Tulsa techfest2010 security

Page 1: Tulsa techfest2010 security

What is Security?

Jason Ragsdale

Sr. Technical Yahoo, Yahoo!

Help us thank our sponsors:

Friday, November 12, 2010

Page 2

A good place to start... php.ini

display_errors = Off (errors belong in the log, not in the response: set log_errors = On alongside it)

register_globals = Off (lets request parameters initialise arbitrary variables; deprecated in PHP 5.3 and removed in 5.4, so keep it Off on any older build)

open_basedir = .... (confine file access to the directories the application actually needs)

What about safe_mode?? (also deprecated in 5.3 and removed in 5.4; PHP's own manual calls it architecturally incorrect, so don't rely on it as a security boundary)
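The settings above are easy to get wrong per host, so a runtime check is worth having. The following script is an added example, not from the talk: it reads the live configuration with ini_get() and reports the directives that leave a production box exposed. The list of directives checked and the helper names are this example's own choice; it assumes PHP 7 or later.

```php
<?php
// Added example (not from the talk): report php.ini settings that leave a
// production box exposed. Run from the CLI or as a one-off web script that is
// deleted afterwards. The set of directives checked is this example's choice.

// ini_get() returns "1"/"0", "On"/"Off" or "" depending on how the directive
// was written; treat anything that is not an explicit "off" value as on.
function ini_flag_on($value)
{
    return !in_array(strtolower((string) $value), array('', '0', 'off', 'false', 'no'), true);
}

function insecure_ini_settings()
{
    $findings = array();

    // Directives that must be off in production. ini_get() returns false for a
    // directive the running PHP no longer knows (register_globals on >= 5.4).
    foreach (array('display_errors', 'register_globals', 'allow_url_include', 'expose_php') as $flag) {
        $value = ini_get($flag);
        if ($value !== false && ini_flag_on($value)) {
            $findings[] = "$flag is On";
        }
    }

    // With display_errors off, errors still need to go somewhere.
    if (!ini_flag_on(ini_get('log_errors'))) {
        $findings[] = 'log_errors is Off (errors are neither shown nor recorded)';
    }

    // No open_basedir means scripts may read any file the web server user can.
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is not set';
    }

    return $findings;
}

$findings = insecure_ini_settings();
if ($findings === array()) {
    echo "php.ini: no findings\n";
} else {
    foreach ($findings as $f) {
        echo "php.ini: $f\n";
    }
}
```

Run it under the same SAPI the site uses (php-fpm or mod_php, not only the CLI), since each SAPI can load a different php.ini and per-directory overrides.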

Page 3

Don't be stupid

Never require/include any file based on user input without checking it first.

<?php
// Deliberately vulnerable (from the talk): the request decides which file is included
if (isset($_GET['page'])) {
    require $_GET['page'];
}
?>

URL: script.php?page=/etc/passwd

....
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh

The same bug also hands over your PHP source (page=php://filter/convert.base64-encode/resource=config.php) and, with allow_url_include = On, lets the attacker pull code from a host they control.

Page 4

Don't be stupid... 2

If your solution uses eval().... you are doing it wrong

<?php
// Deliberately vulnerable (from the talk): the query string is executed as PHP
if (isset($_GET['input'])) {
    eval($_GET['input']);
}
?>

URL: script.php?input=passthru("cat /etc/passwd");

....
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
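The hardened forms of both "don't be stupid" slides, as an added example that is not the talk's own code: the request supplies a key, not a path or code, and the key is looked up in a table the developer wrote. The page names, action names and directory layout are assumptions made for this example.

```php
<?php
// Added example (not from the talk): fixed versions of the require-from-$_GET
// and eval-from-$_GET snippets. Page names and actions are this example's own.

// Slide 3, fixed: the request parameter is a key into a fixed map of files.
// The user never supplies a path, and an unknown key yields null (send a 404).
function known_pages()
{
    return array(
        'home'    => __DIR__ . '/pages/home.php',
        'about'   => __DIR__ . '/pages/about.php',
        'contact' => __DIR__ . '/pages/contact.php',
    );
}

function page_file($requested)
{
    $pages = known_pages();
    // array_key_exists on the key; the value itself is never used for lookup
    if (!is_string($requested) || !array_key_exists($requested, $pages)) {
        return null;
    }
    return $pages[$requested];
}

// Slide 4, fixed: eval() replaced by a dispatch table of closures we wrote.
// The request can only choose among them, never supply code of its own.
function known_actions()
{
    return array(
        'time'  => function () { return 'server time: ' . gmdate('c'); },
        'hello' => function () { return 'hello'; },
    );
}

function run_action($name)
{
    $actions = known_actions();
    if (!is_string($name) || !isset($actions[$name])) {
        return null;   // unknown action: refuse rather than guess
    }
    return $actions[$name]();
}

// Constructed inputs: what the attacker sent on the slides, then legitimate values.
foreach (array('/etc/passwd', 'php://filter/convert.base64-encode/resource=index.php', 'about') as $p) {
    $file = page_file($p);
    echo "page=$p -> ", $file === null ? 'rejected' : "include $file", "\n";
}
foreach (array('passthru("cat /etc/passwd");', 'hello') as $a) {
    $out = run_action($a);
    echo "input=$a -> ", $out === null ? 'rejected' : $out, "\n";
}
```

The dispatch table is the general answer to "I need the request to pick behaviour": anything eval() would have done on the attacker's string can be expressed as a named function the attacker may only select.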

Page 5

Input Filtering

What is input?

Anything the user or interacting system sends to your site, i.e. $_POST, $_GET, $_REQUEST, $_COOKIE... (request headers in $_SERVER and uploaded files count too)

What is a whitelist?

"A list of approved or favored items": accept only what matches the list, reject everything else

What is a blacklist?

"A list of persons who are disapproved of or are to be punished or boycotted": reject what matches, accept everything else, which fails the first time an attacker sends something you didn't think of

Page 6

Input Validation

Unfiltered code

Example

<?php
// No validation: $username is whatever the client sent
if (isset($_POST['username'])) {
    $username = $_POST['username'];
}

Page 7

Input Validation

ctype

Example

<?php
$clean = array();

// ctype_alnum() is true only for a non-empty string of [A-Za-z0-9]; check
// isset() first so a missing field does not raise a notice
if (isset($_POST['username']) && ctype_alnum($_POST['username'])) {
    $clean['username'] = $_POST['username'];
}

Page 8

Input Validation

Zend_Filter_Input

Example

<?php
if (isset($_POST['username'])) {
    // Zend Framework 1 filter chain. Zend_Filter_Alpha strips everything that is
    // not a letter (it sanitises rather than rejects: "j0hn<b>" becomes "jhnb"),
    // then the result is lower-cased.
    $filterChain = new Zend_Filter();
    $filterChain->addFilter(new Zend_Filter_Alpha())
                ->addFilter(new Zend_Filter_StringToLower());
    $username = $filterChain->filter($_POST['username']);
}

Page 9

Input Validation

php/filter

Example

<?php
if (isset($_POST['username'])) {
    // Validate, don't sanitise: filter_var() returns the value on a match and
    // false otherwise. The pattern is anchored (\z rather than $, so a trailing
    // newline cannot slip through); an unanchored /([a-zA-Z0-9]+)/ would accept
    // any value containing at least one alphanumeric character, e.g. "<script>1".
    $username = filter_var($_POST['username'], FILTER_VALIDATE_REGEXP, array(
        'options' => array('regexp' => '/^[a-zA-Z0-9]+\z/')
    ));
}
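The three previous slides each validate one field. The block below is an added example (not from the talk) that generalises the $clean-array pattern into a small per-field whitelist schema using php/filter: each field gets a filter, optional options and a length cap, and the function returns the clean values and the errors separately. The field names, limits and sample requests are constructed for this example.

```php
<?php
// Added example (not from the talk): the $clean-array pattern from the slides
// applied to several fields at once through a whitelist schema. Field names,
// limits and the sample requests are constructed for this example.

function validate_request(array $input, array $schema)
{
    $clean  = array();
    $errors = array();

    foreach ($schema as $field => $rule) {
        // Absent, or not a scalar string (?username[]=x sends an array): reject.
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        $value = $input[$field];

        // Length cap before the regex: keeps pathological inputs cheap to reject.
        if (isset($rule['max']) && strlen($value) > $rule['max']) {
            $errors[$field] = 'too long';
            continue;
        }

        // filter_var() validates; it returns false on failure for every filter
        // used here (FILTER_VALIDATE_BOOLEAN, which also returns false for a
        // valid "no", is deliberately not part of this schema).
        $options = isset($rule['options']) ? $rule['options'] : 0;
        $result  = filter_var($value, $rule['filter'], $options);
        if ($result === false) {
            $errors[$field] = 'invalid';
            continue;
        }
        $clean[$field] = $result;
    }

    return array($clean, $errors);
}

$schema = array(
    // anchored with \z, not $, so a trailing newline cannot sneak through
    'username' => array('filter' => FILTER_VALIDATE_REGEXP, 'max' => 32,
                        'options' => array('options' => array('regexp' => '/^[a-zA-Z0-9]+\z/'))),
    'email'    => array('filter' => FILTER_VALIDATE_EMAIL, 'max' => 254),
    'age'      => array('filter' => FILTER_VALIDATE_INT,
                        'options' => array('options' => array('min_range' => 13, 'max_range' => 120))),
);

// Constructed requests standing in for $_POST:
$good = array('username' => 'jragsdale', 'email' => 'jason@example.com', 'age' => '30');
$bad  = array('username' => "admin\n<script>", 'email' => 'not-an-address', 'age' => array('1'));

list($clean, $errors) = validate_request($good, $schema);
echo 'good request: clean=', json_encode($clean), ' errors=', json_encode($errors), "\n";
list($clean, $errors) = validate_request($bad, $schema);
echo 'bad request:  clean=', json_encode($clean), ' errors=', json_encode($errors), "\n";
```

Only $clean is ever handed to the rest of the application; the raw superglobals are read in exactly one place, which is what makes the later code-auditing slides workable.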

Page 10

Output Encoding

What is output?

Anything sent back to the user / sender of the request (RSS feed, form validation messages, user-created data...)

htmlentities Example

<?php
$str = "A 'quote' is <b>bold</b>";

// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
// (the default flags up to PHP 8.0 leave single quotes alone; from PHP 8.1 the
// default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401 and this prints the
// second line below)
echo htmlentities($str);

// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_QUOTES);

Always pass ENT_QUOTES and the page's charset (third argument, e.g. 'UTF-8'): a bare single quote breaks out of a single-quoted attribute, and before PHP 5.4 the default charset was ISO-8859-1.

Page 11

Tim Stiles

At this point mention XmlWriter and all its wonders.... ;)

Page 12

Database Inputs (or: How I Learned to Stop Worrying and Love the Users)

Page 13

How do I deal with it?

An input filter (whitelist) combined with prepared statements... DONE

<?php
// $dbh is an existing PDO connection
$clean = array();

if (isset($_POST['username']) && ctype_alnum($_POST['username'])) {
    $clean['username'] = $_POST['username'];
}

if (isset($clean['username'])) {
    // The value travels as a bound parameter, never as part of the SQL text
    $sql = "SELECT `username` FROM `users` WHERE `username` = :username";

    $sth = $dbh->prepare($sql);

    $sth->execute(array(':username' => $clean['username']));

    $username = $sth->fetchColumn();
}
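To see what the prepared statement buys you, the following added example (not from the talk) runs the slide's lookup two ways against an in-memory SQLite database: once with the value pasted into the SQL text, once as a bound parameter. It assumes the pdo_sqlite extension is loaded; the table contents and the attacker's input are constructed for this example.

```php
<?php
// Added example (not from the talk): the slide's query run with string
// concatenation and with a prepared statement against in-memory SQLite
// (assumes pdo_sqlite), so the difference is visible without a MySQL server.
// Table rows and the hostile input are constructed for this example.

function make_db()
{
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // For MySQL you would also set PDO::ATTR_EMULATE_PREPARES to false so the
    // server, not the client-side quoting code, separates SQL from data.
    $dbh->exec('CREATE TABLE users (username TEXT, password_hash TEXT)');
    $dbh->exec("INSERT INTO users VALUES ('jragsdale', 'hash1'), ('admin', 'hash2')");
    return $dbh;
}

// The vulnerable form: the request value becomes part of the SQL text.
function lookup_concatenated(PDO $dbh, $username)
{
    $sql = "SELECT username FROM users WHERE username = '$username'";
    return $dbh->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The slide's form: the value is a bound parameter and can only ever be data.
function lookup_prepared(PDO $dbh, $username)
{
    $sth = $dbh->prepare('SELECT username FROM users WHERE username = :username');
    $sth->execute(array(':username' => $username));
    return $sth->fetchAll(PDO::FETCH_COLUMN);
}

$dbh    = make_db();
$attack = "' OR '1'='1";   // classic tautology; ctype_alnum() would have rejected it too

echo "concatenated: ", json_encode(lookup_concatenated($dbh, $attack)), "\n";
echo "prepared:     ", json_encode(lookup_prepared($dbh, $attack)), "\n";
```

The concatenated query turns into WHERE username = '' OR '1'='1' and returns every user; the prepared query looks for a user literally named ' OR '1'='1 and returns none. The whitelist filter on the slide is the second layer: it stops the hostile string before it reaches the database at all.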

Page 14

XSS (Cross Site Scripting)

Example

<?php
// Deliberately vulnerable (from the talk): raw request data written straight into the page
echo "<p> Welcome back, {$_GET['username']}.</p>";
?>

------Let's exploit this------

URL: script.php?username=<script> ....do something bad here... </script>

<p> Welcome back, <script> ....do something bad here... </script>. </p>
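The welcome line fixed, as an added example that is not the talk's code, and extended past the htmlentities() slide to the neighbouring contexts a single HTML encoder does not cover: attribute values, a value embedded in inline JavaScript, a value inside a URL query string, and a user-supplied link. The helper names and the hostile inputs are this example's own.

```php
<?php
// Added example (not from the talk): context-specific output encoding for the
// "Welcome back" page. Helper names and the sample payloads are this example's own.

// HTML body text and double-quoted attribute values.
function e_html($s)
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A value embedded in inline JavaScript: JSON-encode it and hex-escape the
// characters that could close the <script> element or break the literal.
function e_js($s)
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// A value placed inside a URL query string.
function e_url($s)
{
    return rawurlencode($s);
}

// A user-supplied link: only http(s) may be used as an href. A hostile scheme
// such as javascript: is rejected outright, because encoding cannot fix it.
function safe_href($url)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return '#';
    }
    return e_html($url);
}

function render_welcome($username, $homepage)
{
    return '<p>Welcome back, ' . e_html($username) . '.</p>' . "\n"
         . '<a href="' . safe_href($homepage) . '">home</a>' . "\n"
         . '<a href="/search?q=' . e_url($username) . '">your posts</a>' . "\n"
         . '<script>var user = ' . e_js($username) . ';</script>' . "\n";
}

// Constructed hostile inputs standing in for $_GET values:
echo render_welcome('<script>alert(1)</script>', 'javascript:alert(1)');
echo render_welcome("Jason's \"account\" </script><script>alert(2)</script>", 'https://example.com/');
```

Each helper is chosen by where the value lands in the document, not by where it came from; that is the rule the input-filtering slides cannot enforce on their own, since a perfectly valid username still needs encoding once it is written into a page.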

Page 15

XSS (Cross Site Scripting)

If you do the two items we spoke about

Input Filtering

Output Encoding

You most likely are still vulnerable, but it'll be a lot harder to exploit

Almost impossible to completely nullify all security / XSS issues (new browsers and plugins appear all the time, and the bad guys keep getting smarter)

Page 16

CSRF (Cross Site Request Forgeries)

Somewhere on MyFavoriteForum.com:

<img src="http://bank.com/transfermoney.php?to=me&amount=100.00">

...if users are logged in to bank.com, their browser attaches their bank.com cookies to that image request, so invisible actions can be taken on their behalf, with their authority.

Page 17

CSRF (Cross Site Request Forgeries)

Solutions

Sign your forms with a token (the talk suggests an MD5 hash with a secret key; use hash_hmac() rather than md5(secret . data), which is open to length extension, or simply a random per-session value)

Validate the token before processing the data (the <img> trick above only sends GETs, but a hidden auto-submitting form can still POST, so the token check is what actually stops it, not the method)

This can be done with Cookie and Session data as well
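A session-bound token as an added example, not the talk's code: a random seed lives in the session, and the form carries an HMAC of that seed keyed with a server-side secret (standing in for the "MD5 hash with a secret key" on the slide). The secret, the field name, the sample form and the walk-through values are this example's own; hash_equals() needs PHP 5.6 and random_bytes() PHP 7.

```php
<?php
// Added example (not from the talk): CSRF token bound to the session and keyed
// with a server secret. $secret, the field name and the sample requests are
// constructed for this example. Requires PHP 7 (random_bytes, hash_equals).

function csrf_token(array &$session, $secret)
{
    if (empty($session['csrf_seed'])) {
        $session['csrf_seed'] = bin2hex(random_bytes(16));
    }
    // Binding to the session seed means a token from one session is useless in another
    return hash_hmac('sha256', $session['csrf_seed'], $secret);
}

function csrf_valid(array $session, $secret, $submitted)
{
    if (empty($session['csrf_seed']) || !is_string($submitted)) {
        return false;
    }
    $expected = hash_hmac('sha256', $session['csrf_seed'], $secret);
    // constant-time comparison: == would leak how many leading bytes matched
    return hash_equals($expected, $submitted);
}

function transfer_form(array &$session, $secret)
{
    return '<form method="post" action="/transfermoney.php">' . "\n"
         . '  <input type="hidden" name="csrf" value="' . csrf_token($session, $secret) . '">' . "\n"
         . '  <input name="to"> <input name="amount"> <button>Transfer</button>' . "\n"
         . '</form>' . "\n";
}

function handle_transfer(array $session, $secret, array $post)
{
    // Validate the token before anything else looks at the data
    if (!isset($post['csrf']) || !csrf_valid($session, $secret, $post['csrf'])) {
        return 'rejected: missing or bad CSRF token';
    }
    return 'ok: would transfer ' . $post['amount'] . ' to ' . $post['to'];
}

// Constructed walk-through standing in for $_SESSION and $_POST:
$secret  = 'constructed-secret-load-this-from-config-outside-docroot';
$session = array();

echo transfer_form($session, $secret);
$token = csrf_token($session, $secret);

// The forged request from MyFavoriteForum.com carries no token...
echo handle_transfer($session, $secret, array('to' => 'me', 'amount' => '100.00')), "\n";
// ...a guessed token fails as well...
echo handle_transfer($session, $secret, array('to' => 'me', 'amount' => '100.00', 'csrf' => str_repeat('0', 64))), "\n";
// ...and the genuine form submission passes.
echo handle_transfer($session, $secret, array('to' => 'alice', 'amount' => '5.00', 'csrf' => $token)), "\n";
```

In production the handler should also refuse anything but POST and the token should be rotated on login, so a token captured before authentication is worthless afterwards.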

Page 18

Protecting Source Code

Make sure all code file extensions are blocked from viewing

You can remove them from the html root

Or block them in the apache config (Apache 2.2 syntax; on 2.4 the two inner lines become Require all denied)

<FilesMatch "\.inc$">
    Order deny,allow
    Deny from all
</FilesMatch>

Page 19

Protecting Source Code

Watch for editor backup files too!

.file.php.tmp

file.php~

etc...

Or don’t edit code on production boxes.
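One configuration block covering both of the previous slides, as an added example that is not from the talk: the extension list, the backup-file patterns and the .git rule are this example's own choices, so extend them to whatever your editors and deploy tools actually leave behind.

```apache
# Added example (not from the talk): deny direct access to include files,
# editor/backup leftovers and dotfiles in one place. The extension list is this
# example's choice; adjust it to your own tooling.
#
# Matches: .inc .sql .bak .orig .old .swp .tmp, names ending in "~", and
# anything starting with "." (covers .file.php.tmp and .htaccess).
<FilesMatch "(\.(inc|sql|bak|orig|old|swp|tmp)|~)$|^\.">
    # Apache 2.4
    Require all denied
    # Apache 2.2 equivalent (use one form or the other, not both):
    # Order deny,allow
    # Deny from all
</FilesMatch>

# FilesMatch only sees the file name, so "config" inside a checked-out .git
# directory is not caught above; deny the directory itself.
<DirectoryMatch "/\.(git|svn|hg)(/|$)">
    Require all denied
</DirectoryMatch>
```

After reloading, request one of each pattern (a .inc, a file.php~, a .git/config) and confirm a 403 rather than the source; a block that never gets tested is only a comment.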

Page 20

Code Auditing

Set a standard for your team (and yes, a team can be a single person)

Input Filtering Methods

Output Encoding Methods

Database Access Methods

Search the code for security points (echo, print...)

Enforce these methods

Page 21

Code Auditing

Default to Secure.

Make being insecure obvious and auditable, e.g. a raw-input accessor whose name stands out in a grep:

YAHOO_GET_RAW("blah")
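An audit pass in the spirit of "search the code for security points", as an added example that is not the talk's tooling: it tokenises PHP source with token_get_all() and reports every echo or print statement that references a request superglobal directly, i.e. output that never went through the team's filtering and encoding methods. The function, the list of superglobals and the sample source are this example's own.

```php
<?php
// Added example (not from the talk): flag echo/print statements that use a
// request superglobal directly. The check and the sample file are this
// example's own; requires PHP 7 for the scalar type declarations.

function find_raw_output(string $source): array
{
    $findings = array();
    $tokens   = token_get_all($source);
    $n        = count($tokens);

    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || ($tok[0] !== T_ECHO && $tok[0] !== T_PRINT)) {
            continue;
        }
        $line = $tok[2];
        // Walk the statement to its terminating ';' (or a closing tag) and look
        // for request superglobals anywhere inside it, including inside
        // interpolated strings, which the tokenizer also breaks into T_VARIABLE.
        for ($j = $i + 1; $j < $n; $j++) {
            $t = $tokens[$j];
            if ($t === ';' || (is_array($t) && $t[0] === T_CLOSE_TAG)) {
                break;
            }
            if (is_array($t) && $t[0] === T_VARIABLE
                && in_array($t[1], array('$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_SERVER'), true)) {
                $findings[] = array('line' => $line, 'variable' => $t[1]);
            }
        }
        $i = $j;   // resume after this statement
    }
    return $findings;
}

// Constructed sample file: raw output on lines 3 and 6, encoded output on line 5.
$sample = <<<'PHP'
<?php
$name = $_GET['username'];
echo "<p>Welcome back, {$_GET['username']}.</p>";
$safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
echo "<p>Welcome back, $safe.</p>";
print 'Your agent: ' . $_SERVER['HTTP_USER_AGENT'];
PHP;

foreach (find_raw_output($sample) as $f) {
    echo "line {$f['line']}: {$f['variable']} written to output without encoding\n";
}
```

The scan is deliberately dumb: it also flags echo htmlspecialchars($_GET['x']), and it misses the value on line 2 of the sample that is copied into $name first. Treat its output as a review queue rather than a verdict, and pair it with a grep for the team's raw accessor (the YAHOO_GET_RAW idea above) so every bypass of the standard methods is enumerable.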

Page 22

System Security

Your website is only as secure as the server/network it is hosted on

Perform regular package updates

Make sure you apply any updated PHP or Apache code as soon as you can; there are reasons for security releases

Page 23

Firewalls & Access Control

Only allow access to the ports that you need to:

80 - Web (HTTP)

443 - HTTPS (SSL/TLS)

22 - SSH (restrict it to the addresses that administer the box rather than the whole Internet)

Page 24

Misc...

Signed Data (MD5): use an HMAC (hash_hmac) rather than a bare hash of secret-plus-data

Hashed (not merely encrypted) passwords in the DB: salted, one-way, so a stolen table or key does not yield the passwords

Config Files outside DOCROOT

Secret keys outside code, in config files

If it's customer data USE SSL
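The two cryptographic items on this slide, as an added example that is not the talk's code: signed data using hash_hmac() with a secret loaded from a config file outside the web root, and password storage with password_hash() (PHP 5.5+, bcrypt with a per-hash random salt) instead of reversible encryption. The config path, the secret and all sample values are constructed for this example.

```php
<?php
// Added example (not from the talk): HMAC-signed data and salted one-way
// password hashing. Secret, path and sample values are constructed for this
// example; password_hash()/hash_equals() need PHP 5.5/5.6 or later.

// --- signed data --------------------------------------------------------
function sign(array $data, $secret)
{
    // Canonical encoding first, so both sides MAC exactly the same bytes
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function verify($token, $secret)
{
    $parts = explode('.', (string) $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($payload, $mac) = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;   // tampered, or signed with a different key
    }
    return json_decode(base64_decode($payload), true);
}

// --- passwords ----------------------------------------------------------
function store_password($plain)
{
    return password_hash($plain, PASSWORD_DEFAULT);   // bcrypt, random salt per hash
}

function check_password($plain, $stored)
{
    return password_verify($plain, $stored);
}

// The secret belongs in a config file outside DOCROOT, e.g. a file at
// /etc/myapp/secrets.php returning array('hmac' => '...'); a constructed
// value stands in for it here.
$secret = 'constructed-secret-for-this-example';

$token = sign(array('user' => 'jragsdale', 'role' => 'member'), $secret);
echo "token:  $token\n";
echo "verify: ", json_encode(verify($token, $secret)), "\n";

// Promote the payload to admin while keeping the original MAC: verify() rejects it
list($payload) = explode('.', $token, 2);
$forged = base64_encode(json_encode(array('user' => 'jragsdale', 'role' => 'admin')))
        . '.' . substr($token, strlen($payload) + 1);
echo "forged: ", json_encode(verify($forged, $secret)), "\n";

$hash = store_password('correct horse battery staple');
echo "hash:   $hash\n";
echo "login:  ", json_encode(check_password('correct horse battery staple', $hash)), "\n";
echo "wrong:  ", json_encode(check_password('Tr0ub4dor&3', $hash)), "\n";
```

The HMAC is what makes "signed" meaningful: with md5(secret . data) an attacker who sees one valid token can extend the data without knowing the secret, whereas an HMAC has no such extension property. For passwords, "encrypted" in a database is only as secret as the key sitting next to it; a salted one-way hash has no key to steal.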

Page 25

Q&A

Page 26

Please Complete An Evaluation Form

http://joind.in/talk/view/2356
