Web Application Security: Winning When The Odds Are Against You

===Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You

Web Application SecurityWeb Application SecurityWinning When The Odds Are Against YouWinning When The Odds Are Against You

New

Zea

land

PH

P C

onfe

renc

e 20

14

Ben DechraiBen Dechrai@bendechrai@bendechrai

#webappsec #phpnz14 #webappsec #phpnz14 https://joind.in/talk/view/11435https://joind.in/talk/view/11435


What Is Web What Is Web Application Security?Application Security?



What's Applicable to PHP Developers?



Where to Start?



Top Ten Cheat Sheet

Injection Cross Site Scripting

Weak authentication& session management

Insecure DirectObject Reference

Cross SiteRequest Forgery

SecurityMisconfiguration

InsufficientCryptographic Storage

Failure to RestrictURL access

Insufficient TransportLayer Protection

Unvalidated Redirectsand Forwards


Top Ten Cheat Sheet

Injection Cross Site Scripting

Weak authentication& session management

Insecure DirectObject Reference

Cross SiteRequest Forgery

SecurityMisconfiguration

InsufficientCryptographic Storage

Failure to RestrictURL access

Insufficient TransportLayer Protection

Unvalidated Redirectsand Forwards


DemoDemo


What Are What Are The Odds?The Odds?


Solutions?


Think like PHP...


Not in PHP...


Think LIKE PHP...


HTTP

GET /index.html

<html>..</html>

GET /css/styles.css

GET /js/script.js

GET /images/logo.jpg

body { ... }

$(document).ready(...)

data:image/jpg;base64,/9j/4AAQSkZJRgA...


HTTP

GET /index.php

<html>..</html>

PHP process

PHP returns

POST /login.phpPHP process

PHP returns<html>..</html>


HTTP

POST /images.php/logo.jpg

<html>..</html>

PHP process

PHP returns

POST /images/logo.jpgPHP process


URL rewriting means anythingcan be passed to PHP


Cross-Site Request Forgeries

visage.cto.to

POST /login

<html>..</html>

PHP processPHP returns

POST /checkout PHP processPHP returns<html>..</html>

POST /address/edit

{401}

POST /address/edit

{ 200 }

evil.com

POST /payment

<html>..</html>

PHP processPHP returns

GET /confirmation PHP process


PHP process

PHP returns

PHP process

PHP returns


PHP Ain't Clever(hint, not many programming languages are!)

Data Data

Database

User Input

Files

Other sites via APIDatabaseBrowser Response

Other systemsSending emails


PHP Environment

● 1 page load = 1 PHP process● Web server passes whole request to the PHP

process● When a script ends, all data are lost


Piecing Data Together

$_GET $_POST

$_COOKIE $_FILES

$_REQUEST


Request Basics

● $_REQUEST variables can come from Environment, Post, Get, Cookie or Session variables!

● Don't use them, specify the source● Even then, don't trust $_POST, et al● Consider all data harmful


Whitelist All Incoming Data

● Treat all data as untrusted● Only if it passed a whitelist, let it through● Look for odd data entry points

– Did you know the filename of an uploaded file is user generated input?

● Email addresses have fixed validation rules



(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*

| "(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]

| \\[\x01-\x09\x0b\x0c\x0e-\x7f])*")

@ (?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?

| \[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}

(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:

(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]

| \\[\x01-\x09\x0b\x0c\x0e-\x7f])+)

\])



Some people, when confronted with a problem, think, “I know, I’ll use regular expressions.”

Now they have two problems.

— Jamie Zawinksi



filter_var($email, FILTER_VALIDATE_EMAIL);

(Or just send them an email)



● Names are a big topic(see http://is.gd/validating_names)

● Who decides if a name is valid?

– Josè Smith– La amonȝ– Þórinn Eikinskjaldi– Πηληϊάδεω χιλ οςἈ ῆ– Federico del Sagrado Corazón de Jesús García

Lorca

http://is.gd/validating_names


Encode on Output

● Avoid encoding for storage● Keep valid user input intact● Encode when used in an output stream

– HTML encode for screen– URL encode for querystrings– Escape for CSV output

● By keeping the original data, you can repurpose for many outputs


Encode on Output

User GeneratedContent

User GeneratedContent

Sanitize

HTML EMAIL

Sanitize

XML/JSON/CSV

Sanitize

UNKNOWNFUTURE APP

Sanitize


Encode on Output

filter_var($comment,

FILTER_SANITIZE_FULL_SPECIAL_CHARS);



Tokens

Username

Password

Token

SUBMIT

ABC123

ABC123



Referrers can be easily forged;

don't rely on them


Credits

● Security Camera image by Henning Mühlinghaus

● Conception image by Lynn (Gracie's mom)

● Piecing Data by José Manuel Ríos Valiente

References

● OWASP Top 10 Cheat Sheet

https://www.flickr.com/photos/muehlinghaus/241755891

https://www.flickr.com/photos/38274933@N00/280238861/

https://www.flickr.com/photos/josemanuelerre/3984847570

https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet


Thank You!Thank You!Questions?Questions?

Ben DechraiBen Dechrai@bendechrai@bendechrai

New

Zea

land

PH

P C

onf

eren

ce 2

014

Internet

Web Application Security: Winning When The Odds Are Against You