Ryan Dewhurst - 20th March 2012
Web Application (PHP) Security
Ryan Dewhurst aka @ethicalhack3r
Projects Experience
BSc Ethical Hacking for Computer Security
Security Engineer @ RandomStorm
Hobbyist Security Researcher
Blogger @ ethicalhack3r.co.uk
Contribute to Open Source security related tools
DevBug
Aims of this talk
Briefly show how you can test your own apps.
Introduction to the OWASP Top 10 2010.
Why bother with security?
Secure code is better quality code.
Your or your employer’s reputation.
Compliance (PCI,DPA,HIPAA).
The right thing to do, users trust you with their data.
Open Web Application Security Project (OWASP)
“The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software.”
Top 10 Risks
Testing Guide
Code Review Guide
WIKI
Security Cheat Sheets
Open Source Tools (ZAP, WebGoat....)
Local Chapter Meetings (one in Newcastle soon!)
A lot more!
https://www.owasp.org/index.php/Main_Page
OWASP TOP 10 Risks 2010
■ A1: Injection
■ A2: Cross-Site Scripting (XSS)
■ A3: Broken Authentication and Session Management
■ A4: Insecure Direct Object References
■ A5: Cross-Site Request Forgery (CSRF)
■ A6: Security Misconfiguration
■ A7: Insecure Cryptographic Storage
■ A8: Failure to Restrict URL Access
■ A9: Insufficient Transport Layer Protection
■ A10: Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Top_10_2010-Main
A1: Injection
SQL, XPath, LDAP, OS Commands...
mysql_query('SELECT pass FROM users WHERE userid =' . $_GET['id']);
With id=1 OR 1=1 -- the query sent to the database becomes:
SELECT pass FROM users WHERE userid = 1 OR 1=1 --
Prevention: Proper use of prepared statements and stored procedures.
http://php.net/manual/en/pdo.prepared-statements.php
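The same lookup rewritten with a PDO prepared statement, as an added example that is not part of the original slides. The DSN, credentials, table layout and the function name getPasswordHash are assumptions for illustration; the point is that the id travels to MySQL as a bound parameter, separately from the query text, so it can only ever be data.

```php
<?php
// Added example, not from the original slides: the A1 lookup rewritten with
// a PDO prepared statement. The DSN, credentials and table layout are
// assumptions for illustration only.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'app_pass',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

/**
 * Return the stored password hash for a user id, or null if none.
 * The id is sent to MySQL as a bound integer parameter, separately from
 * the query text, so an input such as "1 OR 1=1 --" cannot alter the
 * structure of the statement.
 */
function getPasswordHash(PDO $pdo, string $rawId): ?string
{
    // Validate the expected shape first; anything that is not a plain
    // decimal number is rejected before it reaches the database.
    if (!ctype_digit($rawId)) {
        return null;
    }

    $stmt = $pdo->prepare('SELECT pass FROM users WHERE userid = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();

    $hash = $stmt->fetchColumn();
    return $hash === false ? null : $hash;
}

// The slide's "1 OR 1=1 --" input fails ctype_digit() and is never sent;
// a genuine id is passed to the driver as data, not as SQL text.
$hash = getPasswordHash($pdo, (string) ($_GET['id'] ?? ''));
```

Turning emulated prepares off matters: with PDO::ATTR_EMULATE_PREPARES left at its default, PDO interpolates the values client-side and the separation between query and data depends on correct quoting rather than on the server's prepared-statement protocol.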
A2: Cross-Site Scripting (XSS)
Mainly JavaScript & HTML.
echo('<h1>Username: ' . $_GET['name'] . '</h1>');
With name=<script>window.location = 'evil.com'</script> the browser receives:
<h1>Username: <script>window.location = 'evil.com'</script></h1>
Prevention: Escape all untrusted data. Proper input validation.
echo('<h1>Username: ' . htmlentities($_GET['name']) . '</h1>');
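An output-escaping helper that covers the HTML body and attribute contexts, and shows why a value inside a <script> block needs a different encoding, as an added example that is not part of the original slides. The helper name e() is an assumption; htmlspecialchars() and json_encode() are the PHP built-ins.

```php
<?php
// Added example, not from the original slides: an output-escaping helper for
// HTML body and attribute contexts, plus the different encoding a value needs
// inside a <script> block. The helper name e() is an assumption.

function e(string $untrusted): string
{
    // ENT_QUOTES also escapes single quotes, so the result is safe in
    // attributes delimited with ' as well as "; ENT_SUBSTITUTE replaces
    // invalid UTF-8 with U+FFFD instead of returning an empty string.
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input modelled on the slide's payload.
$name = "<script>window.location = 'evil.com'</script>";

// HTML body: the tags are rendered as visible text, not executed.
echo '<h1>Username: ' . e($name) . '</h1>', "\n";

// HTML attribute: quotes are encoded, so the value cannot close the
// attribute and start a new one.
echo '<input type="text" name="name" value="' . e($name) . '">', "\n";

// JavaScript context: HTML escaping is the wrong tool here; json_encode()
// with the HEX flags produces a string literal that cannot break out of the
// <script> block.
echo '<script>var user = '
    . json_encode($name, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)
    . ';</script>', "\n";

// Escaping on output does not replace validation on input: where a field
// has a known shape (a username of letters and digits, say), check it too.
$validName = preg_match('/^[A-Za-z0-9_]{1,32}$/', $name) === 1;
```

The rule the example demonstrates: escape at the point of output, and pick the escaping for the context the value lands in. One helper applied everywhere is not enough once values reach URLs, scripts or CSS.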
A2: Cross-Site Scripting (XSS)
Zazzle.co.uk still vulnerable. Reported in January.
http://www.zazzle.co.uk/pd/realviewpopup?url=</style><script>alert(1);</script>
A3: Broken Authentication and Session Management
Passwords properly hashed and salted in the database?
Weak change password functionality?
Sessions in the URL?
Sessions sent over SSL?
Prevention:
Hash & salt passwords stored in the database.
Ensure sensitive data is sent over SSL.
Test all authentication functionality.
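How the hashing and session points above look in code, as an added example that is not part of the original slides. It uses password_hash()/password_verify() (PHP 5.5+), which choose a random per-user salt and a slow algorithm, and regenerates the session id on login. The $pdo connection, the users table and the field names are assumptions.

```php
<?php
// Added example, not from the original slides: salted, slow password hashing
// with password_hash()/password_verify() (PHP 5.5+), and a login that issues a
// fresh session id. The $pdo connection and the users table are assumptions.

// Never accept a session id from the URL; only the cookie is used.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_start();

function storeNewPassword(PDO $pdo, int $userId, string $plaintext): void
{
    // password_hash() draws a random per-user salt and embeds it, along
    // with the algorithm and cost, in the returned string.
    $hash = password_hash($plaintext, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE users SET pass = :hash WHERE userid = :id');
    $stmt->execute([':hash' => $hash, ':id' => $userId]);
}

function login(PDO $pdo, string $username, string $plaintext): bool
{
    $stmt = $pdo->prepare('SELECT userid, pass FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($plaintext, $row['pass'])) {
        return false;
    }

    // Transparently upgrade hashes made with an older cost or algorithm.
    if (password_needs_rehash($row['pass'], PASSWORD_DEFAULT)) {
        storeNewPassword($pdo, (int) $row['userid'], $plaintext);
    }

    // A new id on login means an id planted before authentication
    // (session fixation) is never promoted to a logged-in session.
    session_regenerate_id(true);
    $_SESSION['userid'] = (int) $row['userid'];
    return true;
}

// Usage after a POST from the login form (field names are assumptions):
// if (login($pdo, $_POST['username'], $_POST['password'])) { ... }
```

A plain MD5 or SHA-1 of the password, even with a salt, fails the "properly hashed" question on the slide: those functions are fast by design, so an attacker with the database can test billions of guesses per second. bcrypt via password_hash() is deliberately slow and the cost can be raised later, with password_needs_rehash() handling the migration.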
A4: Insecure Direct Object References
http://www.bank.com/accounts/account.php?userid=123456
Prevention:
Check authorisation on each request.
http://www.bank.com/accounts/account.php?userid=123457
http://www.facebook.com/photos/album.php?album_id=1234
http://www.facebook.com/photos/album.php?album_id=1235
A5: Cross-Site Request Forgery (CSRF)
Perform actions on behalf of authenticated user.
http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
Prevention:
Use anti CSRF tokens in the URL.
Frameworks will normally do this for you. (Symfony, CodeIgniter >= 2.0...)
http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243&token=yt5y5hu
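A hand-rolled anti-CSRF token for the transferFunds action, as an added example that is not part of the original slides or of any framework named on them. The slide shows the token as a URL parameter; this example instead puts it in a hidden field of a POST form, which keeps it out of Referer headers and browser history. The function names csrfToken() and checkCsrfToken() and the form fields are assumptions.

```php
<?php
// Added example, not from the original slides: a per-session anti-CSRF
// token for the transferFunds action. Function names are assumptions.
session_start();

function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the OS CSPRNG (random_bytes, PHP 7+), hex-encoded.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function checkCsrfToken(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    // hash_equals() compares in constant time, so the comparison itself
    // leaks nothing about how many leading characters matched.
    return $expected !== null && $submitted !== null && hash_equals($expected, $submitted);
}

// Render the form: the token goes in a hidden field of a POST form rather
// than in the URL, so it is not exposed via Referer headers or history.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="/app/transferFunds">'
       . '<input type="hidden" name="token" value="' . $token . '">'
       . '<input name="amount"> <input name="destinationAccount">'
       . '<button>Transfer</button></form>';
    exit;
}

// Handle the submission: state-changing work happens only on POST with a
// valid token. A request forged from another site cannot read the victim's
// session to obtain the token, so it fails here.
if (!checkCsrfToken($_POST['token'] ?? null)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
// ... transferFunds($_SESSION['userid'], $_POST['amount'], $_POST['destinationAccount']);
```

Two details carry the protection: the token is unpredictable (a CSPRNG, not a timestamp or a hash of the session id) and it is tied to the session, so a token an attacker obtains for their own session is useless against anyone else's.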
A6: Security Misconfiguration
All software up to date? (OS, PHP, MySQL)
Unnecessary features disabled?
Software configured properly?
Default files/folders removed? (documentation)
Prevention:
Server hardening.
Update software.
Configure software.
A6: Security Misconfiguration
http://www.apache.org/server-status
Apparently it is not a misconfiguration according to Apache.
It is there purposely according to them.
I would advise disabling it in your Apache configs.
A7: Insecure Cryptographic Storage
Offsite backups?
Data backups properly encrypted?
Strong encryption algorithm used? (AES)
Secure key used for decryption?
Prevention:
Keys properly protected.
A8: Failure to Restrict URL Access
Prevention:
Check authorisation on every page.
http://www.example.com/admin/add_user.php
http://www.example.com/admin/edit_user.php
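One authorisation check that serves both the account.php?userid= case under A4 and the /admin/ pages under A8, as an added example that is not part of the original slides. The session layout, the $pdo connection, the accounts and users tables and the helper names are assumptions.

```php
<?php
// Added example, not from the original slides: ownership and role checks
// run on every request, covering account.php?id= (A4) and /admin/ pages
// (A8). Session layout, $pdo connection and table layouts are assumptions.

function requireLogin(): int
{
    if (empty($_SESSION['userid'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
    return (int) $_SESSION['userid'];
}

// A4: the owner id comes from the session, never from the request, so a
// user who edits the account id in the URL simply gets no row back.
function loadAccount(PDO $pdo, int $ownerId, string $requestedAccountId): ?array
{
    if (!ctype_digit($requestedAccountId)) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT account_id, balance FROM accounts
          WHERE account_id = :acct AND owner_userid = :owner'
    );
    $stmt->execute([':acct' => (int) $requestedAccountId, ':owner' => $ownerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A8: admin pages check the role on the server for every request; hiding
// the link in the menu is not access control.
function requireAdmin(PDO $pdo, int $userId): void
{
    $stmt = $pdo->prepare('SELECT role FROM users WHERE userid = :id');
    $stmt->execute([':id' => $userId]);
    if ($stmt->fetchColumn() !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
}

// account.php
session_start();
$userId  = requireLogin();
$account = loadAccount($pdo, $userId, (string) ($_GET['id'] ?? ''));
if ($account === null) {
    http_response_code(404); // same answer whether the account is missing or not ours
    exit('Not found');
}

// admin/add_user.php and admin/edit_user.php would each begin with:
// session_start(); $userId = requireLogin(); requireAdmin($pdo, $userId);
```

The 404 for a foreign account is deliberate: answering 403 for accounts that exist and 404 for ones that do not would let a caller enumerate valid ids by walking the sequence, which is exactly the probe the slide's two bank URLs illustrate.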
A9: Insufficient Transport Layer Protection
SSL used when sensitive data is sent to the server?
SSL properly implemented/configured?
Cookies have the ‘secure’ flag?
HTTPS downgrade-able to HTTP?
Prevention:
Ensure all sensitive data is sent over SSL.
Valid SSL certificate.
Add ‘secure’ flag to cookies.
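A bootstrap include that forces HTTPS, answers the downgrade question with an HSTS header and sets the ‘secure’ flag on the session cookie, as an added example that is not part of the original slides. CANONICAL_HOST and the helper name are assumptions; the file has to run before any output.

```php
<?php
// Added example, not from the original slides: a bootstrap include that
// forces HTTPS, sends an HSTS header and sets the 'secure' and 'httponly'
// flags on the session cookie. CANONICAL_HOST is an assumption; the file
// must run before any output.

const CANONICAL_HOST = 'www.example.com';

function requestIsHttps(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

if (!requestIsHttps()) {
    // Send plain-HTTP requests to the HTTPS equivalent before any session or
    // form data is processed. The host is a fixed constant rather than the
    // Host header, so the redirect cannot be pointed elsewhere.
    $path = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: https://' . CANONICAL_HOST . $path, true, 301);
    exit;
}

// HSTS: a browser that has seen this header refuses plain HTTP for the host
// for a year, which blocks downgrade (SSL stripping) on later visits.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

// Session cookie: sent only over HTTPS ('secure'), not exposed to scripts
// ('httponly'), and not attached to cross-site requests ('samesite').
// The array form of session_set_cookie_params() needs PHP 7.3+.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();
```

The redirect alone does not prevent a downgrade: the first plain-HTTP request still leaves the browser and can be intercepted. HSTS closes that gap for every visit after the first, which is why both are set.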
A10: Unvalidated Redirects and Forwards
https://www.ea.com/uk/profile/remote-redirect?returnurl=http://www.ethicalhack3r.co.uk/
EA.com still vulnerable. Reported in October 2011.
Prevention:
Warn user when being redirected off site.
Validate redirects.
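Validating a returnurl parameter before redirecting, as an added example that is not part of the original slides. The allowed host list and the function name safeRedirectTarget() are assumptions; anything that is not a local path or an HTTPS URL on an allowed host falls back to a fixed default.

```php
<?php
// Added example, not from the original slides: validate a returnurl value
// before redirecting. The allowed host list is an assumption.

const ALLOWED_REDIRECT_HOSTS = ['www.example.com', 'example.com'];

/**
 * Return an absolute URL that is safe to redirect to. Off-site or
 * malformed candidates are replaced by the default path on our own host.
 */
function safeRedirectTarget(string $candidate, string $defaultPath = '/'): string
{
    $home = 'https://' . ALLOWED_REDIRECT_HOSTS[0];

    // A local path is the easy case, but "//evil.com" and "/\evil.com" are
    // treated by browsers as a host, so a second slash or backslash is refused.
    if (preg_match('#^/(?![/\\\\])#', $candidate)) {
        return $home . $candidate;
    }

    $parts = parse_url($candidate);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || strtolower($parts['scheme']) !== 'https'
        || !in_array(strtolower($parts['host']), ALLOWED_REDIRECT_HOSTS, true)) {
        return $home . $defaultPath;
    }
    return $candidate;
}

// Constructed inputs modelled on the slide's remote-redirect URL.
$samples = [
    '/profile',
    '//evil.com',
    'http://www.ethicalhack3r.co.uk/',
    'https://www.example.com@evil.com/',
    'https://www.example.com/account',
];
foreach ($samples as $in) {
    echo $in, ' -> ', safeRedirectTarget($in), "\n";
}

// In the handler itself:
// header('Location: ' . safeRedirectTarget((string) ($_GET['returnurl'] ?? '')), true, 302);
// exit;
```

Comparing the parsed host against an allow list, rather than checking that the string starts with or contains the site name, is what defeats the userinfo trick (https://www.example.com@evil.com) and look-alike hosts such as www.example.com.evil.com: parse_url() reports evil.com as the host in the first case, and the full foreign name in the second.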
How to test your own applications.
OWASP Testing Methodology
Passive:
Browse application
Understand application logic
Information Gathering
Use a HTTP Proxy (ZAP, Burp)
Active:
Configuration Management
Business Logic
Authentication
Authorisation
Session Management
Data Validation
Denial of Service
Web Services
Ajax Testing
Black Box Testing
Tools/Techniques:
Arachni Web Application Scanner
OWASP ZAP
Manual Interaction
Pros:
Emulates a ‘real’ attacker*
Less time than white box (cheaper)
Cons:
Less effective than white box
*real attackers are not limited by time or scope
Post Interpreted (black box)
White Box Testing
Tools/Techniques:
RIPS Static Code Analysis
Manual Source Code Review
GNU Grep
Pros:
More effective than black box
More thorough test
Cons:
More time than black box (more expensive)
Tester needs to be able to read code
Pre Interpreted (white box)
Demo: RIPS Static Code Analysis (white box tool)
http://127.0.0.1/~ryan/Sites/rips-0.51/
/Users/ryan/Sites/Sites/jobfinder/
What you really need!
Black & White box testing within your Software Development Life Cycle (SDLC).
Microsoft Security Development Lifecycle (SDL)
http://www.microsoft.com/security/sdl/default.aspx
Summary
OWASP Top 10 is useful but not an exhaustive list.
OWASP has lots of other great resources, including an upcoming Newcastle chapter!
It is easy and free to do basic testing of your own apps.
Build security into your development process.
“You'll never reach zero security vulnerabilities” - Michael Howard (Software Security Expert, Microsoft)
Further Reading
https://www.owasp.org/index.php/Main_Page
http://arachni-scanner.com/
http://rips-scanner.sourceforge.net/
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
http://www.youtube.com/watch?v=FYfMZx2hy_8
Questions?
http://twitter.com/ethicalhack3r
www.ethicalhack3r.co.uk