===Web Application Security: Winning When The Odds Are Against You
Web Application Security
Winning When The Odds Are Against You
New Zealand PHP Conference 2014
Ben Dechrai @bendechrai
#webappsec #phpnz14 https://joind.in/talk/view/11435
===
What Is Web Application Security?
===
What's Applicable to PHP Developers?
===
Where to Start?
===
Top Ten Cheat Sheet (the OWASP Top 10, 2010 edition, in order)
● Injection
● Cross Site Scripting
● Weak authentication & session management
● Insecure Direct Object Reference
● Cross Site Request Forgery
● Security Misconfiguration
● Insufficient Cryptographic Storage
● Failure to Restrict URL access
● Insufficient Transport Layer Protection
● Unvalidated Redirects and Forwards
===
Demo
===
What Are The Odds?
===
Solutions?
===
Think like PHP...
===
Not in PHP...
===
Think LIKE PHP...
===
HTTP (no PHP involved)
GET /index.html       -->  <html>..</html>
GET /css/styles.css   -->  body { ... }
GET /js/script.js     -->  $(document).ready(...)
GET /images/logo.jpg  -->  data:image/jpg;base64,/9j/4AAQSkZJRgA...
===
HTTP (with PHP)
GET /index.php   -->  PHP process  -->  PHP returns  -->  <html>..</html>
POST /login.php  -->  PHP process  -->  PHP returns  -->  <html>..</html>
===
HTTP (with URL rewriting)
POST /images.php/logo.jpg  -->  PHP process  -->  PHP returns  -->  <html>..</html>
POST /images/logo.jpg      -->  PHP process  -->  PHP returns  -->  <html>..</html>
URL rewriting means anything can be passed to PHP
===
Cross-Site Request Forgeries
visage.cto.to (the site the user is logged in to):
POST /login          -->  PHP process  -->  PHP returns  -->  <html>..</html>
POST /checkout       -->  PHP process  -->  PHP returns  -->  <html>..</html>
POST /address/edit   -->  PHP process  -->  PHP returns  -->  { 401 }
POST /address/edit   -->  PHP process  -->  PHP returns  -->  { 200 }
evil.com (a page open in the same browser; it makes the browser send requests to visage.cto.to, which carry the user's cookies):
POST /payment        -->  PHP process  -->  PHP returns  -->  <html>..</html>
GET /confirmation    -->  PHP process  -->  PHP returns  -->  <html>..</html>
===
PHP Ain't Clever (hint: not many programming languages are!)
Data in:  Database, User Input, Files, Other sites via API
Data out: Database, Browser Response, Other systems, Sending emails
===
PHP Environment
● 1 page load = 1 PHP process
● Web server passes whole request to the PHP process
● When a script ends, all data are lost
===
Piecing Data Together
$_GET $_POST
$_COOKIE $_FILES
$_REQUEST
===
Request Basics
● $_REQUEST merges GET, POST and COOKIE data into one array, in the order set by request_order (or variables_order), with later sources overwriting earlier ones; a script cannot tell which source a key came from, and a cookie can shadow a form field or vice versa
● Don't use it; read from the specific source you mean ($_GET, $_POST, $_COOKIE)
● Even then, don't trust $_POST et al.
● Consider all data harmful
===
Whitelist All Incoming Data
● Treat all data as untrusted
● Only if it passed a whitelist, let it through
● Look for odd data entry points
– Did you know the filename of an uploaded file is user generated input?
● Email addresses have fixed validation rules
===
Whitelist All Incoming Data
(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*
| "(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]
| \\[\x01-\x09\x0b\x0c\x0e-\x7f])*")
@ (?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?
| \[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}
(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:
(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]
| \\[\x01-\x09\x0b\x0c\x0e-\x7f])+)
\])
===
Whitelist All Incoming Data
Some people, when confronted with a problem, think, “I know, I’ll use regular expressions.”
Now they have two problems.
— Jamie Zawinski
===
Whitelist All Incoming Data
filter_var($email, FILTER_VALIDATE_EMAIL);
(Or just send them an email)
===
Whitelist All Incoming Data
● Names are a big topic (see http://is.gd/validating_names)
● Who decides if a name is valid?
– Josè Smith
– Laȝamon
– Þórinn Eikinskjaldi
– Πηληϊάδεω Ἀχιλῆος
– Federico del Sagrado Corazón de Jesús García Lorca
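As an added example (not code from the talk), the whitelisting rules of the last few slides applied to a sign-up form: the e-mail goes through filter_var rather than the regex shown earlier, the name is checked only for properties every name must have, and the client-supplied name of an uploaded file is treated as input like any other. The form fields, size limits and permitted extensions are assumptions for illustration, and PHP 7.1 or later is assumed for the nullable return types.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. Sources are passed in explicitly
// ($post, $files) instead of reading $_REQUEST; field names, limits and
// the allowed extensions below are illustrative assumptions.

/** E-mail: let PHP's validating filter decide instead of a hand-rolled regex. */
function validateEmail(string $email): ?string
{
    $ok = filter_var($email, FILTER_VALIDATE_EMAIL);
    // filter_var returns false on failure; 254 octets is the practical maximum length
    return ($ok !== false && strlen($ok) <= 254) ? $ok : null;
}

/**
 * Names have no fixed grammar, so whitelist only what every name shares:
 * well-formed UTF-8, no control/format characters, a sane length.
 */
function validateName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || strlen($name) > 200) {
        return null;
    }
    // With /u, preg_match returns false on malformed UTF-8 and 1 when a \p{C}
    // code point (control, format, unassigned, private use) is present;
    // only 0 means the value is clean.
    return preg_match('/\p{C}/u', $name) === 0 ? $name : null;
}

/**
 * The client-supplied filename of an upload is user input: keep only the base
 * name, restrict the character set, and allow only known extensions so it can
 * never name a directory or a script the web server would execute.
 */
function validateUploadName(string $clientName, array $allowedExt): ?string
{
    $base = basename(str_replace('\\', '/', $clientName));
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\z/', $base)) {
        return null;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? $base : null;
}

/** Returns [clean fields, names of rejected fields]; nothing unvalidated gets through. */
function validateSignup(array $post, array $files): array
{
    $clean = [];
    $errors = [];

    $email = validateEmail((string) ($post['email'] ?? ''));
    if ($email === null) { $errors[] = 'email'; } else { $clean['email'] = $email; }

    $name = validateName((string) ($post['name'] ?? ''));
    if ($name === null) { $errors[] = 'name'; } else { $clean['name'] = $name; }

    $avatar = $files['avatar'] ?? null;
    if (is_array($avatar) && ($avatar['error'] ?? null) === UPLOAD_ERR_OK) {
        $fname = validateUploadName((string) ($avatar['name'] ?? ''), ['jpg', 'jpeg', 'png']);
        if ($fname === null) { $errors[] = 'avatar'; } else { $clean['avatar'] = $fname; }
    }

    return [$clean, $errors];
}

// Constructed sample submissions (not captured traffic).
$legit = validateSignup(
    ['email' => 'thorinn@example.com', 'name' => 'Þórinn Eikinskjaldi'],
    ['avatar' => ['name' => 'me.PNG', 'error' => UPLOAD_ERR_OK]]
);
$hostile = validateSignup(
    ['email' => 'not-an-address', 'name' => "Eve\x1b[31m"],   // ANSI escape inside the name
    ['avatar' => ['name' => '../../var/www/shell.php', 'error' => UPLOAD_ERR_OK]]
);

// Prints the accepted fields and the rejected field names for each submission.
var_dump($legit);
var_dump($hostile);
```

The upload check deliberately does not try to "clean" a bad filename into a good one; a value that fails the whitelist is rejected, and a real application would in any case store the file under a server-generated name and keep the validated original only for display.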
===
Encode on Output
● Avoid encoding for storage
● Keep valid user input intact
● Encode when used in an output stream
– HTML encode for screen
– URL encode for querystrings
– Escape for CSV output
● By keeping the original data, you can repurpose for many outputs
===
Encode on Output
User Generated Content (stored as entered)
  --> Sanitize --> HTML
  --> Sanitize --> EMAIL
  --> Sanitize --> XML/JSON/CSV
  --> Sanitize --> UNKNOWN FUTURE APP
===
Encode on Output
filter_var($comment, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
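An added example (not from the talk) of the "encode on output" rule from the preceding slides: one stored comment, encoded differently for HTML, a query string, a script block and a CSV export, and then a look at what goes wrong when the slide's HTML-oriented filter is applied before storage instead. The comment text is constructed, and PHP 7.3 or later is assumed for JSON_THROW_ON_ERROR.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: keep the comment exactly as the user typed
// it and encode it separately for each output stream. Comment text is constructed.

/** HTML body text or attribute value (the slide's filter, made explicit at output time). */
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Query-string parameter: percent-encode per RFC 3986. */
function forUrlParam(string $s): string
{
    return rawurlencode($s);
}

/** Data handed to JavaScript inside a <script> block: JSON with HTML-significant characters escaped. */
function forScriptJson($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** One CSV row: RFC 4180 quoting via fputcsv, plus a guard against spreadsheet formula injection. */
function forCsvRow(array $fields): string
{
    $guarded = array_map(function (string $f): string {
        // A leading = + - @ makes Excel/LibreOffice evaluate the cell as a formula.
        return preg_match('/\A[=+\-@]/', $f) ? "'" . $f : $f;
    }, $fields);
    $buf = fopen('php://memory', 'r+');
    fputcsv($buf, $guarded);
    rewind($buf);
    $row = stream_get_contents($buf);
    fclose($buf);
    return $row;
}

// What the user typed, stored verbatim (validated, but not encoded).
$comment = '<script>alert(1)</script> "A & B" =SUM(1+1)';

echo "HTML:  ", forHtml($comment), "\n";
echo "URL:   ", '/search?q=' . forUrlParam($comment), "\n";
echo "JS:    ", '<script>var c = ' . forScriptJson($comment) . ';</script>', "\n";
echo "CSV:   ", forCsvRow(['alice', $comment]);

// Why not encode before storing? The slide's filter is HTML-specific:
$storedEncoded = filter_var($comment, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
// The CSV export now carries "&lt;script&gt;" and entity-encoded quotes that no
// spreadsheet will decode, and every other consumer (e-mail, JSON, the unknown
// future app) would have to guess what was encoded and undo it first.
echo "CSV from pre-encoded storage: ", forCsvRow(['alice', $storedEncoded]);
```

Each encoder is chosen by the context the value lands in, not by where it came from; the same raw string sent in an e-mail would be encoded again according to whether that message is text or HTML.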
===
Cross-Site Request Forgeries: Tokens
Login form fields: Username, Password, Token (hidden, value ABC123), SUBMIT
Server side: the session holds the same value, ABC123; the POST is accepted only when the submitted token matches it
===
Cross-Site Request Forgeries
Referrers can be easily forged; don't rely on them
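As an added example (not code from the talk), the token scheme of the two preceding slides in PHP: a per-session secret is generated, embedded in the form, and compared in constant time when the POST arrives, without consulting the Referer. The session is modelled as a plain array so the script runs from the command line; in a web application that array is $_SESSION. The form fields and the /address/edit handler are assumptions taken from the earlier diagram, and PHP 7.0 or later is assumed for random_bytes.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: synchroniser-token CSRF protection.
// $session stands in for $_SESSION so this runs from the CLI.

/** Issue the per-session secret once; reuse it until the session ends. */
function csrfToken(array &$session): string
{
    if (!isset($session['csrf']) || !is_string($session['csrf']) || $session['csrf'] === '') {
        $session['csrf'] = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    }
    return $session['csrf'];
}

/** The hidden field for every state-changing form (the "Token" row on the slide). */
function csrfField(array &$session): string
{
    $t = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8'); // encode on output, even for hex
    return '<input type="hidden" name="csrf_token" value="' . $t . '">';
}

/**
 * Accept the POST only if the submitted token equals the session's copy.
 * Referer/Origin are deliberately not consulted; hash_equals avoids a timing
 * side channel on the comparison and returns false for mismatched lengths.
 */
function csrfCheck(array $session, array $post): bool
{
    $expected = $session['csrf'] ?? null;
    $given = $post['csrf_token'] ?? null;
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

/** The /address/edit handler from the earlier diagram, gated by the token check. */
function handleAddressEdit(array $session, array $post): int
{
    if (!csrfCheck($session, $post)) {
        return 403; // reject before touching any state
    }
    // the address update for the logged-in user would go here
    return 200;
}

// --- Constructed scenario (no real sessions or requests) ---
$session = ['user_id' => 42];            // the victim is logged in
echo csrfField($session), "\n";          // rendered into the GET /address/edit page

// The victim submits the real form: the token field round-trips.
$fromOurForm = ['csrf_token' => $session['csrf'], 'street' => '1 Main St'];

// evil.com auto-submits a form to /address/edit in the victim's browser. The
// browser attaches the session cookie, but evil.com never saw our page, so the
// token is absent, or at best a guess.
$fromEvil = ['street' => 'Attacker Lane'];
$fromEvilGuess = ['csrf_token' => str_repeat('a', 64), 'street' => 'Attacker Lane'];

var_dump(
    handleAddressEdit($session, $fromOurForm),
    handleAddressEdit($session, $fromEvil),
    handleAddressEdit($session, $fromEvilGuess)
);
```

Two things make the check hold up: the token lives only in the session and in pages this site rendered, so another origin cannot read it, and every state change is behind a POST that requires it. If the earlier diagram's GET /confirmation changed state, an <img> tag on evil.com would trigger it with no form and no token at all, so GET handlers must stay side-effect free.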
===
Credits
● Security Camera image by Henning Mühlinghaus
● Conception image by Lynn (Gracie's mom)
● Piecing Data by José Manuel Ríos Valiente
References
● OWASP Top 10 Cheat Sheet