@asgrim
Dip Your Toes in the Sea of Security
James Titcumb, ConFoo Vancouver 2017
$ whoami
James Titcumb
www.jamestitcumb.com
www.roave.com
@asgrim
Some simple PHP code...
<?php
$a = (int)filter_var($_GET['a'], FILTER_SANITIZE_NUMBER_INT);
$b = (int)filter_var($_GET['b'], FILTER_SANITIZE_NUMBER_INT);
$result = $a + $b;
printf('The answer is %d', $result);
The Golden Rules (my made-up golden rules)
1. Keep it simple
2. Know the risks
3. Fail securely
4. Don’t reinvent the wheel
5. Never trust anything
Application Security (mainly PHP applications)
The (#n) ranks on the following slides are the items' positions in the OWASP Top 10 2017.
Always remember…
Filter Input, Escape Output
SQL Injection (#1)
<?php
// user_id=1; DROP TABLE users; --
$user_id = $_GET['user_id'];
$sql = "
    SELECT * FROM users
    WHERE user_id = {$user_id}";
$db->execute($sql); // ✘ attacker-controlled input is spliced into the query text

SQL Injection (#1): fixed with a prepared statement
<?php
$user_id = $_GET['user_id'];
$sql = "
    SELECT * FROM users
    WHERE user_id = :userid";
$stmt = $db->prepare($sql);            // $db is a PDO connection
$stmt->bindValue(':userid', $user_id); // the value travels separately from the SQL, so it can never change its structure
$stmt->execute(); // ✓
Never pass request data to exec() or eval(); a GitHub code search shows how common it is:
exec($_GET)
https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code
eval()
https://github.com/search?q=eval%28%24_GET&type=Code&ref=searchresults
Cross-Site Scripting / XSS (#7)
<?php
$unfilteredInput = '<script type="text/javascript">...</script>';
// Unescaped - JS will run :'(
echo $unfilteredInput;
// Escaped - JS will not run :)
echo htmlspecialchars($unfilteredInput, ENT_QUOTES, 'UTF-8');
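htmlspecialchars() is the right escape for HTML text and attribute contexts only; a value that ends up inside a URL or a script block needs the encoder for that context. The following is an added example, not code from the slides; the helper names escHtml/escUrlParam/escJs and the attacker string are made up for the illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): one escaping function per output context.

function escHtml(string $s): string
{
    // ENT_QUOTES covers both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escUrlParam(string $s): string
{
    // For a value inside a query string; the result contains only unreserved chars and %XX,
    // so it is also safe to drop straight into an href attribute.
    return rawurlencode($s);
}

function escJs(string $s): string
{
    // A JSON string literal is a valid JavaScript string literal. The JSON_HEX_* flags turn
    // < > & ' " into \uXXXX escapes, so the value cannot close the <script> block or the quotes.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

$payload = '"><script>alert(1)</script>';   // constructed attacker input

echo '<p>' . escHtml($payload) . '</p>' . "\n";                       // HTML text context
echo '<input value="' . escHtml($payload) . '">' . "\n";              // HTML attribute context
echo '<a href="/search?q=' . escUrlParam($payload) . '">search</a>' . "\n"; // URL query context
echo '<script>var q = ' . escJs($payload) . ';</script>' . "\n";      // JavaScript string context
```

Using escHtml() for the script block would be the classic mistake: &quot; is not an escape inside JavaScript, so the quote still terminates the string.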
CSRF tokens: generating randomness and constant-time comparison
<?php
if (!$isPost) {
    // Generating randomness: random_bytes() is a CSPRNG; base64 makes the token form-safe
    $csrfToken = base64_encode(random_bytes(32));
    $_SESSION['csrf_token'] = $csrfToken;
    // ... output the form ...
    echo '<input type="hidden" name="csrf_token" value="' . $csrfToken . '" />';
} else {
    // Constant-time comparison: hash_equals() takes the same time whether the first or the last byte differs
    $submitted = (string)($_POST['csrf_token'] ?? '');
    if (!isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $submitted)) {
        die("Token invalid...");
    }
    // ... handle the form ...
}
Timing attacks
// From zend_is_identical (PHP's === on two strings): same pointer, or same length and memcmp() agrees
return (Z_STR_P(op1) == Z_STR_P(op2) ||
    (Z_STRLEN_P(op1) == Z_STRLEN_P(op2) &&
        memcmp(Z_STRVAL_P(op1), Z_STRVAL_P(op2), Z_STRLEN_P(op1)) == 0));
Timing attacks
Actual string: “foobar”
● a (0.00001)
● aa (0.00001)
● aaa (0.00001)
● aaaa (0.00001)
● aaaaa (0.00001)
● aaaaaa (0.00002) ← success! (the length check passes, so memcmp() actually runs)
● aaaaaaa (0.00001)
● aaaaaaaa (0.00001)
● aaaaaaaaa (0.00001)
Timing attacks
int memcmp(const void* s1, const void* s2, size_t n)
{
    const unsigned char *p1 = s1, *p2 = s2;
    while (n--)
        if (*p1 != *p2)
            return *p1 - *p2;   /* returns at the FIRST differing byte */
        else
            p1++, p2++;
    return 0;
}
http://clc-wiki.net/wiki/C_standard_library:string.h:memcmp#Implementation
Timing attacks
Actual string: “foobar”
● “aaaaaa” (0.00001)
● “baaaaa” (0.00001)
● …
● “faaaaa” (0.00002) ← success!
● “fbaaaa” (0.00002)
● “fcaaaa” (0.00002)
● …
● “foaaaa” (0.00003) ← success!
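The two searches above (first the length, then one byte at a time) are cheap to write down as code. This is an added example, not from the slides: rather than timing a real server it counts the byte comparisons a memcmp-style compare performs, which is the quantity the attacker reads off the response time. The functions leakyEquals/recoverLength/recoverSecret are invented for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. The "oracle" is a simulated early-exit compare
// that reports how much work it did instead of leaking it through wall-clock time.

/**
 * Early-exit compare modelled on zend_is_identical() + memcmp(): a length mismatch costs
 * nothing, otherwise it stops at the first differing byte. Returns [equal, comparisons].
 */
function leakyEquals(string $secret, string $guess): array
{
    if (strlen($secret) !== strlen($guess)) {
        return [false, 0];
    }
    $work = 0;
    for ($i = 0, $n = strlen($secret); $i < $n; $i++) {
        $work++;
        if ($secret[$i] !== $guess[$i]) {
            return [false, $work];      // the early exit is the leak
        }
    }
    return [true, $work];
}

/** Step 1 (slide: a, aa, aaa, ...): only the right length makes memcmp() run at all. */
function recoverLength(string $secret, int $maxLen = 64): int
{
    for ($len = 1; $len <= $maxLen; $len++) {
        [, $work] = leakyEquals($secret, str_repeat('a', $len));
        if ($work > 0) {
            return $len;
        }
    }
    return -1;
}

/** Step 2 (slide: aaaaaa, baaaaa, ..., faaaaa): extend the known prefix one byte at a time. */
function recoverSecret(string $secret, string $alphabet = 'abcdefghijklmnopqrstuvwxyz'): array
{
    $len = recoverLength($secret);
    $known = '';
    $queries = 0;
    for ($pos = 0; $pos < $len; $pos++) {
        $best = '';
        $bestWork = -1;
        foreach (str_split($alphabet) as $c) {
            $guess = $known . $c . str_repeat('a', $len - $pos - 1);
            $queries++;
            [$equal, $work] = leakyEquals($secret, $guess);
            if ($equal) {
                return ['secret' => $guess, 'queries' => $queries];
            }
            if ($work > $bestWork) {    // a correct byte at $pos lets the compare run further
                $bestWork = $work;
                $best = $c;
            }
        }
        $known .= $best;
    }
    return ['secret' => $known, 'queries' => $queries];
}

$result = recoverSecret('foobar');
printf("recovered \"%s\" in %d guesses; blind brute force would need up to 26^6 = %d\n",
    $result['secret'], $result['queries'], 26 ** 6);

// hash_equals() always compares the full length, so every wrong guess costs the same
// and the ranking step above has nothing to work with.
```

Each position costs at most one pass over the alphabet, so the work grows linearly with the secret's length instead of exponentially. Real-world timing noise is much larger than the single-comparison difference shown here, which is why attackers average thousands of requests per guess; the shape of the attack is the same.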
Sensitive Data Exposure (#3)
Insecure deserialisation (#8)
<?php
// The cookie is attacker-controlled: unserialize() rebuilds whatever the client sent,
// including objects of any loadable class, before the role check even runs
$user = unserialize($_COOKIE['user']);
if ($user['role'] === 'admin') {
    // uh oh...
}
PSR-7 storageless session: composer require psr7-sessions/storageless
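What a client-held ("storageless") session has to get right is shown below as an added example. It is not from the slides and it is not the psr7-sessions/storageless API; it illustrates the principle that library implements: the data is JSON rather than a PHP serialized blob, and an HMAC over it is verified before anything is decoded, so a cookie with role=admin written in by hand is rejected. The function names encodeSessionCookie/decodeSessionCookie are invented for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides and not the storageless library's code.

function encodeSessionCookie(array $data, string $key): string
{
    $payload = base64_encode(json_encode($data, JSON_THROW_ON_ERROR));
    $mac = hash_hmac('sha256', $payload, $key);   // hex MAC over the exact payload bytes
    return $payload . '.' . $mac;                 // base64 never contains '.', so the split is unambiguous
}

/** Returns the verified session data, or null for any malformed or tampered cookie. */
function decodeSessionCookie(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Verify first, decode second; hash_equals() avoids the timing leak shown on the earlier slides.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    try {
        $data = json_decode($json, true, 16, JSON_THROW_ON_ERROR);  // arrays only, never objects
    } catch (JsonException $e) {
        return null;
    }
    return is_array($data) ? $data : null;
}

// Constructed demo key: in real use it is generated once, kept in config outside the
// web root, never committed, and rotated deliberately.
$key = random_bytes(32);

$cookie = encodeSessionCookie(['user_id' => 42, 'role' => 'user'], $key);
var_dump(decodeSessionCookie($cookie, $key));

// The attacker rewrites the payload to claim role=admin but cannot recompute the MAC.
[, $oldMac] = explode('.', $cookie, 2);
$forged = base64_encode(json_encode(['user_id' => 42, 'role' => 'admin'])) . '.' . $oldMac;
var_dump(decodeSessionCookie($forged, $key));

// If unserialize() on untrusted input truly cannot be avoided, at least forbid object
// instantiation so no class's __wakeup()/__destruct() runs on attacker-chosen data:
// $user = unserialize($_COOKIE['user'], ['allowed_classes' => false]);
```

The first var_dump prints the array with role "user"; the second prints NULL because the MAC no longer matches. Note what the MAC does not give you: confidentiality (the payload is readable by the client) or expiry (add an "exp" field and check it after verification), which is part of why a maintained library is preferable to this sketch.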
Third Party Code (#9)
!!! WARNING !!!
github.com/ /SecurityAdvisories
Dependencies Disappearing
composer.lock (and other stuff in web root): keep it out of the document root, it tells an attacker exactly which package versions you run
We are not all security experts!
… but we CAN write secure code
Hack your own system!
What do you want? Think like a hacker
How do you get it? Think Differently
Threat Modelling: D.R.E.A.D.
Damage
Reproducibility
Exploitability
Affected users
Discoverability
Rank them in order, and fix them!
Authentication & Authorization
Authentication: Verifying Identity
Case Study: Custom Authentication
We thought about doing this… ✘
Password Hashing: password_hash()
(basically, bcrypt with a proper per-password salt)
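The login-side half of password_hash() is password_verify(), plus a rehash when the stored hash predates the current algorithm or cost. The following is an added example, not from the slides; the checkLogin() function and the sample passwords are made up for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. password_hash() chooses the algorithm, generates a
// random per-password salt and embeds algorithm, cost and salt in the returned string,
// so password_verify() needs nothing but the stored hash.

const HASH_OPTIONS = ['cost' => 12];   // tune so one hash takes ~100 ms on your hardware

// Constructed "database row" standing in for a user record.
$storedHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT, HASH_OPTIONS);

/**
 * Verifies a login attempt. If the stored hash was produced with an older algorithm or a
 * lower cost than HASH_OPTIONS, also returns a fresh hash to write back to the database,
 * which is the only moment the plaintext is available for upgrading it.
 */
function checkLogin(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'rehash' => null];
    }
    $rehash = null;
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $rehash = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    return ['ok' => true, 'rehash' => $rehash];
}

var_dump(checkLogin('correct horse battery staple', $storedHash)['ok']);
var_dump(checkLogin('Tr0ub4dor&3', $storedHash)['ok']);

// Never do this: sha256 (salted or not) is far too fast for an offline attacker, and
// comparing the hex digest with == also leaks through timing:
// $ok = hash('sha256', $salt . $password) == $row['hash'];   ✘
```

The first call reports true, the second false. password_verify() is itself constant-time, and a user who does not exist should be handled by verifying against a dummy hash so that the response time does not reveal which usernames are valid.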
Two Factor Authentication
Authorization: Verifying Access
CRYPTOGRAPHY IS HARD
NEVER EVER “ROLL YOUR OWN” EVER!!!
How to encrypt then?
I’ve got some great ideas for encryption...
(Image: IBTimes, http://goo.gl/zPVeo0)
How to encrypt then? sodium + halite, or Defuse php-encryption
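To show what those libraries do for you underneath, here is the bare sodium primitive they build on, as an added example that is not from the slides and is not Halite's or php-encryption's API. It uses the sodium extension bundled with PHP 7.2+; the function names encryptMessage/decryptMessage and the sample card string are invented for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. sodium_crypto_secretbox() is authenticated encryption
// (XSalsa20 + Poly1305): a ciphertext that was modified fails to open instead of decrypting
// to garbage, and you never choose a cipher, mode or padding yourself.

function encryptMessage(string $plaintext, string $key): string
{
    // A fresh random nonce per message; it is not secret and is stored alongside the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $ciphertext);
}

/** Returns the plaintext, or null if the message was tampered with or the key is wrong. */
function decryptMessage(string $encoded, string $key): ?string
{
    $raw = base64_decode($encoded, true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);   // false when the MAC fails
    return $plaintext === false ? null : $plaintext;
}

// 32 random bytes. In real use: generated once, kept outside the web root and out of git.
$key = sodium_crypto_secretbox_keygen();

$token = encryptMessage('card=4111111111111111', $key);   // constructed sample data
var_dump(decryptMessage($token, $key));

// Flip one bit of the ciphertext: authentication fails and nothing is returned.
$raw = base64_decode($token);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
var_dump(decryptMessage(base64_encode($raw), $key));

sodium_memzero($key);   // wipe the key from memory once it is no longer needed
```

The first var_dump returns the original string, the second NULL. What Halite and php-encryption add on top of this is exactly the part that is easy to get wrong by hand: key storage and derivation, a versioned ciphertext format, and key rotation.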
Linux Server Security
Create an SSH Fortress
Firewalls
iptables
#!/bin/bash
IPT="/sbin/iptables"

$IPT --flush
$IPT --delete-chain
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

# Loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Replies to connections already accepted. Without these two rules the DROP policies
# also drop the responses to your own SSH session and to the server's outbound requests.
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Inbound traffic
$IPT -A INPUT -p tcp --dport ssh -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT

# Outbound traffic
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

iptables
https://twitter.com/sadserver/status/615988393198026752

ufw
# Allow SSH before enabling the firewall, so the session you run these from is not cut off
sudo ufw allow 22
sudo ufw allow 80
sudo ufw enable
Mitigate Brute Force Attacks
Install Only What You Need
Case Study: Be Minimal
(diagram: Internets, hacker, Squid Proxy (badly configured), Postfix, spam)
Resources
● http://securingphp.com/
● https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
● http://blog.ircmaxell.com/
● https://github.com/paragonie/random_compat
● https://github.com/paragonie/sodium_compat
● https://github.com/ircmaxell/password_compat
● https://paragonie.com/blog
● https://websec.io/resources.php
● https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04
● https://www.kali.org/
The Golden Rules
1. Keep it simple
2. Know the risks
3. Fail securely
4. Don’t reinvent the wheel
5. Never trust anything / anyone
If you follow all this, you get...
Any questions?
James Titcumb
@asgrim