Transcript

===Web Application Security: Winning When The Odds Are Against You

Web Application Security: Winning When The Odds Are Against You

New Zealand PHP Conference 2014

Ben Dechrai @bendechrai

#webappsec #phpnz14 https://joind.in/talk/view/11435

===

What Is Web Application Security?

===

What's Applicable to PHP Developers?

===

Where to Start?

===

Top Ten Cheat Sheet (OWASP Top 10, 2010 edition)

● Injection
● Cross Site Scripting
● Weak authentication & session management
● Insecure Direct Object Reference
● Cross Site Request Forgery
● Security Misconfiguration
● Insufficient Cryptographic Storage
● Failure to Restrict URL access
● Insufficient Transport Layer Protection
● Unvalidated Redirects and Forwards

===

Demo

===

What Are The Odds?

===

Solutions?

===

Think like PHP...

===

Not in PHP...

===

Think LIKE PHP...

===

HTTP

(Diagram: a static site, each request answered straight from disk)

GET /index.html       → <html>..</html>
GET /css/styles.css   → body { ... }
GET /js/script.js     → $(document).ready(...)
GET /images/logo.jpg  → data:image/jpg;base64,/9j/4AAQSkZJRgA...

===

HTTP

(Diagram: a PHP site, each request handled by a PHP process)

GET /index.php   → PHP process → PHP returns → <html>..</html>
POST /login.php  → PHP process → PHP returns → <html>..</html>

===

HTTP

(Diagram: with URL rewriting, requests for what look like static files reach PHP too)

POST /images.php/logo.jpg  → PHP process → PHP returns → <html>..</html>
POST /images/logo.jpg      → PHP process → PHP returns → <html>..</html>

URL rewriting means anything can be passed to PHP
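The slide's point is that once /images/logo.jpg is rewritten to images.php, the request method, the path after the script name (PATH_INFO) and the query string are all attacker-controlled input. The script below is an added example, not code from the talk, of an images.php that treats PATH_INFO as untrusted: it only serves a name that matches a whitelist and still resolves inside the image directory, and rejects anything but GET. The directory layout and the regular expression are assumptions; PHP 7 or later is assumed for `??`.

```php
<?php
// Added example (not from the talk). Any URL rewritten to images.php
// lands here, so nothing about the request can be trusted.
declare(strict_types=1);

const IMAGE_DIR = __DIR__ . '/images';   // assumed layout

/**
 * Returns the absolute path of the image to serve, or null if PATH_INFO
 * is not an allowed file name inside IMAGE_DIR.
 */
function resolveImage(string $pathInfo): ?string
{
    // Whitelist: exactly "/<name>.<ext>", letters/digits/_/- only, three
    // known extensions. No slashes, no "..", no NUL bytes can get through.
    if (!preg_match('#^/([A-Za-z0-9_-]{1,64})\.(jpg|png|gif)$#', $pathInfo, $m)) {
        return null;
    }

    $candidate = realpath(IMAGE_DIR . '/' . $m[1] . '.' . $m[2]);
    $base      = realpath(IMAGE_DIR);

    // Belt and braces: after symlink resolution the file must still live
    // under IMAGE_DIR, and it must exist (realpath returns false otherwise).
    if ($candidate === false || $base === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $candidate;
}

$types = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// POST /images.php/logo.jpg (the slide's example) is refused outright.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'GET') {
    http_response_code(405);
    header('Allow: GET');
    exit;
}

$file = resolveImage($_SERVER['PATH_INFO'] ?? '');
if ($file === null) {
    http_response_code(404);
    exit;
}

// The extension was whitelisted above, so the lookup cannot miss.
header('Content-Type: ' . $types[pathinfo($file, PATHINFO_EXTENSION)]);
header('X-Content-Type-Options: nosniff');
readfile($file);
```

Rejecting the request on the regular expression alone would already be safe; the realpath containment check is there so that a later, looser whitelist cannot silently turn into a path traversal.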

===

Cross-Site Request Forgeries

(Diagram: the browser's requests, each handled by a PHP process that returns <html>..</html>)

visage.cto.to
  POST /login
  POST /checkout
  POST /address/edit  → {401}
  POST /address/edit  → { 200 }

evil.com
  POST /payment
  GET /confirmation

===

PHP Ain't Clever (hint: not many programming languages are!)

(Diagram: data flows in from the Database, User Input, Files and Other sites via API, and out to the Database, the Browser Response, Other systems and Sending emails)

===

PHP Environment

● 1 page load = 1 PHP process
● Web server passes whole request to the PHP process
● When a script ends, all data are lost

===

Piecing Data Together

$_GET, $_POST, $_COOKIE, $_FILES, $_REQUEST

===

Request Basics

● $_REQUEST merges $_GET, $_POST and $_COOKIE, in the order set by request_order (or variables_order if that is unset), so a later source silently overwrites an earlier one: a cookie called "id" can replace the form field "id"
● Don't use it; read from the one source you actually expect
● Even then, don't trust $_POST, et al.
● Consider all data harmful

===

Whitelist All Incoming Data

● Treat all data as untrusted
● Only if it passed a whitelist, let it through
● Look for odd data entry points
  – Did you know the filename of an uploaded file is user generated input?
● Email addresses have fixed validation rules

===

Whitelist All Incoming Data

(The email address grammar as one regular expression)

(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*
  | "(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]
  | \\[\x01-\x09\x0b\x0c\x0e-\x7f])*")
@ (?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?
  | \[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}
  (?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:
  (?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]
  | \\[\x01-\x09\x0b\x0c\x0e-\x7f])+)
  \])

===

Whitelist All Incoming Data

Some people, when confronted with a problem, think, “I know, I’ll use regular expressions.”

Now they have two problems.

— Jamie Zawinski

===

Whitelist All Incoming Data

filter_var($email, FILTER_VALIDATE_EMAIL);  // returns the address on success, false otherwise

(Or just send them an email)
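To show the whitelist approach on a whole form rather than one field, here is an added example (not code from the talk) that validates a registration request. Every value is read from a named source ($_POST or $_FILES, never $_REQUEST), anything not explicitly allowed is dropped, the email goes through filter_var as on the slide, and the uploaded file's client-supplied name is treated as input: only its extension is whitelisted and the stored name is generated server-side. The field names, ranges and allowed roles are assumptions for illustration; PHP 7 or later is assumed for random_bytes and `??`.

```php
<?php
// Added example (not from the talk): whitelist validation of a form.
declare(strict_types=1);

/**
 * Returns ['fields' => cleaned values] or ['errors' => failed field names].
 * Field names and rules are assumed for this example.
 */
function validateRegistration(array $post, array $files): array
{
    $clean  = [];
    $errors = [];

    // Email: PHP's validator instead of a home-grown regular expression.
    // filter_var returns false for arrays and for malformed addresses.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email';
    } else {
        $clean['email'] = $email;
    }

    // Numeric id: an integer inside a known range, not merely "numeric".
    $plan = filter_var($post['plan_id'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 9999]]);
    if ($plan === false) {
        $errors[] = 'plan_id';
    } else {
        $clean['plan_id'] = $plan;
    }

    // Enumerated value: strict comparison against the allowed set.
    $allowedRoles = ['member', 'editor'];
    if (!in_array($post['role'] ?? '', $allowedRoles, true)) {
        $errors[] = 'role';
    } else {
        $clean['role'] = $post['role'];
    }

    // Name: nobody can decide what a "valid" name looks like, so only bound
    // its length and reject control characters, which no name contains.
    $name = is_string($post['name'] ?? null) ? trim($post['name']) : '';
    if ($name === '' || mb_strlen($name, 'UTF-8') > 200
        || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        $errors[] = 'name';
    } else {
        $clean['name'] = $name;
    }

    // Upload: the file name came from the client. Never use it as a path;
    // whitelist the extension and choose the stored name yourself.
    if (isset($files['avatar']) && $files['avatar']['error'] === UPLOAD_ERR_OK) {
        $orig = basename((string) $files['avatar']['name']);
        if (!preg_match('/\.(jpe?g|png)$/i', $orig)) {
            $errors[] = 'avatar';
        } else {
            $ext = strtolower(pathinfo($orig, PATHINFO_EXTENSION));
            $clean['avatar'] = [
                'tmp_name'  => $files['avatar']['tmp_name'],
                'stored_as' => bin2hex(random_bytes(16)) . '.' . $ext,
            ];
        }
    }

    return $errors ? ['errors' => $errors] : ['fields' => $clean];
}

// Usage inside the request handler:
// $result = validateRegistration($_POST, $_FILES);
```

Note what the function does not do: it never touches $_REQUEST, never stores the original upload name, and never tries to enumerate the characters a name may contain.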

===

Whitelist All Incoming Data

● Names are a big topic (see http://is.gd/validating_names)
● Who decides if a name is valid?
  – Josè Smith
  – Laȝamon
  – Þórinn Eikinskjaldi
  – Πηληϊάδεω Ἀχιλῆος
  – Federico del Sagrado Corazón de Jesús García Lorca

===

Encode on Output

● Avoid encoding for storage
● Keep valid user input intact
● Encode when used in an output stream
  – HTML encode for screen
  – URL encode for querystrings
  – Escape for CSV output
● By keeping the original data, you can repurpose it for many outputs

===

Encode on Output

(Diagram: the same stored User Generated Content is sanitized separately on the way to each output: HTML email, XML/JSON/CSV, and an unknown future app)

===

Encode on Output

filter_var($comment, FILTER_SANITIZE_FULL_SPECIAL_CHARS);  // equivalent to htmlspecialchars($comment, ENT_QUOTES)
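The slides list three output streams (screen, querystring, CSV); the added example below, which is not code from the talk, stores one comment untouched and encodes it separately for each, plus JSON, using only PHP's built-in encoders. The sample comment is constructed for the example; PHP 5.4 or later is assumed for ENT_HTML5 and PHP_QUERY_RFC3986.

```php
<?php
// Added example (not from the talk): keep the original, encode per output.
declare(strict_types=1);

// Constructed input. This is what gets stored, byte for byte.
$comment = 'Fish & <b>chips</b>, "ok"? it\'s 10% off';

// HTML body or attribute value: the five HTML-special characters,
// both quote styles, and invalid UTF-8 replaced rather than passed through.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Query string: every key and value percent-encoded per RFC 3986.
function forQuery(array $params): string
{
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// CSV: fputcsv encloses fields that need it and doubles embedded quotes.
function forCsv(array $row): string
{
    $fh = fopen('php://memory', 'r+');
    fputcsv($fh, $row);
    rewind($fh);
    $line = stream_get_contents($fh);
    fclose($fh);
    return $line;
}

// JSON: with the HEX flags, < > & ' " are emitted as \uXXXX escapes, so the
// result can also be dropped inside a <script> block without breaking out.
function forJson(array $data): string
{
    return json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// The same stored value, four different encodings, none of them applied
// until the moment of output.
echo '<p>', forHtml($comment), "</p>\n";
echo '/search?', forQuery(['q' => $comment]), "\n";
echo forCsv(['alice', $comment]);
echo forJson(['comment' => $comment]), "\n";
```

Had the comment been HTML-encoded before it was stored, the CSV and JSON outputs would carry literal `&amp;` and `&lt;` entities, and the querystring would double-encode them; keeping the raw value is what makes each output correct.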

===

Cross-Site Request Forgeries

Tokens

(Diagram: the login form has Username and Password fields plus a hidden Token field holding ABC123; on SUBMIT the server compares the submitted token, ABC123, with the ABC123 it issued)
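The token scheme on the slide in working form, as an added example that is not code from the talk: a per-session token is generated from the CSPRNG, embedded as a hidden field, and compared in constant time on every POST. The form fields and the `/login` action are taken from the slide; storing the token in $_SESSION and PHP 7 or later (random_bytes, `??`) are assumptions.

```php
<?php
// Added example (not from the talk): per-session CSRF token.
declare(strict_types=1);

function csrfToken(): string
{
    // One token per session, created from the CSPRNG on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string
{
    // HTML-encode on output, like any other value placed in a page.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfCheck(string $submitted): bool
{
    // hash_equals compares in constant time, so an attacker cannot
    // recover the token byte by byte from response timing.
    return isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

session_start();

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    // Read from $_POST only: a token arriving in a cookie or the query
    // string is not evidence that the request came from our own form.
    $token = $_POST['csrf_token'] ?? '';
    if (!is_string($token) || !csrfCheck($token)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... handle the login / address edit / payment here ...
}
?>
<form method="post" action="/login">
  <input name="username">
  <input type="password" name="password">
  <?= csrfField() ?>
  <button type="submit">SUBMIT</button>
</form>
```

A page on evil.com can make the victim's browser send the POST with the victim's cookies, but it cannot read the token out of the victim's session, so the forged request fails the check at the top of the handler.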

===

Cross-Site Request Forgeries

Referrers can be easily forged; don't rely on them

===

Credits

● Security Camera image by Henning Mühlinghaus

● Conception image by Lynn (Gracie's mom)

● Piecing Data by José Manuel Ríos Valiente

References

● OWASP Top 10 Cheat Sheet

===

Thank You! Questions?

Ben Dechrai @bendechrai

New Zealand PHP Conference 2014