What is Security?
Jason Ragsdale
Sr. Technical Yahoo, Yahoo!
Help us thank our sponsors:
Friday, November 12, 2010
A good place to start... php.ini
display_errors = Off
register_globals = Off
open_basedir = ....
What about safe_mode??
Don’t be stupid
Never require/include any file based on user input without checking it first.
<?php
// Deliberately vulnerable: the include path comes straight from the query string.
if (isset($_GET['page'])) {
    require $_GET['page'];
}
?>
URL: script.php?page=/etc/passwd
....
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
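The same page-loading feature with the include target taken from a fixed whitelist, as an added example that is not from the slides. The page names, file paths and the `$pages` map are constructed for illustration; the user-supplied value is only ever used as a lookup key and never reaches the filesystem.

```php
<?php
// Added example (not from the slides): whitelist-based include.
// Page names and file paths below are constructed for illustration.
$pages = array(
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
);

$requested = isset($_GET['page']) ? $_GET['page'] : 'home';

// ?page[]=x arrives as an array, so check the type before using it as a key.
if (!is_string($requested) || !array_key_exists($requested, $pages)) {
    // Unknown key: fall back to a safe default (or send a 404). The raw value
    // is never used to build a path.
    $requested = 'home';
}

// Only the whitelisted path is passed to require; the user-supplied string
// served solely as a lookup key into $pages.
require __DIR__ . '/' . $pages[$requested];
```

Requests such as `?page=/etc/passwd` or `?page=../../config.php` fall through to the default page because they are not keys of the map; there is no string to sanitize because no user data is interpreted as a path.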
Don’t be stupid... 2
If your solution uses eval().... you are doing it wrong
<?php
// Deliberately vulnerable: arbitrary PHP from the query string is executed.
if (isset($_GET['input'])) {
    eval($_GET['input']);
}
?>
URL: script.php?input=passthru("cat /etc/passwd");
....
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
Input Filtering
What is input?
Anything the user or interacting system sends to your site i.e. ($_POST, $_GET, $_REQUEST, $_COOKIE...)
What is a whitelist?
“A list of approved or favored items”
What is a blacklist?
“A list of persons who are disapproved of or are to be punished or boycotted”
Input Validation
Unfiltered code
Example
<?php
// No validation at all: whatever the client sent is used as-is.
if (isset($_POST['username'])) {
    $username = $_POST['username'];
}
Input Validation
ctype
Example
<?php
$clean = array();
// Whitelist: only letters and digits are accepted; anything else is never copied into $clean.
if (isset($_POST['username']) && ctype_alnum($_POST['username'])) {
    $clean['username'] = $_POST['username'];
}
Input Validation
Zend_Filter_Input
Example
<?php
// Assumes the Zend Framework 1 autoloader is registered.
if (isset($_POST['username'])) {
    $filterChain = new Zend_Filter();
    // Filters run in order: strip everything but letters, then lowercase.
    $filterChain->addFilter(new Zend_Filter_Alpha())
                ->addFilter(new Zend_Filter_StringToLower());
    $username = $filterChain->filter($_POST['username']);
}
Input Validation
php/filter
Example
<?php
if (isset($_POST['username'])) {
    // filter_var returns the value on success and false otherwise. The pattern
    // is anchored so the whole value must be alphanumeric; without ^ and $ a
    // value like "bob; drop" would pass because a substring matches.
    $username = filter_var($_POST['username'], FILTER_VALIDATE_REGEXP, array(
        'options' => array('regexp' => '/^[a-zA-Z0-9]+$/')
    ));
}
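The three validation slides above each check one field inline. The following added example (not from the slides) folds the same whitelist idea into one function whose default outcome is "nothing accepted": a missing field, a non-string value (PHP turns `username[]=x` into an array) and any character outside the whitelist all yield `null`. The function name `clean_username`, the length limit and the sample requests are constructed.

```php
<?php
// Added example (not from the slides): whitelist validation as a reusable
// function. clean_username, the 32-character limit and the sample input are
// constructed for illustration.
function clean_username(array $source, $key = 'username')
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null; // missing field or not a plain string: reject
    }
    // Anchored pattern: the entire value must be 1..32 letters/digits.
    // An unanchored /[a-zA-Z0-9]+/ would accept "bob; DROP TABLE users".
    $ok = filter_var($source[$key], FILTER_VALIDATE_REGEXP, array(
        'options' => array('regexp' => '/^[a-zA-Z0-9]{1,32}$/')
    ));
    return $ok === false ? null : $ok;
}

// Constructed sample requests standing in for $_POST.
$samples = array(
    array('username' => 'jragsdale'),
    array('username' => 'bob; DROP TABLE users'),
    array('username' => '<script>'),
    array('username' => array('x')),
    array(),
);

foreach ($samples as $post) {
    $clean = clean_username($post);
    echo str_pad(var_export($post, true), 45), ' => ',
         ($clean === null ? 'REJECTED' : "accepted '$clean'"), "\n";
}
```

Only the first sample is accepted; everything downstream (SQL, HTML, logging) can then rely on `$clean` containing nothing but letters and digits, which is what makes a whitelist simpler to reason about than a list of forbidden characters.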
Output Encoding
What is output?
Anything sent back to the user / sender of the request (RSS Feed, Form Validate, User created data...)
htmlentities Example
<?php
$str = "A 'quote' is <b>bold</b>";

// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;   (single quotes are left alone by default)
echo htmlentities($str);

// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_QUOTES);
Tim Stiles
At this point mention XmlWriter and all its wonders.... ;)
Database Inputs(or: How I Learned to Stop Worrying and Love the Users)
How do I deal with it?
An input filter (whitelist) combined with prepared statements... DONE
<?php
// $dbh is an existing PDO connection.
$clean = array();
if (isset($_POST['username']) && ctype_alnum($_POST['username'])) {
    $clean['username'] = $_POST['username'];
}
// The value is bound as a parameter, never concatenated into the SQL text.
$sql = "SELECT `username` FROM `users` WHERE `username` = :username";
$sth = $dbh->prepare($sql);
$sth->execute(array(':username' => $clean['username']));
$username = $sth->fetchColumn();
XSS (Cross Site Scripting)
Example
<?php
// Deliberately vulnerable: raw query-string data is echoed into the page.
echo "<p> Welcome back, {$_GET['username']}.</p>";
?>
------Let’s exploit this------
<p> Welcome back, <script> ....do something bad here... </script>. </p>
XSS (Cross Site Scripting)
If you do the two items we spoke about
Input Filtering
Output Encoding
You most likely are still vulnerable, but it’ll be a lot harder to exploit
Almost impossible to completely nullify all security / XSS stuff (new browsers and plugins all the time + bad guys keep getting smarter)
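The output-encoding slide and the XSS example above are two halves of one fix: the "Welcome back" page stops being exploitable once every dynamic value is encoded for the context it lands in. The added example below (not from the slides) shows that page with a small local helper, `e()`, built on `htmlspecialchars` with `ENT_QUOTES` and an explicit charset (the slides use `htmlentities`; both encode the characters that matter here). The `$get` values and the `theme` attribute are constructed.

```php
<?php
// Added example (not from the slides): context-aware output encoding for the
// "Welcome back" page. e() is a local helper, not a PHP built-in; $get is a
// constructed stand-in for $_GET.
function e($value)
{
    // ENT_QUOTES encodes both ' and " so the result is safe in element text
    // and inside single- or double-quoted attribute values. Always pass the
    // charset explicitly so the encoder and the page agree on it.
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

$get = array(
    'username' => '<script>alert(1)</script>',   // the payload shape from the slide
    'theme'    => '" onmouseover="alert(2)',     // attribute-breakout attempt
);

// Element text context: the tags come out as literal text, not markup.
echo '<p>Welcome back, ' . e($get['username']) . ".</p>\n";

// Attribute context: quote the attribute AND encode the value. Without the
// surrounding quotes, encoding alone would not be enough.
echo '<body class="' . e($get['theme']) . "\">\n";
```

The first line renders as the visible text `<script>alert(1)</script>` rather than executing, and the second keeps the whole `theme` value inside the `class` attribute. Encoding has to happen at output time, in the template, because the same stored value may later be emitted into HTML, an attribute, JavaScript or an RSS feed, each of which needs its own encoder.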
CSRF (Cross Site Request Forgeries)
Somewhere on MyFavoriteForum.com:
<img src="bank.com/transfermoney.php?to=me&amount=100.00">
...if users are logged in, invisible actions can be taken on their behalf, with their authority.
CSRF (Cross Site Request Forgeries)
Solutions
Sign your forms with a token (MD5 hash with a secret key)
Validate the token before processing the data
This can be done with Cookie and Session data as well
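The form-signing solution on this slide, as an added example that is not from the slides. The slide suggests an MD5 hash with a secret key; this version keeps the same design (secret-keyed token embedded in the form, checked before the request is processed) but uses `hash_hmac` with SHA-256 and a constant-time `hash_equals` comparison (PHP 5.6+). The secret, the session id, the form name and the sample POST are constructed placeholders.

```php
<?php
// Added example (not from the slides): CSRF token derived from a server-side
// secret, the user's session id and the form name. CSRF_SECRET, the session
// id and the POST data are constructed placeholders.
define('CSRF_SECRET', 'replace-with-a-long-random-secret-loaded-from-config');

function csrf_token($sessionId, $formName)
{
    // Binding the token to the session and the form means a token captured
    // from another user or another form does not validate here.
    return hash_hmac('sha256', $sessionId . '|' . $formName, CSRF_SECRET);
}

function csrf_valid($sessionId, $formName, $submitted)
{
    if (!is_string($submitted)) {
        return false; // missing field, or an array smuggled in as csrf[]
    }
    // Constant-time comparison: do not use == or === on secret values.
    return hash_equals(csrf_token($sessionId, $formName), $submitted);
}

// 1. Rendering the form: embed the token as a hidden field (encoded for HTML).
$sessionId = 'constructed-session-id-123';
$token = csrf_token($sessionId, 'transfer');
echo '<input type="hidden" name="csrf" value="'
   . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . "\">\n";

// 2. Processing the POST: validate the token before touching the data.
$post = array('csrf' => $token, 'to' => 'alice', 'amount' => '100.00');
$checks = array(
    'genuine form'     => csrf_valid($sessionId, 'transfer', $post['csrf']),
    'forged token'     => csrf_valid($sessionId, 'transfer', 'not-the-token'),
    'other session'    => csrf_valid('other-session-id', 'transfer', $post['csrf']),
    'token missing'    => csrf_valid($sessionId, 'transfer', null),
);
foreach ($checks as $case => $ok) {
    echo str_pad($case, 16), $ok ? 'accepted' : 'rejected', "\n";
}
```

Only the genuine case is accepted. The `<img>` on MyFavoriteForum.com cannot supply a valid token because the attacker never sees the victim's session id or the server secret, so the transfer handler rejects the request before any money moves. As the slide notes, the same token can be carried in a cookie or session instead of a hidden field.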
Protecting Source Code
Make sure all code file extensions are blocked from viewing
You can remove them from the html root
Or block them in the apache config
<FilesMatch "\.inc$">
    Order deny,allow
    Deny from all
</FilesMatch>
Protecting Source Code
Watch for editor backup files too!
.file.php.tmp
file.php~
etc...
Or don’t edit code on production boxes.
Code Auditing
Set a standard for your team (and yes, a team can be a single person)
Input Filtering Methods
Output Encoding Methods
Database Access Methods
Search the code for security points (echo, print...)
Enforce these methods
Code Auditing
Default to Secure.
Make being insecure obvious and auditable
YAHOO_GET_RAW( "blah" )
System Security
Your website is only as secure as the server/network it is hosted on
Perform regular package updates
Make sure you apply any updated PHP or Apache code as soon as you can; there are reasons for security releases
Firewalls & Access Control
Only allow access to ports that you need to
80 - Web
443 - SSL
22 - SSH
Misc...
Signed Data (MD5)
Encrypted passwords in the DB
Config Files outside DOCROOT
Secret keys outside code, in config files
If it’s customer data USE SSL
Q&A
Please Complete An Evaluation Form
http://joind.in/talk/view/2356