Page 1

Ryan Dewhurst - 20th March 2012

Web Application (PHP) Security

Page 2

Ryan Dewhurst aka @ethicalhack3r

Experience

BSc Ethical Hacking for Computer Security

Security Engineer @ RandomStorm

Hobbyist Security Researcher

Blogger @ ethicalhack3r.co.uk

Contribute to Open Source security related tools

Projects

DevBug

Page 3

Aims of this talk

Briefly show how you can test your own apps.

Introduction to the OWASP Top 10 2010.

Page 4

Why bother with security?

Secure code is better quality code.

Your or your employer’s reputation.

Compliance (PCI,DPA,HIPAA).

The right thing to do, users trust you with their data.

Page 5

Open Web Application Security Project (OWASP)

“The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software.”

Top 10 Risks

Testing Guide

Code Review Guide

WIKI

Security Cheat Sheets

Open Source Tools (ZAP, WebGoat....)

Local Chapter Meetings (one in Newcastle soon!)

A lot more!

https://www.owasp.org/index.php/Main_Page

Page 6

OWASP TOP 10 Risks 2010

■ A1: Injection

■ A2: Cross-Site Scripting (XSS)

■ A3: Broken Authentication and Session Management

■ A4: Insecure Direct Object References

■ A5: Cross-Site Request Forgery (CSRF)

■ A6: Security Misconfiguration

■ A7: Insecure Cryptographic Storage

■ A8: Failure to Restrict URL Access

■ A9: Insufficient Transport Layer Protection

■ A10: Unvalidated Redirects and Forwards

https://www.owasp.org/index.php/Top_10_2010-Main

Page 7

A1: Injection

SQL, XPath, LDAP, OS Commands...

mysql_query('SELECT pass FROM users WHERE userid =' . $_GET['id']);

SELECT pass FROM users WHERE userid = 1 OR 1=1 --

Prevention: Proper use of prepared statements and stored procedures.

http://php.net/manual/en/pdo.prepared-statements.php
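The slide's query built by string concatenation next to the prepared-statement version, as an added example that is not from the talk. PDO with an in-memory SQLite database stands in for mysql_query() (the mysql extension was removed in PHP 7.0) so the script runs offline against MySQL-like data; the users table, the rows and the attacker input are constructed here, and the function names are this example's own.

```php
<?php
// Added example, not from the talk. SQLite in memory stands in for MySQL so
// the script runs offline; the rows and the attacker input are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, pass TEXT NOT NULL)');
$pdo->exec("INSERT INTO users VALUES (1, 'hash-of-alice'), (2, 'hash-of-bob'), (3, 'hash-of-admin')");

// Vulnerable: the slide's query. Untrusted input becomes part of the SQL
// text, so "1 OR 1=1 --" turns a one-row lookup into a dump of every hash.
function password_hashes_unsafe(PDO $pdo, string $id): array {
    $sql = 'SELECT pass FROM users WHERE userid = ' . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: validate the type, then bind. The SQL text never changes; the
// parameter reaches the engine as a value and cannot alter the statement.
function password_hashes_safe(PDO $pdo, string $id): array {
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return [];                         // reject anything that is not an integer
    }
    $stmt = $pdo->prepare('SELECT pass FROM users WHERE userid = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$payload = '1 OR 1=1 --';                 // what $_GET['id'] carries in the attack
echo "unsafe: ", implode(', ', password_hashes_unsafe($pdo, $payload)), "\n";
echo "safe:   ", implode(', ', password_hashes_safe($pdo, $payload)), "\n";
echo "safe, legitimate id 2: ", implode(', ', password_hashes_safe($pdo, '2')), "\n";
```

The unsafe function hands back all three hashes for the payload; the safe one returns nothing for it and only bob's hash for '2'. Binding alone would also defeat this payload, but validating the type first gives a clean error path and keeps the bound value the type the column expects.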

Page 8

A2: Cross-Site Scripting (XSS)

Mainly JavaScript & HTML.

echo('<h1>Username: ' . $_GET['name'] . '</h1>');

<h1>Username: <script>window.location = 'evil.com'</script></h1>

Prevention: Escape all untrusted data. Proper input validation.

echo('<h1>Username: ' . htmlentities($_GET['name']) . '</h1>');
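Escaping by output context, as an added example (not from the talk). htmlentities() as on the slide is right for HTML text; what the slide does not show is that the flags matter (ENT_QUOTES and an explicit charset) and that data landing inside an attribute or a <script> block needs its own encoder. The payload is the one from the slide; the helper names and the username rule are this example's own.

```php
<?php
// Added example, not from the talk. One encoder per output context.

// HTML text and *quoted* attribute values. ENT_QUOTES also encodes the single
// quote, which the default flags leave alone; an explicit charset avoids
// surprises when the page is not in PHP's default charset.
function e_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Values placed inside inline JavaScript: JSON-encode with the HEX flags so a
// "</script>" inside the data cannot terminate the script block.
function e_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Input validation as the second layer the slide calls for: a username has a
// known shape, so anything else is rejected before it reaches a page at all.
function valid_username(string $s): bool {
    return preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $s) === 1;
}

$name = "<script>window.location = 'evil.com'</script>";   // constructed attacker input

// The slide's vulnerable line: the browser executes the script.
$vulnerable = '<h1>Username: ' . $name . '</h1>';

// Encoded for HTML text: the browser renders the tags as literal text.
$html = '<h1>Username: ' . e_html($name) . '</h1>';

// Attribute context: the encoder only works because the value is quoted; an
// unquoted value attribute can still be broken out of with a space.
$attr = '<input type="text" name="name" value="' . e_html($name) . '">';

// Script context: e_html() is the wrong tool here because the data is a
// JavaScript string literal, not HTML.
$script = '<script>var user = ' . e_js($name) . ';</script>';

foreach (['vulnerable' => $vulnerable, 'html' => $html, 'attr' => $attr, 'script' => $script] as $k => $v) {
    printf("%-10s %s\n", $k, $v);
}
printf("valid_username(%s) = %s\n", var_export($name, true), var_export(valid_username($name), true));
```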

Page 9

A2: Cross-Site Scripting (XSS)

Zazzle.co.uk still vulnerable. Reported in January.

http://www.zazzle.co.uk/pd/realviewpopup?url=</style><script>alert(1);</script>

Page 10

A3: Broken Authentication and Session Management

Passwords properly hashed and salted in the database?

Weak change password functionality?

Sessions in the URL?

Sessions sent over SSL?

Prevention:

Hash & salt passwords stored in the database.

Ensure sensitive data is sent over SSL.

Test all authentication functionality.
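Hashing and salting as the slide asks for, plus the session handling around login, as an added example that is not from the talk. password_hash() generates the salt and stores it inside the hash string, so there is no separate salt column to get wrong. SQLite in memory stands in for MySQL and the user is constructed; the function names are this example's own.

```php
<?php
// Added example, not from the talk: password storage with password_hash()
// (bcrypt, salted automatically) and a login that regenerates the session id.
// SQLite in memory stands in for MySQL; the user is constructed below.
session_start();

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass TEXT NOT NULL)');

function set_password(PDO $pdo, string $user, string $password): void {
    // The random salt is generated for us and stored inside the hash string
    // ($2y$10$...), so no separate salt column and no home-made scheme.
    // INSERT OR REPLACE is SQLite syntax; MySQL would use ON DUPLICATE KEY UPDATE.
    $stmt = $pdo->prepare('INSERT OR REPLACE INTO users (username, pass) VALUES (:u, :p)');
    $stmt->execute([':u' => $user, ':p' => password_hash($password, PASSWORD_DEFAULT)]);
}

function verify_credentials(PDO $pdo, string $user, string $password): bool {
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('SELECT pass FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    // Always run password_verify(), against a dummy hash for unknown users,
    // so response time does not reveal which usernames exist.
    $ok = password_verify($password, $hash === false ? $dummy : $hash);
    if (!$ok || $hash === false) {
        return false;
    }
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {   // cost/algorithm raised since
        set_password($pdo, $user, $password);
    }
    return true;
}

function login(PDO $pdo, string $user, string $password): bool {
    if (!verify_credentials($pdo, $user, $password)) {
        return false;
    }
    session_regenerate_id(true);   // fresh id at the privilege change: kills session fixation
    $_SESSION['user'] = $user;
    return true;
}

// Changing a password must prove possession of the current one, so a hijacked
// session or a forged request cannot silently lock the real user out.
function change_password(PDO $pdo, string $user, string $current, string $new): bool {
    if (!verify_credentials($pdo, $user, $current)) {
        return false;
    }
    set_password($pdo, $user, $new);
    return true;
}

set_password($pdo, 'alice', 'correct horse battery staple');
var_dump(login($pdo, 'alice', 'wrong'));
var_dump(login($pdo, 'mallory', 'anything'));
var_dump(login($pdo, 'alice', 'correct horse battery staple'));
var_dump(change_password($pdo, 'alice', 'wrong', 'new one'));
var_dump(change_password($pdo, 'alice', 'correct horse battery staple', 'new one'));
var_dump(login($pdo, 'alice', 'new one'));
```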

Page 11

A4: Insecure Direct Object References

http://www.bank.com/accounts/account.php?userid=123456

http://www.bank.com/accounts/account.php?userid=123457

http://www.facebook.com/photos/album.php?album_id=1234

http://www.facebook.com/photos/album.php?album_id=1235

Prevention:

Check authorisation on each request.
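The lookup behind account.php?userid=... without and with the per-request authorisation check, as an added example that is not from the talk. The accounts table, the logged-in user and the tampered request are constructed for the demo; SQLite in memory stands in for the bank's database.

```php
<?php
// Added example, not from the talk: the lookup behind account.php?userid=...
// without and with the authorisation check. Accounts, the logged-in user and
// the tampered request are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, balance INTEGER NOT NULL)');
$pdo->exec("INSERT INTO accounts VALUES (123456, 'alice', 900), (123457, 'bob', 4200)");

// Vulnerable: authenticated, but not authorised. Any logged-in user reads any
// account by changing the id, exactly as the slide's two URLs show.
function account_insecure(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare('SELECT id, owner, balance FROM accounts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Fixed: the ownership condition is part of the query, so the check cannot be
// forgotten on a later code path, and an id that belongs to someone else is
// answered exactly like one that does not exist (no "exists but forbidden" hint).
function account_for_user(PDO $pdo, int $id, string $currentUser): ?array {
    $stmt = $pdo->prepare('SELECT id, owner, balance FROM accounts WHERE id = :id AND owner = :owner');
    $stmt->execute([':id' => $id, ':owner' => $currentUser]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Simulated request: alice is logged in (taken from the server-side session,
// never from a cookie or parameter the client chose) and rewrites
// userid=123456 to 123457.
$currentUser = 'alice';
$userid = filter_var('123457', FILTER_VALIDATE_INT);   // $_GET['userid'] in the real page
if ($userid === false) {
    http_response_code(400);
    exit('bad id');
}
var_dump(account_insecure($pdo, $userid));              // bob's account
var_dump(account_for_user($pdo, $userid, $currentUser)); // nothing for alice
var_dump(account_for_user($pdo, 123456, $currentUser));  // alice's own account
```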

Page 12

A5: Cross-Site Request Forgery (CSRF)

Perform actions on behalf of an authenticated user.

http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243

Prevention:

Use anti-CSRF tokens in the URL.

http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243&token=yt5y5hu

Frameworks will normally do this for you. (Symfony, CodeIgniter >= 2.0...)
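A hand-rolled version of what the frameworks do, as an added example that is not from the talk: a per-session token, emitted as a hidden form field and checked on every state-changing request. The slide shows the token in the URL; a POST body field is the better place because query strings leak through Referer headers, proxy logs and browser history. The handler, parameters and requests below are constructed.

```php
<?php
// Added example, not from the talk: a per-session anti-CSRF token, emitted as
// a hidden form field and checked on every state-changing request.
session_start();

function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));   // CSPRNG, not rand()/uniqid()/md5(time())
    }
    return $_SESSION['csrf'];
}

// Goes inside every <form method="post">; the token is escaped like any value.
function csrf_field(): string {
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check($submitted): bool {
    // hash_equals() is constant-time and type-strict; a loose == comparison
    // would accept type-juggled values.
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// The transferFunds handler from the slide: POST only, token required.
function transfer_funds(string $method, array $post): string {
    if ($method !== 'POST' || !csrf_check($post['token'] ?? null)) {
        http_response_code(403);
        return 'rejected';
    }
    $amount = filter_var($post['amount'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $dest   = preg_match('/\A\d{6,12}\z/', $post['destinationAccount'] ?? '') ? $post['destinationAccount'] : null;
    if ($amount === false || $dest === null) {
        return 'invalid';
    }
    // ... debit $_SESSION['user'], credit $dest ...
    return "transferred $amount to $dest";
}

// Constructed requests: the forged one carries no token (a cross-site form or
// image tag cannot read the victim's session), the legitimate one does.
$forged = ['amount' => '1500', 'destinationAccount' => '4673243243'];
$legit  = $forged + ['token' => csrf_token()];
echo transfer_funds('GET',  $forged), "\n";
echo transfer_funds('POST', $forged), "\n";
echo transfer_funds('POST', $legit),  "\n";
```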

Page 13

A6: Security Misconfiguration

All software up to date? (OS, PHP, MySQL)

Unnecessary features disabled?

Software configured properly?

Default files/folders removed? (documentation)

Prevention:

Server hardening.

Update software.

Configure software.
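One way to answer "software configured properly?" for PHP itself, as an added example that is not from the talk: a script that compares the loaded php.ini switches against hardened values. The list of settings and the expected values are this example's own choices.

```php
<?php
// Added example, not from the talk: a quick audit of php.ini switches that
// ship in an insecure state on many installs. Run it under the same SAPI as
// the application (mod_php/php-fpm via a request, or `php -c /path/to/php.ini`),
// because the CLI usually loads a different php.ini than the web server.
const HARDENED = [
    // setting                   => [expected, why]
    'display_errors'             => [false, 'stack traces and paths belong in the error log, not the page'],
    'log_errors'                 => [true,  'keep the errors you just hid from the page'],
    'expose_php'                 => [false, 'do not advertise the PHP version in X-Powered-By'],
    'allow_url_include'          => [false, 'include() of a user-controlled name must never fetch remote code'],
    'session.use_only_cookies'   => [true,  'no session ids in the URL'],
    'session.use_strict_mode'    => [true,  'reject session ids the server did not issue'],
    'session.cookie_httponly'    => [true,  'session cookie not readable from JavaScript'],
];

// Returns one finding per setting that differs from the hardened value.
function audit_ini(array $expected): array {
    $findings = [];
    foreach ($expected as $key => [$want, $why]) {
        $raw = ini_get($key);
        if ($raw === false) {
            $findings[] = "$key: not a known setting in this PHP build";
            continue;
        }
        // ini values come back as "1"/"0"/"On"/"Off"/"" or a target such as
        // "stderr"; anything non-empty that is not a recognised false counts as on.
        $have = filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? ($raw !== '');
        if ($have !== $want) {
            $findings[] = sprintf('%s is %s, want %s: %s', $key, var_export($raw, true), $want ? 'On' : 'Off', $why);
        }
    }
    return $findings;
}

$findings = audit_ini(HARDENED);
echo $findings ? implode("\n", $findings) . "\n" : "no findings\n";
```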

Page 14

A6: Security Misconfiguration

http://www.apache.org/server-status

Apparently it is not a misconfiguration according to Apache.

It is there purposely according to them.

I would advise to disable it in your Apache configs.

Page 15

A7: Insecure Cryptographic Storage

Offsite backups?

Data backups properly encrypted?

Strong encryption algorithm used? (AES)

Secure key used for decryption?

Prevention:

Keys properly protected.
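Encrypting a stored record with the key kept away from the data, as an added example that is not from the talk. The slide names AES; this uses sodium_crypto_secretbox() (XSalsa20-Poly1305, bundled with PHP since 7.2) because it is the standard-library choice and, unlike bare AES-CBC, it authenticates the ciphertext so tampering is detected rather than silently decrypted. The environment variable name, the record and the function names are this example's own.

```php
<?php
// Added example, not from the talk: authenticated encryption of a stored
// record with libsodium; the key is not stored with the data.

// Key from an environment variable (64 hex chars = 32 bytes), set by the
// deployment and never committed or kept in the database. For the demo a
// random key is generated when the variable is absent.
$hex = getenv('APP_DATA_KEY');
$key = $hex !== false ? sodium_hex2bin($hex) : sodium_crypto_secretbox_keygen();

function encrypt_record(string $plaintext, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // fresh per record
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $box);                         // the nonce is not secret
}

function decrypt_record(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;   // wrong key or modified ciphertext
}

$stored = encrypt_record('card=4111111111111111;exp=12/29', $key);   // constructed record

// Flip one bit of the stored blob: the authenticator no longer matches and
// decryption fails closed instead of returning corrupted plaintext.
$raw = base64_decode($stored);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
$tampered = base64_encode($raw);

var_dump(decrypt_record($stored, $key));                               // the record
var_dump(decrypt_record($tampered, $key));                             // null
var_dump(decrypt_record($stored, sodium_crypto_secretbox_keygen()));   // null: wrong key
sodium_memzero($key);
```

Encrypting a backup means nothing if the key travels with it; keep the key in the secret store or environment of the host that needs to decrypt, and wipe it from memory when done as the last line does.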

Page 16

A8: Failure to Restrict URL Access

http://www.example.com/admin/add_user.php

http://www.example.com/admin/edit_user.php

Prevention:

Check authorisation on every page.
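A single access-control gate that every page under /admin/ calls before doing anything else, as an added example that is not from the talk. The role comes from the server-side session, never from a request parameter or a client-set cookie, and unlisted paths are denied rather than assumed public. The rule table, roles and sessions are constructed.

```php
<?php
// Added example, not from the talk: one access-control gate for every admin
// page, instead of trusting that the URL is unlinked.

const ACCESS_RULES = [
    '/admin/add_user.php'  => ['admin'],
    '/admin/edit_user.php' => ['admin', 'support'],
];

// Decide without side effects, so the rule can be unit-tested. Returns
// 'allow', 'login' (anonymous) or 'deny' (wrong role or unknown path).
function access_decision(string $path, ?array $sessionUser): string {
    if ($sessionUser === null) {
        return 'login';
    }
    $allowed = ACCESS_RULES[$path] ?? [];       // deny by default for unlisted paths
    return in_array($sessionUser['role'] ?? '', $allowed, true) ? 'allow' : 'deny';
}

// What the first line of each admin page calls: require_access($_SERVER['SCRIPT_NAME']).
function require_access(string $path): void {
    switch (access_decision($path, $_SESSION['user'] ?? null)) {
        case 'allow':
            return;
        case 'login':
            // login.php must validate ?next= as a local path (see A10).
            header('Location: /login.php?next=' . rawurlencode($path), true, 302);
            exit;
        default:
            http_response_code(403);
            exit('Forbidden');
    }
}

// Constructed sessions.
$cases = [
    ['/admin/add_user.php',  null],
    ['/admin/add_user.php',  ['name' => 'alice', 'role' => 'user']],
    ['/admin/edit_user.php', ['name' => 'carol', 'role' => 'support']],
    ['/admin/add_user.php',  ['name' => 'carol', 'role' => 'support']],
    ['/admin/add_user.php',  ['name' => 'root',  'role' => 'admin']],
    ['/admin/export.php',    ['name' => 'root',  'role' => 'admin']],
];
foreach ($cases as [$path, $user]) {
    printf("%-22s %-9s -> %s\n", $path, $user['role'] ?? 'anonymous', access_decision($path, $user));
}
```

The last case is the important one: a page that exists but is missing from the rule table is denied even to an admin, which is how you find out a new page was shipped without a rule instead of finding out from an attacker.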

Page 17

A9: Insufficient Transport Layer Protection

SSL used when sensitive data is sent to the server?

SSL properly implemented/configured?

Cookies have the ‘secure’ flag?

HTTPS downgrade-able to HTTP?

Prevention:

Ensure all sensitive data is sent over SSL.

Valid SSL certificate.

Add ‘secure’ flag to cookies.
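The application's half of transport protection, as an added example that is not from the talk: bounce plain HTTP to HTTPS, send HSTS so browsers will not downgrade, and set the session cookie's secure flag (plus httponly and samesite) before the session starts. Certificate, protocol and cipher configuration belong to the web server and are not shown. The canonical hostname and the request arrays are constructed.

```php
<?php
// Added example, not from the talk: the PHP side of transport protection.
const CANONICAL_HOST = 'www.example.com';   // never build the redirect from the Host header the client sent

function is_https(array $server): bool {
    // Trust X-Forwarded-Proto only if a proxy you control sets it; here we do not.
    return (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
        || (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

// Returns the redirect target when the request must be bounced to HTTPS,
// null when it is already secure (in which case HSTS is sent instead).
function enforce_https(array $server): ?string {
    if (is_https($server)) {
        // One year, including subdomains; only ever sent on an HTTPS response.
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
        return null;
    }
    $path   = $server['REQUEST_URI'] ?? '/';
    $target = 'https://' . CANONICAL_HOST . (str_starts_with($path, '/') ? $path : '/');
    header('Location: ' . $target, true, 301);
    return $target;
}

function start_secure_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,    // the 'secure' flag from the slide: never sent over HTTP
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',   // also limits cross-site requests (A5)
    ]);
    ini_set('session.use_only_cookies', '1');   // no session ids in the URL (A3)
    ini_set('session.use_strict_mode', '1');    // reject ids the server did not issue
    session_start();
}

// Constructed requests: one over plain HTTP, one already on HTTPS.
var_dump(enforce_https(['HTTPS' => 'off', 'SERVER_PORT' => '80',  'REQUEST_URI' => '/account?id=1']));
var_dump(enforce_https(['HTTPS' => 'on',  'SERVER_PORT' => '443', 'REQUEST_URI' => '/account?id=1']));
```

Redirecting alone still leaves the first plain-HTTP request exposed; HSTS closes that gap for every visit after the first, and preloading closes it for the first one too.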

Page 18

A10: Unvalidated Redirects and Forwards

https://www.ea.com/uk/profile/remote-redirect?returnurl=http://www.ethicalhack3r.co.uk/

EA.com still vulnerable. Reported in October 2011.

Prevention:

Warn user when being redirected off site.

Validate redirects.
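Validating a returnurl parameter so the application only redirects to its own pages or to an explicit allow-list of hosts, as an added example that is not from the talk. The test inputs are constructed and cover the usual bypasses of a naive "starts with /" check; the allowed hosts and the function name are this example's own.

```php
<?php
// Added example, not from the talk: redirect target validation.

function safe_redirect_target(string $url, array $allowedHosts = []): string {
    $fallback = '/';
    // Control characters and whitespace: parse_url() tolerates some of them,
    // browsers and header injection do not agree on what they mean.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return $fallback;
    }
    // Local path: a single "/" not followed by "/" or "\", because
    // //evil.com and /\evil.com are scheme-relative URLs to another host.
    if (preg_match('#\A/(?![/\\\\])#', $url)) {
        return $url;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;                            // javascript:, data:, bare hosts
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;                            // https://good.com@evil.com/
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return $fallback;
    }
    return $url;
}

// Constructed inputs, modelled on the slide's returnurl parameter.
$allowed = ['www.ea.com', 'ea.com'];
$cases = [
    '/profile',
    '/profile?x=1',
    '//www.ethicalhack3r.co.uk/',
    '/\\www.ethicalhack3r.co.uk',
    'http://www.ethicalhack3r.co.uk/',
    'https://www.ea.com/uk/profile',
    'https://www.ea.com@www.ethicalhack3r.co.uk/',
    'javascript:alert(1)',
];
foreach ($cases as $c) {
    printf("%-46s -> %s\n", $c, safe_redirect_target($c, $allowed));
}
```

Only the first two and the genuine www.ea.com URL survive; everything else falls back to the site root. If off-site redirects are a feature, the allow-list is where they go, and the interstitial warning the slide mentions is the place to show the user the destination before sending them there.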

Page 19

How to test your own applications.

Page 20

OWASP Testing Methodology

Passive

Browse application

Understand application logic

Information Gathering

Use a HTTP Proxy (ZAP, Burp)

Active

Configuration Management

Business Logic

Authentication

Authorisation

Session Management

Data Validation

Denial of Service

Web Services

Ajax Testing

Page 21

Black Box Testing

Tools/Techniques

Arachni Web Application Scanner

OWASP ZAP

Manual Interaction

Pros

Emulates a ‘real’ attacker*

Less time than white box (cheaper)

Cons

Less effective than white box

*real attackers are not limited by time or scope

Page 22

Post Interpreted (black box)

Page 23

White Box Testing

Tools/Techniques

RIPS Static Code Analysis

Manual Source Code Review

GNU Grep

Pros

More effective than black box

More thorough test

Cons

More time than black box (more expensive)

Tester needs to be able to read code

Page 24

Pre Interpreted (white box)

Page 25

Demo: RIPS Static Code Analysis (white box tool)

http://127.0.0.1/~ryan/Sites/rips-0.51/

/Users/ryan/Sites/Sites/jobfinder/

Page 26

What you really need!

Black & White box testing within your Software Development Life Cycle (SDLC).

Microsoft Security Development Lifecycle (SDL)

http://www.microsoft.com/security/sdl/default.aspx

Page 27

Summary

The OWASP Top 10 is useful but not an exhaustive list.

OWASP has lots of other great resources, including an upcoming Newcastle chapter!

It is easy and free to do basic testing of your own apps.

Build security into your development process.

Page 28

“You'll never reach zero security vulnerabilities” - Michael Howard

(Software Security Expert, Microsoft)

Page 29

Further Reading

https://www.owasp.org/index.php/Main_Page

http://arachni-scanner.com/

http://rips-scanner.sourceforge.net/

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

http://www.youtube.com/watch?v=FYfMZx2hy_8

Page 30

Questions?

http://twitter.com/ethicalhack3r

www.ethicalhack3r.co.uk