like when storing credentials, use a salt whenever hashing information (and a slow hash for passwords)
Only decrypt data when it is needed, in the one code path that needs it, and keep the key away from the data it protects
![Page 40: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/40.jpg)
Failure to Restrict URL Access
![Page 41: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/41.jpg)
What is it?
When users can gain access to parts of the application just through URL manipulation, because the app doesn’t check authorization properly on every page and action
![Page 42: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/42.jpg)
Security through Obscurity
Don’t trust that just because a user doesn’t know a URL, they can’t get to it
Fuzzers can find all kinds of things, especially if the app is common
![Page 43: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/43.jpg)
How to avoid this
ALWAYS check authorization. The extra CPU cycles are worth it.
![Page 44: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/44.jpg)
Insufficient Transport Layer Protection
![Page 45: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/45.jpg)
Not using SSL when you should
If your data is sensitive, use SSL/TLS. Are your logins behind SSL? Is the session cookie marked secure so it is never sent over plain HTTP?
There isn’t really an excuse. You can get an SSL cert for $9/year.
![Page 46: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/46.jpg)
Unvalidated Redirects and Forwards
![Page 47: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/47.jpg)
What is it?
When an app redirects or forwards to a destination taken from the request (a "next" or "return" parameter) without validating it, so a link that starts on your trusted domain can send users to a site of the attacker’s choosing, typically for phishing
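An added example (not from the slides) of validating such a parameter before redirecting. It accepts only local paths and rejects absolute URLs, scheme-relative `//host` forms, backslash variants that some browsers normalise to `/`, and control characters; when the set of destinations is known, a name-to-path map is simpler still. The test cases are constructed, and the route names in the map are assumptions.

```php
<?php
// Added example, not from the slides: validating a "next" parameter before
// redirecting. Only local paths pass; everything else falls back to a default.

function safeRedirectTarget(?string $next, string $default = '/'): string
{
    if ($next === null || $next === '') {
        return $default;
    }
    // One leading slash not followed by "/" or "\":
    //   "/account"        accepted
    //   "//evil.example"  rejected (scheme-relative URL)
    //   "/\evil.example"  rejected (some browsers treat "\" as "/")
    //   "http://..."      rejected (no leading slash)
    if (!preg_match('#^/(?![/\\\\])#', $next)) {
        return $default;
    }
    // Control characters or newlines have no place in a path; reject rather
    // than clean, so nothing can be smuggled into the Location header.
    if (preg_match('/[\x00-\x1F\x7F]/', $next)) {
        return $default;
    }
    // Belt and braces: parse_url() must see neither a host nor a scheme.
    $parts = parse_url($next);
    if ($parts === false || isset($parts['host']) || isset($parts['scheme'])) {
        return $default;
    }
    return $next;
}

// Alternative when the targets are known in advance: map names to paths and
// never accept a URL from the client at all. The names here are assumptions.
function namedRedirect(string $name): string
{
    $targets = ['home' => '/', 'profile' => '/account', 'orders' => '/orders'];
    return $targets[$name] ?? '/';
}

$cases = [                                   // constructed inputs => expected result
    '/account?tab=security'  => '/account?tab=security',
    'https://evil.example/'  => '/',
    '//evil.example/'        => '/',
    '/\\evil.example/'       => '/',
    "/ok\r\nSet-Cookie: x=1" => '/',
    ''                       => '/',
];
foreach ($cases as $in => $want) {
    $got = safeRedirectTarget($in);
    printf("%-30s -> %-24s %s\n", json_encode($in, JSON_UNESCAPED_SLASHES), $got, $got === $want ? 'ok' : 'FAIL');
}
echo namedRedirect('profile'), "\n";         // /account
echo namedRedirect('https://evil.example/'), "\n"; // /

// In the request handler:
// header('Location: ' . safeRedirectTarget($_GET['next'] ?? null)); exit;
```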
![Page 48: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/48.jpg)
Putting it Together
![Page 49: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/49.jpg)
Attacking from Multiple Fronts
Attackers will employ many different vectors in an attack
An HTML injection point on a site with broken authentication lets an attacker use XSS or forged requests to make users perform unintended actions
Script injection can lead to session hijacking: the injected script reads the session cookie and sends it to the attacker, which is why the cookie should be HttpOnly
![Page 50: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/50.jpg)
Remember…
1. Minimizing Attack Surface
2. Establishing Secure Defaults
3. Principle of Least Privilege
4. Defense in Depth
5. Fail Securely
6. Don’t Trust Services or Users
7. Separation of Duties
8. Avoid Security through Obscurity
9. Keep Security Simple
10. Fix Security Issues Correctly
https://www.owasp.org/index.php/Secure_Coding_Principles
![Page 51: PHP Security Tips](https://reader036.fdocuments.in/reader036/viewer/2022062405/555ab880d8b42a405b8b528b/html5/thumbnails/51.jpg)
Questions?